CN110912861A - AI detection method and device for deeply tracking group attack behavior - Google Patents
- Publication number: CN110912861A
- Application number: CN201811085395.4A
- Authority: CN (China)
- Prior art keywords: information, user, statistical, attack, average number
- Legal status: Granted (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1425—Traffic logging, e.g. anomaly detection
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L2463/00—Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
- H04L2463/146—Tracing the source of attacks
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention discloses an AI detection method and a device for deeply tracking a group attack behavior, wherein the method comprises the following steps: extracting first information, second information and third information of each user IP from a network access log; acquiring first statistical characteristics of user IPs based on the first information, and performing topic clustering on the user IPs based on the first statistical characteristics to obtain large clusters respectively corresponding to different topics; acquiring second statistical characteristics of user IPs based on second information, and performing behavior clustering on the user IPs in each large cluster based on the second statistical characteristics to obtain a plurality of small clusters corresponding to different behaviors respectively; acquiring a third statistical characteristic of each small cluster based on the third information; and when the third statistical characteristic of the small cluster is matched with the attack characteristic of the group attack behavior model, determining that the group attack behavior exists in the user IP of the small cluster. The invention improves the accuracy of detecting the group attack behavior.
Description
Technical Field
The invention relates to the technical field of internet security, in particular to an AI (artificial intelligence) detection method and device for deeply tracking a group attack behavior.
Background
As computer and network technology has developed, processing power, memory and network bandwidth have all grown rapidly. The harm done by the earlier one-to-one form of network attack has therefore fallen sharply, and group attacks on the internet have emerged.
A group attack on the internet means that a hacker installs an agent program on many computers on the network and uses those computers as proxy servers, a springboard from which to attack a target server. The attack traffic sent by each proxy server closely resembles the access behavior of a normal user, and each proxy server sends attack messages at a very low frequency. Because the proxy servers are numerous, however, the large volume of access requests causes denial of service or a crash of the target server. A new technical scheme is therefore needed to detect group attack behavior effectively.
Disclosure of Invention
In order to solve the technical problem, the invention provides an AI detection method and device for deeply tracking a group attack behavior.
The invention provides an AI (artificial intelligence) detection method for deeply tracking a group attack behavior, which comprises the following steps:
extracting first information, second information and third information of each user IP from a network access log;
acquiring first statistical characteristics of user IPs based on the first information, and performing theme clustering on the user IPs based on the first statistical characteristics to obtain large clusters respectively corresponding to different themes;
acquiring second statistical characteristics of user IPs based on the second information, and performing behavior clustering on the user IPs in each large cluster based on the second statistical characteristics to obtain a plurality of small clusters corresponding to different behaviors respectively;
acquiring a third statistical characteristic of each small cluster based on the third information;
and when the third statistical characteristic of the small cluster is matched with the attack characteristic of the group attack behavior model, determining that the group attack behavior exists in each user IP in the small cluster.
The above method also has the following features:
the first information includes: URL in the network access log of each user IP;
the first statistical feature comprises: word segmentation information obtained by segmenting the URLs of each user IP according to the URL syntax.
The above method also has the following features:
the second information includes at least one of: URL, GET request message, HEAD request message, POST request message, PUT request message, DELETE request message, OPTIONS request message, TRACE request message, CONNECT request message, 1XX response message, 2XX response message, 3XX response message, 4XX response message and 5XX response message in each user IP network access log;
the second statistical characteristic includes at least one of the following characteristics corresponding to the second information: average number of URIs, average number of GET request messages, average number of HEAD request messages, average number of POST request messages, average number of PUT request messages, average number of DELETE request messages, average number of OPTIONS request messages, average number of TRACE request messages, average number of CONNECT request messages, average number of 1XX response messages, average number of 2XX response messages, average number of 3XX response messages, average number of 4XX response messages, average number of 5XX response messages, average number of URL PATNs, average REFER number, average number of TERuser agents for each user IP.
The above method also has the following features:
the third information includes at least one of: network segment information of each user IP in each small cluster and URL in each user IP network access log;
the third statistical characteristic includes at least one of the following characteristics corresponding to the third information: the total IP number of each small cluster, the number of B-type IP network segments, the number of C-type IP network segments, the number of time windows for URL access of each user IP and the number of URL access of each user IP.
The above method also has the following features:
pre-extracting the attack features of the group attack behavior model based on historical data in which group attack behavior has been detected.
The above method also has the following features:
and when all the characteristics in the current small cluster are determined to meet the corresponding threshold value and attack judgment logic in the attack characteristics of the group attack behavior model, determining that the third statistical characteristics of the small cluster are matched with the attack characteristics of the group attack behavior model.
The above method also has the following features:
each small cluster contains at least two user IPs.
The invention also provides an AI detection device for deeply tracking the group attack behavior, which comprises:
the information extraction module is used for extracting the first information, the second information and the third information of each user IP from the network access log;
the first statistical feature extraction and topic clustering module is used for acquiring first statistical features of user IPs based on the first information, and performing topic clustering on the user IPs based on the first statistical features to acquire large clusters corresponding to different topics respectively;
a second statistical characteristic extracting and behavior clustering module, configured to obtain a second statistical characteristic of each user IP based on the second information, perform behavior clustering on the user IPs in each large cluster based on the second statistical characteristic, and obtain a plurality of small clusters corresponding to different behaviors, respectively;
a third statistical feature extraction module, configured to obtain a third statistical feature of each small cluster based on the third information;
and the identification module is used for determining that the user IP of the small cluster has the group attack behavior when the third statistical characteristic of the small cluster is matched with the attack characteristic of the group attack behavior model.
The above device also has the following features:
and the attack characteristic extraction module is used for extracting the attack characteristics of the group attack behavior model in advance based on the detected historical data with the group attack behavior.
The above device also has the following features:
and when all the characteristics in the current small cluster are determined to meet the corresponding threshold value and attack judgment logic in the attack characteristics of the group attack behavior model, determining that the third statistical characteristics of the small cluster are matched with the attack characteristics of the group attack behavior model.
The technical scheme of the invention improves the accuracy of detecting group attack behavior.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of the specification, illustrate embodiments of the invention and together with the description, serve to explain the principles of the invention. In the drawings, like reference numerals are used to indicate like elements. The drawings in the following description are directed to some, but not all embodiments of the invention. For a person skilled in the art, other figures can be derived from these figures without inventive effort.
FIG. 1 is a flow chart of an AI detection method for deep tracking of a group attack behavior according to an embodiment;
FIG. 2 is a block diagram of an AI detection apparatus for deep tracking of a group attack behavior in an embodiment.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention. It should be noted that the embodiments and features of the embodiments in the present application may be arbitrarily combined with each other without conflict.
Fig. 1 is a flowchart of an AI detection method for deep tracking of a group attack behavior in an embodiment. The method includes:
step 101: extracting first information, second information and third information of each user IP from an original network access log;
step 102: acquiring first statistical characteristics of user IPs based on the first information, and performing theme clustering on the user IPs based on the first statistical characteristics to obtain large clusters respectively corresponding to different themes;
step 103: acquiring second statistical characteristics of user IPs based on second information, and performing behavior clustering on the user IPs in each large cluster based on the second statistical characteristics to obtain a plurality of small clusters corresponding to different behaviors respectively;
step 104: acquiring a third statistical characteristic of each small cluster based on the third information;
step 105: and when the third statistical characteristic of the small cluster is matched with the attack characteristic of the group attack behavior model, determining that the group attack behavior exists in the user IP of the small cluster.
Wherein:
the first information in step 101 includes: the URL in the network access log of each user IP;
Because of the complexity of the internet, there are scenarios in which multiple users or devices share one Internet Protocol (IP) address. For detection accuracy, the user IP in the invention is therefore not limited to an IP address as the identifier; it can also be a device ID or a user ID.
The second information includes at least one of: URL, GET request message, HEAD request message, POST request message, PUT request message, DELETE request message, OPTIONS request message, TRACE request message, CONNECT request message, 1XX response message, 2XX response message, 3XX response message, 4XX response message and 5XX response message in each user IP network access log;
the third information includes at least one of: network segment information of each user IP in each small cluster and URL in each user IP network access log.
For example, the first information, the second information, and the third information may be partially or entirely derived from a server log containing historical access information of the respective users.
Two examples of historical access information are given below:
100.116.239.81 GET 27289 26/Jun/2018:10:35:27+0800 bsc_web_20180510165403/app_share/styles/program_complete-ffd7db883c.css Mozilla/5.0(compatible;MSIE 9.0;Windows NT 6.1;Trident/5.0)--0.001-0/app_share/program_complete.html?id=76&uid=94516934&version=648.2&share_id=110061542030147183.3.239.163 HTTP/1.0 0 200
100.116.239.81 GET 1944 26/Jun/2018:10:35:27+0800 bsc_web_20180510165403/app_share/program_complete.html?id=76&uid=94516934&version=648.2&share_id=110061542030147 Mozilla/5.0(compatible;MSIE 9.0;Windows NT6.1;Trident/5.0)id=76&uid=94516934&version=648.2&share_id=110061542030147-0.000-0-183.3.239.163 HTTP/1.0 0 200
In step 102, a first statistical characteristic of each user IP is obtained based on the first information; it comprises the word segmentation information obtained by segmenting the URLs of each user IP according to the URL syntax.
For example, in the first example above, a URL in the network access log of a user IP is /app_share/styles/program_complete-ffd7db883c.css. Segmenting the URL according to the URL syntax yields the words "app_share", "styles" and "program_complete-ffd7db883c.css". The words are counted per user IP to obtain the first statistical feature, and the user IPs are topic-clustered based on the words to obtain large clusters respectively corresponding to different topics.
The topic clustering algorithm in step 102 is a topic model algorithm commonly used in the prior art, such as LDA, PLSA, Word2vec, etc.
In step 103, a second statistical characteristic of each user IP is obtained based on the second information, the user IPs in each large cluster are clustered based on the second statistical characteristic to obtain a plurality of small clusters respectively corresponding to different behaviors,
wherein, the second statistical characteristics of each user IP include: average number of URIs, average number of GET request messages, average number of HEAD request messages, average number of POST request messages, average number of PUT request messages, average number of DELETE request messages, average number of OPTIONS request messages, average number of TRACE request messages, average number of CONNECT request messages, average number of 1XX response messages, average number of 2XX response messages, average number of 3XX response messages, average number of 4XX response messages, average number of 5XX response messages, average number of URL PATNs, average REFER number, average number of TERuser agents for each user IP.
For example:
The behavior clustering algorithm in step 103 is a behavior model algorithm commonly used in the prior art, such as the KMEANS algorithm, the K-MEDOIDS algorithm, the CLARANS algorithm, etc.
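The feature extraction of steps 102 and 103, as an added example that is not part of the patent text: it builds the per-client URL word counts a topic model would consume and the per-client averages a behavior clustering algorithm would consume. The record layout, the 10-minute averaging window and all function names are assumptions; the page does not define the unit over which the averages are taken.

```python
from collections import Counter, defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Constructed sample records (not taken from the page's log excerpts):
# (client identifier, method, status code, ISO timestamp, URL).
RECORDS = [
    ("192.0.2.10", "GET", 200, "2018-06-26T10:35:27",
     "/app_share/styles/program_complete-ffd7db883c.css"),
    ("192.0.2.10", "GET", 200, "2018-06-26T10:35:40",
     "/app_share/program_complete.html?id=76&uid=1"),
    ("192.0.2.10", "POST", 404, "2018-06-26T10:47:02",
     "/app_share/program_complete.html?id=77&uid=1"),
    ("198.51.100.7", "GET", 200, "2018-06-26T10:36:00", "/news/index.html"),
    ("198.51.100.7", "HEAD", 301, "2018-06-26T10:36:05", "/news/"),
]

METHODS = ("GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE", "CONNECT")
STATUS_CLASSES = ("1XX", "2XX", "3XX", "4XX", "5XX")
FEATURE_ORDER = ("URI",) + METHODS + STATUS_CLASSES
WINDOW_SECONDS = 600          # assumed averaging window
EPOCH = datetime(1970, 1, 1)  # fixed origin so window buckets are reproducible


def url_words(url):
    """Step 102: split the URL path on '/' into words (query string ignored)."""
    return [segment for segment in urlsplit(url).path.split("/") if segment]


def first_features(records):
    """Per-client word counts: the bag of words passed to a topic model."""
    words = defaultdict(Counter)
    for client, _method, _status, _ts, url in records:
        words[client].update(url_words(url))
    return dict(words)


def second_features(records, window=WINDOW_SECONDS):
    """Step 103: per-client averages over the windows in which the client was active."""
    counts = defaultdict(Counter)                  # client -> feature -> total
    uris = defaultdict(lambda: defaultdict(set))   # client -> window -> distinct URLs
    for client, method, status, ts, url in records:
        seconds = (datetime.fromisoformat(ts) - EPOCH).total_seconds()
        uris[client][int(seconds // window)].add(url)
        if method in METHODS:
            counts[client][method] += 1
        counts[client][f"{status // 100}XX"] += 1
    features = {}
    for client, per_window in uris.items():
        active = len(per_window)
        row = {name: counts[client][name] / active
               for name in METHODS + STATUS_CLASSES}
        row["URI"] = sum(len(seen) for seen in per_window.values()) / active
        features[client] = row
    return features


def feature_vector(row):
    """Fixed-order numeric vector, the form a k-means style algorithm expects."""
    return [row[name] for name in FEATURE_ORDER]


if __name__ == "__main__":
    for client, row in second_features(RECORDS).items():
        print(client, feature_vector(row))
```

Clients that share a large topic cluster are then grouped on these vectors by whichever behavior clustering algorithm is chosen.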
In step 104, a third statistical characteristic of each small cluster is obtained based on the third information, where the third statistical characteristic of each small cluster includes: the total IP number of each small cluster, the number of B-type IP network segments, the number of C-type IP network segments and the number of accessed URLs.
For example: a third statistical characteristic of a small cluster is:
Name of third statistical feature | Statistical result |
---|---|
Total IP number | 130 |
Class B IP network segment number | 80 |
Class C IP network segment number | 50 |
Number of URLs visited | 4 |
And step 105, when the third statistical characteristic of the small cluster is matched with the attack characteristic of the group attack behavior model, determining that the group attack behavior exists in each user IP in the small cluster.
The attack characteristics of the group attack behavior model are extracted in advance from historical data in which group attack behavior has been detected.
For example, the attack characteristics are: (number of IPs in the small cluster > 5) and (number of IPs in the small cluster / number of class C IP segments > 2) and (number of IPs in the small cluster / number of class B IP segments ≤ 3) and (number of URLs visited by the small cluster ≤ 5).
The third statistical characteristic of the small cluster in the above example matches the attack characteristics, i.e. "130 > 5 and 130/50 > 2 and 130/80 ≤ 3 and 4 ≤ 5"; the small cluster is therefore determined to exhibit group attack behavior.
The method admits a range of statistical characteristics, clustering algorithms and attack characteristics; in a particular implementation, the appropriate ones can be selected according to the use requirements to detect group attacks.
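Steps 104 and 105 as an added example, not code from the patent: it derives the third statistical characteristics of a small cluster from (IP, URL) pairs and evaluates the example attack characteristics given above. It assumes that a "class B segment" means a /16 prefix and a "class C segment" a /24 prefix; the function names and the sample clusters are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ClusterStats:
    total_ips: int
    class_b_segments: int
    class_c_segments: int
    urls_visited: int


def cluster_stats(accesses):
    """Step 104: third statistical characteristics from (ip, url) pairs."""
    ips, b_nets, c_nets, urls = set(), set(), set(), set()
    for ip, url in accesses:
        addr = ipaddress.IPv4Address(ip)
        ips.add(addr)
        # Assumption: class B segment = /16 prefix, class C segment = /24 prefix.
        b_nets.add(ipaddress.ip_network(f"{addr}/16", strict=False))
        c_nets.add(ipaddress.ip_network(f"{addr}/24", strict=False))
        urls.add(url)
    return ClusterStats(len(ips), len(b_nets), len(c_nets), len(urls))


def rule_results(stats):
    """Evaluate each condition of the example rule separately, for triage."""
    per_c = stats.total_ips / stats.class_c_segments if stats.class_c_segments else None
    per_b = stats.total_ips / stats.class_b_segments if stats.class_b_segments else None
    return {
        "total_ips > 5": stats.total_ips > 5,
        "ips_per_class_c_segment > 2": per_c is not None and per_c > 2,
        "ips_per_class_b_segment <= 3": per_b is not None and per_b <= 3,
        "urls_visited <= 5": stats.urls_visited <= 5,
    }


def matches_attack_features(stats):
    """Step 105: the cluster matches only if every condition holds."""
    return all(rule_results(stats).values())


# Constructed cluster: 9 clients packed into three /24 ranges, two shared URLs.
DENSE = [(f"{net}.{host}", url)
         for net in ("192.0.2", "198.51.100", "203.0.113")
         for host in (1, 2, 3)
         for url in ("/login", "/search")]

# Constructed cluster: 6 clients, each alone in its own /24.
SPARSE = [(f"10.{n}.0.1", "/") for n in range(6)]

# The figures from the table on this page, taken as given.
PAGE_EXAMPLE = ClusterStats(130, 80, 50, 4)

if __name__ == "__main__":
    for name, stats in (("dense", cluster_stats(DENSE)),
                        ("sparse", cluster_stats(SPARSE)),
                        ("page example", PAGE_EXAMPLE)):
        print(name, stats, matches_attack_features(stats))
```

Under the /16 and /24 reading a cluster can never contain fewer class C segments than class B segments, so the page's figures (80 and 50) are passed to the rule directly as `PAGE_EXAMPLE` rather than derived from addresses.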
Fig. 2 is a block diagram of an AI detection apparatus for deep tracking of a group attack behavior in an embodiment. The AI detection device for deeply tracking the group attack behavior comprises an information extraction module, a first statistical feature extraction and topic clustering module, a second statistical feature extraction and behavior clustering module, a third statistical feature extraction module, an attack characteristic extraction module and an identification module:
the information extraction module is used for extracting the first information, the second information and the third information of each user IP from the network access log;
the first statistical feature extraction and topic clustering module is used for acquiring first statistical features of user IPs based on the first information, and performing topic clustering on the user IPs based on the first statistical features to acquire large clusters corresponding to different topics respectively;
the second statistical characteristic extraction and behavior clustering module is used for acquiring second statistical characteristics of user IPs based on second information, and performing behavior clustering on the user IPs in each large cluster based on the second statistical characteristics to acquire a plurality of small clusters corresponding to different behaviors respectively;
the third statistical feature extraction module is used for acquiring third statistical features of the small clusters based on third information;
the attack characteristic extraction module is used for extracting the attack characteristics of the group attack behavior model in advance based on the detected historical data with the group attack behavior;
and the identification module is used for determining that the user IP of the small cluster has the group attack behavior when the third statistical characteristic of the small cluster is matched with the attack characteristic of the group attack behavior model.
The identification module is further used for determining that the third statistical characteristic of the small cluster is matched with the attack characteristic of the group attack behavior model when all the characteristics in the current small cluster are determined to meet the corresponding threshold value and the attack judgment logic in the attack characteristic of the group attack behavior model.
The invention exploits the characteristics of network group attacks: it extracts statistical characteristics by analyzing the original network access log, performs topic clustering and behavior clustering on those characteristics so that user IPs with highly similar behavior fall into one cluster, and matches the statistical characteristics of each cluster against the attack characteristics extracted from historical group attack data. If the match succeeds, the user IPs in the cluster are determined to exhibit group attack behavior.
The above-described aspects may be implemented individually or in various combinations, and such variations are within the scope of the present invention.
It will be understood by those of ordinary skill in the art that all or some of the steps of the methods, systems, functional modules/units in the devices disclosed above may be implemented as software, firmware, hardware, and suitable combinations thereof. In a hardware implementation, the division between functional modules/units mentioned in the above description does not necessarily correspond to the division of physical components; for example, one physical component may have multiple functions, or one function or step may be performed by several physical components in cooperation. Some or all of the components may be implemented as software executed by a processor, such as a digital signal processor or microprocessor, or as hardware, or as an integrated circuit, such as an application specific integrated circuit. Such software may be distributed on computer readable media, which may include computer storage media (or non-transitory media) and communication media (or transitory media). The term computer storage media includes volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storage of information such as computer readable instructions, data structures, program modules or other data, as is well known to those of ordinary skill in the art. Computer storage media includes, but is not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, Digital Versatile Disks (DVD) or other optical disk storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to store the desired information and which can be accessed by a computer. In addition, communication media typically embodies computer readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism and includes any information delivery media as known to those skilled in the art.
Finally, it should be noted that: the above examples are only for illustrating the technical solutions of the present invention, and are not limited thereto. Although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.
Claims (10)
1. An AI detection method for deeply tracking a group attack behavior is characterized by comprising the following steps:
extracting first information, second information and third information of each user IP from a network access log;
acquiring first statistical characteristics of user IPs based on the first information, and performing theme clustering on the user IPs based on the first statistical characteristics to obtain large clusters respectively corresponding to different themes;
acquiring second statistical characteristics of user IPs based on the second information, and performing behavior clustering on the user IPs in each large cluster based on the second statistical characteristics to obtain a plurality of small clusters corresponding to different behaviors respectively;
acquiring a third statistical characteristic of each small cluster based on the third information;
and when the third statistical characteristic of the small cluster is matched with the attack characteristic of the group attack behavior model, determining that the group attack behavior exists in each user IP in the small cluster.
2. The AI detection method of claim 1, wherein:
the first information includes: URL in the network access log of each user IP;
the first statistical feature comprises: word segmentation information obtained by segmenting the URLs of each user IP according to the URL syntax.
3. The AI detection method of claim 1, wherein:
the second information includes at least one of: URL, GET request message, HEAD request message, POST request message, PUT request message, DELETE request message, OPTIONS request message, TRACE request message, CONNECT request message, 1XX response message, 2XX response message, 3XX response message, 4XX response message and 5XX response message in each user IP network access log;
the second statistical characteristic includes at least one of the following characteristics corresponding to the second information: average number of URIs, average number of GET request messages, average number of HEAD request messages, average number of POST request messages, average number of PUT request messages, average number of DELETE request messages, average number of OPTIONS request messages, average number of TRACE request messages, average number of CONNECT request messages, average number of 1XX response messages, average number of 2XX response messages, average number of 3XX response messages, average number of 4XX response messages, average number of 5XX response messages, average number of URL PATNs, average REFER number, average number of TERuser agents for each user IP.
4. The AI detection method of claim 1, wherein:
the third information includes at least one of: network segment information of each user IP in each small cluster and URL in each user IP network access log;
the third statistical characteristic includes at least one of the following characteristics corresponding to the third information: the total IP number of each small cluster, the number of B-type IP network segments, the number of C-type IP network segments, the number of time windows for URL access of each user IP and the number of URL access of each user IP.
5. The AI detection method of claim 1, further comprising:
pre-extracting the attack features of the group attack behavior model based on historical data in which group attack behavior has been detected.
6. The AI detection method of claim 1, further comprising:
and when all the characteristics in the current small cluster are determined to meet the corresponding threshold value and attack judgment logic in the attack characteristics of the group attack behavior model, determining that the third statistical characteristics of the small cluster are matched with the attack characteristics of the group attack behavior model.
7. The AI detection method of claim 1, wherein:
each small cluster contains at least two user IPs.
8. An AI detection apparatus for deeply tracking a group attack behavior, comprising:
the information extraction module is used for extracting the first information, the second information and the third information of each user IP from the network access log;
the first statistical feature extraction and topic clustering module is used for acquiring first statistical features of user IPs based on the first information, and performing topic clustering on the user IPs based on the first statistical features to acquire large clusters corresponding to different topics respectively;
a second statistical characteristic extracting and behavior clustering module, configured to obtain a second statistical characteristic of each user IP based on the second information, perform behavior clustering on the user IPs in each large cluster based on the second statistical characteristic, and obtain a plurality of small clusters corresponding to different behaviors, respectively;
a third statistical feature extraction module, configured to obtain a third statistical feature of each small cluster based on the third information;
and the identification module is used for determining that the user IP of the small cluster has the group attack behavior when the third statistical characteristic of the small cluster is matched with the attack characteristic of the group attack behavior model.
9. The AI detection device of claim 7, further comprising:
and the attack characteristic extraction module is used for extracting the attack characteristics of the group attack behavior model in advance based on the detected historical data with the group attack behavior.
10. The AI detection device of claim 7, wherein the identification module is further to:
and when all the characteristics in the current small cluster are determined to meet the corresponding threshold value and attack judgment logic in the attack characteristics of the group attack behavior model, determining that the third statistical characteristics of the small cluster are matched with the attack characteristics of the group attack behavior model.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201811085395.4A CN110912861B (en) | 2018-09-18 | 2018-09-18 | AI detection method and device for deeply tracking group attack behavior |
Publications (2)
Publication Number | Publication Date |
---|---|
CN110912861A (en) | 2020-03-24 |
CN110912861B (en) | 2022-02-15 |
Family
ID=69812686
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201811085395.4A Active CN110912861B (en) | 2018-09-18 | 2018-09-18 | AI detection method and device for deeply tracking group attack behavior |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN110912861B (en) |
Citations (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105528422A (en) * | 2015-12-07 | 2016-04-27 | 中国建设银行股份有限公司 | Focused crawler processing method and apparatus |
CN105956004A (en) * | 2016-04-20 | 2016-09-21 | 广州精点计算机科技有限公司 | Method and device for analyzing mobile user internet behavior based on URL analysis model |
CN106778260A (en) * | 2016-12-31 | 2017-05-31 | 网易无尾熊(杭州)科技有限公司 | Attack detection method and device |
CN107241352A (en) * | 2017-07-17 | 2017-10-10 | 浙江鹏信信息科技股份有限公司 | A kind of net security accident classificaiton and Forecasting Methodology and system |
CN107800684A (en) * | 2017-09-20 | 2018-03-13 | 贵州白山云科技有限公司 | A kind of low frequency reptile recognition methods and device |
CN109145179A (en) * | 2017-07-26 | 2019-01-04 | 北京数安鑫云信息技术有限公司 | A kind of crawler behavioral value method and device |
CN109145934A (en) * | 2017-12-22 | 2019-01-04 | 北京数安鑫云信息技术有限公司 | User behavior data processing method, medium, equipment and device based on log |
US20200195667A1 (en) * | 2017-12-28 | 2020-06-18 | Alibaba Group Holding Limited | Url attack detection method and apparatus, and electronic device |
Cited By (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111740855A (en) * | 2020-05-06 | 2020-10-02 | 首都师范大学 | Risk identification method, device and equipment based on data migration and storage medium |
CN111740855B (en) * | 2020-05-06 | 2023-04-18 | 首都师范大学 | Risk identification method, device and equipment based on data migration and storage medium |
CN111756720A (en) * | 2020-06-16 | 2020-10-09 | 深信服科技股份有限公司 | Targeted attack detection method, apparatus thereof and computer-readable storage medium |
CN111756720B (en) * | 2020-06-16 | 2023-03-24 | 深信服科技股份有限公司 | Targeted attack detection method, apparatus thereof and computer-readable storage medium |
CN113051570A (en) * | 2021-05-25 | 2021-06-29 | 深圳市积汇天成科技有限公司 | Server access monitoring method and device |
CN113051570B (en) * | 2021-05-25 | 2021-08-17 | 深圳市积汇天成科技有限公司 | Server access monitoring method and device |
CN114389857A (en) * | 2021-12-24 | 2022-04-22 | 国家计算机网络与信息安全管理中心 | Network attack group fusion method based on core attack resources |
CN114389857B (en) * | 2021-12-24 | 2024-04-05 | 国家计算机网络与信息安全管理中心 | Network attack group fusion method based on core attack resource |
Also Published As
Publication number | Publication date |
---|---|
CN110912861B (en) | 2022-02-15 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||