CN111079138A - Abnormal access detection method and device, electronic equipment and readable storage medium - Google Patents

Abnormal access detection method and device, electronic equipment and readable storage medium

Info

Publication number
CN111079138A
Authority
CN
China
Prior art keywords
access
target
session
page
target user
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201911321735.3A
Other languages
Chinese (zh)
Inventor
宋鹏举
王奇飞
陈国�
李建彬
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Topsec Technology Co Ltd
Beijing Topsec Network Security Technology Co Ltd
Beijing Topsec Software Co Ltd
Original Assignee
Beijing Topsec Technology Co Ltd
Beijing Topsec Network Security Technology Co Ltd
Beijing Topsec Software Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Topsec Technology Co Ltd, Beijing Topsec Network Security Technology Co Ltd, Beijing Topsec Software Co Ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures

Abstract

The application provides an abnormal access detection method, an abnormal access detection device, electronic equipment and a readable storage medium, and relates to the technical field of network security. The method comprises the following steps: acquiring an access path of a target user for accessing a target website in a plurality of session processes, wherein the access path comprises page identifiers of all pages in the target website accessed by the target user in the plurality of session processes; and determining a target page abnormally accessed by the target user based on the access path. According to the scheme, the target page abnormally accessed by the target user is analyzed based on the access path of the user accessing the target website, manual detection is not needed, and the speed of access detection of abnormal behaviors can be effectively increased.

Description

Abnormal access detection method and device, electronic equipment and readable storage medium
Technical Field
The present application relates to the field of network security technologies, and in particular, to an abnormal access detection method, an abnormal access detection device, an electronic device, and a readable storage medium.
Background
The rapid development of the internet brings great convenience to people's lives but also brings new network security challenges: websites inevitably suffer malicious intrusions or attacks, which threaten people's property and information security.
In the prior art, most website attack analysis relies on manually analyzing the website's log information to find abnormal behaviors; this approach involves a large workload and is slow.
Disclosure of Invention
An object of the embodiments of the present application is to provide an abnormal access detection method, an abnormal access detection device, an electronic device, and a readable storage medium, so as to solve the problems that in the prior art, an abnormal behavior is found by manually analyzing log information, and thus the workload is large and the speed is slow.
In a first aspect, an embodiment of the present application provides an abnormal access detection method, where the method includes: acquiring an access path of a target user for accessing a target website in a plurality of session processes, wherein the access path comprises page identifiers of all pages in the target website accessed by the target user in the plurality of session processes; and determining a target page abnormally accessed by the target user based on the access path.
In the implementation process, the target page abnormally accessed by the target user is analyzed based on the access path of the user accessing the target website, manual detection is not needed, and the speed of access detection of abnormal behaviors can be effectively increased.
Optionally, the determining, based on the access path, a target page that is abnormally accessed by the target user further includes:
acquiring the weight corresponding to the edge connected by two adjacent pages in the access path;
and determining a target page abnormally accessed by the target user based on the weight.
In the implementation process, the page accessed abnormally can be determined more directly and quickly based on the weight of the edge of the two adjacent pages.
Optionally, the determining, based on the weight, a target page that the target user abnormally accesses includes:
determining a target weight of which the weight is greater than a preset value;
and determining two pages connected by the edges corresponding to the target weight as target pages abnormally accessed by the target user.
Optionally, the obtaining an access path of the target user accessing the target website in multiple session processes includes:
acquiring access data of the target user for accessing the target website;
carrying out session splitting based on the access data to obtain the access data of each session;
and generating access paths corresponding to the plurality of sessions based on the access data of each session.
In the implementation process, access paths of a plurality of sessions are generated based on the access data of each session, so that all access behaviors of the user to the target website are analyzed.
Optionally, the generating access paths corresponding to the multiple sessions based on the access data of each session includes:
generating a target access path corresponding to each session based on the access data of each session;
and merging the target access paths to obtain access paths corresponding to the sessions.
In the implementation process, the target access path of each session is generated based on each session data, and then the target access paths are combined to obtain the access paths of a plurality of sessions, so that the analysis of the overall access behavior of the user can be facilitated.
Optionally, the merging the multiple target access paths to obtain access paths corresponding to the multiple sessions includes:
and combining edges connected with the same two pages in the target access paths to obtain access paths corresponding to the multiple sessions.
Optionally, the performing session splitting based on the access data to obtain the access data of each session includes:
acquiring each session identifier in the access data;
and carrying out session splitting on the access data based on the session identifications to obtain the access data of each session.
In the implementation process, session splitting is performed on the access data based on the session identification, so that the access data of each session can be obtained quickly.
Optionally, the obtaining access data of the target user to access the target website includes:
acquiring all access data of the target website;
determining an account identifier of the target user;
and acquiring the access data of the target user accessing the target website from all the access data based on the account identification.
In the implementation process, the access data of the target user is screened out from all the access data based on the account identifier, so that the access data of each user can be distinguished and the target user's access behavior can be analyzed for anomalies.
Optionally, the page identifier is a uniform resource locator URL, the access data includes a page identifier of the access page, and the access data further includes at least one of a session identifier, an access occurrence time, a parameter when the page is accessed, and a data traffic when the page is accessed.
Optionally, after determining the target page abnormally accessed by the target user based on the access path, the method further includes:
and outputting the alarm information aiming at the target page.
Optionally, after determining the target page abnormally accessed by the target user based on the access path, the method further includes:
and if a new user accesses the target page, outputting alarm information.
In the implementation process, the output alarm information can alarm the abnormal access of the user, so that a network administrator can know the abnormal access in time and take measures in time to protect the safety of the network information.
In a second aspect, an embodiment of the present application provides an abnormal access detection apparatus, where the apparatus includes:
an access path acquisition module, configured to acquire an access path of a target user accessing a target website in a plurality of session processes, wherein the access path comprises page identifiers of all pages in the target website accessed by the target user in the plurality of session processes;
and the abnormal access detection module is used for determining a target page which is abnormally accessed by the target user based on the access path.
Optionally, the access path further includes weights corresponding to edges connected to two adjacent pages, and the abnormal access detection module is configured to obtain the weights corresponding to the edges connected to two adjacent pages in the access path; and determining a target page abnormally accessed by the target user based on the weight.
Optionally, the abnormal access detection module is further configured to determine a target weight of which the weight is greater than a preset value; and determining two pages connected by the edges corresponding to the target weight as target pages abnormally accessed by the target user.
Optionally, the access path obtaining module is configured to obtain access data of the target user accessing the target website; carrying out session splitting based on the access data to obtain the access data of each session; and generating access paths corresponding to the plurality of sessions based on the access data of each session.
Optionally, the access path obtaining module is configured to generate a target access path corresponding to each session based on the access data of each session; and merging the target access paths to obtain access paths corresponding to the sessions.
Optionally, the access path obtaining module is configured to merge edges of two same pages in the multiple target access paths to obtain access paths corresponding to the multiple sessions.
Optionally, the access path obtaining module is configured to obtain each session identifier in the access data; and carrying out session splitting on the access data based on the session identifications to obtain the access data of each session.
Optionally, the access path obtaining module is configured to obtain all access data of the target website; determining an account identifier of the target user; and acquiring the access data of the target user accessing the target website from all the access data based on the account identification.
Optionally, the page identifier is a uniform resource locator URL, the access data includes a page identifier of the access page, and the access data further includes at least one of a session identifier, an access occurrence time, a parameter when the page is accessed, and a data traffic when the page is accessed.
Optionally, the apparatus further comprises:
and the warning module is used for outputting warning information aiming at the target page.
Optionally, the apparatus further comprises:
and the alarm information output module is used for outputting alarm information if a new user accesses the target page.
In a third aspect, an embodiment of the present application provides an electronic device, including a processor and a memory, where the memory stores computer-readable instructions, and when the computer-readable instructions are executed by the processor, the steps in the method as provided in the first aspect are executed.
In a fourth aspect, embodiments of the present application provide a readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, performs the steps in the method as provided in the first aspect.
Additional features and advantages of the present application will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by the practice of the embodiments of the present application. The objectives and other advantages of the application may be realized and attained by the structure particularly pointed out in the written description and claims hereof as well as the appended drawings.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are required to be used in the embodiments of the present application will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present application and therefore should not be considered as limiting the scope, and that those skilled in the art can also obtain other related drawings based on the drawings without inventive efforts.
Fig. 1 is a schematic structural diagram of an electronic device according to an embodiment of the present disclosure;
Fig. 2 is a flowchart of an abnormal access detection method according to an embodiment of the present application;
Fig. 3 is a schematic diagram of an access path provided in an embodiment of the present application;
Fig. 4 is a schematic diagram of access path merging provided in an embodiment of the present application;
Fig. 5 is a schematic diagram of weights of edges in an access path according to an embodiment of the present disclosure;
Fig. 6 is a block diagram of an abnormal access detection apparatus according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application.
The embodiment of the application provides an abnormal access detection method, which determines the target page abnormally accessed by a target user by analyzing the access path of the user's access to the target website. It requires no manual detection, is simple and convenient, and can effectively improve the speed of detecting abnormal access behavior.
Referring to fig. 1, fig. 1 is a schematic structural diagram of an electronic device according to an embodiment of the present disclosure, where the electronic device may include: at least one processor 110, such as a CPU, at least one communication interface 120, at least one memory 130, and at least one communication bus 140. The communication bus 140 is used for realizing direct connection communication of these components. The communication interface 120 of the device in the embodiment of the present application is used for performing signaling or data communication with other node devices. The memory 130 may be a high-speed RAM memory or a non-volatile memory (e.g., at least one disk memory). Memory 130 may optionally be at least one memory device located remotely from the aforementioned processor. The memory 130 stores computer readable instructions, and when the computer readable instructions are executed by the processor 110, the electronic device performs the method process shown in fig. 2 below. For example, the electronic device may be a server, which may communicate with a client through the communication bus 140; the memory 130 may be used to store the access path of a user to a website, and the processor 110 may obtain the access path from the memory 130 when determining an abnormally accessed page and then analyze the access path to identify the abnormally accessed page.
It will be appreciated that the configuration shown in fig. 1 is merely illustrative and that the electronic device may also include more or fewer components than shown in fig. 1 or have a different configuration than shown in fig. 1. The components shown in fig. 1 may be implemented in hardware, software, or a combination thereof.
Referring to fig. 2, fig. 2 is a flowchart of an abnormal access detection method according to an embodiment of the present application, where the method includes the following steps:
Step S110: obtaining an access path of a target user accessing a target website in a plurality of session processes, wherein the access path comprises page identifiers of all pages of the target website accessed by the target user in the plurality of session processes.
A session refers to a series of requests and responses that occur continuously between a client and a web server. It may be simply understood as follows: a user opens a browser, clicks a website in the browser, accesses different pages in the website, and quits the website; this whole process is called a session. That is, accesses to the website by the user through different browsers are different sessions.
If the target user accesses the target website multiple times in different time periods, multiple sessions are generated. For example, if the target user opens the target website for the first time, browses three pages, and then closes the target website, that is the first session; if the target user opens the target website a second time, browses four pages, and then closes it, that is the second session. In each session, access information of the target user browsing pages of the target website is generated, and based on the access information, an access path over the pages may be generated, where the access path includes a page identifier of each page. For example, the access path may be represented as the page access path shown in fig. 3, which is the access path of the target user accessing the target website in multiple session processes.
The target user in the embodiment of the present application may refer to any user among all users who access the target website, or may refer to a specific user who accesses the target website, and the target website may refer to any website in the browser, or may refer to a specific website in the browser. In the embodiment of the application, in order to analyze the abnormal behavior of each user in accessing each website, the target user may refer to any user, and the target website may also refer to any website.
Step S120: determining a target page abnormally accessed by the target user based on the access path.
The access path represents the target user's access process over the pages of the target website, so the access behavior of the target user can be analyzed by analyzing the access path. If, after visiting a certain page, the target user goes on to browse another page that has no logical relation to it, for example browsing page 6 after browsing page 2, this may indicate that the target user has abnormal access behavior on page 2 and page 6. The abnormally visited pages can thus be found, so that a website administrator can learn in time that the pages may be under attack by a hacker and can take timely measures to intercept the abnormal access, such as promptly determining the attack source and finding the client that initiated the attack, thereby protecting network security.
In the implementation process, the target page abnormally accessed by the target user is analyzed based on the access path of the user accessing the target website, manual detection is not needed, and the speed of access detection of abnormal behaviors can be effectively increased.
As an implementation manner, in order to obtain an access path for a target user to access a target website in a process of multiple sessions, access data for the target user to access the target website may be obtained first, session splitting is performed based on the access data, access data for each session is obtained, and access paths corresponding to multiple sessions are generated based on the access data for each session.
The access data can be obtained from a log file of the target website, for example, a log acquisition tool can be used for acquiring the log file of the target website, and then the access data of the target website is screened out from the log file.
Because the log files of the target website are likely to be more, in order to reduce the analysis amount, the log files of the target website in a preset time period, such as the log files of the target website in a week, can be collected.
The log file includes access data of each user to the target website. The access data includes a page identifier, which may be a Uniform Resource Locator (URL), and the access data may further include at least one of a page identifier of the access page, an access occurrence time, a parameter when the page is accessed, and a data traffic when the page is accessed. The access parameters (i.e., the parameters when accessing the page) of each page in the target website include, for example, an Internet Protocol (IP) address, a jump link relationship, a user agent, a site domain name, a request method, and the like.
Since the obtained access data to the target website are all the access data of the target website, in order to obtain the access data of the target user accessing the target website, the access data of the target user can be screened from all the access data, for example, an account identifier of the target user is determined first, and then the access data of the target user accessing the target website is obtained from all the access data based on the account identifier.
The account identifier of the target user may refer to an identifier of a client when the target user accesses the target website through the client, or account information of the target user logging in the target website, or related user personal information, and the like.
In the implementation process, the access data of the target user is screened out from all the access data based on the account identifier, so that the access data of each user can be distinguished and the target user's access behavior can be analyzed for anomalies.
After obtaining the access data of the target user accessing the target website, since the access data is generated by the target user in a plurality of sessions, in order to obtain the access data of each session, session splitting may be performed on the access data to obtain the access data of each session.
It can be understood that, when a target user browses a web page at a client, the client sends access data to a server according to a web page access address of the target user, the access data may further include a session identifier of the target user, the session identifier is used to uniquely identify a network session of the target user initiated by the client, and the network session may include multiple network requests.
The client does not carry the session identifier when initiating the first network request of the network session to the server, the server generates the session identifier after receiving the first network access request, and carries the generated session identifier when returning response data to the client, the session identifier is used for uniquely identifying the network session and can be carried when carrying out the next network access request, and the server can judge whether the session is the same session by using the session identifier.
It can be understood that, generally, cookie and session technologies are used to track the whole session of the user, and in the process of communication between the client and the server, the server may create a session object for the session, and one browser corresponds to one session object. The server generates a unique session ID for the session object and returns the unique session ID to the cookie of the client, the session ID is a session identifier and corresponds to the session object created by the server, the client sends a request to the server each time and carries the session ID, the server finds the corresponding session object for use through the session ID, and the server can judge whether the session object is the same session through the session ID.
Therefore, each session corresponds to one session identifier, when the access data is access data of multiple sessions, each session identifier in the access data can be acquired, and then session splitting is performed on the access data based on each session identifier to acquire the access data of each session.
That is to say, when storing the access data of the user, the server stores the session identifier and the access data of the session in an associated manner, so that each session identifier can be obtained from the access data, and the session splitting can be performed on the access data based on each session identifier, thereby obtaining the access data corresponding to each session.
In the implementation process, session splitting is performed on the access data based on the session identification, so that the access data of each session can be obtained quickly.
In order to analyze all the access behaviors of the user to the target website from the whole, a target access path corresponding to each session can be generated based on the access data of each session, and then the multiple target access paths are combined to obtain access paths corresponding to multiple sessions.
For example, suppose the target user's access to the target website includes 3 sessions, with the access path of each session as shown in fig. 4: the access path of the first session is page 1 -> page 3 -> page 4, the access path of the second session is page 3 -> page 4 -> page 5, and the access path of the third session is page 1 -> page 2 -> page 4. When the three access paths are merged, edges connecting the same two pages in the multiple target access paths may be merged to obtain the access path corresponding to the multiple sessions. Since page 3 -> page 4 in the first session and page 3 -> page 4 in the second session are the same edge, the two sub-paths can be merged into one, as shown by the merged access path in fig. 4.
In the implementation process, the target access path of each session is generated based on each session data, and then the target access paths are combined to obtain the access paths of a plurality of sessions, so that the analysis of the overall access behavior of the user can be facilitated.
In the process of merging the access paths, because the same sub-paths occur in different sessions, in order to reflect the overall access behavior of the user, corresponding weights may be set for edges of two adjacent pages in the merged access path, that is, the access path further includes a weight corresponding to an edge connected between the two adjacent pages.
For example, the weight of the edge connecting two adjacent pages may be determined according to the relationship between the two adjacent pages, and if page 3 and page 4 are two pages with no logic association, the corresponding weight may be set to be larger, which indicates that there may be abnormal access behavior when the target user accesses page 4 after accessing page 3. The weight can be a value between 0 and 1, and the higher the weight is, the lower the relevance of two adjacent pages is, and the higher the possibility that the user has abnormal access behaviors is.
In addition, the weight of an edge may also be the number of times the edge appears in the multiple target access paths. For example, in fig. 4, page 3 -> page 4 appears in both the first session and the second session, so its weight may be 2, and the edge page 3 -> page 4 may be labeled with weight 2 in the access path. After the weight of each edge is obtained in this way, abnormal behavior in which the user frequently accesses a page can be found.
Therefore, the weight of the edge can be set according to actual requirements, when a target page abnormally accessed by a target user is determined, the weight corresponding to the edge connected with two adjacent pages in the access path can be obtained first, then the target weight with the weight larger than a preset value is determined, and the two pages connected with the edge corresponding to the target weight are determined as the target page abnormally accessed by the target user.
The preset value may be set according to actual requirements. If the weight of the edge is the number of times that the edge appears in multiple sessions, the preset value may be determined based on the number of sessions: if the number of sessions is large, the preset value may be set relatively large, and if the number of sessions is small, the preset value may be set relatively small. If the weight of the edge is determined based on the relevance of two adjacent pages, the preset value may be set to 0.5. For example, if the weight of each edge in fig. 5 is the number of times that the edge appears in multiple sessions and the preset value is set to 5, the target weights greater than 5 are 6 and 7, and the edges corresponding to the target weights 6 and 7 are page 3 -> page 4 and page 1 -> page 2 respectively; in this case, these four pages are determined to be the target pages that the target user abnormally accesses.
It can be understood that, when determining the target page, the page identifier of the target page may be obtained from the access path, and the target page accessed abnormally may be determined based on the page identifier.
Therefore, according to the above manner, each user who accesses the target website can obtain the corresponding access path, and then the target page which is accessed abnormally can be determined based on the access path.
When there are access paths of multiple users, the multiple access paths may also be comprehensively analyzed to determine a target page with abnormal access, for example, weights of edges corresponding to two pages having the same adjacency may be added to obtain a weight sum value, and when the weight sum value is greater than a specified value, the two pages are determined as the target page with abnormal access.
In the implementation process, the page accessed abnormally can be determined more directly and quickly based on the weight of the edge of the two adjacent pages.
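The following Python sketch is an added example, not code from the patent: it runs the described steps (filter by account identifier, split by session identifier, build per-session paths, merge identical edges with an occurrence-count weight, compare against a preset value, then sum weights across users) over constructed records that reproduce the three sessions of fig. 4. The record layout, function names, account names and preset values are assumptions made for illustration.

```python
from collections import Counter, defaultdict

# Constructed sample records: (account_id, session_id, timestamp, url).
# Alice's three sessions reproduce the fig. 4 example; the layout is an assumption.
ACCESS_LOG = [
    ("alice", "s1", 100, "/page1"),
    ("alice", "s1", 101, "/page3"),
    ("bob",   "s9", 101, "/page3"),
    ("alice", "s1", 102, "/page4"),
    ("bob",   "s9", 102, "/page4"),
    ("alice", "s2", 201, "/page4"),   # deliberately logged out of order
    ("alice", "s2", 200, "/page3"),
    ("alice", "s2", 202, "/page5"),
    ("alice", "s3", 300, "/page1"),
    ("alice", "s3", 301, "/page2"),
    ("alice", "s3", 302, "/page4"),
]


def records_for_account(records, account_id):
    """Screen the target user's access data out of all access data."""
    return [r for r in records if r[0] == account_id]


def split_sessions(records):
    """Group records by session identifier; return ordered URL path per session."""
    by_session = defaultdict(list)
    for _account, session_id, ts, url in records:
        by_session[session_id].append((ts, url))
    # Sort by access time so the path reflects the real page order.
    return {sid: [url for _ts, url in sorted(hits)]
            for sid, hits in by_session.items()}


def merge_paths(session_paths):
    """Merge per-session paths: identical edges collapse into one weighted edge.

    The weight used here is the number of times the edge appears across the
    per-session paths (one of the two weightings the text describes).
    """
    weights = Counter()
    for path in session_paths.values():
        weights.update(zip(path, path[1:]))  # adjacent page pairs = edges
    return weights


def user_edge_weights(records, account_id):
    """Full pipeline for one user: filter, split sessions, merge edges."""
    return merge_paths(split_sessions(records_for_account(records, account_id)))


def flag_abnormal(weights, preset_value):
    """Return edges whose weight exceeds the preset value, and their pages."""
    edges = sorted(e for e, w in weights.items() if w > preset_value)
    pages = sorted({page for edge in edges for page in edge})
    return edges, pages


def combined_weights(records):
    """Sum the weights of the same edge across every user's access path."""
    total = Counter()
    for account_id in {r[0] for r in records}:
        total.update(user_edge_weights(records, account_id))
    return total


if __name__ == "__main__":
    alice = user_edge_weights(ACCESS_LOG, "alice")
    print("alice edge weights:", dict(alice))
    print("alice, preset 1:", flag_abnormal(alice, 1))
    print("all users, specified value 2:",
          flag_abnormal(combined_weights(ACCESS_LOG), 2))
```

With a count-based weight the preset value has to scale with the number of sessions analyzed, as the text notes; a fixed value tuned on one week of logs will over- or under-alert on a different window.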
In addition, in order to raise an alarm for the abnormal access of the user, alarm information for the target page can be output after the target page of the abnormal access is determined. For example, alarm information indicating that the target page has abnormal access can be sent to a network administrator to prompt the administrator to pay attention to the page, so that the administrator learns of the abnormal access in time and can take timely measures to protect network information security.
When a new user accesses the target page, alarm information is also output to indicate that the new user may launch a new attack on the target page. The network administrator can verify the identity of the new user: if the new user is verified to be a legal user, the server is informed to allow the new user to access the target page; if the new user is verified to be an illegal user, the server is informed to prevent the new user from accessing the target page, so that network information security is protected.
Referring to fig. 6, fig. 6 is a block diagram of an abnormal access detection apparatus 200 according to an embodiment of the present disclosure, where the apparatus 200 may be a module, a program segment, or a code on an electronic device. It should be understood that the apparatus 200 corresponds to the above-mentioned embodiment of the method of fig. 2, and can perform various steps related to the embodiment of the method of fig. 2, and the specific functions of the apparatus 200 can be referred to the above description, and the detailed description is appropriately omitted here to avoid redundancy.
Optionally, the apparatus 200 comprises:
an access path obtaining module 210, configured to obtain an access path for a target user to access a target website in multiple session processes, where the access path includes a page identifier of each page in the target website accessed by the target user in the multiple session processes;
and the abnormal access detection module 220 is configured to determine a target page abnormally accessed by the target user based on the access path.
Optionally, the access path further includes a weight corresponding to an edge connecting two adjacent pages, and the abnormal access detection module 220 is configured to obtain the weight corresponding to the edge connecting two adjacent pages in the access path, and to determine a target page abnormally accessed by the target user based on the weight.
Optionally, the abnormal access detection module 220 is further configured to determine a target weight, that is, a weight greater than a preset value, and to determine the two pages connected by the edge corresponding to the target weight as target pages abnormally accessed by the target user.
Optionally, the access path obtaining module 210 is configured to obtain access data of the target user accessing the target website; to carry out session splitting based on the access data to obtain the access data of each session; and to generate access paths corresponding to the plurality of sessions based on the access data of each session.
Optionally, the access path obtaining module 210 is configured to generate a target access path corresponding to each session based on the access data of each session, and to merge the target access paths to obtain the access paths corresponding to the sessions.
Optionally, the access path obtaining module 210 is configured to merge the edges that connect the same two pages in the multiple target access paths to obtain the access paths corresponding to the multiple sessions.
Optionally, the access path obtaining module 210 is configured to obtain each session identifier in the access data, and to carry out session splitting on the access data based on the session identifiers to obtain the access data of each session.
Optionally, the access path obtaining module 210 is configured to obtain all access data of the target website; to determine an account identifier of the target user; and to acquire, from all the access data and based on the account identifier, the access data of the target user accessing the target website.
Optionally, the page identifier is a uniform resource locator URL, the access data includes a page identifier of the accessed page, and the access data further includes at least one of a session identifier, an access occurrence time, a parameter when accessing the page, and a data traffic when accessing the page.
Optionally, the apparatus 200 further comprises:
a warning module, configured to output alarm information for the target page.
Optionally, the apparatus 200 further comprises:
an alarm information output module, configured to output alarm information if a new user accesses the target page.
The embodiment of the present application provides a readable storage medium on which a computer program is stored; when executed by a processor, the computer program performs the method process performed by the electronic device in the method embodiment shown in fig. 2.
The present embodiments disclose a computer program product comprising a computer program stored on a non-transitory computer readable storage medium, the computer program comprising program instructions which, when executed by a computer, enable the computer to perform the methods provided by the above-described method embodiments, for example, comprising: acquiring an access path of a target user for accessing a target website in a plurality of session processes, wherein the access path comprises page identifiers of all pages in the target website accessed by the target user in the plurality of session processes; and determining a target page abnormally accessed by the target user based on the access path.
In summary, the embodiments of the present application provide an abnormal access detection method, an abnormal access detection device, an electronic device, and a readable storage medium, in which a target page that a target user abnormally accesses is determined by analyzing the access path through which the user accesses a target website. Manual detection is not needed, so the speed of detecting abnormal access behavior can be effectively increased.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other ways. The above-described embodiments of the apparatus are merely illustrative, and for example, the division of the units is only one logical division, and there may be other divisions when actually implemented, and for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection of devices or units through some communication interfaces, and may be in an electrical, mechanical or other form.
In addition, units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
Furthermore, the functional modules in the embodiments of the present application may be integrated together to form an independent part, or each module may exist separately, or two or more modules may be integrated to form an independent part.
In this document, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions.
The above description is only an example of the present application and is not intended to limit the scope of the present application, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present application shall be included in the protection scope of the present application.

Claims (14)

1. An abnormal access detection method, characterized in that the method comprises:
acquiring an access path of a target user for accessing a target website in a plurality of session processes, wherein the access path comprises page identifiers of all pages in the target website accessed by the target user in the plurality of session processes;
and determining a target page abnormally accessed by the target user based on the access path.
2. The method of claim 1, wherein the access path further includes a weight corresponding to an edge connecting two adjacent pages, and wherein the determining the target page abnormally accessed by the target user based on the access path comprises:
acquiring the weight corresponding to the edge connected by two adjacent pages in the access path;
and determining a target page abnormally accessed by the target user based on the weight.
3. The method of claim 2, wherein the determining a target page that the target user abnormally visits based on the weight comprises:
determining a target weight of which the weight is greater than a preset value;
and determining two pages connected by the edges corresponding to the target weight as target pages abnormally accessed by the target user.
4. The method of claim 1, wherein the obtaining the access path of the target user to the target website in the process of multiple sessions comprises:
acquiring access data of the target user for accessing the target website;
carrying out session splitting based on the access data to obtain the access data of each session;
and generating access paths corresponding to a plurality of sessions based on the access data of each session.
5. The method of claim 4, wherein generating access paths corresponding to a plurality of sessions based on the access data of each session comprises:
generating a target access path corresponding to each session based on the access data of each session;
and merging the target access paths to obtain access paths corresponding to the sessions.
6. The method according to claim 5, wherein the merging the plurality of target access paths to obtain access paths corresponding to the plurality of sessions comprises:
and combining edges connected with the same two pages in the target access paths to obtain access paths corresponding to the multiple sessions.
7. The method of claim 4, wherein the performing session splitting based on the access data to obtain access data for each session comprises:
acquiring each session identifier in the access data;
and carrying out session splitting on the access data based on the session identifications to obtain the access data of each session.
8. The method of claim 4, wherein the obtaining access data of the target user to access the target website comprises:
acquiring all access data of the target website;
determining an account identifier of the target user;
and acquiring the access data of the target user accessing the target website from all the access data based on the account identification.
9. The method of claim 4, wherein the page identifier is a Uniform Resource Locator (URL), wherein the access data comprises a page identifier of the accessed page, and wherein the access data further comprises at least one of a session identifier, an occurrence time of the access, a parameter when the page is accessed, and a data traffic when the page is accessed.
10. The method according to any one of claims 1-9, wherein after determining the target page abnormally accessed by the target user based on the access path, further comprising:
and outputting the alarm information aiming at the target page.
11. The method according to any one of claims 1-9, wherein after determining the target page abnormally accessed by the target user based on the access path, further comprising:
and if a new target user accesses the target page, outputting alarm information.
12. An abnormal access detection apparatus, characterized in that the apparatus comprises:
an access path acquisition module, configured to acquire an access path of a target user accessing a target website in a plurality of session processes, wherein the access path comprises page identifiers of all pages in the target website accessed by the target user in the plurality of session processes;
and the abnormal access detection module is used for determining a target page which is abnormally accessed by the target user based on the access path.
13. An electronic device comprising a processor and a memory, the memory storing computer readable instructions that, when executed by the processor, perform the method of any of claims 1-11.
14. A readable storage medium, on which a computer program is stored which, when being executed by a processor, carries out the method according to any one of claims 1-11.
CN201911321735.3A 2019-12-19 2019-12-19 Abnormal access detection method and device, electronic equipment and readable storage medium Pending CN111079138A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911321735.3A CN111079138A (en) 2019-12-19 2019-12-19 Abnormal access detection method and device, electronic equipment and readable storage medium

Publications (1)

Publication Number Publication Date
CN111079138A true CN111079138A (en) 2020-04-28

Family

ID=70315988

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201911321735.3A Pending CN111079138A (en) 2019-12-19 2019-12-19 Abnormal access detection method and device, electronic equipment and readable storage medium

Country Status (1)

Country Link
CN (1) CN111079138A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20200428