CN111556070A - Webpage abnormal access detection method and device - Google Patents

Webpage abnormal access detection method and device Download PDF

Info

Publication number
CN111556070A
CN111556070A CN202010396775.0A CN202010396775A CN111556070A CN 111556070 A CN111556070 A CN 111556070A CN 202010396775 A CN202010396775 A CN 202010396775A CN 111556070 A CN111556070 A CN 111556070A
Authority
CN
China
Prior art keywords
access
abnormal
webpage
determining
client
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
CN202010396775.0A
Other languages
Chinese (zh)
Inventor
何琼惠
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Guangzhou Huzhi Information Consulting Co ltd
Original Assignee
Guangzhou Huzhi Information Consulting Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Guangzhou Huzhi Information Consulting Co ltd filed Critical Guangzhou Huzhi Information Consulting Co ltd
Priority to CN202010396775.0A priority Critical patent/CN111556070A/en
Publication of CN111556070A publication Critical patent/CN111556070A/en
Withdrawn legal-status Critical Current

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425Traffic logging, e.g. anomaly detection
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31User authentication
    • G06F21/316User authentication by observing the pattern of computer usage, e.g. typical user behaviour
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/10Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/101Access control lists [ACL]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Theoretical Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Social Psychology (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

The invention relates to a method and a device for detecting abnormal access of a webpage. The method comprises the following steps: the server receives an access request from the client; obtaining the access characteristics of the access request; judging whether the webpage access is abnormal or not according to the access characteristics; and when the webpage access is judged to be abnormal, performing abnormal processing operation. By the technical scheme of the invention, the judgment efficiency and accuracy of the webpage access abnormity can be improved, and further, when the webpage access abnormity is judged, the abnormity access processing operation is automatically carried out, so that the occurrence of the webpage access abnormity is fully avoided.

Description

Webpage abnormal access detection method and device
Technical Field
The invention relates to the technical field of internet, in particular to a method and a device for detecting abnormal access of a webpage.
Background
At present, in the field of internet access, abnormal access often occurs, and in the prior art, judgment is usually performed according to the experience of a technician when abnormal access is judged, and the judgment method is obviously inflexible and inaccurate, cannot ensure the judgment accuracy and the judgment efficiency of abnormal access of a webpage, and is easy to waste a large amount of manpower.
Disclosure of Invention
The embodiment of the invention provides a method and a device for detecting abnormal access of a webpage. The technical scheme is as follows:
according to a first aspect of the embodiments of the present invention, a method for detecting abnormal access to a web page is provided, which includes:
the server receives an access request from the client;
obtaining the access characteristics of the access request;
judging whether the webpage access is abnormal or not according to the access characteristics;
and when the webpage access is judged to be abnormal, performing abnormal processing operation.
In one embodiment, the determining whether the web page access is abnormal according to the access characteristics includes:
judging whether the access characteristics carry user behaviors or not;
when the access characteristics carry user behaviors, determining that the webpage from the client side is normally accessed;
when the access characteristics do not carry user behaviors, determining the access time of the access request;
and when the access time is within the user historical rest time period, determining that the webpage access from the client is abnormal.
In one embodiment, the determining whether the web page access is abnormal according to the access characteristic includes:
determining the total current access times from the client in unit time according to the number of the access requests from the client in unit time;
acquiring a preset access frequency threshold value in unit time;
judging whether the total number of the current accesses is within the threshold of the number of the accesses;
when the total current access times are within the access time threshold, judging that the webpage access is normal;
and when the total current access times are beyond the access times threshold, judging that the webpage access is abnormal.
In one embodiment, the determining whether the web page access is abnormal according to the access characteristics includes:
determining a feature set A formed by the access features;
A={a1,a2,…,an}
wherein, aiThe value of i is from 1 to n, and n is the total number of the access features in the feature set A;
determining a feature set B formed by abnormal reference features;
B={b1,b2,…,bm}
wherein, bjJ is the jth abnormal reference feature in the feature set B, the value of j is from 1 to m, and m is the total number of the abnormal reference features contained in the feature set B;
calculating the matching degree r (A, B) of the feature set A and the feature set B;
Figure BDA0002487868930000021
wherein α and β are empirical coefficients, A (a)i) Representing the ith access characteristic, B (B), in set Aj) J abnormal reference features in the set B are represented;
judging whether the r (A, B) is larger than an abnormal matching threshold q;
when the r (A, B) is larger than an abnormal matching threshold q, determining that the webpage access is abnormal;
and when the r (A, B) is not larger than an abnormal matching threshold q, determining that the webpage is accessed normally.
In one embodiment, when it is determined that the web page access is abnormal, the performing an exception handling operation step is as follows:
step A1, constructing attribute data information of webpage access according to the following steps:
Figure BDA0002487868930000031
wherein X represents attribute data information total data of webpage access, and X1Representing attribute web page information, x2Return value, x, representing access to the attribute web page3Representing attribute server information, and m representing the number of attribute data information accessed by the constructed web page;
step A2, the attribute data value of the replaced abnormal web page access is obtained according to the following formula:
Figure BDA0002487868930000032
where a represents the attribute data value of the web page visit replacing the outlier, xijRepresenting the attribute data value of the webpage access with coordinates (i, j), m representing the number of the constructed attribute data information of the webpage access, n representing the mean value of the attribute data in the neighborhood, s representing the variance of the attribute data in the neighborhood, L being the dynamic range of the standard variance, and k being a preset parameter;
and step A3, replacing the abnormal value in the attribute data information total data for constructing the webpage access according to the attribute data value of the webpage access for replacing the abnormal value obtained in the step A2, and finishing the abnormal value processing.
In one embodiment, the access characteristic includes a total number of current accesses, the access request includes a plurality of accesses, and the method further includes:
when the webpage access is judged to be abnormal, determining a target webpage accessed by each access request in a plurality of access requests;
when the target web pages comprise a plurality of target web pages, counting the number of times of accessing each target web page;
determining a webpage which is accessed most frequently from a plurality of target webpages;
and determining the abnormal access reason of the webpage according to the webpage with the most accessed times.
In one embodiment, when it is determined that the web page access is normal, a URL address carried in the access request is acquired;
judging whether the local of the server stores the page resource corresponding to the URL address or not;
when the corresponding page resources are stored, sending the corresponding page resources to the client;
when the corresponding page resources are not stored, determining a standby address corresponding to the URL address and a standby server corresponding to the standby address;
establishing a TCP communication connection with the standby server to send a resource request to the standby server;
receiving standby resources sent by the standby server based on the resource request;
and sending the standby resource to the client.
In one embodiment, a pre-stored user behavior monitoring script is invoked;
when the page resource or the standby resource is sent to the client, the user behavior monitoring script is injected into the page resource or the standby resource;
receiving current user operation sent by the client while the client displays the page resource or the standby resource, wherein the current operation behavior is acquired by the client through the user behavior monitoring script;
calling pre-stored historical user operation from the client;
analyzing a user operation habit corresponding to the client according to the current user operation and the historical user operation;
and storing the operation habits of the user.
According to a second aspect of the embodiments of the present invention, there is provided an apparatus for detecting abnormal web page access, including:
the receiving module is used for receiving an access request from a client;
the acquisition module is used for acquiring the access characteristics of the access request;
the judging module is used for judging whether the webpage access is abnormal or not according to the access characteristics;
and the processing module is used for performing exception handling operation when the webpage access exception is judged.
In one embodiment, the determining module comprises:
the first judgment submodule is used for judging whether the access characteristics carry user behaviors or not;
the first determining submodule is used for determining that the webpage from the client side is normally accessed when the access characteristics carry user behaviors;
the second determining submodule is used for determining the access time of the access request when the access characteristics do not carry user behaviors;
and the third determining submodule is used for determining that the webpage access from the client is abnormal when the access time is within the user historical rest time period.
In one embodiment, the access characteristic includes a total number of current accesses, and the determining module includes:
a fourth determining submodule, configured to determine, according to the number of access requests from the client in a unit time, a total current access frequency from the client in the unit time;
the acquisition submodule is used for acquiring a preset access time threshold in unit time;
the second judgment submodule is used for judging whether the total current access times are within the access times threshold value;
the first judgment submodule is used for judging that the webpage access is normal when the total current access times are within the access time threshold;
and the second judging submodule is used for judging that the webpage access is abnormal when the total current access times are beyond the access times threshold.
In one embodiment, the determining module comprises:
a fifth determining submodule, configured to determine a feature set a formed by the access features;
A={a1,a2,…,an}
wherein, aiThe value of i is from 1 to n, and n is the total number of the access features in the feature set A;
a sixth determining submodule, configured to determine a feature set B formed by the abnormal reference features;
B={b1,b2,…,bm}
wherein, bjJ is the jth abnormal reference feature in the feature set B, the value of j is from 1 to m, and m is the total number of the abnormal reference features contained in the feature set B;
a calculating submodule for calculating a matching degree r (A, B) of the feature set A and the feature set B;
Figure BDA0002487868930000061
wherein α and β are empirical coefficients, A (a)i) Representing the ith access characteristic, B (B), in set Aj) J abnormal reference features in the set B are represented;
a third judgment submodule, configured to judge whether r (a, B) is greater than an abnormal matching threshold q;
a fifth determining submodule, configured to determine that the web page access is abnormal when the r (a, B) is greater than an abnormal matching threshold q;
a sixth determining sub-module, configured to determine that the web page access is normal when r (a, B) is not greater than an abnormal matching threshold q.
In one embodiment, the access characteristic includes a total number of current accesses, the access request includes a plurality of accesses, and the apparatus is further configured to:
when the webpage access is judged to be abnormal, determining a target webpage accessed by each access request in a plurality of access requests;
when the target web pages comprise a plurality of target web pages, counting the number of times of accessing each target web page;
determining a webpage which is accessed most frequently from a plurality of target webpages;
and determining the abnormal access reason of the webpage according to the webpage with the most accessed times.
In one embodiment, the apparatus is further configured to:
when the webpage access is judged to be normal, acquiring a URL address carried in the access request;
judging whether the local of the server stores the page resource corresponding to the URL address or not;
when the corresponding page resources are stored, sending the corresponding page resources to the client;
when the corresponding page resources are not stored, determining a standby address corresponding to the URL address and a standby server corresponding to the standby address;
establishing a TCP communication connection with the standby server to send a resource request to the standby server;
receiving standby resources sent by the standby server based on the resource request;
and sending the standby resource to the client.
In one embodiment, the apparatus further comprises:
the first calling module is used for calling a pre-stored user behavior monitoring script;
the injection module is used for injecting the user behavior monitoring script into the page resource or the standby resource when the page resource or the standby resource is sent to the client;
a receiving module, configured to receive a current user operation sent by the client while the client displays the page resource or the standby resource, where the current operation behavior is acquired by the client through the user behavior monitoring script;
the second calling module is used for calling the pre-stored historical user operation from the client;
the analysis module is used for analyzing the user operation habit corresponding to the client according to the current user operation and the historical user operation;
and the storage module is used for storing the operation habits of the user.
The technical scheme provided by the embodiment of the invention can have the following beneficial effects:
the server can automatically acquire the access characteristics of the access request after receiving the access request from the client, and then automatically identify and judge whether the webpage access is abnormal according to the access characteristics so as to avoid technical personnel from judging whether the webpage access is abnormal according to personal experience, thereby improving the judgment efficiency and accuracy of the webpage access abnormality, further automatically performing abnormal access processing operation when judging the webpage access abnormality, such as forbidding the client to access the webpage corresponding to the access request, giving an abnormality alarm to the client, forbidding the client to access the server, pulling the client into an access blacklist and the like, and further fully avoiding the occurrence of the webpage access abnormality.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the invention, as claimed.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the invention and together with the description, serve to explain the principles of the invention.
Fig. 1 is a flowchart illustrating a web page abnormal access detection method according to an exemplary embodiment.
Detailed Description
Reference will now be made in detail to the exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, like numbers in different drawings represent the same or similar elements unless otherwise indicated. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the present invention. Rather, they are merely examples of apparatus and methods consistent with certain aspects of the invention, as detailed in the appended claims.
In order to solve the above technical problem, an embodiment of the present invention provides a method for detecting abnormal access to a web page, where the method may be used in a front-end page building program or device, as shown in fig. 1, and the method includes steps S101 to S104:
in step S101, the server receives an access request from the client;
in step S101, acquiring an access characteristic of the access request; the access characteristics are used to characterize the access request, and may be many, such as access time, access frequency, identification of the client, characteristics of the accessed web content, and the like.
In step S101, determining whether web page access is abnormal according to the access characteristics;
in step S101, when it is determined that the web page access is abnormal, an abnormality processing operation is performed.
The server can automatically acquire the access characteristics of the access request after receiving the access request from the client, and then automatically identify and judge whether the webpage access is abnormal according to the access characteristics so as to avoid technical personnel from judging whether the webpage access is abnormal according to personal experience, thereby improving the judgment efficiency and accuracy of the webpage access abnormality, further automatically performing abnormal access processing operation when judging the webpage access abnormality, such as forbidding the client to access the webpage corresponding to the access request, giving an abnormality alarm to the client, forbidding the client to access the server, pulling the client into an access blacklist and the like, and further fully avoiding the occurrence of the webpage access abnormality.
In one embodiment, the determining whether the web page access is abnormal according to the access characteristics includes:
judging whether the access characteristics carry user behaviors or not;
when the access characteristics carry user behaviors, determining that the webpage from the client side is normally accessed;
when the access characteristics do not carry user behaviors, determining the access time of the access request;
and when the access time is within the user historical rest time period, determining that the webpage access from the client is abnormal.
Because some user traces exist when the user autonomously accesses the webpage, when the access characteristic is judged to carry the user behavior, the webpage access of the current time is from the normal operation of the user, and therefore the webpage access from the client side can be determined to be normal; if the access characteristics do not carry user behaviors, the webpage access may come from programs such as trojans and the like or intrusion scripts and the like, but the webpage access is not the access of the user, the access time of the access request can be further determined, if the access time is just within the user historical rest time period, the access is determined to be not the access of the user, and the access is determined to be the access of the user or the intrusion programs or the intrusion scripts imitating the user, so that the webpage access can be determined to be abnormal.
In one embodiment, the determining whether the web page access is abnormal according to the access characteristic includes:
determining the total current access times from the client in unit time according to the number of the access requests from the client in unit time;
acquiring a preset access frequency threshold value in unit time;
judging whether the total number of the current accesses is within the threshold of the number of the accesses;
when the total current access times are within the access time threshold, judging that the webpage access is normal;
and when the total current access times are beyond the access times threshold, judging that the webpage access is abnormal.
Because the normal access frequency of the user in unit time is limited, when judging whether the webpage access is abnormal, the current access total frequency from the client in unit time can be determined according to the number of access requests from the client in unit time, then whether the current access total frequency is within the access frequency threshold is judged, if the current access total frequency is within the access frequency threshold, the webpage access frequency from the client in unit time is proper, the webpage access is judged to be normal, and when the current access total frequency is outside the access frequency threshold (namely, is greater than the upper limit of the access frequency threshold), the access frequency is too high, the webpage access is not artificially accessed, and the webpage access is judged to be abnormal.
In one embodiment, the determining whether the web page access is abnormal according to the access characteristics includes:
determining a feature set A formed by the access features;
A={a1,a2,…,an}
wherein, aiThe value of i is from 1 to n, and n is the total number of the access features in the feature set A;
determining a feature set B formed by abnormal reference features; the abnormal reference features are the features counted according to the historical webpage access abnormal records.
B={b1,b2,…,bm}
Wherein, bjJ is the jth abnormal reference feature in the feature set B, the value of j is from 1 to m, and m is the total number of the abnormal reference features contained in the feature set B;
calculating the matching degree r (A, B) of the feature set A and the feature set B;
Figure BDA0002487868930000111
wherein α and β are empirical coefficients, such as α is 2, β is 1, A (a)i) Representing the ith access characteristic, B (B), in set Aj) J abnormal reference features in the set B are represented; n is less than or equal to m.
Judging whether the r (A, B) is larger than an abnormal matching threshold q;
when the r (A, B) is larger than an abnormal matching threshold q, determining that the webpage access is abnormal;
and when the r (A, B) is not larger than an abnormal matching threshold q, determining that the webpage is accessed normally.
By calculating the matching degree of the feature set A and the feature set B, the matching degree between the access features and the abnormal reference features at this time or in this period can be confirmed, if r (A, B) is greater than the abnormal matching threshold q, the matching degree between the access features and the abnormal reference features at this time or in this period is higher, and an abnormality occurs, so that the web page access abnormality can be determined, and if r (A, B) is not greater than the abnormal matching threshold q, the matching degree between the access features and the abnormal reference features at this time or in this period is lower, and no abnormality occurs, so that the web page access normality can be determined.
In one embodiment, when it is determined that the web page access is abnormal, the performing an exception handling operation step is as follows:
step A1, constructing attribute data information of webpage access according to the following steps:
Figure BDA0002487868930000112
wherein X represents attribute data information total data of webpage access, and X1Representing attribute web page information, x2Return value, x, representing access to the attribute web page3Representing attribute server information, and m representing the number of attribute data information accessed by the constructed web page;
step A2, the attribute data value of the replaced abnormal web page access is obtained according to the following formula:
Figure BDA0002487868930000121
where a represents the attribute data value of the web page visit replacing the outlier, xijRepresenting the attribute data value of the webpage access with coordinates (i, j), m representing the number of the constructed attribute data information of the webpage access, n representing the mean value of the attribute data in the neighborhood, s representing the variance of the attribute data in the neighborhood, L being the dynamic range of the standard variance, and k being a preset parameter;
and step A3, replacing the abnormal value in the attribute data information total data for constructing the webpage access according to the attribute data value of the webpage access for replacing the abnormal value obtained in the step A2, and finishing the abnormal value processing.
Has the advantages that: the method adopts an image processing algorithm to create attribute data information of the webpage access, wherein abnormal values in the attribute data information of the webpage access are processed, the abnormal values are processed by adopting an average value, the abnormal access condition of the current webpage is solved, the method is simple and easy, the webpage access performance can be improved, the error frequency is reduced, the algorithm can automatically analyze the abnormal data values according to the abnormality when the webpage is accessed, and the abnormal data values are solved.
In one embodiment, the access characteristic includes a total number of current accesses, the access request includes a plurality of accesses, and the method further includes:
when the webpage access is judged to be abnormal, determining a target webpage accessed by each access request in a plurality of access requests;
when the target web pages comprise a plurality of target web pages, counting the number of times of accessing each target web page;
determining a webpage which is accessed most frequently from a plurality of target webpages;
and determining the abnormal access reason of the webpage according to the webpage with the most accessed times.
When the webpage access is judged to be abnormal, a target webpage specifically accessed by each access request in the multiple access requests can be further determined, then the accessed times of each target webpage are counted, so that the webpage with the largest accessed times can be determined, and therefore a specific webpage abnormal access reason can be determined according to the webpage with the largest accessed times, abnormal access can be avoided later, for example, the abnormal reason is determined according to the webpage content of the webpage with the largest accessed times, or the abnormal access reason of the webpage is analyzed through a pre-established page access quantity abnormal model.
In an embodiment, when it is determined that the web page access is normal, acquiring a Uniform Resource Locator (URL) address carried in the access request;
judging whether the local of the server stores the page resource corresponding to the URL address or not;
when the corresponding page resources are stored, sending the corresponding page resources to the client;
when the corresponding page resources are not stored, determining a standby address corresponding to the URL address and a standby server corresponding to the standby address;
establishing a TCP (Transmission Control Protocol) communication connection with the standby server to send a resource request to the standby server;
receiving standby resources sent by the standby server based on the resource request; the spare resource may be the same resource as the page resource or a similar resource with a similarity higher than a threshold.
And sending the standby resource to the client.
When the webpage access is judged to be normal, the URL address carried in the access request can be obtained, then whether the page resource corresponding to the URL address is stored locally in the server is judged, if the page resource is stored locally, the page resource is sent to the client, so that the client can receive the page resource and render the page resource in time, if the page resource is not stored locally, the backup address corresponding to the URL address and the backup server are determined through the association relation among the pre-stored URL address, the backup address and the backup server, then the current server and the backup server establish communication connection, so as to request and receive the backup resource from the backup server, so that the backup resource is sent to the client, and even if the resource corresponding to the URL address is not stored locally in the current server, the backup resource can still be obtained from the backup server, thereby performing normal access to the web page.
In one embodiment, a pre-stored user behavior monitoring script is invoked;
when the page resource or the standby resource is sent to the client, the user behavior monitoring script is injected into the page resource or the standby resource;
receiving current user operation sent by the client while the client displays the page resource or the standby resource, wherein the current operation behavior is acquired by the client through the user behavior monitoring script;
calling pre-stored historical user operation from the client;
analyzing a user operation habit corresponding to the client according to the current user operation and the historical user operation;
and storing the operation habits of the user.
By injecting the user behavior monitoring script into the page resource or the standby resource, the client can display the network resource or the standby resource, and simultaneously, the user behavior monitoring script is utilized to track and record the current user operation (such as clicking operation, sliding operation and the like of the user, and certainly, the current user operation carries characteristics of an operation position, time and the like) on the webpage, so that the user operation habit of the user individuation using the client can be analyzed based on the current user operation and the historical user operation, and the user operation habit can be stored if the user is used to click for several times, click for how long, sliding speed, sliding gesture and the like, so that the user operation habit can be combined later, and the judgment accuracy of abnormal access of the webpage can be improved.
Finally, it is clear that: the above embodiments can be freely combined by those skilled in the art according to actual needs.
Corresponding to the method for detecting the abnormal access of the webpage provided by the embodiment of the invention, the embodiment of the invention also provides a device for detecting the abnormal access of the webpage, and the device comprises:
the receiving module is used for receiving an access request from a client;
the acquisition module is used for acquiring the access characteristics of the access request;
the judging module is used for judging whether the webpage access is abnormal or not according to the access characteristics;
and the processing module is used for performing exception handling operation when the webpage access exception is judged.
In one embodiment, the determining module comprises:
the first judgment submodule is used for judging whether the access characteristics carry user behaviors or not;
the first determining submodule is used for determining that the webpage from the client side is normally accessed when the access characteristics carry user behaviors;
the second determining submodule is used for determining the access time of the access request when the access characteristics do not carry user behaviors;
and the third determining submodule is used for determining that the webpage access from the client is abnormal when the access time is within the user historical rest time period.
In one embodiment, the access characteristic includes a total number of current accesses, and the determining module includes:
a fourth determining submodule, configured to determine, according to the number of access requests from the client in a unit time, a total current access frequency from the client in the unit time;
the acquisition submodule is used for acquiring a preset access time threshold in unit time;
the second judgment submodule is used for judging whether the total current access times are within the access times threshold value;
the first judgment submodule is used for judging that the webpage access is normal when the total current access times are within the access time threshold;
and the second judging submodule is used for judging that the webpage access is abnormal when the total current access times are beyond the access times threshold.
In one embodiment, the determining module comprises:
a fifth determining submodule, configured to determine a feature set a formed by the access features;
A={a1,a2,…,an}
wherein, aiThe value of i is from 1 to n, and n is the total number of the access features in the feature set A;
a sixth determining submodule, configured to determine a feature set B formed by the abnormal reference features;
B={b1,b2,…,bm}
wherein, bjIs the jth abnormal reference feature, j, in the feature set BIs from 1 to m, wherein m is the total number of abnormal reference features contained in the feature set B;
a calculating submodule for calculating a matching degree r (A, B) of the feature set A and the feature set B;
Figure BDA0002487868930000161
wherein α and β are empirical coefficients, A (a)i) Representing the ith access characteristic, B (B), in set Aj) J abnormal reference features in the set B are represented;
a third judgment submodule, configured to judge whether r (a, B) is greater than an abnormal matching threshold q;
a fifth determining submodule, configured to determine that the web page access is abnormal when the r (a, B) is greater than an abnormal matching threshold q;
a sixth determining sub-module, configured to determine that the web page access is normal when r (a, B) is not greater than an abnormal matching threshold q.
In one embodiment, the access characteristic includes a total number of current accesses, the access request includes a plurality of accesses, and the apparatus is further configured to:
when the webpage access is judged to be abnormal, determining a target webpage accessed by each access request in a plurality of access requests;
when the target web pages comprise a plurality of target web pages, counting the number of times of accessing each target web page;
determining a webpage which is accessed most frequently from a plurality of target webpages;
and determining the abnormal access reason of the webpage according to the webpage with the most accessed times.
In one embodiment, the apparatus is further configured to:
when the webpage access is judged to be normal, acquiring a URL address carried in the access request;
judging whether the local of the server stores the page resource corresponding to the URL address or not;
when the corresponding page resources are stored, sending the corresponding page resources to the client;
when the corresponding page resources are not stored, determining a standby address corresponding to the URL address and a standby server corresponding to the standby address;
establishing a TCP communication connection with the standby server to send a resource request to the standby server;
receiving standby resources sent by the standby server based on the resource request;
and sending the standby resource to the client.
In one embodiment, the apparatus further comprises:
the first calling module is used for calling a pre-stored user behavior monitoring script;
the injection module is used for injecting the user behavior monitoring script into the page resource or the standby resource when the page resource or the standby resource is sent to the client;
a receiving module, configured to receive a current user operation sent by the client while the client displays the page resource or the standby resource, where the current operation behavior is acquired by the client through the user behavior monitoring script;
the second calling module is used for calling the pre-stored historical user operation from the client;
the analysis module is used for analyzing the user operation habit corresponding to the client according to the current user operation and the historical user operation;
and the storage module is used for storing the operation habits of the user.
Other embodiments of the invention will be apparent to those skilled in the art from consideration of the specification and practice of the invention disclosed herein. This application is intended to cover any variations, uses, or adaptations of the invention following, in general, the principles of the invention and including such departures from the present disclosure as come within known or customary practice within the art to which the invention pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the invention being indicated by the following claims.
It will be understood that the invention is not limited to the precise arrangements described above and shown in the drawings and that various modifications and changes may be made without departing from the scope thereof. The scope of the invention is limited only by the appended claims.

Claims (11)

1. A webpage abnormal access detection method is characterized by comprising the following steps:
the server receives an access request from the client;
obtaining the access characteristics of the access request;
judging whether the webpage access is abnormal or not according to the access characteristics;
and when the webpage access is judged to be abnormal, performing abnormal processing operation.
2. The method of claim 1, wherein the determining whether the web page access is abnormal according to the access characteristic comprises:
judging whether the access characteristics carry user behaviors or not;
when the access characteristics carry user behaviors, determining that the webpage from the client side is normally accessed;
when the access characteristics do not carry user behaviors, determining the access time of the access request;
and when the access time is within the user historical rest time period, determining that the webpage access from the client is abnormal.
3. The method of claim 1, wherein the access characteristic comprises a total number of current accesses, and the determining whether the web page access is abnormal according to the access characteristic comprises:
determining the total current access times from the client in unit time according to the number of the access requests from the client in unit time;
acquiring a preset access frequency threshold value in unit time;
judging whether the total number of the current accesses is within the threshold of the number of the accesses;
when the total current access times are within the access time threshold, judging that the webpage access is normal;
and when the total current access times are beyond the access times threshold, judging that the webpage access is abnormal.
4. The method of claim 1,
the judging whether the webpage access is abnormal according to the access characteristics comprises the following steps:
determining a feature set A formed by the access features;
A={a1,a2,…,an}
wherein, aiThe value of i is from 1 to n, and n is the total number of the access features in the feature set A;
determining a feature set B formed by abnormal reference features;
B={b1,b2,…,bm}
wherein, bjJ is the jth abnormal reference feature in the feature set B, the value of j is from 1 to m, and m is the total number of the abnormal reference features contained in the feature set B;
calculating the matching degree r (A, B) of the feature set A and the feature set B;
Figure FDA0002487868920000021
wherein α and β are empirical coefficients, A (a)i) Representing the ith access characteristic, B (B), in set Aj) J abnormal reference features in the set B are represented;
judging whether the r (A, B) is larger than an abnormal matching threshold q;
when the r (A, B) is larger than an abnormal matching threshold q, determining that the webpage access is abnormal;
and when the r (A, B) is not larger than an abnormal matching threshold q, determining that the webpage is accessed normally.
5. The method according to claim 1, wherein when it is determined that the web page access is abnormal, the performing an exception handling operation step is as follows:
step A1, constructing attribute data information of webpage access according to the following steps:
Figure FDA0002487868920000022
wherein X represents attribute data information total data of webpage access, and X1Representing attribute web page information, x2Return value, x, representing access to the attribute web page3Representing attribute server information, and m representing the number of attribute data information accessed by the constructed web page;
step A2, the attribute data value of the replaced abnormal web page access is obtained according to the following formula:
Figure FDA0002487868920000031
where a represents the attribute data value of the web page visit replacing the outlier, xijRepresenting the attribute data value of the webpage access with coordinates (i, j), m representing the number of the constructed attribute data information of the webpage access, n representing the mean value of the attribute data in the neighborhood, s representing the variance of the attribute data in the neighborhood, L being the dynamic range of the standard variance, and k being a preset parameter;
and step A3, replacing the abnormal value in the attribute data information total data for constructing the webpage access according to the attribute data value of the webpage access for replacing the abnormal value obtained in the step A2, and finishing the abnormal value processing.
6. The method of claim 1, wherein the access characteristic comprises a total number of current accesses, wherein the access request comprises a plurality of access requests, and wherein the method further comprises:
when the webpage access is judged to be abnormal, determining a target webpage accessed by each access request in a plurality of access requests;
when the target web pages comprise a plurality of target web pages, counting the number of times of accessing each target web page;
determining a webpage which is accessed most frequently from a plurality of target webpages;
and determining the abnormal access reason of the webpage according to the webpage with the most accessed times.
7. The method according to any one of claims 1 to 6,
when the webpage access is judged to be normal, acquiring a URL address carried in the access request;
judging whether the local of the server stores the page resource corresponding to the URL address or not;
when the corresponding page resources are stored, sending the corresponding page resources to the client;
when the corresponding page resources are not stored, determining a standby address corresponding to the URL address and a standby server corresponding to the standby address;
establishing a TCP communication connection with the standby server to send a resource request to the standby server;
receiving standby resources sent by the standby server based on the resource request;
and sending the standby resource to the client.
8. The method of claim 7,
calling a pre-stored user behavior monitoring script;
when the page resource or the standby resource is sent to the client, the user behavior monitoring script is injected into the page resource or the standby resource;
receiving current user operation sent by the client while the client displays the page resource or the standby resource, wherein the current operation behavior is acquired by the client through the user behavior monitoring script;
calling pre-stored historical user operation from the client;
analyzing a user operation habit corresponding to the client according to the current user operation and the historical user operation;
and storing the operation habits of the user.
9. An apparatus for detecting abnormal access to a web page, used in a server, comprising:
the receiving module is used for receiving an access request from a client;
the acquisition module is used for acquiring the access characteristics of the access request;
the judging module is used for judging whether the webpage access is abnormal or not according to the access characteristics;
and the processing module is used for performing exception handling operation when the webpage access exception is judged.
10. The apparatus of claim 8, wherein the determining module comprises:
the first judgment submodule is used for judging whether the access characteristics carry user behaviors or not;
the first determining submodule is used for determining that the webpage from the client side is normally accessed when the access characteristics carry user behaviors;
the second determining submodule is used for determining the access time of the access request when the access characteristics do not carry user behaviors;
and the third determining submodule is used for determining that the webpage access from the client is abnormal when the access time is within the user historical rest time period.
11. The apparatus of claim 9 or 10, wherein the access characteristic comprises a total number of current accesses, and the determining module comprises:
a fourth determining submodule, configured to determine, according to the number of access requests from the client in a unit time, a total current access frequency from the client in the unit time;
the acquisition submodule is used for acquiring a preset access time threshold in unit time;
the second judgment submodule is used for judging whether the total current access times are within the access times threshold value;
the first judgment submodule is used for judging that the webpage access is normal when the total current access times are within the access time threshold;
and the second judging submodule is used for judging that the webpage access is abnormal when the total current access times are beyond the access times threshold.
CN202010396775.0A 2020-05-12 2020-05-12 Webpage abnormal access detection method and device Withdrawn CN111556070A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010396775.0A CN111556070A (en) 2020-05-12 2020-05-12 Webpage abnormal access detection method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010396775.0A CN111556070A (en) 2020-05-12 2020-05-12 Webpage abnormal access detection method and device

Publications (1)

Publication Number Publication Date
CN111556070A true CN111556070A (en) 2020-08-18

Family

ID=72008115

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010396775.0A Withdrawn CN111556070A (en) 2020-05-12 2020-05-12 Webpage abnormal access detection method and device

Country Status (1)

Country Link
CN (1) CN111556070A (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114168880A (en) * 2021-11-30 2022-03-11 北京达佳互联信息技术有限公司 Webpage state determination method, device, equipment and storage medium
CN114244685A (en) * 2021-11-16 2022-03-25 国家电网有限公司客户服务中心 Cloud service center access exception handling system
CN114978881A (en) * 2022-06-08 2022-08-30 上海华客信息科技有限公司 Early warning method and device for webpage element acquisition abnormity and storage medium
CN117235797A (en) * 2023-09-28 2023-12-15 广州工程技术职业学院 Intelligent management method, device, equipment and system for big data resource access

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114244685A (en) * 2021-11-16 2022-03-25 国家电网有限公司客户服务中心 Cloud service center access exception handling system
CN114168880A (en) * 2021-11-30 2022-03-11 北京达佳互联信息技术有限公司 Webpage state determination method, device, equipment and storage medium
CN114978881A (en) * 2022-06-08 2022-08-30 上海华客信息科技有限公司 Early warning method and device for webpage element acquisition abnormity and storage medium
CN117235797A (en) * 2023-09-28 2023-12-15 广州工程技术职业学院 Intelligent management method, device, equipment and system for big data resource access

Similar Documents

Publication Publication Date Title
CN111556070A (en) Webpage abnormal access detection method and device
CN102946319B (en) Networks congestion control information analysis system and analytical method thereof
CN104348810B (en) The detection method of stolen account number, apparatus and system
CN107508809B (en) Method and device for identifying website type
CN109587001A (en) A kind of performance indicator method for detecting abnormality and device
EP4198775A1 (en) Abnormal user auditing method and apparatus, electronic device, and storage medium
CN111163054B (en) Method and device for detecting malicious behavior of webpage
CN110830445B (en) Method and device for identifying abnormal access object
US20180225320A1 (en) Anomaly Detection at Coarser Granularity of Data
CN111130845B (en) Method and device for testing IPv6 support degree of website page based on visual information
CN106302350A (en) URL monitoring method, device and equipment
CN113489713A (en) Network attack detection method, device, equipment and storage medium
CN111309635A (en) Test case generation method, device, server and storage medium
CN110912874A (en) Method and system for effectively identifying machine access behaviors
CN111177725B (en) Method, device, equipment and storage medium for detecting malicious click operation
CN114996103A (en) Page abnormity detection method and device, electronic equipment and storage medium
CN110659954B (en) Cheating identification method and device, electronic equipment and readable storage medium
CN116015842A (en) Network attack detection method based on user access behaviors
CN110633412A (en) Page stay intention analysis method and device, computer equipment and storage medium
CN110659435A (en) Page data acquisition processing method and device, computer equipment and storage medium
CN113918438A (en) Method and device for detecting server abnormality, server and storage medium
CN112130944A (en) Page abnormity detection method, device, equipment and storage medium
CN110321711A (en) Detect the method and system of application server SQL injection point
CN113076487B (en) User interest characterization and content recommendation method, device and equipment
CN115309638A (en) Method and device for assisting model optimization

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
WW01 Invention patent application withdrawn after publication

Application publication date: 20200818

WW01 Invention patent application withdrawn after publication