CN112003833A - Abnormal behavior detection method and device


Info

Publication number
CN112003833A
Authority
CN
China
Prior art keywords
web page
abnormal
user operation
user
frequency
Prior art date
Legal status
Pending
Application number
CN202010752178.7A
Other languages
Chinese (zh)
Inventor
郑霖
Current Assignee
Ruishu Information Technology Shanghai Co ltd
Original Assignee
Ruishu Information Technology Shanghai Co ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/50 Network services
    • H04L67/535 Tracking the activity of the user

Abstract

The application discloses an abnormal behavior detection method and device. The method comprises the following steps: a threat perception platform acquires user operation event information generated on a web page and collected by front-end code; at least one of the following abnormality analyses is carried out on the user operation event information occurring on each web page, so as to identify whether abnormal operation behavior exists on the web page: analyzing whether a user operation event occurring on the web page is missing; analyzing whether the number of user operation events occurring on the web page is abnormal; and analyzing whether the frequency of user operation events occurring on the web page is abnormal. According to the method and device, whether abnormal operation behavior exists on a web page can be identified by acquiring and analyzing the user operation event information collected on the web page by the front-end code, so that the accuracy of anti-crawler technology is improved.

Description

Abnormal behavior detection method and device
[ technical field ]
The present application relates to the field of computer security technologies, and in particular, to a method and an apparatus for detecting abnormal behavior.
[ background of the invention ]
This section is intended to provide a background or context to the embodiments of the application that are recited in the claims. The description herein is not admitted to be prior art by inclusion in this section.
A crawler is a way of obtaining website information in bulk by any technical means. On the one hand, a large number of crawlers can seriously consume server performance and bandwidth, affect normal user access, and in serious cases amount to a distributed denial of service (DDoS) attack. On the other hand, a website's important data, information and assets must not be exposed at will; if they can be stolen easily, serious losses result. Corresponding anti-crawler mechanisms have therefore emerged. However, as the attack-defense confrontation in online service security has evolved, automated crawlers have gradually come to simulate normal user operations in order to bypass anti-crawler mechanisms. The behavior of normal users and abnormal behavior therefore need to be told apart, so that the abnormal behavior of a simulated user can be detected.
[ summary of the invention ]
In view of this, the present application provides an abnormal behavior detection method and apparatus, so as to identify the abnormal behavior of the simulated user, and improve the accuracy of the anti-crawler technology.
The specific technical scheme is as follows:
in a first aspect, the present application provides a method for detecting abnormal behavior, including:
the threat perception platform acquires user operation event information generated on a web page collected by a front-end code;
at least one of the following abnormality analyses is carried out on the user operation event information occurring on each web page, so as to identify whether abnormal operation behavior exists on the web page:
analyzing whether a user operation event occurring on a web page is missing or not;
analyzing whether the number of user operation events occurring on the web page is abnormal or not;
and analyzing whether the frequency of the user operation events occurring on the web page is abnormal.
According to a preferred embodiment of the present application, the front-end code comprises: JavaScript (JS) code embedded in a web page, code embedded in a mobile application, or code embedded in a desktop client;
the operation event information includes: mouse keyboard event information, touch screen event information, or motion sensor event information.
According to a preferred embodiment of the present application, analyzing whether a user operation event occurring on the web page is missing includes:
if no user operation event occurs when a network request is triggered on the web page, identifying that abnormal operation behavior exists on the web page; or,
if the user operation event that occurs when a network request is triggered on the web page does not match the correct operation event corresponding to that network request, identifying that abnormal operation behavior exists on the web page.
According to a preferred embodiment of the present application, the analyzing whether the number of the user operation events occurring on the web page is abnormal includes:
and if the number of the user operation events occurring on the web page is less than the number of the normal operation events of the web page, identifying that abnormal operation behaviors exist on the web page.
According to a preferred embodiment of the present application, analyzing whether the frequency of user operation events occurring on the web page is abnormal includes:
if the frequency of user operation events occurring on the web page is higher than a preset first frequency threshold, identifying that abnormal operation behavior exists on the web page; or,
if, in a browsing path formed by consecutive web pages, the frequency of user operation events triggering page jumps is higher than a preset second frequency threshold, identifying that abnormal operation behavior exists on the consecutive web pages; or,
if the vibration frequency acquired by the motion sensor is lower than a preset third frequency threshold when a touch event occurs on the web page, identifying that abnormal operation behavior exists on the web page; or,
if the frequency of user operation events occurring on the web page follows a known non-random distribution, identifying that abnormal operation behavior exists on the web page; or,
if the frequencies of user operation events occurring on a plurality of web pages corresponding to the same user identifier, application identifier or device identifier exhibit a consistent rule, identifying that abnormal operation behavior exists on the plurality of web pages.
According to a preferred embodiment of the present application, the method further comprises:
counting the conditions of the web pages with abnormal operation behaviors corresponding to the same user identification, application identification or equipment identification;
and determining the abnormal user identification, application identification or equipment identification according to the counted conditions.
In a second aspect, the present application provides an abnormal behavior detection apparatus, comprising:
the acquisition unit is used for acquiring user operation event information generated on a web page acquired by a front-end code;
the analysis unit is used for performing at least one of the following abnormality analyses on the user operation event information occurring on each web page, so as to identify whether abnormal operation behavior exists on the web page:
analyzing whether a user operation event occurring on a web page is missing or not;
analyzing whether the number of user operation events occurring on the web page is abnormal or not;
and analyzing whether the frequency of the user operation events occurring on the web page is abnormal.
According to a preferred embodiment of the present application, the front-end code comprises: JavaScript (JS) code embedded in a web page, code embedded in a mobile application, or code embedded in a desktop client;
the operation event information includes: mouse keyboard event information, touch screen event information, or motion sensor event information.
According to a preferred embodiment of the present application, when analyzing whether a user operation event occurring on the web page is missing, the analysis unit specifically performs:
if no user operation event occurs when a network request is triggered on the web page, identifying that abnormal operation behavior exists on the web page; or,
if the user operation event that occurs when a network request is triggered on the web page does not match the correct operation event corresponding to that network request, identifying that abnormal operation behavior exists on the web page.
According to a preferred embodiment of the present application, when analyzing whether the number of user operation events occurring on the web page is abnormal, the analyzing unit specifically performs:
and if the number of the user operation events occurring on the web page is less than the number of the normal operation events of the web page, identifying that abnormal operation behaviors exist on the web page.
According to a preferred embodiment of the present application, when analyzing whether the frequency of user operation events occurring on the web page is abnormal, the analysis unit specifically performs:
if the frequency of user operation events occurring on the web page is higher than a preset first frequency threshold, identifying that abnormal operation behavior exists on the web page; or,
if, in a browsing path formed by consecutive web pages, the frequency of user operation events triggering page jumps is higher than a preset second frequency threshold, identifying that abnormal operation behavior exists on the consecutive web pages; or,
if the vibration frequency acquired by the motion sensor is lower than a preset third frequency threshold when a touch event occurs on the web page, identifying that abnormal operation behavior exists on the web page; or,
if the frequency of user operation events occurring on the web page follows a known non-random distribution, identifying that abnormal operation behavior exists on the web page; or,
if the frequencies of user operation events occurring on a plurality of web pages corresponding to the same user identifier, application identifier or device identifier exhibit a consistent rule, identifying that abnormal operation behavior exists on the plurality of web pages.
According to a preferred embodiment of the present application, the apparatus further comprises:
the statistical unit is used for counting the conditions of the web pages with abnormal operation behaviors corresponding to the same user identifier, application identifier or equipment identifier; and determining the abnormal user identification, application identification or equipment identification according to the counted conditions.
In a third aspect, the present application provides an apparatus comprising:
one or more processors;
a storage device for storing one or more programs,
when executed by the one or more processors, cause the one or more processors to implement the method as described above.
In a fourth aspect, the present application provides a storage medium containing computer-executable instructions for performing the method as described above when executed by a computer processor.
According to the technical scheme, by obtaining and analyzing the information of user operation events occurring on a web page collected by the front-end code, whether abnormal operation behavior exists on the web page can be identified, and therefore the accuracy of the anti-crawler technology is improved.
[ description of the drawings ]
FIG. 1 illustrates an exemplary system architecture to which an abnormal behavior detection method or apparatus of an embodiment of the present invention may be applied;
FIG. 2 is a flow chart of a method provided by an embodiment of the present application;
FIG. 3 is a block diagram of an apparatus according to an embodiment of the present disclosure;
FIG. 4 illustrates a block diagram of an exemplary computer system/server suitable for use in implementing embodiments of the present invention.
[ detailed description ]
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application is described in detail below with reference to the accompanying drawings and specific embodiments.
Fig. 1 shows an exemplary system architecture to which an abnormal behavior detection method or apparatus according to an embodiment of the present invention may be applied.
As shown in fig. 1, the system architecture may include a terminal device 101, a network 102, and a server 103. Network 102 is the medium used to provide communication links between terminal devices 101 and server 103. Network 102 may include various connection types, such as wired, wireless communication links, or fiber optic cables, to name a few.
A user may use terminal device 101 to interact with server 103 through network 102. Various applications, such as a voice interaction application, a web browser application, a communication-type application, etc., may be installed on the terminal device 101.
Terminal device 101 may be any terminal device including, but not limited to, a smartphone, a smart tablet, a laptop, a PC, an intelligent wearable device, and so on. The browsing and operation of the web page may be performed by a browser, a mobile application (referring to an application installed in the mobile device), and a desktop client (referring to a client installed in a PC or a notebook computer) in the terminal device 101. In the application, a code, called a front-end code, can be embedded in a web page, a mobile application or a desktop client, and is responsible for collecting user operation event information occurring on the web page and uploading the information to a threat perception platform. The threat awareness platform may be located and run in the server 103 described above. It may be implemented as a plurality of software or software modules (for example, for providing distributed services), or as a single software or software module, which is not specifically limited herein. The server 103 may be a single server or a server group including a plurality of servers.
It should be understood that the number of terminal devices, networks, and servers in fig. 1 is merely illustrative. There may be any number of terminal devices, networks, and servers, as desired for implementation.
Fig. 2 is a flowchart of a method provided by an embodiment of the present application, and as shown in fig. 2, the method may include the following steps:
in 201, the threat awareness platform obtains information of user operation events occurring on a web page collected by the front-end code.
The method and device target the web page on which abnormal behavior is to be identified. Because a web page is highly interactive, JS code (which runs after the web page is loaded) can be embedded in the web page, or code can be embedded in a mobile application or desktop client, and this code is used to collect the user operation event information occurring on the web page.
The collected operation events may include mouse and keyboard events occurring on a web page of a desktop client, touch screen events and motion sensor events occurring on a web page of a mobile application, and the like.
The front-end code can upload the collected user operation event information occurring on the web page to the threat awareness platform in a streaming or periodic mode so as to be stored by the threat awareness platform. The threat awareness platform can acquire user operation event information occurring on a specific web page, and acquire a user ID (identification), an application ID or a device ID from which the user operation event information originates through session information. The application ID may be an ID of the desktop client or an ID of the mobile application. If the user is in an anonymous state, a tourist state, or the like during browsing the web page, the user ID is not usually carried in the session information, but may carry an application ID or a device ID. If the user is in a login state during browsing the web page, the session information usually carries the user ID.
At 202, the threat awareness platform performs data cleansing and normalization processing on the collected user operation event information occurring on the web page.
The data cleaning of the user operation event information may include, but is not limited to, filtering out user operation event information with an incorrect data format or missing data, performing a complement process on some user operation event information, and the like.
In 203, the threat awareness platform performs anomaly analysis on the user operation event information occurring on each web page to identify whether an abnormal operation behavior exists on the web page.
When the threat awareness platform performs anomaly analysis on the user operation event information occurring on each web page, at least one of the following analysis modes can be adopted, although the platform is not limited to them:
the first mode is as follows: whether the user operation event occurring on the web page is missing or not is analyzed, so that whether abnormal operation behaviors exist or not is identified.
Typically, almost all network requests on a web page are triggered by user operation events, such as a user tapping a login button on a touch screen, pressing the Enter key, or clicking a login button with a mouse. If an automated crawler operates instead of a human, the network request may be triggered by the crawler program, in which case the user operation event does not occur on the web page, or does not occur correctly. Therefore, the correct operation event information for triggering each type of network request on the web page can be configured in advance, and based on it, if no user operation event occurs when a network request is triggered on the web page, abnormal operation behavior can be considered to exist on the web page; and/or, if the user operation event that occurs when the network request is triggered does not match the correct operation event corresponding to that request, abnormal operation behavior is identified on the web page.
Some special network requests that can be triggered without any user operation can be filtered out by means of a white list; that is, only network requests not in the white list are analyzed in this manner.
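The first analysis mode, as an added example that is not part of the patent: each network request is checked for a preceding user operation event, the event is compared against a pre-configured "correct trigger" table for that request type, and white-listed requests are skipped. The event kinds, the trigger table, the white list and the one-second look-back window are all assumptions made for this example.

```python
# Added example (not the patent's code): mode one, detecting a missing or
# mismatched user operation event behind a network request.
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Event:
    page: str
    kind: str      # constructed event kinds: "click", "keydown", "touchend"
    target: str    # UI element or key the event landed on
    ts: float      # seconds since page load


@dataclass
class Request:
    page: str
    name: str      # logical request name, e.g. "login"
    ts: float


# Hypothetical pre-configured "correct operation events" per request type.
EXPECTED_TRIGGERS = {
    "login":  {("click", "login_button"), ("keydown", "Enter")},
    "search": {("click", "search_button"), ("keydown", "Enter")},
}
# Hypothetical white list of requests that legitimately fire without a user operation.
WHITELIST = {"heartbeat", "telemetry"}
# Assumed look-back window (seconds) in which the request's trigger must appear.
WINDOW = 1.0


def check_missing_event(req: Request, events: List[Event]) -> Optional[str]:
    """Return None when the request is explained by a correct operation event,
    otherwise a short reason describing the anomaly."""
    if req.name in WHITELIST:
        return None
    recent = [e for e in events
              if e.page == req.page and req.ts - WINDOW <= e.ts <= req.ts]
    if not recent:
        return "no user operation event before request"
    expected = EXPECTED_TRIGGERS.get(req.name, set())
    if expected and not any((e.kind, e.target) in expected for e in recent):
        return "operation event does not match the request's correct trigger"
    return None


# Constructed sample data: events and requests collected on one login page.
SAMPLE_EVENTS = [
    Event("/login", "keydown", "a", 2.0),
    Event("/login", "click", "login_button", 5.2),
    Event("/login", "click", "remember_me", 9.0),
]
SAMPLE_REQUESTS = [
    Request("/login", "login", 5.3),       # preceded by a click on the login button
    Request("/login", "login", 9.1),       # preceded only by a click elsewhere
    Request("/login", "login", 14.0),      # no user event at all
    Request("/login", "heartbeat", 14.5),  # white-listed, never flagged
]


def analyse(requests=SAMPLE_REQUESTS, events=SAMPLE_EVENTS) -> list:
    """Return [(request name, timestamp, reason-or-None)] in request order."""
    return [(r.name, r.ts, check_missing_event(r, events)) for r in requests]


if __name__ == "__main__":
    for name, ts, verdict in analyse():
        print(f"{name}@{ts}: {verdict or 'ok'}")
```

Only the second and third requests are flagged: one has an event in the window that is not a correct trigger for a login request, the other has no event at all. A request that lands inside the window of several events is accepted if any one of them is a correct trigger, which keeps ordinary noise such as a stray mouse move from causing false positives.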
The second mode is as follows: and analyzing whether the number of the user operation events occurring on the web page is abnormal or not to identify whether abnormal operation behaviors exist on the web page or not.
Generally, a web page requires a certain number of user operations, so once user operation events occur on the web page, a certain number of input operations are expected. For example, a login page usually has requirements on account length, password length, and so on; in particular, passwords generally cannot be copied and pasted. An automated crawler may only locate the password box and enter a program-generated password, without simulating a user's input operations in the box. Therefore, completing a password entry by positioning the password input box and typing a password longer than 6 characters requires at least 7 user operations; if fewer than 7 operations occur, abnormal operation behavior is highly likely. Accordingly, if the number of user operation events occurring on the web page is smaller than the number of normal operation events for that web page, abnormal operation behavior is identified on the web page.
The number of normal operation events of a web page may be derived from the UI (User Interface) components on the web page, such as the password entry box described above, each of which requires at least a certain number of user operations; or it may be derived from historical statistics of normal users' operation behavior on the web page.
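The second analysis mode, as an added example that is not the patent's code: the minimum number of events for a page is derived both from its input components (one positioning operation plus one input operation per required character, so a 6-character password field implies 7 operations) and from a low percentile of normal users' historical counts, and a session is flagged when it falls below the larger of the two. The per-page component table, the 20th-percentile choice and the sample counts are constructed for this example.

```python
# Added example (not the patent's code): mode two, comparing the number of
# collected user operation events against the page's normal minimum.
from typing import Dict, List, Optional

# Hypothetical per-page UI component spec. Each field must be positioned once
# (click, tap or focus) and then receives at least min_length input events,
# because paste is disabled and every character has to be typed.
UI_REQUIREMENTS: Dict[str, List[dict]] = {
    "/login": [
        {"field": "username", "min_length": 4},
        {"field": "password", "min_length": 6},
    ],
    "/reset": [
        {"field": "password", "min_length": 6},   # the patent's example: >= 7 operations
    ],
}


def min_events_from_ui(page: str) -> int:
    """Lower bound on operation events implied by the page's input components."""
    return sum(1 + c["min_length"] for c in UI_REQUIREMENTS.get(page, []))


def min_events_from_history(counts: List[int], pct: float = 20.0) -> int:
    """Lower bound taken from the pct-th percentile of normal users' event counts."""
    if not counts:
        return 0
    ordered = sorted(counts)
    return ordered[int(pct / 100 * (len(ordered) - 1))]


def count_is_abnormal(page: str, observed: int,
                      history: Optional[List[int]] = None) -> bool:
    """True when fewer events occurred than the page normally requires."""
    floor = min_events_from_ui(page)
    if history:
        floor = max(floor, min_events_from_history(history))
    return observed < floor


# Constructed sample: event counts of previous normal sessions on the login page,
# and three sessions to classify.
NORMAL_HISTORY = [15, 18, 20, 22, 25, 30, 14, 19, 21, 17]
SESSIONS = {
    "human-1": 18,   # typed both fields and clicked a few other things
    "bot-1": 2,      # program filled the fields; only focus and submit were seen
    "bot-2": 12,     # satisfies the form, but below what real users produce
}


def classify_sessions(sessions=SESSIONS, history=NORMAL_HISTORY) -> Dict[str, bool]:
    """Map session id -> whether its event count is abnormal for the login page."""
    return {sid: count_is_abnormal("/login", n, history) for sid, n in sessions.items()}


if __name__ == "__main__":
    print("UI floor:", min_events_from_ui("/login"),
          "history floor:", min_events_from_history(NORMAL_HISTORY))
    print(classify_sessions())
```

The component-derived floor catches only sessions that could not possibly have filled the form by hand; the history-derived floor catches the subtler case of a program that types just enough characters to satisfy the form and nothing else.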
The third mode is as follows: and analyzing whether the frequency of the user operation events occurring on the web page is abnormal or not to identify whether abnormal operation behaviors exist on the web page or not.
Generally, when a user performs operations on a web page, a certain time interval exists between successive operations; for example, each key press takes at least a few tenths of a second even at the fastest. An automated crawler or other malicious program simulating user input, however, is typically very fast, operating at a much higher frequency than a user's normal input. Therefore, if the frequency of user operation events occurring on the web page is higher than the preset first frequency threshold, abnormal operation behavior is identified on the web page. The first frequency threshold may be an empirical value, or may be determined statistically from the frequency of normal users' operations on the web page.
In addition, a user may browse a plurality of web pages in succession; for example, after logging in from a login page, the user selects goods on a goods page, adds them to a shopping cart, places an order on the shopping cart page, and then jumps to a payment page to pay. When jumping between these pages, an ordinary user usually needs a certain amount of time: for example, it takes some time to complete the login before triggering the page jump, some time to select goods before triggering the next page jump, and so on. An automated crawler or other malicious program, however, usually does not need to spend such time on the page content; it completes its input and triggers a page jump almost immediately. Therefore, if the frequency of user operation events triggering page jumps in the browsing path formed by consecutive web pages is higher than the preset second frequency threshold, abnormal operation behavior is identified on the consecutive web pages. The second frequency threshold may be an empirical value, or may be determined statistically from the frequency at which normal users trigger web page jumps.
For a user of the mobile terminal, a certain frequency of vibration may be generated during the operation of the user on the web page, but for an automated crawler program or other malicious programs, the vibration may hardly be generated during the operation on the web page, and the operation is usually completed automatically by the automated crawler program or other malicious programs by placing the mobile terminal on a support, or by remote program control. Therefore, if the vibration frequency acquired by the motion sensor is lower than the preset third frequency threshold when the touch screen event occurs on the web page, it is recognized that an abnormal operation behavior exists on the web page. The motion sensor may be a gyroscope, a vibration sensor, or the like. The third frequency threshold may be an empirical value, or may be statistically determined by a normal vibration frequency generated when a normal user performs a touch screen operation on a web page.
For a user, the timing of operations on a web page is generally irregular, whereas an automated crawler or other malicious program often exhibits a regular frequency; if such a regular frequency can be identified, the behavior can be considered that of a machine account. Based on this, several identification methods are possible. For example, if the frequency of user operation events occurring on the web page follows a known non-random distribution, abnormal operation behavior is identified on the web page. For another example, if the frequencies of user operation events occurring on a plurality of web pages corresponding to the same user ID, application ID or device ID exhibit a consistent rule, abnormal operation behavior is identified on those web pages.
It should be noted that the above anomaly analysis methods may be executed individually or in combination. For example, whether a user operation event occurring on a web page is missing may be analyzed first, and if so, abnormal operation behavior on the web page is identified; if no event is missing, whether the number of user operation events occurring on the web page is abnormal may be analyzed next, and if so, abnormal operation behavior exists on the web page; if not, whether the frequency of the user operation events occurring on the web page is abnormal is analyzed further.
In 204, the condition of the web page with abnormal operation behavior corresponding to the same user ID, application ID or device ID is counted, and the user identifier, application identifier or device identifier with abnormal behavior is determined according to the counted condition.
In the application, the web pages with abnormal operation behavior corresponding to the same user ID, application ID or device ID can be counted. For example, if the number of web pages with abnormal operation behavior is greater than or equal to a preset count threshold, the user, application or device is considered abnormal. For another example, if the proportion of web pages with abnormal operation behavior is greater than or equal to a preset ratio threshold, the user, application or device is considered abnormal.
In addition to the above analyses, other analysis methods may be adopted to assist. For example, whether historical motion data exists for a mobile device is judged from the data collected by the motion sensor; if a mobile device on which user operation events occur has had no motion data for a long time, it is likely that the device has been placed on a support for a long time and is being operated automatically by an automated crawler program or other malicious program. Such a mobile device is very suspicious and is likely to be an abnormal device.
The user identifier, application identifier or device identifier determined to be abnormal can be displayed to the manager through an interface provided by the threat perception platform, or provided to the manager via system messages, SMS, e-mail and other channels. In addition, the web page information with abnormal operation behavior corresponding to the abnormal user identifier, application identifier or device identifier, the corresponding abnormal operation behavior information and so on can be displayed to the manager at the same time. The manager can thus analyze this information and go on to close the corresponding account, add specific users, applications and devices to a blacklist, and so on.
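Step 204 and the auxiliary motion-data check, as an added example that is not the patent's code: per-page verdicts from the earlier analyses are grouped by user, application or device identifier, an identifier is flagged when its abnormal-page count reaches a count threshold or its abnormal-page proportion reaches a ratio threshold, and a separate helper flags a device that shows touch events but has reported no motion for a long period. The thresholds, the six-hour "no motion" window and the verdict table are constructed for this example.

```python
# Added example (not the patent's code): step 204, aggregating per-page verdicts
# per identifier, plus the auxiliary "device never moves" check.
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Hypothetical thresholds for deciding that an identifier is abnormal.
COUNT_THRESHOLD = 3        # this many abnormal pages flags the identifier
RATIO_THRESHOLD = 0.5      # or: this fraction of the identifier's pages abnormal
# Hypothetical window: touch events but no motion data for this long is suspicious.
NO_MOTION_SECONDS = 6 * 3600

# Constructed per-page verdicts as produced by the analysis modes:
# (identifier, identifier kind, page, abnormal?)
PAGE_VERDICTS: List[Tuple[str, str, str, bool]] = [
    ("user-42", "user", "/login", False),
    ("user-42", "user", "/items", False),
    ("user-42", "user", "/cart", True),
    ("user-42", "user", "/pay", False),
    ("dev-7f", "device", "/login", True),
    ("dev-7f", "device", "/login", True),
    ("dev-7f", "device", "/items", True),
    ("app-3", "application", "/login", True),
    ("app-3", "application", "/items", False),
]


def aggregate(verdicts) -> Dict[str, dict]:
    """Count pages and abnormal pages per identifier, keeping the abnormal page names."""
    totals = defaultdict(lambda: {"kind": None, "pages": 0, "abnormal": 0, "abnormal_pages": []})
    for ident, kind, page, abnormal in verdicts:
        t = totals[ident]
        t["kind"] = kind
        t["pages"] += 1
        if abnormal:
            t["abnormal"] += 1
            t["abnormal_pages"].append(page)
    return dict(totals)


def flag_identifiers(verdicts=PAGE_VERDICTS) -> Dict[str, str]:
    """Map identifier -> reason, for every identifier judged abnormal."""
    flagged: Dict[str, str] = {}
    for ident, t in aggregate(verdicts).items():
        ratio = t["abnormal"] / t["pages"]
        if t["abnormal"] >= COUNT_THRESHOLD:
            flagged[ident] = f"{t['kind']} had {t['abnormal']} abnormal pages (count threshold)"
        elif ratio >= RATIO_THRESHOLD:
            flagged[ident] = f"{t['kind']} had {ratio:.0%} abnormal pages (ratio threshold)"
    return flagged


def device_without_motion(last_motion_ts: Optional[float], now: float,
                          touch_ts: List[float]) -> bool:
    """Auxiliary check: touch events occurred, yet the device reported no motion
    at all or none within NO_MOTION_SECONDS."""
    return bool(touch_ts) and (last_motion_ts is None or now - last_motion_ts >= NO_MOTION_SECONDS)


if __name__ == "__main__":
    for ident, reason in flag_identifiers().items():
        print(ident, "->", reason)
    print("stationary device with touches:", device_without_motion(None, 1000.0, [1.0]))
```

Checking the count threshold before the ratio keeps an identifier with many pages from escaping on a low proportion, while the ratio catches an identifier seen on only a couple of pages; the report dictionary carries the reason so the manager sees why each identifier was flagged, as the text describes.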
The above is a detailed description of the method provided in the present application, and the following is a detailed description of the apparatus provided in the present application with reference to the embodiments.
Fig. 3 is a structural diagram of an apparatus provided in an embodiment of the present application, where the apparatus is disposed on the server side to implement the functions of the threat awareness platform. As shown in fig. 3, the apparatus may include an acquisition unit 01 and an analysis unit 02, and may further include a statistics unit 03. The main functions of each unit are as follows:
the obtaining unit 01 is responsible for obtaining user operation event information occurring on a web page collected by a front-end code.
The front-end code may include: JavaScript (JS) code embedded in a web page, code embedded in a mobile application, or code embedded in a desktop client. The operation event information may include: mouse and keyboard event information, touch screen event information, or motion sensor event information.
The analysis unit 02 is responsible for performing at least one of the following abnormal analyses on the user operation event information occurring on each web page to identify whether an abnormal operation behavior exists on the web page:
analyzing whether a user operation event occurring on a web page is missing or not;
analyzing whether the number of user operation events occurring on the web page is abnormal or not;
and analyzing whether the frequency of the user operation events occurring on the web page is abnormal.
When analyzing whether a user operation event occurring on the web page is missing, the analysis unit 02 may perform:
if no user operation event occurs when the network request is triggered on the web page, identifying that abnormal operation behaviors exist on the web page; or
if the user operation event which occurs when the network request is triggered on the web page does not match the correct operation event corresponding to the network request, identifying that abnormal operation behaviors exist on the web page.
The analysis unit 02 may perform, when analyzing whether the number of user operation events occurring on the web page is abnormal: and if the number of the user operation events occurring on the web page is less than the number of the normal operation events of the web page, identifying that abnormal operation behaviors exist on the web page.
The analysis unit 02 may perform, when analyzing whether the frequency of the user operation event occurring on the web page is abnormal:
if the frequency of the user operation events occurring on the web page is higher than a preset first frequency threshold, identifying that abnormal operation behaviors exist on the web page; or
if, in a browsing path formed by consecutive web pages, the frequency of the user operation events triggering page jumps is higher than a preset second frequency threshold, identifying that abnormal operation behaviors exist on the consecutive web pages; or
if the vibration frequency acquired by the motion sensor is lower than a preset third frequency threshold when a touch event occurs on the web page, identifying that abnormal operation behaviors exist on the web page; or
if the frequency of the user operation events occurring on the web page presents a known non-random distribution, identifying that abnormal operation behaviors exist on the web page; or
if the frequency of the user operation events occurring on a plurality of web pages corresponding to the same user identifier, application identifier or device identifier shows a consistent pattern, identifying that abnormal operation behaviors exist on the plurality of web pages.
The statistic unit 03 is responsible for counting the web pages with abnormal operation behavior that correspond to the same user identifier, application identifier or device identifier, and for determining the abnormal user identifier, application identifier or device identifier according to the counts.
The user identifier, application identifier or device identifier determined to be abnormal can be shown to the administrator through an interface provided by the threat awareness platform, or delivered to the administrator through system messages, SMS, e-mail or other channels. The web pages with abnormal operation behavior that correspond to that abnormal user, application or device identifier, together with the corresponding abnormal-behavior information, can be shown to the administrator at the same time. The administrator can then analyze this information and, for example, close the corresponding account or add the specific user, application or device to a blacklist.
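As an added illustration (not the patent's own code), the following Python analyzer applies the three analyses of the analysis unit to constructed per-page event records and then tallies abnormal pages per device identifier the way the statistic unit does. Every threshold, field name, the expected-event mapping and the sample data are assumptions chosen for the example.

```python
from collections import Counter
from dataclasses import dataclass
from statistics import pstdev
from typing import List, Optional, Set, Tuple

# Assumed configuration: the patent leaves the concrete thresholds to the operator.
EVENT_WINDOW_S = 2.0                    # a request should be preceded by a user event within this window
NORMAL_EVENT_COUNT = {"/login": 4, "/search": 3}        # events a human normally produces per page
EXPECTED_EVENTS = {"login": {"click", "keydown"},        # "correct" events for each request kind
                   "search": {"click", "keydown", "touch"}}
FIRST_FREQ_THRESHOLD_HZ = 5.0           # events per second above which the page is suspect
THIRD_VIBRATION_THRESHOLD_HZ = 0.5      # touching with less motion than this suggests an emulator
REGULARITY_EPS_S = 0.01                 # interval spread below this is a known non-random pattern
MIN_ABNORMAL_PAGES = 2                  # abnormal pages needed before the identifier itself is flagged


@dataclass
class PageVisit:
    """Constructed record of what the front-end code reported for one page view."""
    device_id: str
    page: str
    events: List[Tuple[float, str]]     # (timestamp_s, event_type) user operation events
    requests: List[Tuple[float, str]]   # (timestamp_s, request_kind) network requests triggered
    vibration_hz: Optional[float] = None  # motion-sensor reading during touches; None on desktop


def check_missing_events(visit: PageVisit) -> Set[str]:
    """Missing-event analysis: a request with no user event, or the wrong events, just before it."""
    reasons = set()
    for t_req, kind in visit.requests:
        recent = {etype for t, etype in visit.events if t_req - EVENT_WINDOW_S <= t <= t_req}
        if not recent:
            reasons.add("no_event_at_request")
        elif kind in EXPECTED_EVENTS and not recent & EXPECTED_EVENTS[kind]:
            reasons.add("event_mismatch")
    return reasons


def check_event_count(visit: PageVisit) -> Set[str]:
    """Event-count analysis: fewer events than the page normally receives."""
    if len(visit.events) < NORMAL_EVENT_COUNT.get(visit.page, 0):
        return {"too_few_events"}
    return set()


def check_event_frequency(visit: PageVisit) -> Set[str]:
    """Frequency analysis: rate above the first threshold, clock-regular spacing, or touch without motion."""
    reasons = set()
    times = sorted(t for t, _ in visit.events)
    if len(times) >= 2:
        span = times[-1] - times[0]
        if span > 0 and (len(times) - 1) / span > FIRST_FREQ_THRESHOLD_HZ:
            reasons.add("too_frequent")
        gaps = [b - a for a, b in zip(times, times[1:])]
        if len(gaps) >= 2 and pstdev(gaps) < REGULARITY_EPS_S:
            reasons.add("regular_intervals")
    touched = any(etype == "touch" for _, etype in visit.events)
    if touched and visit.vibration_hz is not None and visit.vibration_hz < THIRD_VIBRATION_THRESHOLD_HZ:
        reasons.add("no_vibration_on_touch")
    return reasons


def analyze_visit(visit: PageVisit) -> Set[str]:
    """Analysis unit: union of the three analyses; an empty set means the page looks normal."""
    return check_missing_events(visit) | check_event_count(visit) | check_event_frequency(visit)


def flag_identifiers(visits: List[PageVisit]) -> Set[str]:
    """Statistic unit: count abnormal pages per device identifier and flag the repeat offenders."""
    abnormal_pages = Counter(v.device_id for v in visits if analyze_visit(v))
    return {dev for dev, n in abnormal_pages.items() if n >= MIN_ABNORMAL_PAGES}


# Constructed sample data: one human-like desktop visit and two visits from a scripted device.
SAMPLE_VISITS = [
    PageVisit("dev-human", "/login",
              [(0.3, "click"), (1.1, "keydown"), (1.9, "keydown"), (2.4, "click")], [(3.0, "login")]),
    PageVisit("dev-bot", "/login", [], [(0.0, "login")]),          # request fired with no event at all
    PageVisit("dev-bot", "/search",
              [(0.0, "touch"), (0.1, "touch"), (0.2, "touch"), (0.3, "touch")], [(0.3, "search")],
              vibration_hz=0.0),                                    # clock-regular taps, no motion
]

if __name__ == "__main__":
    for v in SAMPLE_VISITS:
        print(v.device_id, v.page, sorted(analyze_visit(v)) or "normal")
    print("flagged identifiers:", flag_identifiers(SAMPLE_VISITS))  # {'dev-bot'}
```

The page-jump frequency check along a browsing path and the cross-page consistency check need the ordered sequence of visits per identifier, which this single-page record does not carry; they would be added on top of `flag_identifiers`.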
FIG. 4 illustrates a block diagram of an exemplary computer system/server suitable for use in implementing embodiments of the present invention. The computer system/server 012 shown in fig. 4 is only an example, and should not bring any limitation to the function and the scope of use of the embodiment of the present invention.
As shown in fig. 4, the computer system/server 012 is embodied as a general purpose computing device. The components of computer system/server 012 may include, but are not limited to: one or more processors or processing units 016, a system memory 028, and a bus 018 that couples various system components including the system memory 028 and the processing unit 016.
Bus 018 represents one or more of any of several types of bus structures, including a memory bus or memory controller, a peripheral bus, an accelerated graphics port, a processor, or a local bus using any of a variety of bus architectures. By way of example, such architectures include, but are not limited to, Industry Standard Architecture (ISA) bus, micro-channel architecture (MAC) bus, enhanced ISA bus, Video Electronics Standards Association (VESA) local bus, and Peripheral Component Interconnect (PCI) bus.
Computer system/server 012 typically includes a variety of computer system readable media. Such media may be any available media that is accessible by computer system/server 012 and includes both volatile and nonvolatile media, removable and non-removable media.
System memory 028 can include computer system readable media in the form of volatile memory, such as Random Access Memory (RAM)030 and/or cache memory 032. The computer system/server 012 may further include other removable/non-removable, volatile/nonvolatile computer system storage media. By way of example only, storage system 034 may be used to read from and write to non-removable, nonvolatile magnetic media (not shown in FIG. 4, commonly referred to as a "hard drive"). Although not shown in FIG. 4, a magnetic disk drive for reading from and writing to a removable, nonvolatile magnetic disk (e.g., a "floppy disk") and an optical disk drive for reading from or writing to a removable, nonvolatile optical disk (e.g., a CD-ROM, DVD-ROM, or other optical media) may be provided. In such cases, each drive may be connected to bus 018 via one or more data media interfaces. Memory 028 can include at least one program product having a set (e.g., at least one) of program modules configured to carry out the functions of embodiments of the present invention.
Program/utility 040 having a set (at least one) of program modules 042 can be stored, for example, in memory 028, such program modules 042 including, but not limited to, an operating system, one or more application programs, other program modules, and program data, each of which examples or some combination thereof might include an implementation of a network environment. Program modules 042 generally perform the functions and/or methodologies of embodiments of the present invention as described herein.
The computer system/server 012 may also communicate with one or more external devices 014 (e.g., keyboard, pointing device, display 024, etc.). In the present invention, the computer system/server 012 communicates with an external radar device, and may also communicate with one or more devices that enable a user to interact with the computer system/server 012, and/or with any device (e.g., network card, modem, etc.) that enables the computer system/server 012 to communicate with one or more other computing devices. Such communication may occur through an input/output (I/O) interface 022. Also, the computer system/server 012 may communicate with one or more networks (e.g., a Local Area Network (LAN), a Wide Area Network (WAN), and/or a public network such as the internet) via the network adapter 020. As shown, the network adapter 020 communicates with the other modules of the computer system/server 012 via bus 018. It should be appreciated that although not shown in fig. 4, other hardware and/or software modules may be used in conjunction with the computer system/server 012, including but not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives, and data backup storage systems, among others.
The processing unit 016 executes programs stored in the system memory 028, thereby executing various functional applications and data processing, such as implementing the method flow provided by the embodiment of the present invention.
The computer program described above may be provided in a computer storage medium encoded with a computer program that, when executed by one or more computers, causes the one or more computers to perform the method flows and/or apparatus operations shown in the above-described embodiments of the invention. For example, the method flows provided by the embodiments of the invention are executed by one or more processors described above.
With the development of time and technology, the meaning of media is more and more extensive, and the propagation path of computer programs is not limited to tangible media any more, and can also be downloaded from a network directly and the like. Any combination of one or more computer-readable media may be employed. The computer readable medium may be a computer readable signal medium or a computer readable storage medium. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples (a non-exhaustive list) of the computer readable storage medium would include the following: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this document, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
A computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
Computer program code for carrying out operations for aspects of the present invention may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, Smalltalk, C++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer, or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any type of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet service provider).
The above description is only exemplary of the present application and should not be taken as limiting the present application, as any modification, equivalent replacement, or improvement made within the spirit and principle of the present application should be included in the scope of protection of the present application.

Claims (14)

1. A method for detecting abnormal behavior, the method comprising:
the threat perception platform acquires user operation event information generated on a web page collected by a front-end code;
at least one of the following abnormal analysis is carried out on the user operation event information occurring on each web page so as to identify whether abnormal operation behaviors exist on the web page or not:
analyzing whether a user operation event occurring on a web page is missing or not;
analyzing whether the number of user operation events occurring on the web page is abnormal or not;
and analyzing whether the frequency of the user operation events occurring on the web page is abnormal.
2. The method of claim 1, wherein the front-end code comprises: a script JS code embedded in a web page, a code embedded in a mobile application, or a code embedded in a desktop client;
the operation event information includes: mouse keyboard event information, touch screen event information, or motion sensor event information.
3. The method of claim 1, wherein analyzing whether the user operation event occurring on the web page is missing comprises:
if no user operation event occurs when the network request is triggered on the web page, identifying that abnormal operation behaviors exist on the web page; or
if the user operation event which occurs when the network request is triggered on the web page does not match the correct operation event corresponding to the network request, identifying that abnormal operation behaviors exist on the web page.
4. The method of claim 1, wherein analyzing whether the number of user operation events occurring on the web page is abnormal comprises:
and if the number of the user operation events occurring on the web page is less than the number of the normal operation events of the web page, identifying that abnormal operation behaviors exist on the web page.
5. The method of claim 1, wherein analyzing whether a frequency of user operation events occurring on a web page is abnormal comprises:
if the frequency of the user operation events occurring on the web page is higher than a preset first frequency threshold, identifying that abnormal operation behaviors exist on the web page; or
if, in a browsing path formed by consecutive web pages, the frequency of user operation events triggering page jumps is higher than a preset second frequency threshold, identifying that abnormal operation behaviors exist on the consecutive web pages; or
if the vibration frequency acquired by the motion sensor is lower than a preset third frequency threshold when a touch event occurs on the web page, identifying that abnormal operation behaviors exist on the web page; or
if the frequency of the user operation events occurring on the web page presents a known non-random distribution, identifying that abnormal operation behaviors exist on the web page; or
if the frequency of the user operation events occurring on a plurality of web pages corresponding to the same user identifier, application identifier or device identifier shows a consistent pattern, identifying that abnormal operation behaviors exist on the plurality of web pages.
6. The method according to any one of claims 1 to 5, characterized in that the method further comprises:
counting the web pages with abnormal operation behavior that correspond to the same user identifier, application identifier or device identifier;
and determining the abnormal user identifier, application identifier or device identifier according to the counts.
7. An abnormal behavior detection apparatus, characterized in that the apparatus comprises:
the acquisition unit is used for acquiring user operation event information generated on a web page acquired by a front-end code;
the analysis unit is used for performing at least one of the following abnormal analysis on the user operation event information occurring on each web page to identify whether abnormal operation behaviors exist on the web page:
analyzing whether a user operation event occurring on a web page is missing or not;
analyzing whether the number of user operation events occurring on the web page is abnormal or not;
and analyzing whether the frequency of the user operation events occurring on the web page is abnormal.
8. The apparatus of claim 7, wherein the front-end code comprises: a script JS code embedded in a web page, a code embedded in a mobile application, or a code embedded in a desktop client;
the operation event information includes: mouse keyboard event information, touch screen event information, or motion sensor event information.
9. The apparatus according to claim 7, wherein the analyzing unit, when analyzing whether there is a lack of a user operation event occurring on the web page, specifically performs:
if no user operation event occurs when the network request is triggered on the web page, identifying that abnormal operation behaviors exist on the web page; or
if the user operation event which occurs when the network request is triggered on the web page does not match the correct operation event corresponding to the network request, identifying that abnormal operation behaviors exist on the web page.
10. The apparatus according to claim 7, wherein the analysis unit, when analyzing whether the number of user operation events occurring on the web page is abnormal, specifically performs:
and if the number of the user operation events occurring on the web page is less than the number of the normal operation events of the web page, identifying that abnormal operation behaviors exist on the web page.
11. The apparatus according to claim 7, wherein the analyzing unit, when analyzing whether the frequency of the user operation events occurring on the web page is abnormal, specifically performs:
if the frequency of the user operation events occurring on the web page is higher than a preset first frequency threshold, identifying that abnormal operation behaviors exist on the web page; or
if, in a browsing path formed by consecutive web pages, the frequency of user operation events triggering page jumps is higher than a preset second frequency threshold, identifying that abnormal operation behaviors exist on the consecutive web pages; or
if the vibration frequency acquired by the motion sensor is lower than a preset third frequency threshold when a touch event occurs on the web page, identifying that abnormal operation behaviors exist on the web page; or
if the frequency of the user operation events occurring on the web page presents a known non-random distribution, identifying that abnormal operation behaviors exist on the web page; or
if the frequency of the user operation events occurring on a plurality of web pages corresponding to the same user identifier, application identifier or device identifier shows a consistent pattern, identifying that abnormal operation behaviors exist on the plurality of web pages.
12. The apparatus of any one of claims 7 to 11, further comprising:
the statistic unit is used for counting the web pages with abnormal operation behavior that correspond to the same user identifier, application identifier or device identifier, and for determining the abnormal user identifier, application identifier or device identifier according to the counts.
13. An apparatus, characterized in that the apparatus comprises:
one or more processors;
a storage device for storing one or more programs which,
when executed by the one or more processors, cause the one or more processors to implement the method of any one of claims 1-6.
14. A storage medium containing computer-executable instructions for performing the method of any one of claims 1-6 when executed by a computer processor.
CN202010752178.7A 2020-07-30 2020-07-30 Abnormal behavior detection method and device Pending CN112003833A (en)
Publications (1)

Publication Number Publication Date
CN112003833A true CN112003833A (en) 2020-11-27

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20201127