CN110545292B - Abnormal flow monitoring method and device - Google Patents

Publication number
CN110545292B
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201910935734.1A
Other languages
Chinese (zh)
Other versions
CN110545292A (en)
Inventor
洪妍妍
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Miaozhen Information Technology Co Ltd
Original Assignee
Miaozhen Information Technology Co Ltd
Application filed by Miaozhen Information Technology Co Ltd
Priority to CN201910935734.1A
Publication of CN110545292A
Application granted
Publication of CN110545292B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/10 Active monitoring, e.g. heartbeat, ping or trace-route
    • H04L43/106 Active monitoring, e.g. heartbeat, ping or trace-route using time related information in packets, e.g. by adding timestamps
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/16 Threshold monitoring
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection

Abstract

The application provides a method and a device for monitoring abnormal traffic. The method comprises: obtaining a total click log and a total exposure log of a to-be-detected push message, and determining a plurality of target devices based on the total click log and the total exposure log; for each target device, determining the target logs of the target device from the total click log and the total exposure log, where any one target log is either a click log or an exposure log; determining at least one log group from the target logs of the target device, where each log group comprises a plurality of target logs having association relations; and, if any target log of the target device is confirmed to be an abnormal traffic log, determining, based on the log group, the other target logs having an association relation with that target log as abnormal traffic logs. The abnormal traffic monitoring method provided by the application improves the accuracy of abnormal traffic monitoring.

Description

Abnormal flow monitoring method and device
Technical Field
The present application relates to the field of communications technologies, and in particular, to a method and an apparatus for monitoring abnormal traffic.
Background
With the continuous development of network information technology, network push messages have flooded people's lives and have attracted many delivering parties to deliver push messages on the network. However, some vulnerabilities in current internet technologies can bring a large amount of abnormal traffic. For example, after a message is pushed, some pushing platforms charge the delivering party based on the click rate or exposure of the pushed message; for illegal profit, there may be a large number of abnormal click or exposure behaviors.
The applicant found in research that current abnormal traffic detection methods for push messages suffer from low detection precision.
Disclosure of Invention
In view of the above, an object of the present application is to provide a method and an apparatus for monitoring abnormal traffic, so as to improve the detection accuracy of the current method for detecting abnormal traffic of a push message.
In a first aspect, an embodiment of the present application provides a method for monitoring abnormal traffic, including:
acquiring a total click log and a total exposure log of a to-be-detected push message, and determining a plurality of target devices based on the total click log and the total exposure log;
for each target device, determining a target log of the target device from the total click log and the total exposure log; any one target log is one of a click log or an exposure log;
determining at least one group of logs from a target log of the target device; each log group comprises a plurality of target logs with association relations;
and if any target log of the target device is confirmed to be an abnormal traffic log, determining, based on the log group, the other target logs having an association relation with that target log as abnormal traffic logs.
In an optional implementation manner, the obtaining a total click log and a total exposure log of the to-be-detected push message includes:
acquiring a total exposure log of the to-be-detected push message exposed on a plurality of devices in a preset historical time period, and acquiring a total click log of the to-be-detected push message clicked by each device in the preset historical time period.
In an alternative embodiment, the determining a plurality of target devices based on the total click log and the total exposure log includes:
reading a first target field including equipment identification information from each click log included in the total click log;
reading a second target field including equipment identification information from each exposure log included in the total exposure log;
determining a plurality of the target devices based on the first target field and the second target field.
In an alternative embodiment, determining at least one group of logs from the target log of the target device comprises:
for the target device, sorting the target logs according to the timestamp corresponding to each target log of the target device;
detecting whether the difference between the timestamps of every two adjacent target logs in the sorting result is smaller than a preset time difference threshold, and if so, establishing an association relation between the two adjacent target logs;
determining at least one log group from the target logs of the target device based on the association relation; a target log in any log group has an association relation with at least one other target log in the same log group.
In an optional embodiment, the method further includes filtering an abnormal traffic log in the total click log and the total exposure log.
In a second aspect, an embodiment of the present application further provides an apparatus for monitoring abnormal traffic, including:
the acquisition module is used for acquiring a total click log and a total exposure log of a to-be-detected push message and determining a plurality of target devices based on the total click log and the total exposure log;
the determining module is used for determining a target log of each target device from the total click log and the total exposure log; any one target log is one of a click log or an exposure log;
the determining module is further used for determining at least one group of log groups from the target log of the target device; each log group comprises a plurality of target logs with association relations;
the determining module is further configured to determine, based on the log group, other target logs having an association relationship with any one of the target logs as abnormal traffic logs if the any one of the target logs of the target device is confirmed as an abnormal traffic log.
In an optional implementation manner, the obtaining module is configured to obtain a total click log and a total exposure log of a to-be-detected push message, and specifically is configured to:
acquiring a total exposure log of the to-be-detected push message exposed on a plurality of devices in a preset historical time period, and acquiring a total click log of the to-be-detected push message clicked by each device in the preset historical time period.
In an optional embodiment, the determining module, when determining the plurality of target devices based on the total click log and the total exposure log, comprises:
reading a first target field including equipment identification information from each click log included in the total click log;
reading a second target field including equipment identification information from each exposure log included in the total exposure log;
determining a plurality of the target devices based on the first target field and the second target field.
In an optional implementation manner, when determining at least one log group from the target log of the target device, the determining module is specifically configured to:
for the target device, sorting the target logs according to the timestamp corresponding to each target log of the target device;
detecting whether the difference between the timestamps of every two adjacent target logs in the sorting result is smaller than a preset time difference threshold, and if so, establishing an association relation between the two adjacent target logs;
determining at least one log group from the target logs of the target device based on the association relation; a target log in any log group has an association relation with at least one other target log in the same log group.
In an alternative embodiment, the apparatus further comprises: a filtering module, used for filtering the abnormal traffic logs in the total click log and the total exposure log.
In a third aspect, an embodiment of the present application further provides an electronic device, including: a processor, a memory and a bus, the memory storing machine-readable instructions executable by the processor, the processor and the memory communicating via the bus when the electronic device is running, the machine-readable instructions when executed by the processor performing the steps of the first aspect described above, or any possible implementation of the first aspect.
In a fourth aspect, this application further provides a computer-readable storage medium, on which a computer program is stored, where the computer program is executed by a processor to perform the steps in the first aspect or any one of the possible implementation manners of the first aspect.
According to the method, the device and the system for monitoring abnormal traffic, a total click log and a total exposure log of a to-be-detected push message are obtained, and a plurality of target devices are determined based on the total click log and the total exposure log; for each target device, the target logs of the target device are determined from the obtained total click log and total exposure log; at least one log group is determined from the target logs of the target device, where each log group comprises a plurality of target logs having association relations; and if any target log of the target device is confirmed to be an abnormal traffic log, the other target logs having an association relation with that target log are determined, based on the log group, as abnormal traffic logs.
In the present application, during abnormal traffic monitoring, if any target log, which may be a click log or an exposure log, is determined to be an abnormal traffic log, the other target logs associated with that target log are also determined to be abnormal traffic logs.
In order to make the aforementioned objects, features and advantages of the present application more comprehensible, preferred embodiments accompanied with figures are described in detail below.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are required to be used in the embodiments will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present application and therefore should not be considered as limiting the scope, and for those skilled in the art, other related drawings can be obtained from the drawings without inventive effort.
Fig. 1 is a flowchart illustrating an abnormal traffic monitoring method provided in an embodiment of the present application;
Fig. 2 is a flowchart illustrating an abnormal traffic log association method of the abnormal traffic monitoring method provided in an embodiment of the present application;
Fig. 3 is a schematic structural diagram illustrating an abnormal traffic monitoring apparatus provided in an embodiment of the present application;
Fig. 4 is a schematic structural diagram illustrating an electronic device provided in an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present application clearer, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all the embodiments. The components of the embodiments of the present application, generally described and illustrated in the figures herein, can be arranged and designed in a wide variety of different configurations. Thus, the following detailed description of the embodiments of the present application, presented in the accompanying drawings, is not intended to limit the scope of the claimed application, but is merely representative of selected embodiments of the application. All other embodiments, which can be derived by a person skilled in the art from the embodiments of the present application without making any creative effort, shall fall within the protection scope of the present application.
Research shows that, to monitor abnormal click or exposure behaviors, conventional abnormal traffic monitoring methods generally perform abnormal traffic calculation and filtering separately on click traffic and on exposure traffic. As a result, one side may be judged as abnormal traffic and filtered while the other side is not judged as abnormal traffic. This does not match how an actual user operates, and the delivering party cannot accurately know the real delivery effect data.
Therefore, in the prior art, the current abnormal traffic detection method for the push message has the problem of low detection precision.
Based on the above research, the present application provides a method and an apparatus for monitoring abnormal traffic. During abnormal traffic monitoring, if any target log, which may be a click log or an exposure log, is determined to be an abnormal traffic log, the other target logs associated with that target log are also determined to be abnormal traffic logs. The association between target logs is thus taken into account when determining abnormal traffic logs, which improves the accuracy of abnormal traffic detection for a push message.
The above-mentioned drawbacks are the results of the inventor after practical and careful study, and therefore, the discovery process of the above-mentioned problems and the solution proposed by the present application to the above-mentioned problems in the following should be the contribution of the inventor to the present application in the process of the present application.
The technical solutions in the present application will be described clearly and completely with reference to the drawings in the present application, and it should be understood that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. The components of the present application, as generally described and illustrated in the figures herein, may be arranged and designed in a wide variety of different configurations. Thus, the following detailed description of the embodiments of the present application, presented in the accompanying drawings, is not intended to limit the scope of the claimed application, but is merely representative of selected embodiments of the application. All other embodiments, which can be derived by a person skilled in the art from the embodiments of the present application without making any creative effort, shall fall within the protection scope of the present application.
It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, it need not be further defined and explained in subsequent figures.
For the convenience of understanding of the present embodiment, a detailed description is first given to a method for monitoring abnormal traffic disclosed in the embodiments of the present application, and an execution subject of the method for monitoring abnormal traffic provided in the embodiments of the present application is generally a target monitoring device. In particular, the execution subject may also be other computer devices.
Example one
Referring to fig. 1, a flowchart of an abnormal flow monitoring method provided in an embodiment of the present application is shown, where the method includes steps S101 to S104, where:
S101: acquiring a total click log and a total exposure log of the push message to be detected, and determining a plurality of target devices based on the total click log and the total exposure log.
S102: for each target device, determining the target logs of the target device from the total click log and the total exposure log; any one of the target logs is either a click log or an exposure log.
S103: determining at least one log group from the target logs of the target device; each log group comprises a plurality of target logs having association relations.
S104: if any target log of the target device is confirmed to be an abnormal traffic log, the other target logs having an association relation with that target log are also determined to be abnormal traffic logs on the basis of the log group.
The following describes each of the above-mentioned steps S101 to S104 in detail.
First: the push message described in S101 includes push information sent by a server to a user terminal, and may include a network advertisement. Advertisement pushing brings revenue to the advertiser, and most network platforms charge the advertiser according to the number of clicks and exposures of the advertisement. A large number of abnormal clicks or exposures may therefore exist for illegal profit, so it is very important for the advertiser to count clicks and exposures accurately.
Illustratively, the click log records, for the current click record, the user information, time, address, search terms, serial number of the click record and ID of the click record. The recorded time comprises the hour at which the search occurred, the day of the week and the date; the click log also records whether the product was clicked in the search result or in the recommendation result; the address information includes province, city, and district or county information.
In addition, the exposure log functions similarly to the click log and is not described further here.
In a possible implementation manner, when the total click log and the total exposure log of the push message to be detected are obtained, an activity can be created at the monitoring end, and it is ensured that the total click log and the total exposure log of the push message can be monitored simultaneously.
In another embodiment, the obtaining the total click log and the total exposure log of the to-be-detected push message includes:
obtaining a total exposure log of the push message to be detected being exposed on a plurality of devices in a preset historical time period, and obtaining a total click log of the push message to be detected being clicked by each device in the preset historical time period.
When determining the plurality of target devices based on the total click log and the total exposure log, a first target field including device identification information may be read from each click log included in the total click log, a second target field including device identification information may be read from each exposure log included in the total exposure log, and finally, the plurality of target devices may be determined based on the first target field and the second target field.
It should be noted that the first target field may be a target field representing time information in the click log or identification information of the log, and the second target field may be a target field representing time information in the exposure log or identification information of the log.
The device identification information includes parameter information of the device itself, such as a Media Access Control (MAC) address, an International Mobile Equipment Identity (IMEI), an Android ID, an Identifier for Advertisers (IDFA), an auxiliary development Software Development Kit (SDK), and the like.
Second: in the above S102, for each target device, the target logs of the target device are determined from the total click log and the total exposure log; either a click log or an exposure log may be used as a target log.
In one possible implementation, in order to accurately count the number of clicks and exposures, the abnormal clicks or exposures need to be filtered, that is, the click log which violates a preset abnormal click log rule or the exposure log which violates a preset abnormal exposure log rule are filtered.
For example, the click log which violates the preset abnormal click log rule or the exposure log which violates the preset abnormal exposure log rule may be directly deleted, or the click log which violates the preset abnormal click log rule or the exposure log which violates the preset abnormal exposure log rule may be stored in a specific location, not as the traffic statistic information.
Third: in the above S103, at least one log group is determined from the target logs of the target device; each log group comprises a plurality of target logs having association relations.
Fourth: in S104, if any target log of the target device is confirmed to be an abnormal traffic log, the other target logs having an association relation with that target log are also determined to be abnormal traffic logs based on the log group.
For example, if a log group includes a plurality of target logs having an association relation, and any one of the target logs is determined to be an abnormal traffic log, the other target logs having the association relation are also determined to be abnormal traffic logs.
For example, if the click log is determined as an abnormal traffic log, the associated exposure log is also determined as an abnormal traffic log.
For example, if the exposure log is determined as an abnormal traffic log, the associated click log is also determined as an abnormal traffic log.
In a possible application scenario, after determining the abnormal traffic log based on the above method, the click log and the exposure log determined as the abnormal traffic log may be filtered.
Referring to fig. 2, a flowchart of an abnormal traffic log association method of an abnormal traffic monitoring method provided in an embodiment of the present application is shown, where the method includes steps S201 to S203, where:
S201: for the target device, sorting the target logs according to the timestamp corresponding to each target log of the target device.
Illustratively, for the same device, the information corresponding to the start timestamps in the total click log and the total exposure log is extracted (this may be information such as fields), and the target logs are then sorted in reverse order according to that timestamp information.
For example, push information is generally first exposed on the user interface and then attracts the user to click it, so for the same push information the exposure log should precede the click log. Sorting the target logs in reverse order makes it convenient to obtain the click log and the exposure log corresponding to the same push information.
S202: detecting whether the difference between the timestamps of every two adjacent target logs in the sorting result is smaller than a preset time difference threshold, and if so, establishing an association relation between the two adjacent target logs.
Based on the sorted target logs of the same device, it is detected whether the difference between the timestamps of two adjacent target logs is smaller than a preset time difference threshold. The time difference threshold can be set to 1 second; when the difference between the timestamps of two adjacent target logs is smaller than or equal to 1 second, the two adjacent target logs can be judged to be associated logs. If either of the two adjacent target logs violates an abnormal click log rule or exposure log rule, the two adjacent target logs can be determined together as abnormal traffic logs and filtered together.
For example, if any target log corresponds to multiple associated logs and any one of those target logs violates an abnormal click log rule or exposure log rule, the multiple target logs may be determined together as abnormal traffic logs and filtered together.
S203: determining at least one log group from the target logs of the target device based on the association relation; a target log in any log group has an association relation with at least one other target log in the same log group.
The association relation may be based on the condition that, in any log group of the same device, the difference between the timestamps of the exposure log and the click log is smaller than the preset time difference threshold.
In the abnormal traffic monitoring device provided by the embodiment of the application, during abnormal traffic monitoring, if any target log, which may be a click log or an exposure log, is determined to be an abnormal traffic log, the other target logs associated with that target log are also determined to be abnormal traffic logs.
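The following sketch walks through steps S101 to S104 and S201 to S203 on a small data set. It is an added example, not code from the patent or its applicant: the `LogEntry` fields, the function names and the sample logs are assumptions constructed for illustration, and the seed set of abnormal log IDs stands in for the output of the preset abnormal click/exposure log rules, which the page does not specify.

```python
from collections import defaultdict
from dataclasses import dataclass

THRESHOLD_MS = 1000  # the page's example time-difference threshold of 1 second


@dataclass(frozen=True)
class LogEntry:
    log_id: str     # hypothetical record id
    device_id: str  # device identification field (MAC, IMEI, Android ID, ...)
    kind: str       # "exposure" or "click"
    ts_ms: int      # timestamp in milliseconds


def group_logs(device_logs, threshold_ms=THRESHOLD_MS):
    """S201-S203 for one device: sort by timestamp, link adjacent logs whose
    gap is below the threshold, and return the chains of linked logs.

    Ascending order is used here; adjacency is identical to the reverse
    ordering the page describes. The comparison is strict, as in S202;
    use <= if a gap equal to the threshold should also link two logs.
    """
    ordered = sorted(device_logs, key=lambda e: e.ts_ms)
    groups, current = [], []
    for entry in ordered:
        if current and entry.ts_ms - current[-1].ts_ms < threshold_ms:
            current.append(entry)        # associated with its predecessor
        else:
            if len(current) > 1:         # a group needs at least two logs
                groups.append(current)
            current = [entry]
    if len(current) > 1:
        groups.append(current)
    return groups


def propagate_abnormal(click_logs, exposure_logs, seed_ids,
                       threshold_ms=THRESHOLD_MS):
    """S101-S104: bucket both log types per device, build log groups, and
    mark every log in a group abnormal if any member is in seed_ids."""
    by_device = defaultdict(list)
    for entry in list(click_logs) + list(exposure_logs):
        by_device[entry.device_id].append(entry)

    seeds = set(seed_ids)
    abnormal = set(seeds)
    for logs in by_device.values():
        for group in group_logs(logs, threshold_ms):
            ids = {e.log_id for e in group}
            if ids & seeds:
                abnormal |= ids
    return abnormal


def filter_logs(click_logs, exposure_logs, abnormal_ids):
    """Drop abnormal logs from both totals so the counts stay consistent."""
    clean_clicks = [e for e in click_logs if e.log_id not in abnormal_ids]
    clean_exposures = [e for e in exposure_logs if e.log_id not in abnormal_ids]
    return clean_clicks, clean_exposures


# Constructed sample data (not from the page).
SAMPLE_EXPOSURES = [
    LogEntry("e1", "dev-A", "exposure", 1_000),
    LogEntry("e2", "dev-A", "exposure", 60_000),
    LogEntry("e3", "dev-B", "exposure", 1_000),
]
SAMPLE_CLICKS = [
    LogEntry("c1", "dev-A", "click", 1_400),   # 400 ms after e1
    LogEntry("c2", "dev-A", "click", 60_500),  # 500 ms after e2
    LogEntry("c3", "dev-A", "click", 61_200),  # 700 ms after c2, chained to e2
    LogEntry("c4", "dev-B", "click", 5_000),   # 4 s after e3, not associated
]
# Assumed output of the preset abnormal-click rules.
SEED_ABNORMAL = {"c1", "c3", "c4"}

if __name__ == "__main__":
    abnormal = propagate_abnormal(SAMPLE_CLICKS, SAMPLE_EXPOSURES, SEED_ABNORMAL)
    clicks, exposures = filter_logs(SAMPLE_CLICKS, SAMPLE_EXPOSURES, abnormal)
    print("abnormal:", sorted(abnormal))
    print("kept clicks:", [e.log_id for e in clicks])
    print("kept exposures:", [e.log_id for e in exposures])
```

Filtering clicks and exposures independently would remove only c1, c3 and c4 and leave e1, e2 and c2 in the statistics; grouping removes them together. Because association is chained through adjacent logs, e2 and c3 land in the same group even though they are more than one threshold apart.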
Example two
Referring to fig. 3, a schematic view of an abnormal flow monitoring apparatus provided in the second embodiment of the present application is shown, where the apparatus includes: acquisition module 31, determination module 32, and filtering module 33:
the acquiring module 31 is configured to acquire a total click log and a total exposure log of a to-be-detected push message, and determine a plurality of target devices based on the total click log and the total exposure log;
a determining module 32, configured to determine, for each target device, a target log of the target device from the total click log and the total exposure log; any one target log is one of a click log or an exposure log;
the determining module 32 is further configured to determine at least one log group from the target log of the target device; each log group comprises a plurality of target logs with association relations;
the determining module 32 is further configured to, if any target log of the target device is confirmed to be an abnormal traffic log, determine, based on the log group, the other target logs having an association relation with that target log as abnormal traffic logs.
The embodiment of the application provides a device for monitoring abnormal flow, which can acquire a total click log and a total exposure log of a to-be-detected push message, and determine a plurality of target devices based on the total click log and the total exposure log; for each target device, determining a target log of the target device from the total click log and the total exposure log; any one target log is one of a click log or an exposure log; determining at least one group of logs from a target log of the target device; each log group comprises a plurality of target logs with association relations; and if any target log of the target equipment is confirmed to be the abnormal flow log, determining other target logs having an association relation with the any target log as the abnormal flow log based on the log group. The abnormal flow detection method for the push message has higher detection precision.
In a possible implementation manner, the obtaining module 31, when obtaining the total click log and the total exposure log of the to-be-detected push message, is specifically configured to:
acquiring a total exposure log of the to-be-detected push message exposed on a plurality of devices in a preset historical time period, and acquiring a total click log of the to-be-detected push message clicked by each device in the preset historical time period.
In a possible implementation manner, the determining module 32 is configured to, when determining the plurality of target devices based on the total click log and the total exposure log, specifically:
reading a first target field including equipment identification information from each click log included in the total click log;
reading a second target field including equipment identification information from each exposure log included in the total exposure log;
determining a plurality of the target devices based on the first target field and the second target field.
In a possible implementation manner, when determining at least one log group from the target logs of the target device, the determining module 32 is specifically configured to:
for the target device, sorting the target logs according to the timestamp corresponding to each target log of the target device;
detecting whether the difference between the timestamps of every two adjacent target logs in the sorting result is smaller than a preset time difference threshold, and if so, establishing an association relation between the two adjacent target logs;
determining at least one log group from the target logs of the target device based on the association relation; a target log in any log group has an association relation with at least one other target log in the same log group.
In a possible implementation, the filtering module 33 is configured to filter the abnormal traffic logs in the total click log and the total exposure log.
In the abnormal traffic monitoring device provided by the embodiment of the present application, during abnormal traffic monitoring, if any target log (which may be a click log or an exposure log) is determined to be an abnormal traffic log, the other target logs associated with that target log are also determined to be abnormal traffic logs.
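The following added example (not code from the patent) runs the per-device grouping, label propagation and filtering steps described above over constructed logs. The field names `id`, `device_id` and `ts`, the 5-second threshold, and the set of already confirmed abnormal log IDs passed in are assumptions.

```python
from collections import defaultdict

TIME_DIFF_THRESHOLD = 5  # assumed value (seconds) for the preset threshold

# Constructed sample logs. The keys "id", "device_id" and "ts" are assumed
# names for a log identifier, the device-identification field and the timestamp.
EXPOSURE_LOGS = [
    {"id": "e1", "device_id": "dev-A", "ts": 1000},
    {"id": "e2", "device_id": "dev-A", "ts": 1006},
    {"id": "e3", "device_id": "dev-A", "ts": 1303},
    {"id": "e4", "device_id": "dev-B", "ts": 1001},
]
CLICK_LOGS = [
    {"id": "c1", "device_id": "dev-A", "ts": 1002},
    {"id": "c2", "device_id": "dev-A", "ts": 1300},
    {"id": "c3", "device_id": "dev-B", "ts": 1500},
]


def target_logs_by_device(click_logs, exposure_logs):
    """Read the device field from both log sets and bucket logs per device."""
    per_device = defaultdict(list)
    for kind, logs in (("click", click_logs), ("exposure", exposure_logs)):
        for log in logs:
            per_device[log["device_id"]].append({**log, "kind": kind})
    return per_device


def log_groups(target_logs, threshold=TIME_DIFF_THRESHOLD):
    """Sort one device's logs by timestamp and chain adjacent logs whose
    timestamp difference is strictly below the threshold. A chain of two or
    more logs is a log group; an isolated log belongs to no group."""
    ordered = sorted(target_logs, key=lambda log: log["ts"])
    groups, current = [], ordered[:1]
    for prev, cur in zip(ordered, ordered[1:]):
        if cur["ts"] - prev["ts"] < threshold:
            current.append(cur)          # association with the previous log
        else:
            if len(current) > 1:
                groups.append(current)
            current = [cur]              # gap too large: start a new chain
    if len(current) > 1:
        groups.append(current)
    return groups


def propagate_abnormal(click_logs, exposure_logs, confirmed_ids,
                       threshold=TIME_DIFF_THRESHOLD):
    """Return confirmed abnormal log IDs plus every log sharing a group
    with one of them. How a log gets confirmed is outside this example."""
    abnormal = set(confirmed_ids)
    per_device = target_logs_by_device(click_logs, exposure_logs)
    for logs in per_device.values():
        for group in log_groups(logs, threshold):
            ids = {log["id"] for log in group}
            if ids & abnormal:
                abnormal |= ids
    return abnormal


def filter_logs(logs, abnormal_ids):
    """Filtering implemented here as removal of the abnormal logs."""
    return [log for log in logs if log["id"] not in abnormal_ids]


if __name__ == "__main__":
    flagged = propagate_abnormal(CLICK_LOGS, EXPOSURE_LOGS, {"c1"})
    print(sorted(flagged))
    print([log["id"] for log in filter_logs(CLICK_LOGS, flagged)])
```

Note that `e1` and `e2` are 6 seconds apart, above the threshold, yet land in the same group because each is adjacent to `c1`; `e4` on `dev-B` is never grouped with `dev-A` logs despite its close timestamp.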
EXAMPLE III
An embodiment of the present application further provides a computer device 400. Fig. 4 is a schematic structural diagram of the computer device 400 provided in the embodiment of the present application, which includes:
a processor 41, a memory 42, and a bus 43. The memory 42 is used for storing execution instructions and includes a memory 421 and an external memory 422. The memory 421, also referred to as an internal memory, is used for temporarily storing operation data of the processor 41 and data exchanged with the external memory 422, such as a hard disk; the processor 41 exchanges data with the external memory 422 through the memory 421. When the computer device 400 operates, the processor 41 communicates with the memory 42 through the bus 43, so that the processor 41 executes the following instructions in user mode:
acquiring a total click log and a total exposure log of a push message to be detected, and determining a plurality of target devices based on the total click log and the total exposure log;
for each target device, determining the target logs of the target device from the total click log and the total exposure log; each target log is either a click log or an exposure log;
determining at least one log group from the target logs of the target device; each log group comprises a plurality of target logs having association relations;
and, if any target log of the target device is confirmed to be an abnormal traffic log, determining, based on the log group, the other target logs having an association relation with that target log to be abnormal traffic logs.
In a possible implementation, in the instructions executed by the processor 41, the acquiring a total click log and a total exposure log of the push message to be detected includes:
acquiring a total exposure log of the push message to be detected being exposed on a plurality of devices within a preset historical time period, and acquiring a total click log of the push message to be detected being clicked on each device within the preset historical time period.
In a possible implementation, in the instructions executed by the processor 41, the determining a plurality of target devices based on the total click log and the total exposure log includes:
reading a first target field including device identification information from each click log included in the total click log;
reading a second target field including device identification information from each exposure log included in the total exposure log;
determining the plurality of target devices based on the first target field and the second target field.
In a possible implementation, in the instructions executed by the processor 41, the determining at least one log group from the target logs of the target device includes:
for the target device, sorting the target logs of the target device according to the timestamp corresponding to each target log;
detecting whether the difference between the timestamps of every two adjacent target logs in the sorting result is smaller than a preset time difference threshold, and if so, establishing an association relation between the two adjacent target logs;
determining at least one log group from the target logs of the target device based on the association relations; each target log in any log group has an association relation with at least one other target log in the same log group.
In a possible implementation, the instructions executed by the processor 41 further include: filtering the abnormal traffic logs in the total click log and the total exposure log.
The present application further provides a computer-readable storage medium, where a computer program is stored on the computer-readable storage medium, and when the computer program is executed by a processor, the computer program performs the steps of the method for monitoring abnormal traffic in the foregoing method embodiments.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the above-described systems, apparatuses and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
In the several embodiments provided in the present application, it should be understood that the disclosed system, apparatus and method may be implemented in other ways. The above-described embodiments of the apparatus are merely illustrative, and for example, the division of the units is only one logical division, and there may be other divisions when actually implemented, and for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection of devices or units through some communication interfaces, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a non-volatile computer-readable storage medium executable by a processor. Based on such understanding, the technical solution of the present application, or the part of it that in essence contributes over the prior art, or a part of the technical solution, may be embodied in the form of a software product that is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present application. The aforementioned storage medium includes various media capable of storing program code, such as a USB flash drive, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk.
Finally, it should be noted that the above embodiments are only specific embodiments of the present application, used to illustrate its technical solutions rather than to limit them, and the scope of protection of the present application is not limited to them. Although the present application is described in detail with reference to the foregoing embodiments, those skilled in the art should understand that anyone skilled in the art can, within the technical scope disclosed in the present application, still modify the technical solutions described in the foregoing embodiments, readily conceive of changes to them, or make equivalent substitutions for some of their technical features; such modifications, changes or substitutions do not cause the essence of the corresponding technical solutions to depart from the spirit and scope of the embodiments of the present application, and are intended to be covered by the scope of protection of the present application. Therefore, the scope of protection of the present application shall be subject to the scope of protection of the claims.

Claims (10)

1. A method of abnormal traffic monitoring, comprising:
acquiring a total click log and a total exposure log of a push message to be detected, and determining a plurality of target devices based on the total click log and the total exposure log;
for each target device, determining the target logs of the target device from the total click log and the total exposure log; each target log is either a click log or an exposure log;
determining at least one log group from the target logs of the target device; each log group comprises a plurality of target logs having association relations;
if any target log of the target device is confirmed to be an abnormal traffic log, determining, based on the log group, the other target logs having an association relation with that target log to be abnormal traffic logs;
wherein the determining at least one log group from the target logs of the target device comprises:
for the target device, sorting the target logs of the target device according to the timestamp corresponding to each target log;
detecting whether the difference between the timestamps of every two adjacent target logs in the sorting result is smaller than a preset time difference threshold, and if so, establishing an association relation between the two adjacent target logs;
determining at least one log group from the target logs of the target device based on the association relations; each target log in any log group has an association relation with at least one other target log in the same log group.
2. The method of abnormal traffic monitoring according to claim 1, wherein the acquiring a total click log and a total exposure log of the push message to be detected comprises:
acquiring a total exposure log of the push message to be detected being exposed on a plurality of devices within a preset historical time period, and acquiring a total click log of the push message to be detected being clicked on each device within the preset historical time period.
3. The method of abnormal traffic monitoring according to claim 1, wherein the determining a plurality of target devices based on the total click log and the total exposure log comprises:
reading a first target field including device identification information from each click log included in the total click log;
reading a second target field including device identification information from each exposure log included in the total exposure log;
determining the plurality of target devices based on the first target field and the second target field.
4. The method of abnormal traffic monitoring according to claim 1, further comprising: filtering the abnormal traffic logs in the total click log and the total exposure log.
5. An apparatus for abnormal traffic monitoring, comprising:
an obtaining module, configured to acquire a total click log and a total exposure log of a push message to be detected, and to determine a plurality of target devices based on the total click log and the total exposure log;
a determining module, configured to determine, for each target device, the target logs of the target device from the total click log and the total exposure log; each target log is either a click log or an exposure log;
the determining module is further configured to determine at least one log group from the target logs of the target device; each log group comprises a plurality of target logs having association relations;
the determining module is further configured to, if any target log of the target device is confirmed to be an abnormal traffic log, determine, based on the log group, the other target logs having an association relation with that target log to be abnormal traffic logs;
the determining module, when determining at least one log group from the target logs of the target device, is specifically configured to:
for the target device, sort the target logs of the target device according to the timestamp corresponding to each target log;
detect whether the difference between the timestamps of every two adjacent target logs in the sorting result is smaller than a preset time difference threshold, and if so, establish an association relation between the two adjacent target logs;
determine at least one log group from the target logs of the target device based on the association relations; each target log in any log group has an association relation with at least one other target log in the same log group.
6. The apparatus for abnormal traffic monitoring according to claim 5, wherein the obtaining module, when acquiring the total click log and the total exposure log of the push message to be detected, is specifically configured to:
acquire a total exposure log of the push message to be detected being exposed on a plurality of devices within a preset historical time period, and acquire a total click log of the push message to be detected being clicked on each device within the preset historical time period.
7. The apparatus for abnormal traffic monitoring according to claim 5, wherein the determining module, when determining the plurality of target devices based on the total click log and the total exposure log, is configured to:
read a first target field including device identification information from each click log included in the total click log;
read a second target field including device identification information from each exposure log included in the total exposure log;
determine the plurality of target devices based on the first target field and the second target field.
8. The apparatus for abnormal traffic monitoring according to claim 5, further comprising:
a filtering module, configured to filter the abnormal traffic logs in the total click log and the total exposure log.
9. An electronic device, comprising: a processor, a memory and a bus, the memory storing machine-readable instructions executable by the processor, the processor and the memory communicating over the bus when the electronic device is operating, and the machine-readable instructions, when executed by the processor, performing the steps of the method of abnormal traffic monitoring according to any one of claims 1 to 4.
10. A computer-readable storage medium having stored thereon a computer program which, when executed by a processor, performs the steps of the method of abnormal traffic monitoring according to any one of claims 1 to 4.
CN201910935734.1A 2019-09-29 2019-09-29 Abnormal flow monitoring method and device Active CN110545292B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910935734.1A CN110545292B (en) 2019-09-29 2019-09-29 Abnormal flow monitoring method and device

Publications (2)

Publication Number Publication Date
CN110545292A CN110545292A (en) 2019-12-06
CN110545292B true CN110545292B (en) 2021-07-30

Family

ID=68715072

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910935734.1A Active CN110545292B (en) 2019-09-29 2019-09-29 Abnormal flow monitoring method and device

Country Status (1)

Country Link
CN (1) CN110545292B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant