CN110912861A - AI detection method and device for deeply tracking group attack behavior - Google Patents


Info

Publication number
CN110912861A
Authority
CN
China
Prior art keywords
information
user
statistical
attack
average number
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201811085395.4A
Other languages
Chinese (zh)
Other versions
CN110912861B (en)
Inventor
陈�峰
丛磊
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Shuan Xin Yun Information Technology Co Ltd
Original Assignee
Beijing Shuan Xin Yun Information Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Shuan Xin Yun Information Technology Co Ltd
Priority to CN201811085395.4A
Publication of CN110912861A
Application granted
Publication of CN110912861B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2463/00 Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
    • H04L2463/146 Tracing the source of attacks

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses an AI detection method and a device for deeply tracking a group attack behavior, wherein the method comprises the following steps: extracting first information, second information and third information of each user IP from a network access log; acquiring first statistical characteristics of user IPs based on the first information, and performing theme clustering on the user IPs based on the first statistical characteristics to obtain large clusters respectively corresponding to different themes; acquiring second statistical characteristics of user IPs based on second information, and performing behavior clustering on the user IPs in each large cluster based on the second statistical characteristics to obtain a plurality of small clusters corresponding to different behaviors respectively; acquiring a third statistical characteristic of each small cluster based on the third information; and when the third statistical characteristic of the small cluster is matched with the attack characteristic of the group attack behavior model, determining that the group attack behavior exists in the user IP of the small cluster. The invention improves the accuracy of detecting the gang attack behavior.

Description

AI detection method and device for deeply tracking group attack behavior
Technical Field
The invention relates to the technical field of internet security, in particular to an AI (artificial intelligence) detection method and device for deeply tracking a group attack behavior.
Background
As computer and network technology has developed, processing capacity, memory and network bandwidth have all increased rapidly. The harm caused by the earlier one-to-one form of network attack has therefore been greatly reduced, and the group attack form has appeared on the internet.
In a group attack on the internet, a hacker installs an agent program on a plurality of computers on the network and uses the computers with the agent program installed as agent servers, which serve as a springboard for attacking a target server. The attack behavior sent by each agent server is very similar to the access behavior of normal users, and the frequency of the attack messages it sends is very low. Because the number of agent servers is large, however, the large volume of access requests to the target server results in denial of service or a crash of the target server. A new technical scheme is therefore needed to detect group attack behavior effectively.
Disclosure of Invention
In order to solve the technical problem, the invention provides an AI detection method and device for deeply tracking a group attack behavior.
The invention provides an AI (artificial intelligence) detection method for deeply tracking a group attack behavior, which comprises the following steps:
extracting first information, second information and third information of each user IP from a network access log;
acquiring first statistical characteristics of user IPs based on the first information, and performing theme clustering on the user IPs based on the first statistical characteristics to obtain large clusters respectively corresponding to different themes;
acquiring second statistical characteristics of user IPs based on the second information, and performing behavior clustering on the user IPs in each large cluster based on the second statistical characteristics to obtain a plurality of small clusters corresponding to different behaviors respectively;
acquiring a third statistical characteristic of each small cluster based on the third information;
and when the third statistical characteristic of the small cluster is matched with the attack characteristic of the group attack behavior model, determining that the group attack behavior exists in each user IP in the small cluster.
The above method also has the following features:
the first information includes: URL in the network access log of each user IP;
the first statistical feature comprises: word-segmentation information obtained by segmenting the URLs of each user IP according to URL syntax.
The above method also has the following features:
the second information includes at least one of: URL, GET request message, HEAD request message, POST request message, PUT request message, DELETE request message, OPTIONS request message, TRACE request message, CONNECT request message, 1XX response message, 2XX response message, 3XX response message, 4XX response message and 5XX response message in each user IP network access log;
the second statistical characteristic includes at least one of the following characteristics corresponding to the second information: average number of URIs, average number of GET request messages, average number of HEAD request messages, average number of POST request messages, average number of PUT request messages, average number of DELETE request messages, average number of OPTIONS request messages, average number of TRACE request messages, average number of CONNECT request messages, average number of 1XX response messages, average number of 2XX response messages, average number of 3XX response messages, average number of 4XX response messages, average number of 5XX response messages, average number of URL PATNs, average REFER number, average number of TERuser agents for each user IP.
The above method also has the following features:
the third information includes at least one of: network segment information of each user IP in each small cluster and URL in each user IP network access log;
the third statistical characteristic includes at least one of the following characteristics corresponding to the third information: the total IP number of each small cluster, the number of B-type IP network segments, the number of C-type IP network segments, the number of time windows for URL access of each user IP and the number of URL access of each user IP.
The above method also has the following features:
pre-extracting the attack features of the group attack behavior model based on historical data in which group attack behavior has been detected.
The above method also has the following features:
and when all the characteristics in the current small cluster are determined to meet the corresponding threshold value and attack judgment logic in the attack characteristics of the group attack behavior model, determining that the third statistical characteristics of the small cluster are matched with the attack characteristics of the group attack behavior model.
The above method also has the following features:
at least two user IPs per small cluster.
The invention also provides an AI detection device for deeply tracking the gang attack behavior, which comprises the following steps:
the information extraction module is used for extracting the first information, the second information and the third information of each user IP from the network access log;
the first statistical feature extraction and topic clustering module is used for acquiring first statistical features of user IPs based on the first information, and performing topic clustering on the user IPs based on the first statistical features to acquire large clusters corresponding to different topics respectively;
a second statistical characteristic extracting and behavior clustering module, configured to obtain a second statistical characteristic of each user IP based on the second information, perform behavior clustering on the user IPs in each large cluster based on the second statistical characteristic, and obtain a plurality of small clusters corresponding to different behaviors, respectively;
a third statistical feature extraction module, configured to obtain a third statistical feature of each small cluster based on the third information;
and the identification module is used for determining that the user IP of the small cluster has the group attack behavior when the third statistical characteristic of the small cluster is matched with the attack characteristic of the group attack behavior model.
The above device also has the following features:
and the attack characteristic extraction module is used for extracting the attack characteristics of the group attack behavior model in advance based on the detected historical data with the group attack behavior.
The above device also has the following features:
and when all the characteristics in the current small cluster are determined to meet the corresponding threshold value and attack judgment logic in the attack characteristics of the group attack behavior model, determining that the third statistical characteristics of the small cluster are matched with the attack characteristics of the group attack behavior model.
The technical scheme of the invention improves the accuracy rate of detecting the gang attack behavior.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of the specification, illustrate embodiments of the invention and together with the description, serve to explain the principles of the invention. In the drawings, like reference numerals are used to indicate like elements. The drawings in the following description are directed to some, but not all embodiments of the invention. For a person skilled in the art, other figures can be derived from these figures without inventive effort.
FIG. 1 is a flow chart of an AI detection method for deep tracking of a group attack behavior according to an embodiment;
FIG. 2 is a block diagram of an AI detection apparatus for deep tracking of a group attack behavior in an embodiment.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention. It should be noted that the embodiments and features of the embodiments in the present application may be arbitrarily combined with each other without conflict.
FIG. 1 is a flowchart of the AI detection method for deeply tracking group attack behavior in an embodiment. The method includes:
step 101: extracting first information, second information and third information of each user IP from an original network access log;
step 102: acquiring first statistical characteristics of user IPs based on the first information, and performing theme clustering on the user IPs based on the first statistical characteristics to obtain large clusters respectively corresponding to different themes;
step 103: acquiring second statistical characteristics of user IPs based on second information, and performing behavior clustering on the user IPs in each large cluster based on the second statistical characteristics to obtain a plurality of small clusters corresponding to different behaviors respectively;
step 104: acquiring a third statistical characteristic of each small cluster based on the third information;
step 105: and when the third statistical characteristic of the small cluster is matched with the attack characteristic of the group attack behavior model, determining that the group attack behavior exists in the user IP of the small cluster.
Wherein:
the first information in step 101 includes: URL in the network access log of each user IP;
Because of the complexity of the internet, there are scenarios in which a plurality of users or devices share one Internet Protocol (IP) address. For detection accuracy, the user IP in the invention is therefore not limited to an IP address as the identifier and can also be a device ID or a user ID.
The second information includes at least one of: URL, GET request message, HEAD request message, POST request message, PUT request message, DELETE request message, OPTIONS request message, TRACE request message, CONNECT request message, 1XX response message, 2XX response message, 3XX response message, 4XX response message and 5XX response message in each user IP network access log;
the third information includes at least one of: network segment information of each user IP in each small cluster and URL in each user IP network access log.
For example, the first information, the second information, and the third information may be partially or entirely derived from a server log containing historical access information of the respective users.
Two examples of historical access information are given below:
100.116.239.81 GET 27289 26/Jun/2018:10:35:27+0800 bsc_web_20180510165403/app_share/styles/program_complete-ffd7db883c.css Mozilla/5.0(compatible;MSIE 9.0;Windows NT 6.1;Trident/5.0)--0.001-0/app_share/program_complete.html?id=76&uid=94516934&version=648.2&share_id=110061542030147183.3.239.163 HTTP/1.0 0 200
100.116.239.81 GET 1944 26/Jun/2018:10:35:27+0800 bsc_web_20180510165403/app_share/program_complete.html?id=76&uid=94516934&version=648.2&share_id=110061542030147 Mozilla/5.0(compatible;MSIE 9.0;Windows NT6.1;Trident/5.0)id=76&uid=94516934&version=648.2&share_id=110061542030147-0.000-0-183.3.239.163 HTTP/1.0 0 200
In step 102, the first statistical characteristic of each user IP is obtained based on the first information; it comprises the word-segmentation information obtained by segmenting the URLs of each user IP according to URL syntax.
For example, in the first example above, a URL in the network access log of a user IP is /app_share/styles/program_complete-ffd7db883c.css. Segmenting this URL according to URL syntax yields the words "app_share", "styles" and "program_complete-ffd7db883c.css". The words are counted per user IP to obtain the first statistical feature, and the user IPs are topic-clustered based on the words to obtain large clusters respectively corresponding to different topics.
The topic clustering algorithm in step 102 is a topic model algorithm commonly used in the prior art, such as LDA, PLSA, Word2vec, etc.
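The word segmentation of step 102, as an added example that is not part of the patent text: it builds the per-IP word counts and the document-term matrix that a topic model such as LDA takes as input. It goes beyond the path-only example above by also keeping query parameter names, which is an assumption, as are the function names and the documentation-range IP addresses.

```python
from collections import Counter, defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed sample records (user_ip, url). The two URLs of 192.0.2.10 are the
# ones in the log excerpt above; the IPs and the other URLs are constructed.
SAMPLE_RECORDS = [
    ("192.0.2.10", "/app_share/styles/program_complete-ffd7db883c.css"),
    ("192.0.2.10", "/app_share/program_complete.html"
                   "?id=76&uid=94516934&version=648.2&share_id=110061542030147"),
    ("198.51.100.7", "/app_share/program_complete.html"
                     "?id=12&uid=1&version=648.2&share_id=2"),
    ("203.0.113.5", "/news/list.html?page=3"),
]


def segment_url(url):
    """Split a URL into words following URL syntax.

    Path segments come first, then query parameter names. Assumption: parameter
    values (ids, tokens) are dropped because they are high-cardinality and
    would give every request its own vocabulary entry.
    """
    parts = urlsplit(url)
    words = [seg for seg in parts.path.split("/") if seg]
    words += [name for name, _ in parse_qsl(parts.query, keep_blank_values=True)]
    return words


def first_statistical_features(records):
    """Count words per user IP: returns {user_ip: Counter(word -> occurrences)}."""
    bags = defaultdict(Counter)
    for user_ip, url in records:
        bags[user_ip].update(segment_url(url))
    return dict(bags)


def document_term_matrix(bags):
    """Turn the per-IP bags into (ips, vocabulary, rows) for a topic model.

    Each row is one user IP treated as a document; each column is one word.
    """
    ips = sorted(bags)
    vocabulary = sorted({word for bag in bags.values() for word in bag})
    rows = [[bags[ip][word] for word in vocabulary] for ip in ips]
    return ips, vocabulary, rows


if __name__ == "__main__":
    ips, vocabulary, rows = document_term_matrix(
        first_statistical_features(SAMPLE_RECORDS))
    print(vocabulary)
    for ip, row in zip(ips, rows):
        print(ip, row)
```
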
In step 103, a second statistical characteristic of each user IP is obtained based on the second information, the user IPs in each large cluster are clustered based on the second statistical characteristic to obtain a plurality of small clusters respectively corresponding to different behaviors,
wherein, the second statistical characteristics of each user IP include: average number of URIs, average number of GET request messages, average number of HEAD request messages, average number of POST request messages, average number of PUT request messages, average number of DELETE request messages, average number of OPTIONS request messages, average number of TRACE request messages, average number of CONNECT request messages, average number of 1XX response messages, average number of 2XX response messages, average number of 3XX response messages, average number of 4XX response messages, average number of 5XX response messages, average number of URL PATNs, average REFER number, average number of TERuser agents for each user IP.
For example:
(Example table of second statistical features; published as images and not reproduced here.)
The behavior clustering algorithm in step 103 is a behavior model algorithm commonly used in the prior art, such as the KMEANS algorithm, the K-MEDOIDS algorithm, the CLARANS algorithm, etc.
In step 104, a third statistical characteristic of each small cluster is obtained based on the third information, where the third statistical characteristic of each small cluster includes: the total IP number of each small cluster, the number of B-type IP network segments, the number of C-type IP network segments and the number of accessed URLs.
For example: a third statistical characteristic of a small cluster is:
Name of third statistical feature    Statistical result
Total IP number                      130
Class B IP network segment number    80
Class C IP network segment number    50
Number of URLs visited               4
In step 105, when the third statistical characteristic of the small cluster matches the attack characteristic of the group attack behavior model, it is determined that group attack behavior exists in each user IP in the small cluster.
The attack characteristics of the group attack behavior model are extracted in advance based on historical data in which group attack behavior has been detected.
For example, the attack characteristics are: (number of IPs in small cluster > 5) and (number of IPs in small cluster / number of class C IP segments > 2) and (number of IPs in small cluster / number of class B IP segments <= 3) and (number of URLs visited by small cluster <= 5).
The third statistical characteristic of the small cluster in the above example matches these attack characteristics, i.e. "130 > 5 and 130/50 > 2 and 130/80 <= 3 and 4 <= 5"; therefore, the above small cluster is determined to have group attack behavior.
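Steps 104 and 105 as an added example, not code from the patent: it computes the third statistical features of a small cluster and evaluates the example attack characteristics clause by clause, so an analyst can see which clause decided the result. Reading "class B" and "class C" segments as /16 and /24 prefixes is an assumption, as are all function names and the constructed clusters of documentation-range addresses.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ClusterStats:
    total_ips: int
    class_b_segments: int  # assumption: distinct /16 prefixes
    class_c_segments: int  # assumption: distinct /24 prefixes
    urls_visited: int


def third_statistical_features(cluster):
    """cluster maps each user IP (IPv4 string) to the URLs it accessed."""
    addrs = {ipaddress.IPv4Address(ip) for ip in cluster}
    class_b = {ipaddress.ip_network(f"{a}/16", strict=False) for a in addrs}
    class_c = {ipaddress.ip_network(f"{a}/24", strict=False) for a in addrs}
    urls = set().union(*cluster.values())
    return ClusterStats(len(addrs), len(class_b), len(class_c), len(urls))


# The example attack characteristics from the text, one clause per entry.
# The zero guards keep an empty cluster from raising ZeroDivisionError.
ATTACK_CLAUSES = [
    ("IPs > 5",
     lambda s: s.total_ips > 5),
    ("IPs / class C segments > 2",
     lambda s: s.class_c_segments > 0 and s.total_ips / s.class_c_segments > 2),
    ("IPs / class B segments <= 3",
     lambda s: s.class_b_segments > 0 and s.total_ips / s.class_b_segments <= 3),
    ("URLs visited <= 5",
     lambda s: s.urls_visited <= 5),
]


def evaluate(stats):
    """Return {clause: True/False} so a non-match can be explained."""
    return {name: bool(check(stats)) for name, check in ATTACK_CLAUSES}


def is_group_attack(stats):
    """A cluster matches only when every clause holds."""
    return all(evaluate(stats).values())


def make_cluster(prefixes, hosts, urls):
    """Build a constructed cluster: every host in every /24 visits the same URLs."""
    return {f"{p}.{h}": set(urls) for p in prefixes for h in hosts}


# Constructed sample clusters (documentation address ranges, made-up URLs).
# Nine IPs spread over three /24s in three different /16s, all hitting two URLs.
DISTRIBUTED = make_cluster(["192.0.2", "198.51.100", "203.0.113"],
                           [10, 11, 12], ["/login", "/api/coupon"])
# Six IPs from one /24, e.g. a single office network using the same two URLs.
SINGLE_SUBNET = make_cluster(["198.51.100"], range(1, 7),
                             ["/login", "/api/coupon"])

# The statistics from the example table in the text.
PAGE_EXAMPLE = ClusterStats(total_ips=130, class_b_segments=80,
                            class_c_segments=50, urls_visited=4)

if __name__ == "__main__":
    for label, stats in [
        ("page example", PAGE_EXAMPLE),
        ("distributed", third_statistical_features(DISTRIBUTED)),
        ("single subnet", third_statistical_features(SINGLE_SUBNET)),
    ]:
        print(label, stats, evaluate(stats), is_group_attack(stats))
```
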
In the implementation of the method, various statistical characteristics, clustering algorithms and attack characteristics are designed, and particularly, the corresponding statistical characteristics, clustering algorithms and attack characteristics can be selected according to the use requirements, so that the detection of the gang attacks is realized.
Fig. 2 is a block diagram of an AI detection apparatus for deep tracking of a group attack behavior in an embodiment. The AI detection device for deeply tracking the gang attack behavior comprises an information extraction module, a first statistical feature extraction and topic clustering module, a second statistical feature extraction and behavior clustering module, a third statistical feature extraction module, a feature extraction module and an identification module:
the information extraction module is used for extracting the first information, the second information and the third information of each user IP from the network access log;
the first statistical feature extraction and topic clustering module is used for acquiring first statistical features of user IPs based on the first information, and performing topic clustering on the user IPs based on the first statistical features to acquire large clusters corresponding to different topics respectively;
the second statistical characteristic extraction and behavior clustering module is used for acquiring second statistical characteristics of user IPs based on second information, and performing behavior clustering on the user IPs in each large cluster based on the second statistical characteristics to acquire a plurality of small clusters corresponding to different behaviors respectively;
the third statistical feature extraction module is used for acquiring third statistical features of the small clusters based on third information;
and the attack characteristic extraction module is used for extracting the attack characteristics of the group attack behavior model in advance based on the detected historical data with the group attack behavior.
And the identification module is used for determining that the user IP of the small cluster has the group attack behavior when the third statistical characteristic of the small cluster is matched with the attack characteristic of the group attack behavior model.
The identification module is further used for determining that the third statistical characteristic of the small cluster is matched with the attack characteristic of the group attack behavior model when all the characteristics in the current small cluster are determined to meet the corresponding threshold value and the attack judgment logic in the attack characteristic of the group attack behavior model.
The invention utilizes the characteristics of the network group attack, extracts the statistical characteristics by analyzing the original network access log, divides the user IP with higher behavior similarity into a cluster after performing subject clustering and behavior clustering on the statistical characteristics, matches the statistical characteristics in the cluster with the attack characteristics extracted from the historical group attack data, and can determine that the user IP in the cluster is the group attack behavior if the matching is successful.
The above-described aspects may be implemented individually or in various combinations, and such variations are within the scope of the present invention.
It will be understood by those of ordinary skill in the art that all or some of the steps of the methods, systems, functional modules/units in the devices disclosed above may be implemented as software, firmware, hardware, and suitable combinations thereof. In a hardware implementation, the division between functional modules/units mentioned in the above description does not necessarily correspond to the division of physical components; for example, one physical component may have multiple functions, or one function or step may be performed by several physical components in cooperation. Some or all of the components may be implemented as software executed by a processor, such as a digital signal processor or microprocessor, or as hardware, or as an integrated circuit, such as an application specific integrated circuit. Such software may be distributed on computer readable media, which may include computer storage media (or non-transitory media) and communication media (or transitory media). The term computer storage media includes volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storage of information such as computer readable instructions, data structures, program modules or other data, as is well known to those of ordinary skill in the art. Computer storage media includes, but is not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, Digital Versatile Disks (DVD) or other optical disk storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to store the desired information and which can be accessed by a computer. In addition, communication media typically embodies computer readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism and includes any information delivery media as known to those skilled in the art.
Finally, it should be noted that: the above examples are only for illustrating the technical solutions of the present invention, and are not limited thereto. Although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims (10)

1. An AI detection method for deeply tracking a group attack behavior is characterized by comprising the following steps:
extracting first information, second information and third information of each user IP from a network access log;
acquiring first statistical characteristics of user IPs based on the first information, and performing theme clustering on the user IPs based on the first statistical characteristics to obtain large clusters respectively corresponding to different themes;
acquiring second statistical characteristics of user IPs based on the second information, and performing behavior clustering on the user IPs in each large cluster based on the second statistical characteristics to obtain a plurality of small clusters corresponding to different behaviors respectively;
acquiring a third statistical characteristic of each small cluster based on the third information;
and when the third statistical characteristic of the small cluster is matched with the attack characteristic of the group attack behavior model, determining that the group attack behavior exists in each user IP in the small cluster.
2. The AI detection method of claim 1, wherein:
the first information includes: URL in the network access log of each user IP;
the first statistical feature comprises: word-segmentation information obtained by segmenting the URLs of each user IP according to URL syntax.
3. The AI detection method of claim 1, wherein:
the second information includes at least one of: URL, GET request message, HEAD request message, POST request message, PUT request message, DELETE request message, OPTIONS request message, TRACE request message, CONNECT request message, 1XX response message, 2XX response message, 3XX response message, 4XX response message and 5XX response message in each user IP network access log;
the second statistical characteristic includes at least one of the following characteristics corresponding to the second information: average number of URIs, average number of GET request messages, average number of HEAD request messages, average number of POST request messages, average number of PUT request messages, average number of DELETE request messages, average number of OPTIONS request messages, average number of TRACE request messages, average number of CONNECT request messages, average number of 1XX response messages, average number of 2XX response messages, average number of 3XX response messages, average number of 4XX response messages, average number of 5XX response messages, average number of URL PATNs, average REFER number, average number of TERuser agents for each user IP.
4. The AI detection method of claim 1, wherein:
the third information includes at least one of: network segment information of each user IP in each small cluster and URL in each user IP network access log;
the third statistical characteristic includes at least one of the following characteristics corresponding to the third information: the total IP number of each small cluster, the number of B-type IP network segments, the number of C-type IP network segments, the number of time windows for URL access of each user IP and the number of URL access of each user IP.
5. The AI detection method of claim 1, further comprising:
pre-extracting the attack features of the group attack behavior model based on historical data in which group attack behavior has been detected.
6. The AI detection method of claim 1, further comprising:
and when all the characteristics in the current small cluster are determined to meet the corresponding threshold value and attack judgment logic in the attack characteristics of the group attack behavior model, determining that the third statistical characteristics of the small cluster are matched with the attack characteristics of the group attack behavior model.
7. The AI detection method of claim 1, wherein:
at least two user IPs per small cluster.
8. An AI detection apparatus for deeply tracking a group attack behavior, comprising:
an information extraction module, configured to extract the first information, the second information and the third information of each user IP from the network access log;
a first statistical feature extraction and topic clustering module, configured to obtain a first statistical feature of each user IP based on the first information, and to perform topic clustering on the user IPs based on the first statistical feature to obtain large clusters corresponding to different topics;
a second statistical feature extraction and behavior clustering module, configured to obtain a second statistical feature of each user IP based on the second information, and to perform behavior clustering on the user IPs in each large cluster based on the second statistical feature to obtain a plurality of small clusters corresponding to different behaviors;
a third statistical feature extraction module, configured to obtain a third statistical feature of each small cluster based on the third information;
and an identification module, configured to determine that the user IPs of a small cluster exhibit group attack behavior when the third statistical feature of that small cluster matches the attack features of the group attack behavior model.
9. The AI detection device of claim 7, further comprising:
an attack feature extraction module, configured to extract, in advance, the attack features of the group attack behavior model based on historical data in which group attack behavior has been detected.
10. The AI detection device of claim 7, wherein the identification module is further configured to:
when all the features of the current small cluster are determined to satisfy the corresponding thresholds and attack judgment logic in the attack features of the group attack behavior model, determine that the third statistical feature of the small cluster matches the attack features of the group attack behavior model.
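Added example (not part of the patent text): a Python sketch of the third-statistical-feature computation described in claim 4 and the all-conditions match described in claim 6, run on a constructed small cluster. The 300-second window, the reading of B-type and C-type segments as /16 and /24 prefixes, the per-IP averaging, and the thresholds in `ATTACK_MODEL` are assumptions; the claims do not specify them.

```python
from collections import defaultdict
from ipaddress import ip_network
import operator

WINDOW_SECONDS = 300  # assumed window length; the claims do not fix one

# Constructed records for one small cluster: (user IP, epoch seconds, URL).
SAMPLE_CLUSTER = [
    ("203.0.113.10", 1000, "/login"),
    ("203.0.113.10", 1010, "/login"),
    ("203.0.113.10", 1400, "/login"),
    ("203.0.113.11", 1005, "/login"),
    ("203.0.113.11", 1015, "/login"),
    ("203.0.113.12", 1020, "/login"),
    ("203.0.113.12", 1700, "/login"),
    ("198.51.100.7", 1030, "/login"),
    ("198.51.100.7", 1040, "/login"),
]

def third_features(records, window=WINDOW_SECONDS):
    """Per-cluster statistics named in claim 4 (per-IP values averaged)."""
    windows, hits = defaultdict(set), defaultdict(int)
    for ip, ts, _url in records:
        windows[ip].add(ts // window)   # distinct time windows with access
        hits[ip] += 1                   # URL accesses by this IP
    ips = list(hits)
    if not ips:
        raise ValueError("a small cluster must contain at least one record")
    return {
        "total_ips": len(ips),
        "b_segments": len({ip_network(f"{ip}/16", strict=False) for ip in ips}),
        "c_segments": len({ip_network(f"{ip}/24", strict=False) for ip in ips}),
        "avg_windows_per_ip": sum(len(w) for w in windows.values()) / len(ips),
        "avg_urls_per_ip": sum(hits.values()) / len(ips),
    }

# Hypothetical attack features: (comparison, threshold) per statistic.
ATTACK_MODEL = {
    "total_ips": (operator.ge, 2),
    "c_segments": (operator.le, 2),
    "avg_windows_per_ip": (operator.le, 2.0),
    "avg_urls_per_ip": (operator.ge, 2.0),
}

def matches_model(features, model=ATTACK_MODEL):
    """Claim 6: a match requires every feature to satisfy its rule."""
    return all(op(features[name], limit) for name, (op, limit) in model.items())
```

In practice the thresholds would come from the historical data that claim 5 describes, not from hand-picked constants.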
CN201811085395.4A 2018-09-18 2018-09-18 AI detection method and device for deeply tracking group attack behavior Active CN110912861B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811085395.4A CN110912861B (en) 2018-09-18 2018-09-18 AI detection method and device for deeply tracking group attack behavior

Publications (2)

Publication Number Publication Date
CN110912861A (en) 2020-03-24
CN110912861B (en) 2022-02-15

Family

ID=69812686

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811085395.4A Active CN110912861B (en) 2018-09-18 2018-09-18 AI detection method and device for deeply tracking group attack behavior

Country Status (1)

Country Link
CN (1) CN110912861B (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111740855A (en) * 2020-05-06 2020-10-02 首都师范大学 Risk identification method, device and equipment based on data migration and storage medium
CN111756720A (en) * 2020-06-16 2020-10-09 深信服科技股份有限公司 Targeted attack detection method, apparatus thereof and computer-readable storage medium
CN113051570A (en) * 2021-05-25 2021-06-29 深圳市积汇天成科技有限公司 Server access monitoring method and device
CN114389857A (en) * 2021-12-24 2022-04-22 国家计算机网络与信息安全管理中心 Network attack group fusion method based on core attack resources

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105528422A (en) * 2015-12-07 2016-04-27 中国建设银行股份有限公司 Focused crawler processing method and apparatus
CN105956004A (en) * 2016-04-20 2016-09-21 广州精点计算机科技有限公司 Method and device for analyzing mobile user internet behavior based on URL analysis model
CN106778260A (en) * 2016-12-31 2017-05-31 网易无尾熊(杭州)科技有限公司 Attack detection method and device
CN107241352A (en) * 2017-07-17 2017-10-10 浙江鹏信信息科技股份有限公司 A kind of net security accident classificaiton and Forecasting Methodology and system
CN107800684A (en) * 2017-09-20 2018-03-13 贵州白山云科技有限公司 A kind of low frequency reptile recognition methods and device
CN109145179A (en) * 2017-07-26 2019-01-04 北京数安鑫云信息技术有限公司 A kind of crawler behavioral value method and device
CN109145934A (en) * 2017-12-22 2019-01-04 北京数安鑫云信息技术有限公司 User behavior data processing method, medium, equipment and device based on log
US20200195667A1 (en) * 2017-12-28 2020-06-18 Alibaba Group Holding Limited Url attack detection method and apparatus, and electronic device

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111740855A (en) * 2020-05-06 2020-10-02 首都师范大学 Risk identification method, device and equipment based on data migration and storage medium
CN111740855B (en) * 2020-05-06 2023-04-18 首都师范大学 Risk identification method, device and equipment based on data migration and storage medium
CN111756720A (en) * 2020-06-16 2020-10-09 深信服科技股份有限公司 Targeted attack detection method, apparatus thereof and computer-readable storage medium
CN111756720B (en) * 2020-06-16 2023-03-24 深信服科技股份有限公司 Targeted attack detection method, apparatus thereof and computer-readable storage medium
CN113051570A (en) * 2021-05-25 2021-06-29 深圳市积汇天成科技有限公司 Server access monitoring method and device
CN113051570B (en) * 2021-05-25 2021-08-17 深圳市积汇天成科技有限公司 Server access monitoring method and device
CN114389857A (en) * 2021-12-24 2022-04-22 国家计算机网络与信息安全管理中心 Network attack group fusion method based on core attack resources
CN114389857B (en) * 2021-12-24 2024-04-05 国家计算机网络与信息安全管理中心 Network attack group fusion method based on core attack resource

Also Published As

Publication number Publication date
CN110912861B (en) 2022-02-15

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant