CN111177513A - Method and device for determining abnormal access address, electronic equipment and storage medium - Google Patents

Method and device for determining abnormal access address, electronic equipment and storage medium Download PDF

Info

Publication number
CN111177513A
CN111177513A CN201911417519.9A CN201911417519A CN111177513A CN 111177513 A CN111177513 A CN 111177513A CN 201911417519 A CN201911417519 A CN 201911417519A CN 111177513 A CN111177513 A CN 111177513A
Authority
CN
China
Prior art keywords
address
access
access information
target
preset
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201911417519.9A
Other languages
Chinese (zh)
Other versions
CN111177513B (en
Inventor
胡滨
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Baidu Netcom Science and Technology Co Ltd
Original Assignee
Beijing Baidu Netcom Science and Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Baidu Netcom Science and Technology Co Ltd filed Critical Beijing Baidu Netcom Science and Technology Co Ltd
Priority to CN201911417519.9A priority Critical patent/CN111177513B/en
Publication of CN111177513A publication Critical patent/CN111177513A/en
Application granted granted Critical
Publication of CN111177513B publication Critical patent/CN111177513B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/90Details of database functions independent of the retrieved data types
    • G06F16/95Retrieval from the web
    • G06F16/951Indexing; Web crawling techniques
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/10Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/10Protocols in which an application is distributed across nodes in the network
    • H04L67/1001Protocols in which an application is distributed across nodes in the network for accessing one among a plurality of replicated servers
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • H04L63/1483Countermeasures against malicious traffic service impersonation, e.g. phishing, pharming or web spoofing

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • Databases & Information Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Data Mining & Analysis (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computer And Data Communications (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The method, the device, the electronic equipment and the storage medium for determining the abnormal access address provided by the present disclosure include: randomly sending the received access information to any equipment in the server cluster; determining a preset sampling number of target devices in a server cluster, and acquiring target access information corresponding to a specified address from the target devices; and determining whether the specified address is an abnormal access address according to the acquired target access information. According to the method, the device, the electronic equipment and the storage medium, the access information of the user terminal can be randomly distributed to any equipment of the server cluster, and the problem that the load pressure of single equipment is overlarge can be solved. In addition, the target access information corresponding to a specified address is sampled from the server cluster, and then the target access information is identified, so that the problem that the data volume of the access information which needs to be processed is overlarge when the specified address is identified to be an abnormal access address can be solved.

Description

Method and device for determining abnormal access address, electronic equipment and storage medium
Technical Field
The scheme relates to a computer technology, in particular to an abnormal access identification technology.
Background
At present, in the network access process, there are situations of abnormal access, such as situations where some terminals crawl website data by frequently accessing websites, situations where some terminals obtain website rewards by frequently accessing websites, and situations where servers are paralyzed due to multiple accesses to the same service.
In the prior art, the access frequency of the same address is counted, so as to determine whether the address is an abnormal access address.
However, in this scheme, all access requests corresponding to a large number of addresses need to be counted, and the amount of data to be processed is large. In addition, according to the scheme, access data of the same address needs to be synchronized into the same device, whether an address is abnormal or not is determined through the device, and if the address is an abnormally accessed address, the mode easily causes the problem that a single device is overloaded, and further services provided by the device are unavailable.
Disclosure of Invention
The disclosure provides a method and a device for determining an abnormal access address, electronic equipment and a storage medium, which are used for solving the problem that the data processing amount is too large when the abnormal access address is identified in the prior art.
The first aspect of the present disclosure provides a method for determining an abnormal access address, including:
randomly sending the received access information to any equipment in the server cluster;
determining a preset sampling number of target devices in the server cluster, and acquiring target access information corresponding to a specified address from the target devices;
and determining whether the specified address is an abnormal access address according to the acquired target access information.
In an optional embodiment, the access information comprises a terminal address;
the acquiring target access information corresponding to a specified address from the target device includes:
and reading the access information in the target equipment, and determining target access information matched with the specified address according to the terminal address included in the access information.
In this embodiment, the target access address matching the designated address can be sampled from the server cluster, so that when determining whether the designated address is an abnormal access address, the identification can be performed based on the sampled data without processing all the access information corresponding to the designated address, thereby reducing the data processing amount.
In an optional embodiment, the method further comprises:
and determining the preset sampling number according to a preset proportion and the total number of the devices in the server cluster.
In the embodiment, by setting the proportion, the sampling number can still be determined based on the number of devices in the server cluster under the condition of server cluster capacity expansion, and the problem of inaccurate determination of the abnormal access address caused by unreasonable sampling number is avoided.
In an optional embodiment, the method further comprises:
and determining whether a preset access peak rule is met or not according to the access information, and if so, reducing the preset sampling number based on a first preset rule.
In the peak access period, the amount of access information is large, and in this embodiment, the overall operation speed can be increased by appropriately reducing the number of the predetermined samples.
In an alternative embodiment, the access information includes an access time;
the determining whether the designated address is an abnormal access address according to the acquired target access information includes:
determining the access frequency corresponding to the designated address within a preset time length according to the access time in the target access information;
and determining whether the specified address is an abnormal access address according to the access frequency.
In this embodiment, the access frequency of the designated address can be determined according to the sampled target access information, and then the access condition of the designated address can be determined based on a small amount of data, so as to determine whether the designated address is an abnormal access address.
In an optional implementation manner, the determining whether the designated address is an abnormal access address according to the access frequency includes:
determining whether a preset original assumption is established or not according to the access frequency and the quantity of the target access information;
and determining whether the specified address is an abnormal access address according to the determination result and the original hypothesis.
In an optional implementation manner, the determining whether a preset original assumption holds according to the access frequency and the number of the target access information includes:
determining a probability value according to the access frequency and the quantity of the target access information;
and determining whether the preset original hypothesis is established or not according to the probability value and a preset significance level.
In an optional implementation manner, the determining, according to the determination result and the original hypothesis, whether the designated address is an abnormal access address includes:
when the preset original hypothesis is that the access frequency is greater than or equal to a frequency threshold value, if the determination result is that the original hypothesis is true, determining that the designated address is an abnormal access address;
or,
and when the preset original hypothesis is that the access frequency is less than or equal to a frequency threshold value, if the determination result is that the original hypothesis is true, determining that the specified address is not an abnormal access address.
In the above embodiment, it may be determined more accurately whether a designated address is an abnormal access address according to the sampled target access information, by combining with the probabilistic knowledge.
In an alternative embodiment, it is determined whether a preset on-peak rule is satisfied based on the access information, and if so, the value of the significance level is decreased based on a second preset rule.
In this embodiment, the overall computation speed can be increased by appropriately reducing the value of the significance level.
The method, the device, the electronic equipment and the storage medium for determining the abnormal access address provided by the present disclosure include: randomly sending the received access information to any equipment in the server cluster; determining a preset sampling number of target devices in a server cluster, and acquiring target access information corresponding to a specified address from the target devices; and determining whether the specified address is an abnormal access address according to the acquired target access information. According to the method, the device, the electronic equipment and the storage medium, the access information of the user terminal can be randomly distributed to any equipment of the server cluster, and the problem that the load pressure of single equipment is overlarge can be solved. In addition, the target access information corresponding to a specified address is sampled from the server cluster, and then the target access information is identified, so that the problem that the data volume of the access information which needs to be processed is overlarge when the specified address is identified to be an abnormal access address can be solved.
Drawings
The drawings are included to provide a better understanding of the present solution and are not intended to limit the present application. Wherein:
FIG. 1 is a diagram illustrating a system architecture according to an exemplary embodiment of the present application;
FIG. 2 is a flow chart illustrating a method for determining an anomalous access address in accordance with an illustrative embodiment;
FIG. 3 is a schematic diagram of a first interactive interface shown in an exemplary embodiment of the application;
FIG. 4 is a flowchart illustrating a method for determining an anomalous access address in accordance with another illustrative embodiment;
FIG. 5 is a block diagram illustrating an apparatus for determining an abnormal access address in accordance with an exemplary embodiment;
fig. 6 is a block diagram of an apparatus for determining an abnormal access address according to another exemplary embodiment;
fig. 7 is a block diagram of an electronic device shown in an exemplary embodiment of the application.
Detailed Description
The following description of the exemplary embodiments of the present application, taken in conjunction with the accompanying drawings, includes various details of the embodiments of the application for the understanding of the same, which are to be considered exemplary only. Accordingly, those of ordinary skill in the art will recognize that various changes and modifications of the embodiments described herein can be made without departing from the scope and spirit of the present application. Also, descriptions of well-known functions and constructions are omitted in the following description for clarity and conciseness.
At present, in many application scenarios, it is necessary to identify whether an IP (Internet Protocol, Protocol for interconnecting networks) address is an abnormal access address, so as to restrict access to the IP address. For example, when an IP address frequently accesses a server and then crawls data in the server, limited access to the IP address is required. For another example, an IP address frequently accesses the server and steals the site reward, and in this case, limited access to the IP address is also required.
The access data of an IP address is usually collected directly, for example, when an access request with a source IP address a is received, the access information generated by the access request is stored in a device, when an access request with a source IP address a is received again, the access request is stored in the device, and whether the IP address a is an abnormal access address is determined by identifying the access frequency of the a within a period of time. For example, if the number of times the address a accesses the server within one minute is 100 times, it may be determined as an abnormal access address.
However, when the number of IP addresses accessing the server is large, the amount of data is very large by performing statistical processing on access information generated for each access of the IP addresses. For example, there are m IP address access servers, and if the number of access information corresponding to each IP address is n on average within a preset time period, m × n pieces of access information need to be processed.
In addition, if the IP address a is an abnormal access address, it can be said that the access frequency is very high, and then the device for receiving the address access information bears a large load, which easily causes the device to have an excessively large load and fail to provide services to the outside normally, even a downtime occurs.
Therefore, how to identify whether a designated address is an abnormal access address under the condition of reducing the data processing amount of the device is a technical problem to be solved by the scheme of the application.
FIG. 1 is a diagram illustrating a system architecture according to an exemplary embodiment of the present application.
As shown in fig. 1, the system architecture of the present application may include a server cluster 11, where the server cluster may include multiple devices, for example, multiple computers. The devices can be used for receiving an access request of a user terminal and can also be used as a background server to provide services to the outside.
The system architecture may further include an electronic device 12, where the electronic device 12 may be a device in the server cluster 11 or may not belong to the server cluster 11. The electronic device 12 may be connected to the server cluster 11 and obtain data from the server cluster 11.
In the scheme of the application, the access information of the user terminal accessing the server is randomly sent to any device in the server cluster 11, the electronic device 12 may obtain the access information from a target device with a preset sampling number in the server cluster 11 based on the specified address, and then determine whether the specified address is an abnormal access address based on the extracted access information. Therefore, it is not necessary to process all the access information of the same access address, and it is possible to identify whether or not the designated access address is an abnormal access address while reducing the data processing amount.
Fig. 2 is a flowchart illustrating a method for determining an abnormal access address according to an exemplary embodiment.
As shown in fig. 2, the method for determining an abnormal access address provided in this embodiment includes:
step 201, randomly sending the received access information to any device in the server cluster.
The method provided in this embodiment may be executed by an electronic device with computing capability, and the device may be, for example, the electronic device 12 shown in fig. 1, or may be the server cluster 11 itself.
When the user operates on the terminal side, the user terminal can be triggered to access the background server, so that the service provided by the background server is used. The background server may be provided with a server cluster 11 and may also be provided with an electronic device 12.
Server clustering refers to the process of concentrating many servers together to perform the same service, and appearing to a client as if there is only one server. A server cluster may include multiple devices, such as multiple computers.
After the background server side receives the access request of the user terminal, the access information corresponding to the request can be randomly distributed to any equipment in the server cluster. The access information may specifically include address information and access time of the user terminal. The address information may be, for example, an IP address of the user terminal.
The electronic device 12 shown in fig. 1 may also receive an access request from a user terminal, and then randomly allocate corresponding access information to any device in the server cluster. In this way, the access information of the user terminal can be distributed and stored in a plurality of devices, so that the access information of the same address is prevented from being stored in one device in a centralized manner. And further, the problem that when one address is an abnormal access address, the load of equipment for storing the access information corresponding to the abnormal access address is overlarge is avoided.
Step 202, determining a preset sampling number of target devices in the server cluster, and acquiring target access information corresponding to a specified address from the target devices.
Specifically, whether a designated address is an abnormal access address or not can be identified according to the existing access information in the server cluster. For example, a user may input a designated address, and the electronic device or the server cluster itself may determine n target devices in the server cluster and then obtain target access information corresponding to the designated address from the target devices.
Further, n is a preset sampling number, a specific value may be preset, or a ratio may be preset, and a product of the total amount of the devices in the server cluster and the ratio is used as the preset sampling number.
In addition, a designated address may also be automatically determined based on the server cluster. For example, if access information corresponding to an address is received in a short time and exceeds a preset number, the address can be used as a designated address to perform abnormal address identification.
FIG. 3 is a schematic diagram of a first interactive interface shown in an exemplary embodiment of the application.
As shown in fig. 3, a query may be made based on a user trigger whether a specified address is an anomalous access address. The user may enter a specified address in the interface, such as input 223.22.33.123, and then click a confirmation button, thereby triggering an identification of whether the address is an anomalous address.
In practical applications, n target devices may be determined in the server cluster, and then target access information corresponding to the address 223.22.33.123 may be obtained from the target devices. For example, if n is 10, the target access information corresponding to 223.22.33.123 can be obtained from these 10 devices.
The access information may include a source address of the user terminal, for example, if the user terminal a accesses the background server, the access information corresponding to the access request includes an address of the user terminal a, which may specifically be an IP address. The access information including the specified address may be acquired from the target device, thereby obtaining target access information.
Since the access information is randomly sent to the devices of the server cluster, the access information in the n target devices determined in the server cluster can represent the global situation, and then the target access information of the designated address is acquired from the target devices for identification, so that whether the designated address is an abnormal access address can be determined based on a small amount of access information, and the data processing amount can be reduced.
And step 203, determining whether the specified address is an abnormal access address according to the acquired target access information.
After the electronic device or the server cluster itself obtains the target access information, the electronic device or the server cluster can identify the target access information to determine whether the designated address is an abnormal access address.
Specifically, the target access information is access information corresponding to a specified address, and is access information generated by initiating an access request by the address, and the target access information is sampled from the server cluster and can represent access characteristics of the specified address. Therefore, it is possible to identify whether a specified address is an abnormal access address based on a small amount of target access information.
Furthermore, the access frequency corresponding to the designated address can be determined according to the target access information, and if the frequency is too high, the designated address can be considered as an abnormal access address. For example, the number of accesses within a certain period of time, for example, the number of accesses within one minute, may be determined according to the target access information, and a frequency threshold may be set, and if the access frequency of the designated address is greater than the frequency threshold, the designated address may be considered as an abnormal access address.
In practical application, because the target access information is sampling data, whether the specified address is an abnormal access address or not can be determined according to the sampling data by combining probability theory knowledge.
Where a hypothesis t test may be utilized to determine if the specified address is an anomalous access address. Assumptions H0, H1 may be established, such as the established assumption H0: mu is more than or equal to mu 0, H1: μ < μ 0, where μ is used to indicate the frequency of access to a given address and μ 0 is a frequency threshold.
specifically, a significance level α may be set, for example, α is 0.05. a t-test may be performed on the sampled data to determine the size of the possibility of sampling out the target access information on the premise that H0 is true, if the possibility is greater than α, the sampled out target access information may be an approximate probability event if H0 is deemed to be true, and the assumption of H0 may be received.
Further, it is possible to determine whether the specified address is an abnormal access address in conjunction with the result of the reception or rejection of H0 and the assumed content of H0. For example, H0: mu is more than or equal to mu 0, and as a result, the original assumption H0 is received, the access frequency probability of the designated address is considered to be more than or equal to the frequency threshold value, and therefore, the designated address can be considered to be an abnormal access address.
The method provided by the present embodiment is used for determining an abnormal access address, and is performed by a device provided with the method provided by the present embodiment, and the device is generally implemented in a hardware and/or software manner.
The method for determining the abnormal access address provided by the embodiment comprises the steps of randomly sending received access information to any equipment in a server cluster; determining a preset sampling number of target devices in a server cluster, and acquiring target access information corresponding to a specified address from the target devices; and determining whether the specified address is an abnormal access address according to the acquired target access information. In the method provided by this embodiment, the access information of the user terminal can be randomly allocated to any device in the server cluster, and the problem of excessive load pressure of a single device can be avoided. In addition, the target access information corresponding to a specified address is sampled from the server cluster, and then the target access information is identified, so that the problem that the data volume of the access information which needs to be processed is overlarge when the specified address is identified to be an abnormal access address can be solved.
Fig. 4 is a flowchart illustrating a method for determining an abnormal access address according to another exemplary embodiment.
As shown in fig. 4, the method for determining an abnormal access address disclosed in the present application includes:
step 401, randomly sending the received access information to any device in the server cluster.
The specific principle and implementation of step 401 are similar to those of step 201, and are not described herein again.
And 402, determining a preset sampling number according to a preset proportion and the total number of the devices in the server cluster.
The total number of devices in the server cluster may be predetermined based on the architecture of the server cluster. For example, a server cluster includes 100 devices in total. The device here refers to a device capable of recording access information.
Specifically, a ratio value may be preset, so that the preset sampling number may be determined according to the preset ratio and the total number of devices. For example, if the total number of devices is m and the ratio is k, the preset number of samples n is m × k.
Optionally, step 403 may be further included after step 402.
And step 403, determining whether a preset access peak rule is met according to the access information.
If yes, go to step 404, otherwise, go to step 405.
Step 404, the number of samples is reduced by a predetermined amount based on a first predetermined rule.
Step 405 continues after step 404.
Further, an access peak rule may be preset, for example, after an access request received by a one-minute server cluster obtains a threshold, the current situation may be considered as an access peak situation. For another example, an average load condition of the server cluster may be determined, and when the average load reaches a certain condition, the current condition may also be considered as an access peak condition. For example, when the average CPU occupancy reaches an occupancy threshold, it is determined that the peak access rule is met.
In practical applications, if the predetermined peak access rule is satisfied, the number of the predetermined samples may be reduced. For example, the current preset number of samples may be multiplied by an adjustment factor, where the adjustment factor is smaller than 1, so as to obtain a reduced preset number of samples. For another example, a plurality of adjustment coefficients may be set according to an actual situation, for example, the peak level may be determined according to the total number of access requests received by the server cluster in the preset time period, different levels may correspond to different adjustment coefficients, and for example, the more the total number of access requests received in the preset time period is, the smaller the corresponding adjustment coefficient is.
Step 405, determining a preset sampling number of target devices in the server cluster.
The specific principle and implementation of step 405 is similar to that of step 202, and will not be described herein again.
Step 406, reading the access information in the target device, and determining the target access information matched with the specified address according to the terminal address included in the access information.
After the target device is determined, target access information matched with the specified address can be read from the target device, and specifically, the target access information including the specified address can be read.
Specifically, the access information recorded by the server cluster may include a terminal address, for example, if one piece of access information is generated according to the user terminal a accessing the background server, the information may include the address of the terminal a. When determining the target access information, the access information existing in the target device may be read, and a target access address including the specified address may be determined therefrom.
Step 407, determining the access frequency corresponding to the designated address within the preset duration according to the access time in the target access information.
Further, the access information stored by the server cluster may further include access time, for example, the access information may specifically record that an IP address accesses the background server at time t.
In practical application, the access frequency corresponding to the specified address within a preset time length can be determined according to the access time in the obtained target access information, for example, within one minute, one address accesses the background server for 10 times.
if the time span of the obtained target access information is long, an access total amount Q can be determined according to the access information, and a maximum time difference included in the target access information can also be determined, for example, the earliest time in the target access information is t1, and the latest time is t2, then the difference between t2 and t1 can be calculated to obtain a time span △ t, a ratio of Q to △ t can be calculated, and then a product of the ratio and a preset time duration is calculated to serve as an access frequency corresponding to a designated address in the preset time duration.
In another embodiment, the time span and the access frequency may be determined for the target access information read from each target device. Target access information corresponding to a specified address in one minute can be read, for example, the reading result is as follows:
Figure BDA0002351570970000101
from the first target device, two pieces of target access information can be acquired, the access time span of the two pieces of access information being 40 s. The second target device does not obtain the target access information corresponding to the designated address, and the time span may be determined to be 120s based on a preset rule. From the third target device, two pieces of target access information can be acquired, the access time span of the two pieces of access information being 40 s. From the tenth target device, a piece of target access information can be acquired, and the time span can be directly determined to be 61s based on a preset rule. The access frequency corresponding to each target device can be determined through the collected data, and then a final average access frequency is determined.
And step 408, determining whether the specified address is an abnormal access address according to the access frequency.
In one embodiment, a frequency threshold may be set, and if it is determined that the access frequency of the specified address is greater than the frequency threshold, it may be considered that the access address accesses the background server too frequently, and is most likely to be an abnormal access address.
In another embodiment, whether the specified address is an abnormal access address may be determined based on current sample data based on probability.
An original hypothesis H0 may be preset, and a selected hypothesis H1 may also be set. For example, the preset original hypothesis may be that the access frequency μ is greater than or equal to the frequency threshold μ 0, and the corresponding selected hypothesis H1 may be that the access frequency μ is less than the frequency threshold μ 0. For another example, the preset original hypothesis may be that the access frequency μ is smaller than or equal to the frequency threshold μ 0, and the corresponding selected hypothesis H1 may be that the access frequency μ is greater than the frequency threshold μ 0.
Whether the preset original assumption H0 is established can be determined according to the access frequency and the number of the target access information. The number of target access information may be understood as a sampling number, i.e. the number of pieces of target access information, for example, if 10 pieces of target access information are obtained, the number of pieces of target access information is 10.
Specifically, a probability value may be determined according to the access frequency and the number of target access information. The probability value is used to indicate the probability value of the current sample data when the preset original assumption H0 holds.
A preset significance level can be preset, and whether the original hypothesis is established or not can be determined by comparing the probability value with the preset significance level. For example, when the probability value is less than the preset significance level, the original hypothesis may be rejected, the selected hypothesis is received, and the original hypothesis is considered to be false, that is, the original hypothesis is not true; and when the probability value is greater than or equal to the preset significance level, receiving the original hypothesis, rejecting the selected hypothesis, and considering the original hypothesis as true, namely the original hypothesis is established.
After determining whether the original hypothesis is true, whether the designated address is an abnormal access address can be determined according to the determination result and the original hypothesis.
Specifically, when the original assumption is preset that the access frequency is greater than or equal to the frequency threshold, if the determination result is that the original assumption is true, the specified address is determined to be an abnormal access address. That is, it can be determined that the access frequency of the designated address is greater than or equal to the frequency threshold value by means of probability statistics, and therefore, the designated address is determined to be an abnormal access address.
Or when the preset original assumption is that the access frequency is less than or equal to the frequency threshold, if the determination result is that the original assumption is true, determining that the specified address is not an abnormal access address. That is, it can be determined that the determined access frequency of the specified address is less than or equal to the frequency threshold value by means of probability statistics, and therefore, it is determined that the specified address is not an abnormal access address.
Optionally, when determining whether the preset original assumption is satisfied according to the probability value and the preset significance level, it may also be determined whether a preset access peak rule is satisfied according to the access information, and if so, the value of the significance level is reduced based on a second preset rule.
The manner of determining whether the preset on-peak rule is satisfied is similar to that of step 403, and will not be described in detail.
A second rule for reducing the significance level can be preset, and when the preset peak rule is met, the significance level can be reduced based on the second preset rule, so that the operation speed is increased.
The second preset rule may be, for example, setting a plurality of significance levels, and determining a corresponding significance level according to a specific peak level. For example, the peak level may be determined according to the total number of access requests received by the server cluster within the preset time period, and different levels may correspond to different significance levels, for example, the greater the total number of access requests received within the preset time period, the lower the corresponding significance level.
Fig. 5 is a block diagram of an apparatus for determining an abnormal access address according to an exemplary embodiment of the present invention.
As shown in fig. 5, the apparatus for determining an abnormal access address provided in this embodiment includes:
the distribution module 51 is configured to randomly send the received access information to any device in the server cluster;
the sampling module 52 is configured to determine a preset sampling number of target devices in the server cluster, and acquire target access information corresponding to a specified address from the target devices;
and the determining module 53 is configured to determine whether the specified address is an abnormal access address according to the acquired target access information.
The apparatus for determining an abnormal access address provided in this embodiment includes: the distribution module is used for randomly sending the received access information to any equipment in the server cluster; the sampling module is used for determining a preset sampling number of target devices in the server cluster and acquiring target access information corresponding to a specified address from the target devices; and the determining module is used for determining whether the specified address is an abnormal access address according to the acquired target access information. In the apparatus provided in this embodiment, the access information of the user terminal may be randomly allocated to any device in the server cluster, so that the problem of excessive load pressure on a single device may be avoided. In addition, the target access information corresponding to a specified address is sampled from the server cluster, and then the target access information is identified, so that the problem that the data volume of the access information which needs to be processed is overlarge when the specified address is identified to be an abnormal access address can be solved.
The specific principle and implementation of the apparatus for determining an abnormal access address provided in this embodiment are similar to those of the embodiment shown in fig. 2, and are not described herein again
Fig. 6 is a block diagram of an apparatus for determining an abnormal access address according to another exemplary embodiment of the present invention.
On the basis of the foregoing embodiment, in the apparatus for determining an abnormal access address provided in this embodiment, optionally, the access information includes a terminal address;
the sampling module 52 includes:
a reading unit 521, configured to read the access information in the target device;
a determining unit 522, configured to determine, according to the terminal address included in the access information, target access information that matches the specified address.
Optionally, the apparatus further comprises a number determining module 54, configured to:
and determining the preset sampling number according to a preset proportion and the total number of the devices in the server cluster.
Optionally, the apparatus further comprises a peak determining module 55 for:
it is determined whether a preset on-peak rule is satisfied according to the access information, and if so, the number determination module 54 reduces the preset sampling number based on a first preset rule.
Optionally, the access information includes an access time;
the determining module 53 includes:
a frequency determining unit 531, configured to determine, according to access time in the target access information, an access frequency corresponding to the specified address within a preset duration;
an identifying unit 532, configured to determine whether the specified address is an abnormal access address according to the access frequency.
Optionally, the identification unit 532 is specifically configured to:
determining whether a preset original assumption is established or not according to the access frequency and the quantity of the target access information;
and determining whether the specified address is an abnormal access address according to the determination result and the original hypothesis.
Optionally, the identification unit 532 is specifically configured to:
determining a probability value according to the access frequency and the quantity of the target access information;
and determining whether the preset original hypothesis is established or not according to the probability value and a preset significance level.
Optionally, the identification unit 532 is specifically configured to:
when the preset original hypothesis is that the access frequency is greater than or equal to a frequency threshold value, if the determination result is that the original hypothesis is true, determining that the designated address is an abnormal access address;
or,
and when the preset original hypothesis is that the access frequency is less than or equal to a frequency threshold value, if the determination result is that the original hypothesis is true, determining that the specified address is not an abnormal access address.
Optionally, the peak determining module 55 is configured to determine whether a preset peak visiting rule is satisfied according to the visiting information;
if so, the identifying unit 532 is further configured to decrease the value of the significance level based on a second preset rule.
The specific principle and implementation of the apparatus for determining an abnormal access address provided in this embodiment are similar to those of the embodiment shown in fig. 4, and are not described herein again
According to an embodiment of the present application, an electronic device and a readable storage medium are also provided.
Fig. 7 is a block diagram of an electronic device according to an embodiment of the present application. Electronic devices are intended to represent various forms of digital computers, such as laptops, desktops, workstations, personal digital assistants, servers, blade servers, mainframes, and other appropriate computers. The electronic device may also represent various forms of mobile devices, such as personal digital processing, cellular phones, smart phones, wearable devices, and other similar computing devices. The components shown herein, their connections and relationships, and their functions, are meant to be examples only, and are not meant to limit implementations of the present application that are described and/or claimed herein.
As shown in fig. 7, the electronic apparatus includes: one or more processors 701, a memory 702, and interfaces for connecting the various components, including a high-speed interface and a low-speed interface. The various components are interconnected using different buses and may be mounted on a common motherboard or in other manners as desired. The processor may process instructions for execution within the electronic device, including instructions stored in or on the memory to display graphical information of a GUI on an external input/output apparatus (such as a display device coupled to the interface). In other embodiments, multiple processors and/or multiple buses may be used, along with multiple memories and multiple memories, as desired. Also, multiple electronic devices may be connected, with each device providing portions of the necessary operations (e.g., as a server array, a group of blade servers, or a multi-processor system). In fig. 7, one processor 701 is taken as an example.
The memory 702 is a non-transitory computer readable storage medium as provided herein. The memory stores instructions executable by at least one processor to cause the at least one processor to perform the method for determining an abnormal access address provided herein. The non-transitory computer-readable storage medium of the present application stores computer instructions for causing a computer to execute the determination method of an abnormal access address provided by the present application.
The memory 702, which is a non-transitory computer-readable storage medium, may be used to store non-transitory software programs, non-transitory computer-executable programs, and modules, such as program instructions/modules (for example, the allocating module 51, the sampling module 52, and the determining module 53 shown in fig. 5) corresponding to the determination method of the abnormal access address in the embodiment of the present application. The processor 701 executes various functional applications of the server and data processing, i.e., a method of determining an abnormal access address in the above-described method embodiment, by executing a non-transitory software program, instructions, and modules stored in the memory 702.
The memory 702 may include a storage program area and a storage data area, wherein the storage program area may store an operating system, an application program required for at least one function; the storage data area may store data created from use of the electronic device according to determination of the abnormal access address, and the like. Further, the memory 702 may include high speed random access memory, and may also include non-transitory memory, such as at least one magnetic disk storage device, flash memory device, or other non-transitory solid state storage device. In some embodiments, the memory 702 may optionally include memory located remotely from the processor 701, and these remote memories may be networked to the electronic device for determination of the anomalous access address. Examples of such networks include, but are not limited to, the internet, intranets, blockchain networks, local area networks, mobile communication networks, and combinations thereof.
The electronic device of the method of determination of an abnormal access address may further include: an input device 703 and an output device 704. The processor 701, the memory 702, the input device 703 and the output device 704 may be connected by a bus or other means, and fig. 7 illustrates an example of a connection by a bus.
The input device 703 may receive input numeric or character information and generate key signal inputs related to user settings and function control of the electronic apparatus for determination of an abnormal access address, such as a touch screen, a keypad, a mouse, a track pad, a touch pad, a pointer, one or more mouse buttons, a track ball, a joystick, or other input devices. The output devices 704 may include a display device, auxiliary lighting devices (e.g., LEDs), and tactile feedback devices (e.g., vibrating motors), among others. The display device may include, but is not limited to, a Liquid Crystal Display (LCD), a Light Emitting Diode (LED) display, and a plasma display. In some implementations, the display device can be a touch screen.
Various implementations of the systems and techniques described here can be realized in digital electronic circuitry, integrated circuitry, application specific ASICs (application specific integrated circuits), computer hardware, firmware, software, and/or combinations thereof. These various embodiments may include: implemented in one or more computer programs that are executable and/or interpretable on a programmable system including at least one programmable processor, which may be special or general purpose, receiving data and instructions from, and transmitting data and instructions to, a storage system, at least one input device, and at least one output device.
These computer programs (also known as programs, software applications, or code) include machine instructions for a programmable processor, and may be implemented using high-level procedural and/or object-oriented programming languages, and/or assembly/machine languages. As used herein, the terms "machine-readable medium" and "computer-readable medium" refer to any computer program product, apparatus, and/or device (e.g., magnetic discs, optical disks, memory, Programmable Logic Devices (PLDs)) used to provide machine instructions and/or data to a programmable processor, including a machine-readable medium that receives machine instructions as a machine-readable signal. The term "machine-readable signal" refers to any signal used to provide machine instructions and/or data to a programmable processor.
To provide for interaction with a user, the systems and techniques described here can be implemented on a computer having: a display device (e.g., a CRT (cathode ray tube) or LCD (liquid crystal display) monitor) for displaying information to a user; and a keyboard and a pointing device (e.g., a mouse or a trackball) by which a user can provide input to the computer. Other kinds of devices may also be used to provide for interaction with a user; for example, feedback provided to the user can be any form of sensory feedback (e.g., visual feedback, auditory feedback, or tactile feedback); and input from the user may be received in any form, including acoustic, speech, or tactile input.
The systems and techniques described here can be implemented in a computing system that includes a back-end component (e.g., as a data server), or that includes a middleware component (e.g., an application server), or that includes a front-end component (e.g., a user computer having a graphical user interface or a web browser through which a user can interact with an implementation of the systems and techniques described here), or any combination of such back-end, middleware, or front-end components. The components of the system can be interconnected by any form or medium of digital data communication (e.g., a communication network). Examples of communication networks include: local Area Networks (LANs), Wide Area Networks (WANs), blockchain networks, and the internet.
The computer system may include clients and servers. A client and server are generally remote from each other and typically interact through a communication network. The relationship of client and server arises by virtue of computer programs running on the respective computers and having a client-server relationship to each other.
It should be understood that various forms of the flows shown above may be used, with steps reordered, added, or deleted. For example, the steps described in the present application may be executed in parallel, sequentially, or in different orders, and the present invention is not limited thereto as long as the desired results of the technical solutions disclosed in the present application can be achieved.
The above-described embodiments should not be construed as limiting the scope of the present application. It should be understood by those skilled in the art that various modifications, combinations, sub-combinations and substitutions may be made in accordance with design requirements and other factors. Any modification, equivalent replacement, and improvement made within the spirit and principle of the present application shall be included in the protection scope of the present application.

Claims (12)

1. A method for determining an abnormal access address, comprising:
randomly sending the received access information to any equipment in the server cluster;
determining a preset sampling number of target devices in the server cluster, and acquiring target access information corresponding to a specified address from the target devices;
and determining whether the specified address is an abnormal access address according to the acquired target access information.
2. The method of claim 1, wherein the access information comprises a terminal address;
the acquiring target access information corresponding to a specified address from the target device includes:
and reading the access information in the target equipment, and determining target access information matched with the specified address according to the terminal address included in the access information.
3. The method of claim 1, further comprising:
and determining the preset sampling number according to a preset proportion and the total number of the devices in the server cluster.
4. The method of claim 1, further comprising:
and determining whether a preset access peak rule is met or not according to the access information, and if so, reducing the preset sampling number based on a first preset rule.
5. The method of claim 1, wherein the access information comprises an access time;
the determining whether the designated address is an abnormal access address according to the acquired target access information includes:
determining the access frequency corresponding to the designated address within a preset time length according to the access time in the target access information;
and determining whether the specified address is an abnormal access address according to the access frequency.
6. The method of claim 5, wherein the determining whether the designated address is an abnormal access address according to the access frequency comprises:
determining whether a preset original assumption is established or not according to the access frequency and the quantity of the target access information;
and determining whether the specified address is an abnormal access address according to the determination result and the original hypothesis.
7. The method of claim 6, wherein the determining whether a predetermined primitive assumption holds according to the access frequency and the amount of the target access information comprises:
determining a probability value according to the access frequency and the quantity of the target access information;
and determining whether the preset original hypothesis is established or not according to the probability value and a preset significance level.
8. The method of claim 7, wherein the determining whether the designated address is an abnormal access address according to the determination result and the original hypothesis comprises:
when the preset original hypothesis is that the access frequency is greater than or equal to a frequency threshold value, if the determination result is that the original hypothesis is true, determining that the designated address is an abnormal access address;
or,
and when the preset original hypothesis is that the access frequency is less than or equal to a frequency threshold value, if the determination result is that the original hypothesis is true, determining that the specified address is not an abnormal access address.
9. The method of claim 7, wherein it is determined from the access information whether a preset on-peak rule is satisfied, and if so, the value of the significance level is decreased based on a second preset rule.
10. An apparatus for determining an abnormal access address, comprising:
the distribution module is used for randomly sending the received access information to any equipment in the server cluster;
the sampling module is used for determining a preset sampling number of target devices in the server cluster and acquiring target access information corresponding to a specified address from the target devices;
and the determining module is used for determining whether the specified address is an abnormal access address according to the acquired target access information.
11. An electronic device, comprising:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein,
the memory stores instructions executable by the at least one processor to enable the at least one processor to perform the method of any one of claims 1-9.
12. A non-transitory computer readable storage medium having stored thereon computer instructions for causing the computer to perform the method of any one of claims 1-9.
CN201911417519.9A 2019-12-31 2019-12-31 Determination method and device of abnormal access address, electronic equipment and storage medium Active CN111177513B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911417519.9A CN111177513B (en) 2019-12-31 2019-12-31 Determination method and device of abnormal access address, electronic equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201911417519.9A CN111177513B (en) 2019-12-31 2019-12-31 Determination method and device of abnormal access address, electronic equipment and storage medium

Publications (2)

Publication Number Publication Date
CN111177513A true CN111177513A (en) 2020-05-19
CN111177513B CN111177513B (en) 2023-10-31

Family

ID=70654415

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201911417519.9A Active CN111177513B (en) 2019-12-31 2019-12-31 Determination method and device of abnormal access address, electronic equipment and storage medium

Country Status (1)

Country Link
CN (1) CN111177513B (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113238812A (en) * 2021-04-23 2021-08-10 北京明略昭辉科技有限公司 Abnormal IP (Internet protocol) determination method, device, equipment and storage medium
CN115396509A (en) * 2022-08-09 2022-11-25 上海宝创网络科技有限公司 IPv6 network proxy service-based method and equipment for processing access limitation
CN116471126A (en) * 2023-06-20 2023-07-21 江苏苏宁银行股份有限公司 Data processing method and device for identifying abnormal IP

Citations (28)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2002097563A2 (en) * 2001-05-30 2002-12-05 Cybersource Corporation Method and apparatus for evaluating fraud risk in an electronic commerce transaction
CN101026505A (en) * 2006-01-03 2007-08-29 阿尔卡特朗讯公司 Method and apparatus for monitoring malicious traffic in communication networks
WO2008011576A2 (en) * 2006-07-20 2008-01-24 Breach Security, Inc. System and method of securing web applications across an enterprise
CN102821081A (en) * 2011-06-10 2012-12-12 中国电信股份有限公司 Method and system for monitoring DDOS (distributed denial of service) attacks in small flow
CN102891829A (en) * 2011-07-18 2013-01-23 航天信息股份有限公司 Method and system for detecting and defending distributed denial of service attack
JP2013522936A (en) * 2010-01-21 2013-06-13 アリババ・グループ・ホールディング・リミテッド Block malicious access
CN104219110A (en) * 2014-09-25 2014-12-17 中国人民解放军信息工程大学 Data packet sampling method and device
CN104539645A (en) * 2014-11-28 2015-04-22 百度在线网络技术(北京)有限公司 Method and equipment for processing http request
CN105187411A (en) * 2015-08-18 2015-12-23 福建省海峡信息技术有限公司 Distributed abnormal detection method for network data stream
CN105493450A (en) * 2013-04-29 2016-04-13 瑞典爱立信有限公司 A method and system to dynamically detect traffic anomalies in a network
CN105577679A (en) * 2016-01-14 2016-05-11 华东师范大学 Method for detecting anomaly traffic based on feature selection and density peak clustering
CN105635331A (en) * 2014-11-18 2016-06-01 阿里巴巴集团控股有限公司 Service addressing method and apparatus in distributed environment
CN106982196A (en) * 2016-01-19 2017-07-25 阿里巴巴集团控股有限公司 A kind of abnormal access detection method and equipment
US20170364680A1 (en) * 2016-06-20 2017-12-21 Sap Se Detecting attacks by matching of access frequencies and sequences in different software layers
CN107515820A (en) * 2016-06-17 2017-12-26 阿里巴巴集团控股有限公司 Monitoring server method and device, detection service device
CN108121618A (en) * 2016-11-28 2018-06-05 华为技术有限公司 A kind of method and apparatus of repair data
CN108429651A (en) * 2018-06-06 2018-08-21 腾讯科技(深圳)有限公司 Data on flows detection method, device, electronic equipment and computer-readable medium
US10097566B1 (en) * 2015-07-31 2018-10-09 Amazon Technologies, Inc. Identifying targets of network attacks
CN108683562A (en) * 2018-05-18 2018-10-19 深圳壹账通智能科技有限公司 Abnormality detection localization method, device, computer equipment and storage medium
CN108737531A (en) * 2018-05-11 2018-11-02 北京奇艺世纪科技有限公司 A kind of method and apparatus of business processing
CN108762917A (en) * 2018-05-04 2018-11-06 平安科技(深圳)有限公司 Access request processing method, device, system, computer equipment and storage medium
CN109327550A (en) * 2018-11-30 2019-02-12 网宿科技股份有限公司 A kind of distribution method of access request, device, storage medium and computer equipment
CN109981605A (en) * 2019-03-07 2019-07-05 北京华安普特网络科技有限公司 A kind of DDOS defensive attack system for dns server
WO2019148164A1 (en) * 2018-01-29 2019-08-01 Qualcomm Incorporated Signaling and reporting interactivity usage in streaming services
CN110177082A (en) * 2019-04-25 2019-08-27 阿里巴巴集团控股有限公司 A kind of data processing method, equipment, medium and device
US20190342308A1 (en) * 2018-05-02 2019-11-07 Sri International Method of malware characterization and prediction
CN110505232A (en) * 2019-08-27 2019-11-26 百度在线网络技术(北京)有限公司 The detection method and device of network attack, electronic equipment, storage medium
CN110502739A (en) * 2018-05-17 2019-11-26 国际商业机器公司 The building of the machine learning model of structuring input

Patent Citations (28)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2002097563A2 (en) * 2001-05-30 2002-12-05 Cybersource Corporation Method and apparatus for evaluating fraud risk in an electronic commerce transaction
CN101026505A (en) * 2006-01-03 2007-08-29 阿尔卡特朗讯公司 Method and apparatus for monitoring malicious traffic in communication networks
WO2008011576A2 (en) * 2006-07-20 2008-01-24 Breach Security, Inc. System and method of securing web applications across an enterprise
JP2013522936A (en) * 2010-01-21 2013-06-13 アリババ・グループ・ホールディング・リミテッド Block malicious access
CN102821081A (en) * 2011-06-10 2012-12-12 中国电信股份有限公司 Method and system for monitoring DDOS (distributed denial of service) attacks in small flow
CN102891829A (en) * 2011-07-18 2013-01-23 航天信息股份有限公司 Method and system for detecting and defending distributed denial of service attack
CN105493450A (en) * 2013-04-29 2016-04-13 瑞典爱立信有限公司 A method and system to dynamically detect traffic anomalies in a network
CN104219110A (en) * 2014-09-25 2014-12-17 中国人民解放军信息工程大学 Data packet sampling method and device
CN105635331A (en) * 2014-11-18 2016-06-01 阿里巴巴集团控股有限公司 Service addressing method and apparatus in distributed environment
CN104539645A (en) * 2014-11-28 2015-04-22 百度在线网络技术(北京)有限公司 Method and equipment for processing http request
US10097566B1 (en) * 2015-07-31 2018-10-09 Amazon Technologies, Inc. Identifying targets of network attacks
CN105187411A (en) * 2015-08-18 2015-12-23 福建省海峡信息技术有限公司 Distributed abnormal detection method for network data stream
CN105577679A (en) * 2016-01-14 2016-05-11 华东师范大学 Method for detecting anomaly traffic based on feature selection and density peak clustering
CN106982196A (en) * 2016-01-19 2017-07-25 阿里巴巴集团控股有限公司 A kind of abnormal access detection method and equipment
CN107515820A (en) * 2016-06-17 2017-12-26 阿里巴巴集团控股有限公司 Monitoring server method and device, detection service device
US20170364680A1 (en) * 2016-06-20 2017-12-21 Sap Se Detecting attacks by matching of access frequencies and sequences in different software layers
CN108121618A (en) * 2016-11-28 2018-06-05 华为技术有限公司 A kind of method and apparatus of repair data
WO2019148164A1 (en) * 2018-01-29 2019-08-01 Qualcomm Incorporated Signaling and reporting interactivity usage in streaming services
US20190342308A1 (en) * 2018-05-02 2019-11-07 Sri International Method of malware characterization and prediction
CN108762917A (en) * 2018-05-04 2018-11-06 平安科技(深圳)有限公司 Access request processing method, device, system, computer equipment and storage medium
CN108737531A (en) * 2018-05-11 2018-11-02 北京奇艺世纪科技有限公司 A kind of method and apparatus of business processing
CN110502739A (en) * 2018-05-17 2019-11-26 国际商业机器公司 The building of the machine learning model of structuring input
CN108683562A (en) * 2018-05-18 2018-10-19 深圳壹账通智能科技有限公司 Abnormality detection localization method, device, computer equipment and storage medium
CN108429651A (en) * 2018-06-06 2018-08-21 腾讯科技(深圳)有限公司 Data on flows detection method, device, electronic equipment and computer-readable medium
CN109327550A (en) * 2018-11-30 2019-02-12 网宿科技股份有限公司 A kind of distribution method of access request, device, storage medium and computer equipment
CN109981605A (en) * 2019-03-07 2019-07-05 北京华安普特网络科技有限公司 A kind of DDOS defensive attack system for dns server
CN110177082A (en) * 2019-04-25 2019-08-27 阿里巴巴集团控股有限公司 A kind of data processing method, equipment, medium and device
CN110505232A (en) * 2019-08-27 2019-11-26 百度在线网络技术(北京)有限公司 The detection method and device of network attack, electronic equipment, storage medium

Non-Patent Citations (8)

* Cited by examiner, † Cited by third party
Title
BIN HU: "Automatic Balancing Chord: A Dynamic Load Balancing Mechanism for High Efficient" *
LI GUOYOU: "A novel approach to detecting worms based on particle filter", 《IEEE XPLORE》 *
宁卓: "高速网络中入侵检测的抽样方法", 《CNKI中国知网》 *
朱应武: "基于流量信息结构的异常检测", 《软件学报》, no. 21 *
杨安: "一种基于Hadoop的集群资源访问异常检测方法", 《北京信息科技大学学报》, no. 32 *
潘乔: "网络测量中的抽样技术研究", pages 1 *
王琮: "基于报文抽样的异常检测在高速网络入侵检测系统中的研究", pages 2 *
董书琴: "一种面向流量异常检测的概率流抽样方法" *

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113238812A (en) * 2021-04-23 2021-08-10 北京明略昭辉科技有限公司 Abnormal IP (Internet protocol) determination method, device, equipment and storage medium
CN115396509A (en) * 2022-08-09 2022-11-25 上海宝创网络科技有限公司 IPv6 network proxy service-based method and equipment for processing access limitation
CN116471126A (en) * 2023-06-20 2023-07-21 江苏苏宁银行股份有限公司 Data processing method and device for identifying abnormal IP
CN116471126B (en) * 2023-06-20 2023-09-15 江苏苏宁银行股份有限公司 Data processing method and device for identifying abnormal IP

Also Published As

Publication number Publication date
CN111177513B (en) 2023-10-31

Similar Documents

Publication Publication Date Title
CN108776934B (en) Distributed data calculation method and device, computer equipment and readable storage medium
US9703980B2 (en) Centralized throttling service
CN111177513B (en) Determination method and device of abnormal access address, electronic equipment and storage medium
CN106778260B (en) Attack detection method and device
US20170185454A1 (en) Method and Electronic Device for Determining Resource Consumption of Task
CN111694646A (en) Resource scheduling method and device, electronic equipment and computer readable storage medium
CN114091704B (en) Alarm suppression method and device
CN112559086A (en) Applet page rendering method and device, electronic equipment and readable storage medium
CN113220420A (en) Service monitoring method, device, equipment, storage medium and computer program product
CN112965879A (en) Data processing method and device, electronic equipment and readable storage medium
CN113765873A (en) Method and apparatus for detecting abnormal access traffic
CN111865720B (en) Method, apparatus, device and storage medium for processing request
US10601954B2 (en) Sandboxing requests for web services
CN108764866B (en) Method and equipment for allocating resources and drawing resources
CN112615795A (en) Flow control method and device, electronic equipment, storage medium and product
CN110995687B (en) Cat pool equipment identification method, device, equipment and storage medium
CN116545905A (en) Service health detection method and device, electronic equipment and storage medium
CN115883647B (en) Service log recording method, system, device, terminal, server and medium
CN109831673B (en) Live broadcast room data processing method, device, equipment and storage medium
CN113676531B (en) E-commerce flow peak clipping method and device, electronic equipment and readable storage medium
CN113824689B (en) Edge computing network, data transmission method, device, equipment and storage medium
KR102464688B1 (en) Method and apparatus for detrmining event level of monitoring result
CN111597026B (en) Method and device for acquiring information
CN113656731A (en) Advertisement page processing method and device, electronic equipment and storage medium
CN110580322B (en) Independent visitor information processing method and device, electronic equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant