CN110933080B - IP group identification method and device for user login abnormity - Google Patents

Info

Publication number: CN110933080B
Application number: CN201911200324.9A
Authority: CN (China)
Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis)
Other languages: Chinese (zh)
Other versions: CN110933080A
Inventors: 殷钱安, 梁淑云, 刘胜, 马影, 陶景龙, 王启凡, 魏国富, 徐�明, 余贤喆, 周晓勇
Current assignee: Information and Data Security Solutions Co Ltd
Original assignee: Information and Data Security Solutions Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1425 Traffic logging, e.g. anomaly detection

Abstract

The invention discloses an IP group identification method and device for abnormal user logins. The method comprises the following steps: acquiring login logs, counting the login logs in each preset period, and obtaining the login frequency sequence of each IP; training an isolation forest algorithm with the login frequency sequences as the sample set to obtain a score for each IP address; for each score, obtaining the mode of the scores and the login-log set corresponding to that mode; selecting from the login frequency sequences the frequency sequences of the login logs corresponding to the mode, and binarizing the selected frequency sequences to obtain a mark for each IP in each period; and, according to the mark of each IP in each period, obtaining the kappa coefficient among the data of the login-log set using the kappa algorithm, where a login-log set whose kappa coefficient is larger than a preset threshold is taken as an abnormal login group. By applying the embodiments of the invention, black-market (黑产) activity spread across mutually independent IPs can be identified.

Description

IP group identification method and device for user login abnormity
Technical Field
The invention relates to the technical field of network security, and in particular to an IP group identification method for abnormal user logins.
Background
With the rapid development of internet technology and applications, internet security has become a serious concern: system attacks and black-market (黑产, underground-industry) activity cause heavy economic losses and damage enterprise reputations. Black-market groups continually update techniques such as credential stuffing (撞库) and promotion abuse (薅羊毛); for example, switching IPs in bulk and issuing requests in bulk has become increasingly common. At the same time, modern internet platform services keep growing in complexity and variability, so the protection offered by traditional rule-based risk-control schemes keeps weakening.
Currently, in the field of internet attack prevention, identifying IP login groups is a relatively effective countermeasure. Common approaches are relationship discovery based on graph analysis and group clustering based on group characteristics. However, relationship discovery based on graph analysis requires that the nodes be linked to one another by some relationship. With the spread of IP switching and simulation technology, black-market groups now pair each IP one-to-one with an account number in order to evade existing security detection systems, so the IPs are mutually independent in terms of relationships and graph analysis cannot discover the group.
Therefore, the prior art cannot detect black-market activity carried out from mutually independent IPs.
Disclosure of Invention
The technical problem to be solved by the invention is how to provide an IP group identification method and device for abnormal user logins that can discover mutually independent black-market activity among IPs.
The invention solves the technical problem through the following technical means:
An embodiment of the invention provides an IP group identification method for abnormal user logins, which comprises the following steps:
acquiring login logs, counting the login logs in each preset period, and obtaining the login frequency sequence of each IP;
training an isolation forest algorithm with the login frequency sequences as the sample set to obtain a score for each IP address;
for each score, obtaining the mode of the scores and the login-log set corresponding to that mode;
selecting from the login frequency sequences the frequency sequences of the login logs corresponding to the mode, and binarizing the selected frequency sequences to obtain a mark for each IP in each period; and, according to the mark of each IP in each period, obtaining the kappa coefficient among the data of the login-log set using the kappa algorithm, where a login-log set whose kappa coefficient is larger than a preset threshold is taken as an abnormal login group.
In general, even when a black-market group pairs each IP one-to-one with an account number, so that the IPs are mutually independent, the inventors found that the group either operates each independent IP to perform the corresponding action or drives the IPs from programmatically controlled machines, so the login logs of the IPs used by the group show a certain consistency. Therefore, by applying the embodiments of the invention, the login logs of each IP are classified by an isolation forest algorithm to obtain several login-log sets, and a consistency coefficient between the login logs of the IPs in each set is then calculated with the kappa algorithm, so that the sets with high IP consistency can be screened out. Because the login logs of real users are randomly distributed, the consistency among the login-log sets of real users is lower, and mutually independent black-market activity among IPs can thus be identified.
Optionally, before counting the login logs and obtaining the login frequency sequence of each IP, the method further includes:
selecting, according to a preset intranet IP segment, the logs from the public-network IP segments contained in the login logs;
and counting the login logs in each preset period then includes:
counting the logs from the public-network IP segments contained in the login logs.
Optionally, obtaining the login frequency sequence of each IP includes:
counting the number of logins of each IP in each period, with a preset time length as the period, to obtain a login frequency subsequence for each period;
and ordering the periods chronologically and concatenating the corresponding login frequency subsequences in period order to obtain the login frequency sequence of each IP.
Optionally, obtaining the mode of the score based on the score includes:
extracting the two significant digits of the score;
and obtaining the mode corresponding to the score from those significant digits.
Optionally, binarizing the frequency of each IP in each preset period of the login-log set to obtain the mark of each IP in each period includes:
for the frequency of each IP in each preset period of the whole login-log set, judging whether the frequency of the IP is greater than a preset threshold;
if yes, setting the mark of the IP for that preset period to a first preset mark, the first preset mark being 1;
if not, setting the mark of the IP for that preset period to a second preset mark, the second preset mark being 0.
An embodiment of the invention also provides an IP group identification device for abnormal user logins, which comprises:
a first acquisition module, configured to acquire login logs, count the login logs in each preset period and obtain the login frequency sequence of each IP;
a second acquisition module, configured to train an isolation forest algorithm with the login frequency sequences as the sample set to obtain a score for each IP address;
a third acquisition module, configured to obtain, for each score, the mode of the scores and the login-log set corresponding to that mode;
a setting module, configured to select from the login frequency sequences the frequency sequences of the login logs corresponding to the mode, to binarize the selected frequency sequences to obtain the mark of each IP in each period, and, according to the mark of each IP in each period, to obtain the kappa coefficient among the data of the login-log set using the kappa algorithm, a login-log set whose kappa coefficient is larger than a preset threshold being taken as an abnormal login group.
Optionally, the device further comprises a screening module configured to:
select, according to a preset intranet IP segment, the logs from the public-network IP segments contained in the login logs;
and count the logs from the public-network IP segments contained in the login logs.
Optionally, the first acquisition module is configured to:
count the number of logins of each IP in each period, with a preset time length as the period, to obtain a login frequency subsequence for each period;
and order the periods chronologically and concatenate the corresponding login frequency subsequences in period order to obtain the login frequency sequence of each IP.
Optionally, the third acquisition module is configured to:
extract the two significant digits of the score;
and obtain the mode corresponding to the score from those significant digits.
Optionally, the setting module is configured to:
for the frequency of each IP in each preset period of the whole login-log set, judge whether the frequency of the IP is greater than a preset threshold;
if yes, set the mark of the IP for that preset period to a first preset mark, the first preset mark being 1;
if not, set the mark of the IP for that preset period to a second preset mark, the second preset mark being 0.
The advantage of the invention is the one explained above: the login logs of the IPs used by a black-market group show a consistency that the randomly distributed login logs of real users lack, so screening the login-log sets produced by the isolation forest with the kappa consistency coefficient identifies mutually independent black-market activity among IPs.
Drawings
Fig. 1 is a schematic flowchart of an IP group identification method for abnormal user logins according to an embodiment of the invention;
Fig. 2 is a schematic diagram of the principle of the IP group identification method for abnormal user logins according to an embodiment of the invention;
Fig. 3 is a schematic structural diagram of an IP group identification device for abnormal user logins according to an embodiment of the invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the embodiments of the present invention, and it is obvious that the described embodiments are some embodiments of the present invention, but not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Example 1
Fig. 1 is a schematic flowchart of an IP group identification method for abnormal user logins according to an embodiment of the invention, and Fig. 2 is a schematic diagram of its principle. As shown in Fig. 1 and Fig. 2, the method includes:
S101: acquiring login logs, counting the login logs in each preset period, and obtaining the login frequency sequence of each IP.
For example, the server login logs of one day are obtained; the number of logins of each IP in each period is counted with a preset time length, such as half an hour, as the period, giving a login frequency subsequence for each period; the periods are then ordered chronologically and the corresponding subsequences are concatenated in period order to obtain the login frequency sequence of each IP.
Dividing the 24 hours of the day into half-hour intervals gives 48 periods T_1, T_2, …, T_48. For each of the periods T_1, T_2, …, T_48, the login logs of each IP within the period are counted to obtain the login frequency of each IP, forming the login frequency sequence of the IPs in that period.
The login frequency sequences of the periods are then ordered chronologically, giving, for example, the login frequency sequence of T_1, that of T_2, …, and that of T_48.
In practical applications, the login logs of a month or a year can also be used as the logs to be processed in this step.
S102: training an isolation forest algorithm with the login frequency sequences as the sample set to obtain a score for each IP address.
For example, the login frequency sequences obtained in step S101 are first converted into a wide table whose columns are IP and T_n, where n = 1, 2, …, 48.
The wide table thus has the columns IP, T_1, T_2, …, T_48; each row holds the 48 feature variables of one IP, i.e. the cell in the first feature column of a row gives the number of logins of that IP in the first period.
The wide table is then used as the training data set, model training is carried out with an isolation forest algorithm, and a score is output for each IP. The embodiments of the invention can use an existing isolation forest model, which is therefore not described again here.
For example, the scores output by the isolation forest algorithm for the IPs of the first period are as follows:
IP1 scores 11.1, IP2 11.1, IP3 12.3; IP4 11.1, IP5 11.3, IP6 12.3; IP7 11.1, IP8 11.1, IP9 11.9. The first two digits of each score are then extracted as its significant digits, giving:
IP1 scores 11, IP2 11, IP3 12; IP4 11, IP5 11, IP6 12; IP7 11, IP8 11, IP9 11.
It will be understood that the login logs of the other periods are processed in the same way, which is not repeated here.
S103: for each score, obtaining the mode of the scores and the login-log set corresponding to that mode.
Specifically, the two significant digits of the score may be extracted, and the mode corresponding to the score obtained from those significant digits.
For example, taking the first period, the number of times each score value appears in the period is counted: 11 appears 7 times, more than any other value, so 11 is the mode of the first period. The IPs whose score is 11 are then selected:
IP1, IP2, IP4, IP5, IP7, IP8, IP9; and the set of login logs of these IPs is taken as the login-log set corresponding to the mode.
S104: selecting from the login frequency sequences the frequency sequences of the login logs corresponding to the mode, and binarizing the selected frequency sequences to obtain the mark of each IP in each period; and, according to the mark of each IP in each period, obtaining the kappa coefficient among the data of the login-log set using the kappa algorithm, where a login-log set whose kappa coefficient is larger than a preset threshold is taken as an abnormal login group.
For example, with the set value 5, the mark of an IP whose frequency is greater than 5 is set to 1 and the mark of an IP whose frequency is not greater than 5 is set to 0, so that the marks of the IPs are obtained as, for instance:
the mark of IP1 is 1, the mark of IP5 is 1, and the mark of IP9 is 0.
Then the total number of login logs of all IPs in the login-log set obtained in this step is calculated, the number of those logs that truly belong to black-market login behaviour is counted, and the classification precision p_o of the truly black-market login behaviour is obtained.
Suppose the true number of samples in each class is a_1, a_2, …, a_c, the predicted number of samples in each class is b_1, b_2, …, b_c, and the total number of samples is n; then:
[equation given only as an image in the original]
For example, the kappa coefficient between IP1 and IP2 is calculated from the 48-period 0–1 sequences of the IPs obtained above. A confusion matrix is constructed from the 0–1 sequences of IP1 and IP2:
[confusion matrix given only as an image in the original]
Then, using the formula
[equation given only as an image in the original]
the consistency between the login logs of the IPs contained in the login-log set is calculated.
The kappa coefficient ranges from -1 to 1, but usually falls between 0 and 1; the customary analysis criteria divide it into five bands representing different levels of consistency:
0.0 to 0.20: very low consistency
0.21 to 0.40: fair consistency
0.41 to 0.60: moderate consistency
0.61 to 0.80: high consistency
0.81 to 1: almost complete consistency.
Correspondingly, the kappa coefficient of the previous step is:
[value given only as an image in the original]
so IP1 and IP2 are considered highly consistent.
In the embodiment of the invention, if the kappa coefficient between IPs in a login-log set is greater than 0.8, those IPs are considered to behave consistently and to belong to the same group.
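The whole S101–S104 procedure as an added, runnable example that is not part of the patent: half-hour bucketing of constructed login-log lines, truncation of scores to two significant digits, the mode step, binarization at threshold 5 and pairwise Cohen's kappa (the standard (p_o - p_e)/(1 - p_e) definition, which the confusion-matrix description above matches) with the 0.8 cut-off. The isolation-forest scores of S102 are supplied as a constructed dictionary (the page uses an existing model, and sklearn.ensemble.IsolationForest.score_samples is one such source), and the score is treated as one per IP over the day, as in S102 and claim 1; the log-line format, the IP addresses and the all-zero-sequence guard are my assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from itertools import combinations
from math import floor, log10
from typing import Dict, List

PERIOD_MINUTES = 30     # half-hour periods, 48 per day (S101)
FREQ_THRESHOLD = 5      # binarisation threshold of S104
KAPPA_THRESHOLD = 0.8   # "same group" cut-off of S104

def build_frequency_table(log_lines: List[str], period_minutes: int = PERIOD_MINUTES) -> Dict[str, List[int]]:
    """S101: count the logins of every IP in each fixed-length period of one day.
    A constructed log line has the form '<ISO timestamp> <source IP> <user>'."""
    n_periods = 24 * 60 // period_minutes
    table: Dict[str, List[int]] = defaultdict(lambda: [0] * n_periods)
    for line in log_lines:
        ts, ip, _user = line.split()
        t = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")
        table[ip][(t.hour * 60 + t.minute) // period_minutes] += 1
    return dict(table)

def two_significant_digits(score: float) -> float:
    """S103: keep the first two significant digits of a score, truncating as in
    the page's example (11.1 -> 11, 12.3 -> 12, 11.9 -> 11, 0.657 -> 0.65)."""
    if score == 0:
        return 0.0
    scale = 10.0 ** (floor(log10(abs(score))) - 1)
    return int(round(score / scale, 6)) * scale

def modal_score_ips(scores: Dict[str, float]) -> List[str]:
    """S103: the IPs whose truncated score equals the mode of all truncated scores."""
    truncated = {ip: two_significant_digits(s) for ip, s in scores.items()}
    mode = Counter(truncated.values()).most_common(1)[0][0]
    return sorted(ip for ip, s in truncated.items() if s == mode)

def binarize(freqs: List[int], threshold: int = FREQ_THRESHOLD) -> List[int]:
    """S104: mark a period 1 when the login count exceeds the threshold, else 0."""
    return [1 if f > threshold else 0 for f in freqs]

def cohen_kappa(a: List[int], b: List[int]) -> float:
    """Standard Cohen's kappa (p_o - p_e) / (1 - p_e) for two equal-length 0/1
    sequences: p_o is observed agreement, p_e chance agreement from the marginals."""
    n = len(a)
    p_o = sum(x == y for x, y in zip(a, b)) / n
    p_e = sum(a.count(c) * b.count(c) for c in (0, 1)) / (n * n)
    # p_e == 1 only when both sequences are constant and identical; kappa is
    # undefined there, so treat it as perfect agreement instead of dividing by 0.
    return 1.0 if p_e == 1.0 else (p_o - p_e) / (1.0 - p_e)

def find_abnormal_groups(table: Dict[str, List[int]], scores: Dict[str, float],
                         kappa_min: float = KAPPA_THRESHOLD) -> List[List[str]]:
    """S103 + S104: keep the modal-score IPs, binarise their sequences and link
    every pair whose kappa exceeds kappa_min; returns the groups of size >= 2."""
    candidates = modal_score_ips(scores)
    marks = {ip: binarize(table[ip]) for ip in candidates}
    # Added guard not stated on the page: an IP that never exceeds the threshold
    # has nothing to be consistent about, and two all-zero sequences get kappa 1.
    active = [ip for ip in candidates if any(marks[ip])]
    parent = {ip: ip for ip in active}

    def root(ip: str) -> str:  # minimal union-find over linked IPs
        while parent[ip] != ip:
            ip = parent[ip]
        return ip

    for x, y in combinations(active, 2):
        if cohen_kappa(marks[x], marks[y]) > kappa_min:
            parent[root(x)] = root(y)
    groups: Dict[str, List[str]] = defaultdict(list)
    for ip in active:
        groups[root(ip)].append(ip)
    return sorted(g for g in groups.values() if len(g) >= 2)

def make_sample_logs() -> List[str]:
    """Constructed one-day log: five scripted IPs (TEST-NET-3) log in 8 times in
    every half hour from 00:00 to 12:00, then stop; four human IPs log in 3 times."""
    day, lines = datetime(2024, 1, 1), []
    bots = ["203.0.113.1", "203.0.113.2", "203.0.113.4", "203.0.113.7", "203.0.113.8"]
    for i, ip in enumerate(bots):
        for period in range(24):
            for k in range(8):
                t = day + timedelta(minutes=period * 30 + 3 * k)
                lines.append(f"{t:%Y-%m-%dT%H:%M:%S} {ip} bot{i}")
    humans = ["198.51.100.3", "198.51.100.5", "198.51.100.6", "198.51.100.9"]
    for i, ip in enumerate(humans):
        for hour in (8 + i, 13, 19 + i):
            t = day + timedelta(hours=hour, minutes=7 * i)
            lines.append(f"{t:%Y-%m-%dT%H:%M:%S} {ip} user{i}")
    return lines

# Constructed stand-in for the isolation-forest scores of S102; in practice they
# come from an existing model (e.g. sklearn.ensemble.IsolationForest.score_samples).
SAMPLE_SCORES = {"203.0.113.1": 11.1, "203.0.113.2": 11.1, "198.51.100.3": 12.3,
                 "203.0.113.4": 11.1, "198.51.100.5": 11.3, "198.51.100.6": 12.3,
                 "203.0.113.7": 11.1, "203.0.113.8": 11.1, "198.51.100.9": 11.9}
```

Running `find_abnormal_groups(build_frequency_table(make_sample_logs()), SAMPLE_SCORES)` returns the five scripted IPs as one group: their 0–1 sequences agree in all 48 periods while being split 24/24, so kappa is exactly 1.0, whereas a scripted IP against a human IP scores 0.0.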
As explained above, the login logs of the IPs used by a black-market group show a consistency that the randomly distributed login logs of real users lack, which is why isolation-forest classification followed by the kappa consistency coefficient can identify mutually independent black-market activity among IPs.
In addition, the prior art offers a group clustering method based on group characteristics. Because cluster analysis judges groups by similarity computed from various distances, the accuracy of the clustering result depends on feature construction, feature-value processing and how well the algorithm fits, and the characteristics of members at the edge of a group are not very pronounced, so edge members are easily misjudged. Consequently a black-market group can imitate normal system user behaviour in order to bypass the system's security detection, and group discovery by clustering on group characteristics cannot distinguish the normal group from the black-market group within a cluster.
In the embodiments of the invention, the kappa coefficient expresses the proportion by which a classification reduces the error of a completely random classification; here it measures how far the group's behaviour departs from the random behaviour of the normal user population. Using the kappa coefficient to identify IP groups with highly consistent behaviour effectively avoids the bias in group similarity values caused by fluctuations in the numerical data and by differences in the numerical distribution across periods, and improves IP group identification.
In a further improved technical solution of the embodiment, before the login logs in each preset period are counted, a step of selecting, according to a preset intranet IP segment, the logs from the public-network IP segments contained in the login logs is added.
For example, the TCP/IP protocol reserves three IP address ranges exclusively as private addresses, as follows:
Class A addresses: 10.0.0.0–10.255.255.255
Class B addresses: 172.16.0.0–172.31.255.255
Class C addresses: 192.168.0.0–192.168.255.255
Based on these private IP addresses, the login logs obtained in step S101 are filtered with corresponding screening rules and the private addresses are removed, so that the public-network IPs and their login logs can be selected.
By applying this embodiment of the invention, the amount of data to be processed is reduced and the efficiency of the algorithm is improved.
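One way to implement this pre-filter, as an added example that is not part of the patent: the three ranges above expressed as CIDR blocks with Python's standard ipaddress module, dropping intranet and malformed records before the counting of S101. The log-line format and the sample values are constructed.

```python
import ipaddress
from typing import Iterable, List, Tuple

# The three reserved private ranges listed in the text, as CIDR blocks:
# 10.0.0.0/8, 172.16.0.0/12 (172.16.0.0-172.31.255.255), 192.168.0.0/16.
INTERNAL_SEGMENTS = [ipaddress.ip_network(cidr) for cidr in
                     ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(ip: str) -> bool:
    """True when the address falls in one of the preset internal IP segments.
    Raises ValueError when the string is not an IP address."""
    addr = ipaddress.ip_address(ip)
    return any(addr in seg for seg in INTERNAL_SEGMENTS)

def select_public_logins(log_lines: Iterable[str]) -> Tuple[List[str], int]:
    """Keep only the login-log lines whose source IP is a public-network address.
    Returns (kept lines, number dropped). Lines without a parsable address are
    dropped as well, so a malformed record cannot enter the S101 statistics.
    A constructed log line has the form '<ISO timestamp> <source IP> <user>'."""
    kept, dropped = [], 0
    for line in log_lines:
        fields = line.split()
        try:
            drop = len(fields) < 2 or is_internal(fields[1])
        except ValueError:          # second field is not an IP address at all
            drop = True
        if drop:
            dropped += 1
        else:
            kept.append(line)
    return kept, dropped

# Constructed sample: two intranet logins, one malformed record, two public ones
# (172.32.0.1 lies just outside 172.16.0.0/12 and must be kept).
SAMPLE_LOGS = [
    "2024-01-01T00:01:00 10.3.4.5 alice",
    "2024-01-01T00:02:00 172.20.9.1 bob",
    "2024-01-01T00:03:00 not-an-ip carol",
    "2024-01-01T00:04:00 203.0.113.7 dave",
    "2024-01-01T00:05:00 172.32.0.1 erin",
]
```

These three ranges alone do not cover loopback (127.0.0.0/8) or link-local (169.254.0.0/16) sources; add them to INTERNAL_SEGMENTS if such logins appear in the server logs.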
Example 2
Corresponding to Embodiment 1, an embodiment of the invention also provides an IP group identification device for abnormal user logins.
Fig. 3 is a schematic structural diagram of an IP group identification device for abnormal user logins according to an embodiment of the invention. As shown in Fig. 3, the device includes:
a first acquisition module 301, configured to acquire login logs, count the login logs in each preset period, and obtain the login frequency sequence of each IP;
a second acquisition module 302, configured to train an isolation forest algorithm with the login frequency sequences as the sample set to obtain a score for each IP address;
a third acquisition module 303, configured to obtain, for each score, the mode of the scores and the login-log set corresponding to that mode;
a setting module 304, configured to select from the login frequency sequences the frequency sequences of the login logs corresponding to the mode, to binarize the selected frequency sequences to obtain the mark of each IP in each period, and, according to the mark of each IP in each period, to obtain the kappa coefficient among the data of the login-log set using the kappa algorithm, a login-log set whose kappa coefficient is larger than a preset threshold being taken as an abnormal login group.
As explained in Embodiment 1, the login logs of the IPs used by a black-market group show a consistency that the randomly distributed login logs of real users lack, so screening the login-log sets produced by the isolation forest with the kappa consistency coefficient identifies mutually independent black-market activity among IPs.
In a specific implementation of the embodiment, the device further includes a screening module configured to:
select, according to a preset intranet IP segment, the logs from the public-network IP segments contained in the login logs;
and count the logs from the public-network IP segments contained in the login logs.
In a specific implementation of the embodiment, the first acquisition module 301 is configured to:
count the number of logins of each IP in each period, with a preset time length as the period, to obtain a login frequency subsequence for each period;
and order the periods chronologically and concatenate the corresponding login frequency subsequences in period order to obtain the login frequency sequence of each IP.
In a specific implementation of the embodiment, the third acquisition module 303 is configured to:
extract the two significant digits of the score;
and obtain the mode corresponding to the score from those significant digits.
In a specific implementation of the embodiment, the setting module 304 is configured to:
for the frequency of each IP in each preset period of the whole login-log set, judge whether the frequency of the IP is greater than a preset threshold;
if yes, set the mark of the IP for that preset period to a first preset mark, the first preset mark being 1;
if not, set the mark of the IP for that preset period to a second preset mark, the second preset mark being 0.
The above embodiments are only intended to illustrate the technical solution of the invention, not to limit it. Although the invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art will understand that the technical solutions described in the foregoing embodiments may still be modified, or some of their technical features replaced by equivalents, and that such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the invention.

Claims (10)

1. An IP group identification method for user login abnormity is characterized by comprising the following steps:
acquiring login logs, counting the login logs in each preset period, and acquiring login frequency sequences of all IPs;
training an isolated forest algorithm by taking the login frequency sequence as a sample set to obtain the score of each IP address;
aiming at each score, acquiring a mode of the score, and acquiring a login log set corresponding to the mode;
screening out a frequency sequence of the log logs corresponding to the mode from the log frequency sequence, and carrying out binarization processing on the screened frequency sequence to obtain a mark of each IP in each period; and acquiring a kappa coefficient among the data of the log collection by using a kappa algorithm according to the mark of each IP in each period, and taking the log collection with the kappa coefficient larger than a preset threshold value as a log abnormal group.
2. The method as claimed in claim 1, wherein before counting the log-in logs and obtaining log-in frequency sequences of the IPs, the method further comprises:
screening logs of the public network IP segment contained in the log according to a preset internal network IP segment;
the counting of the log logs in each preset period includes:
and counting the logs of the public network IP section contained in the log logs.
3. The method as claimed in claim 1, wherein the obtaining of the log-in frequency sequence of each IP comprises:
counting the login times of each IP in each period by taking a preset time length as a period to obtain a login frequency subsequence of each period;
and sequencing the periods according to the time sequence, and combining the corresponding login frequency sub-sequences according to the period sequence to obtain the login frequency sequence of each IP.
4. The method as claimed in claim 3, wherein obtaining the mode of the score based on the score comprises:
extracting two effective numerical values of the score based on the score;
and obtaining a mode corresponding to the score according to the effective numerical value.
5. The method as claimed in claim 1, wherein the step of binarizing the frequency of each IP in each preset period in the log collection to obtain the label of each IP in each period comprises:
aiming at the frequency of each IP in each preset period of the total log collection, judging whether the frequency of the IP is greater than a preset threshold value;
if yes, setting a mark corresponding to the preset period of the IP as a first preset mark, wherein the first preset mark comprises: 1;
if not, setting a mark corresponding to the IP in the preset period as a second preset mark, wherein the second preset mark comprises: 0.
6. An IP group identification apparatus for user login abnormality, the apparatus comprising:
a first obtaining module, configured to obtain login logs, count the login logs in each preset period, and obtain a login frequency sequence of each IP;
a second obtaining module, configured to train an isolation forest algorithm with the login frequency sequences as a sample set to obtain a score of each IP address;
a third obtaining module, configured to obtain, for each score, the mode of the score, and obtain the login log set corresponding to the mode;
a setting module, configured to screen out, from the login frequency sequences, the frequency sequences of the login logs corresponding to the mode, and binarize the screened frequency sequences to obtain a mark of each IP in each period; and to obtain, by a kappa algorithm and according to the mark of each IP in each period, a kappa coefficient among the data of the login log set, wherein a login log set whose kappa coefficient is larger than a preset threshold value is taken as an abnormal login group.
7. The apparatus of claim 6, further comprising a screening module configured to:
screen, according to a preset internal network IP segment, the logs of public network IP segments contained in the login logs;
and count the logs of the public network IP segments contained in the login logs.
8. The apparatus for identifying an IP group with abnormal user login according to claim 6, wherein the first obtaining module is configured to:
count the login times of each IP in each period, taking a preset time length as the period, to obtain a login frequency subsequence for each period;
and sort the periods in time order, and combine the corresponding login frequency subsequences in period order to obtain the login frequency sequence of each IP.
9. The IP group recognition apparatus of claim 8, wherein the third obtaining module is configured to:
extract two significant digits of the score based on the score;
and obtain the mode corresponding to the score according to the significant digits.
10. The IP group recognition apparatus of claim 6, wherein the setting module is configured to:
for the frequency of each IP in each preset period of the whole login log set, judge whether the frequency of the IP is greater than a preset threshold value;
if yes, set the mark of the IP for the preset period to a first preset mark, wherein the first preset mark comprises: 1;
if not, set the mark of the IP for the preset period to a second preset mark, wherein the second preset mark comprises: 0.
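As an added worked example, not code from the patent or its assignee, the pipeline of claims 1 to 5 (restated as the apparatus of claims 6 to 10) in Python: constructed login log lines are filtered against a preset internal network segment (claim 2), counted per IP per hourly period into a login frequency sequence (claim 3), grouped by the two-significant-digit mode of an anomaly score (claim 4), binarized against a frequency threshold (claim 5), and a kappa coefficient is computed within each group, with groups above the kappa threshold reported as abnormal IP groups. The isolation forest step is not reproduced: the per-IP scores are constructed stand-ins for what a trained isolation forest (for instance scikit-learn's IsolationForest.score_samples) would return. Reading "mode" as the two-significant-digit bucket, averaging Cohen's kappa over member pairs as the group coefficient, and the IP addresses, period length and thresholds are all assumptions of this example.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta
from itertools import combinations

# Assumption: a preset internal network segment (claim 2); logins from it are dropped.
INTERNAL_SEGMENTS = [ipaddress.ip_network("10.0.0.0/8")]


def _constructed_lines(ip, hours, per_hour):
    """Generate constructed 'timestamp ip result' login log lines for one IP."""
    return [f"2019-11-29T{h:02d}:{m:02d}:00 {ip} login_ok" for h in hours for m in range(per_hour)]


# Constructed sample log: three IPs bursting in the same hours, one steady IP,
# two IPs with unrelated bursts, and one internal IP that must be filtered out.
SAMPLE_LOGS = (
    _constructed_lines("203.0.113.10", [0, 2, 4], 3)
    + _constructed_lines("203.0.113.11", [0, 2, 4], 3)
    + _constructed_lines("203.0.113.12", [0, 2, 4], 3)
    + _constructed_lines("198.51.100.7", range(6), 1)
    + _constructed_lines("198.51.100.20", [1, 3], 3)
    + _constructed_lines("198.51.100.21", [3, 5], 3)
    + _constructed_lines("10.0.0.5", [0, 2, 4], 3)
)

# Constructed stand-ins for isolation forest anomaly scores (higher = more isolated).
SAMPLE_SCORES = {
    "203.0.113.10": 0.8123, "203.0.113.11": 0.8149, "203.0.113.12": 0.8098,
    "198.51.100.7": 0.5012, "198.51.100.20": 0.7912, "198.51.100.21": 0.7949,
}


def parse_logs(lines, internal_segments):
    """Claim 2: keep only public-network logins, returned as (timestamp, ip)."""
    events = []
    for line in lines:
        ts, ip, _result = line.split(" ", 2)
        if any(ipaddress.ip_address(ip) in seg for seg in internal_segments):
            continue
        events.append((datetime.fromisoformat(ts), ip))
    return events


def frequency_sequences(events, start, period, num_periods):
    """Claim 3: login count of each IP per period, periods kept in time order."""
    seqs = {}
    for ts, ip in events:
        idx = int((ts - start) / period)
        if 0 <= idx < num_periods:
            seqs.setdefault(ip, [0] * num_periods)[idx] += 1
    return seqs


def score_mode(score):
    """Claim 4: the two-significant-digit value the score is reduced to (assumed reading)."""
    return format(score, ".2g")


def binarize(seq, threshold):
    """Claim 5: mark 1 where the period's frequency exceeds the threshold, else 0."""
    return [1 if f > threshold else 0 for f in seq]


def cohen_kappa(a, b):
    """Cohen's kappa between two binary mark sequences of equal length."""
    n = len(a)
    p_o = sum(x == y for x, y in zip(a, b)) / n
    p_e = sum((a.count(v) / n) * (b.count(v) / n) for v in (0, 1))
    if p_e == 1.0:  # both sequences constant and identical: treat as full agreement
        return 1.0
    return (p_o - p_e) / (1 - p_e)


def find_abnormal_groups(seqs, scores, freq_threshold, kappa_threshold):
    """Claim 1: group IPs by score mode, compare their marks, report co-varying groups."""
    groups = defaultdict(list)
    for ip, score in scores.items():
        groups[score_mode(score)].append(ip)
    abnormal = {}
    for mode, ips in groups.items():
        marks = {ip: binarize(seqs[ip], freq_threshold) for ip in ips if ip in seqs}
        if len(marks) < 2:
            continue  # a kappa coefficient needs at least two members
        kappas = [cohen_kappa(marks[x], marks[y]) for x, y in combinations(sorted(marks), 2)]
        kappa = sum(kappas) / len(kappas)  # assumption: group kappa = mean pairwise kappa
        if kappa > kappa_threshold:
            abnormal[mode] = (sorted(marks), kappa)
    return abnormal


def run_example():
    events = parse_logs(SAMPLE_LOGS, INTERNAL_SEGMENTS)
    seqs = frequency_sequences(events, datetime(2019, 11, 29), timedelta(hours=1), 6)
    return seqs, find_abnormal_groups(seqs, SAMPLE_SCORES, freq_threshold=2, kappa_threshold=0.6)


if __name__ == "__main__":
    seqs, abnormal = run_example()
    for ip, seq in seqs.items():
        print(ip, seq, binarize(seq, 2))
    print("abnormal groups:", abnormal)
```

In the constructed sample the three 203.0.113.x addresses share the score bucket 0.81 and burst in the same hours, so their marks agree perfectly and the group is reported; the two 198.51.100.2x addresses share bucket 0.79 but burst in different hours, so their kappa stays below the threshold and they are not grouped, which is the distinction the kappa step is there to make.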

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911200324.9A CN110933080B (en) 2019-11-29 2019-11-29 IP group identification method and device for user login abnormity


Publications (2)

Publication Number Publication Date
CN110933080A CN110933080A (en) 2020-03-27
CN110933080B true CN110933080B (en) 2021-10-26

Family

ID=69847903


Country Status (1)

Country Link
CN (1) CN110933080B (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant