CN112153009A - IP address processing method, device, electronic device and storage medium - Google Patents


Info

Publication number
CN112153009A
Authority
CN
China
Prior art keywords
address
target
list
index data
time period
Prior art date
Legal status
Pending
Application number
CN202010887356.7A
Other languages
Chinese (zh)
Inventor
李铭晖
范渊
刘博�
Current Assignee
DBAPPSecurity Co Ltd
Hangzhou Dbappsecurity Technology Co Ltd
Original Assignee
Hangzhou Dbappsecurity Technology Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L 63/0227 Filtering policies
    • H04L 63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection

Abstract

The application relates to an IP address processing method, apparatus, electronic device and storage medium. The method comprises the following steps: acquiring N index data corresponding to a target IP address, the index data representing the behavior characteristics of the target IP address in the access process; determining N weight values corresponding to the N index data according to a preset correspondence, the preset correspondence indicating the relationship between index data and weight values; and, when the sum of the N weight values is greater than a preset threshold, determining that the target IP address is an IP address to be processed, where N is an integer greater than or equal to 1. The method and apparatus solve the problem in the related art that a threat intelligence system built on purchased, generalized threat intelligence yields inapplicable threat intelligence, and improve the quality of IP address processing.

Description

IP address processing method, device, electronic device and storage medium
Technical Field
The present application relates to the field of computers, and in particular, to a method and an apparatus for processing an IP address, an electronic apparatus, and a storage medium.
Background
With the continuous development of information technology, the internet has become integrated into every aspect of life. Hacking techniques, however, as a by-product of that development, have also become ubiquitous and seriously threaten network security. For network attacks launched by hacker groups and cybercrime organizations, detection by threat intelligence matching is currently a commonly used approach. Many enterprises and institutions now build threat intelligence systems themselves, collecting and evaluating intelligence on their own, but the difficulties and errors encountered in practice are mainly the following: 1) purchasing commercial threat intelligence is a large expense for an enterprise, and generalized commercial threat intelligence is not necessarily suited to the enterprise's industry, so the resource is difficult to utilize; 2) threat intelligence must be updated continuously, stale intelligence provides no value, and the false alarms it generates affect the normal use of a self-built threat intelligence system.
At present, no effective solution has been proposed for the problem in the related art that a threat intelligence system built on purchased, generalized threat intelligence yields inapplicable threat intelligence.
Disclosure of Invention
Embodiments of the present application provide an IP address processing method, apparatus, electronic device and storage medium, which at least solve the problem in the related art that a threat intelligence system built on purchased, generalized threat intelligence yields inapplicable threat intelligence.
In a first aspect, an embodiment of the present application provides a method for processing an internet protocol (IP) address, including: acquiring N index data corresponding to a target IP address, the index data representing behavior characteristics of the target IP address in the access process; determining N weight values corresponding to the N index data according to a preset correspondence, the preset correspondence indicating the relationship between index data and weight values; and, when the sum of the N weight values is greater than a preset threshold, determining that the target IP address is an IP address to be processed, where N is an integer greater than or equal to 1.
In a second aspect, an embodiment of the present application provides an apparatus for processing an IP address, including: an acquisition module for acquiring N index data corresponding to the target IP address, the index data representing behavior characteristics of the target IP address in the access process; a first determining module for determining N weight values corresponding to the N index data according to a preset correspondence, the preset correspondence indicating the relationship between index data and weight values; and a second determining module for determining that the target IP address is the IP address to be processed when the sum of the N weight values is greater than a preset threshold, where N is an integer greater than or equal to 1.
In a third aspect, an embodiment of the present application provides an electronic apparatus, which includes a memory, a processor, and a computer program stored on the memory and executable on the processor, and when the processor executes the computer program, the processor implements the method for processing an IP address according to the first aspect.
In a fourth aspect, an embodiment of the present application provides a storage medium, on which a computer program is stored, and when the program is executed by a processor, the program implements the processing method for the IP address as described in the first aspect.
Compared with the related art, the embodiment of the present application provides an IP address processing method in which N index data corresponding to a target IP address are acquired, the index data representing behavior characteristics of the target IP address in the access process; N weight values corresponding to the N index data are determined according to a preset correspondence, the preset correspondence indicating the relationship between index data and weight values; and, when the sum of the N weight values is greater than a preset threshold, the target IP address is determined to be the IP address to be processed. This solves the problem in the related art that a threat intelligence system built on purchased, generalized threat intelligence yields inapplicable threat intelligence, and improves the quality of IP address processing.
The details of one or more embodiments of the application are set forth in the accompanying drawings and the description below to provide a more thorough understanding of the application.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the application and together with the description serve to explain the application and not to limit the application. In the drawings:
fig. 1 is a block diagram of a hardware configuration of a terminal of a method of processing an IP address according to an embodiment of the present invention;
fig. 2 is a flowchart of a method for processing an IP address according to an embodiment of the present application;
fig. 3 is a flow chart of a method of processing an IP address according to the preferred embodiment of the present application;
fig. 4 is a schematic structural diagram of an IP address processing apparatus according to an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application will be described and illustrated below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the present application and are not intended to limit the present application. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments provided in the present application without any inventive step are within the scope of protection of the present application. Moreover, it should be appreciated that in the development of any such actual implementation, as in any engineering or design project, numerous implementation-specific decisions must be made to achieve the developers' specific goals, such as compliance with system-related and business-related constraints, which may vary from one implementation to another.
Reference in the specification to "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment can be included in at least one embodiment of the specification. The appearances of the phrase in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments. Those of ordinary skill in the art will explicitly and implicitly appreciate that the embodiments described herein may be combined with other embodiments without conflict.
Unless defined otherwise, technical or scientific terms referred to herein shall have the ordinary meaning as understood by those of ordinary skill in the art to which this application belongs. Reference to "a," "an," "the," and similar words throughout this application are not to be construed as limiting in number, and may refer to the singular or the plural. The present application is directed to the use of the terms "including," "comprising," "having," and any variations thereof, which are intended to cover non-exclusive inclusions; for example, a process, method, system, article, or apparatus that comprises a list of steps or modules (elements) is not limited to the listed steps or elements, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus. Reference to "connected," "coupled," and the like in this application is not intended to be limited to physical or mechanical connections, but may include electrical connections, whether direct or indirect. Reference herein to "a plurality" means greater than or equal to two. "and/or" describes an association relationship of associated objects, meaning that three relationships may exist; for example, "A and/or B" may mean: A exists alone, A and B exist simultaneously, or B exists alone. Reference herein to the terms "first," "second," "third," and the like is merely to distinguish similar objects and does not denote a particular ordering of the objects.
The method provided by the embodiment can be executed in a terminal, a computer or a similar operation device. Taking operation on a terminal as an example, fig. 1 is a hardware configuration block diagram of the terminal of the IP address processing method according to the embodiment of the present invention. As shown in fig. 1, the terminal may include one or more (only one shown in fig. 1) processors 102 (the processor 102 may include, but is not limited to, a processing device such as a microprocessor MCU or a programmable logic device FPGA) and a memory 104 for storing data, and optionally a transmission device 106 for communication functions and an input-output device 108. It will be understood by those skilled in the art that the structure shown in fig. 1 is only an illustration and is not intended to limit the structure of the terminal. For example, the terminal may also include more or fewer components than shown in fig. 1, or have a different configuration than shown in fig. 1.
The memory 104 may be used to store computer programs, for example, software programs and modules of application software, such as computer programs corresponding to the processing method of the IP address in the embodiment of the present invention, and the processor 102 executes various functional applications and data processing by running the computer programs stored in the memory 104, so as to implement the above-mentioned method. The memory 104 may include high speed random access memory, and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some examples, the memory 104 may further include memory located remotely from the processor 102, which may be connected to the terminal over a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The transmission device 106 is used to receive or transmit data via a network. Specific examples of the network described above may include a wireless network provided by a communication provider of the terminal. In one example, the transmission device 106 includes a network adapter (NIC) that can be connected to other network devices through a base station to communicate with the internet. In one example, the transmission device 106 may be a radio frequency (RF) module, which is used to communicate with the internet in a wireless manner.
The present embodiment provides a method for processing an IP address, and fig. 2 is a flowchart of the method for processing an IP address according to the embodiment of the present application, and as shown in fig. 2, the flowchart includes the following steps:
step S201, obtaining N index data corresponding to a target IP address; the index data is used for representing behavior characteristics of the target IP address in the access process;
step S202, determining N weighted values corresponding to the N index data according to a preset corresponding relation; the preset corresponding relation is used for indicating the corresponding relation between the index data and the weight value;
step S203, under the condition that the sum of the N weighted values is larger than a preset threshold value, determining that the target IP address is the IP address to be processed, wherein N is an integer larger than or equal to 1.
Through steps S201 to S203, the index data obtained for the target IP address in the access process are real-time index data; the N weight values corresponding to the N index data are then determined according to the preset correspondence, and when their sum is greater than the preset threshold the target IP address is determined to be an IP address to be processed. That is, whether an IP address needs processing is decided from that address's real-time index data, and therefore in combination with the actual application scenario, rather than by purchasing general intelligence. This solves the problem in the related art that a threat intelligence system built on purchased general threat intelligence yields inapplicable threat intelligence, and improves the quality of IP address processing.
In an optional implementation manner of the embodiment of the present application, the index data in the embodiment of the present application may include at least one of:
the number of user-agents used by the target IP; whether the target IP is from the target area; the proportion of abnormal status codes among the HTTP status codes of the target IP's accesses; whether the access time period of the target IP is the target time period; and the number of sensitive ports accessed by the target IP.
It should be noted that, in a specific application scenario, whether the target IP is from the target area may preferably be whether the target IP is from abroad, where "abroad" is relative: if the user is in country A, country B is abroad, and if the user is in country B, country A is abroad. The abnormal status codes among the HTTP status codes may be taken as the combined proportion of 4xx and/or 5xx responses. The target time period may be set according to actual conditions, for example 8 am to 12 am, or 12 am to 5 am; the specific time period is not limited in this application. The sensitive ports in the embodiment of the present application may be 445, 3306 and 3389; of course, this is merely an example, and other sensitive ports, such as 1433 and 1521, are within the scope of the present application and can be set according to actual conditions or requirements.
In an optional implementation of the embodiment of the present application, the weight value corresponding to each index datum in the preset correspondence may be set in advance. In a specific application scenario, the weight values for the number of user-agents used by the target IP are shown in Table 1; for whether the target IP is from the target area (taking whether it is from abroad as an example) in Table 2; for the proportion of abnormal status codes (i.e. the proportion of abnormal requests) among the HTTP status codes of the target IP's accesses in Table 3; for whether the access time period of the target IP is the target time period (taking an abnormal time period, for example the early morning, as an example) in Table 4; and for the number of sensitive ports accessed by the target IP (taking abnormal access ports as an example) in Table 5.
Number of user-agents used          Weight value
1-2                                 0
3-4                                 2
5 or more                           4
TABLE 1
Whether from abroad                 Weight value
Yes                                 4
No                                  0
TABLE 2
Proportion of abnormal requests     Weight value
Less than 10%                       0
10%-30%                             1
31%-50%                             2
Over 51%                            4
TABLE 3
Whether accessed in abnormal time period    Weight value
Yes                                         4
No                                          0
TABLE 4
Number of abnormal port accesses    Weight value
0-1                                 0
2-3                                 1
3 or more                           4
TABLE 5
Of course, the correspondence between weight values and index data in Tables 1 to 5 is merely an example and may be adjusted according to actual circumstances. The weight values in Tables 1 to 5 are set on a 10-point scale; they may equally be set on a 100-point scale or in other ways.
In a specific application scenario, taking 1.1.1.1, 2.2.2.2, 3.3.3.3, 4.4.4.4, 5.5.5.5, 6.6.6.6 and 7.7.7.7 as the target IPs, the index data corresponding to each IP address are shown in Table 6.
[Table 6: index data for each of the example IP addresses; present on the original page only as an image]
TABLE 6
In an optional implementation of the embodiment of the present application, the manner of determining in step S203 that the target IP address is the IP address to be processed may further include:
step S203-11, adding the target IP address to a first list;
step S203-12, judging whether the target IP address triggers an alarm within a first preset time period after being added to the first list;
step S203-13, if the target IP address triggers an alarm within the first preset time period after being added to the first list, deleting the target IP address from the first list and adding it to a second list, where the IP addresses in the second list are the IP addresses to be processed.
With reference to Tables 1 to 5, for step S203-11, in a specific application scenario the sum of the weight values corresponding to each target IP, that is, the sum of the weight values of its N index data, is shown in Table 7.
If the preset threshold is set to 8 in the embodiment of the present application, the IP addresses with sequence numbers 1, 4, 5 and 6, that is, 1.1.1.1, 4.4.4.4, 5.5.5.5 and 6.6.6.6, are added to the first list. In a specific application scenario, so that the role of the list is immediately clear, the first list may be called the observation list.
[Table 7: sum of weight values for each of the example IP addresses; present on the original page only as an image]
TABLE 7
Further, in this application scenario, taking the first preset time period as 7 days, suppose that within 7 days after being added to the observation list (the first list) the IP addresses 1.1.1.1 and 5.5.5.5 trigger an alarm on the local security device; these two IPs are then added to the threat intelligence list (the second list). The observation list now contains 4.4.4.4 and 6.6.6.6, and the intelligence base contains 1.1.1.1 and 5.5.5.5.
In an implementation manner of the embodiment of the present application, the method of the embodiment of the present application may further include:
step S204, judging whether the target IP address has a new access record within the first preset time period after being added to the first list;
step S205, deleting the target IP address from the first list when it has no new access record within the first preset time period after being added to the first list.
With reference to Tables 1 to 7, for steps S204 and S205 in this application scenario, if within 7 days after being added to the watch list (the first list) no new access record is audited for the IP address 4.4.4.4, it may be deleted from the watch list. That is, an IP address added to the first list may also change from pending to trusted, and once trusted it is deleted from the first list.
Optionally, in an implementation manner of the embodiment of the present application, after adding the target IP address to the second list, the method of the embodiment of the present application may further include:
step S206, judging whether the target IP address has a new access record within a second preset time period after being added to the second list;
step S207, deleting the target IP address from the second list when it has no new access record within the second preset time period after being added to the second list.
With reference to Tables 1 to 7, for steps S206 and S207, taking the second preset time period as 14 days, if within 14 days after being added to the second list no new access record is audited for the IP address 1.1.1.1, it is deleted from the second list.
Through steps S204 to S207, the IP addresses in the first and second lists can be adjusted dynamically: an IP address is pending in some time periods and trusted in others. This dynamic adjustment therefore ensures that whether an IP address needs processing is reflected in real time.
In an optional implementation manner of the embodiment of the present application, the method of the embodiment of the present application may further include:
step S208, after the target IP address is added to the second list, sending the second list to a target object.
Thus, through steps S201 to S207, once an IP address to be processed has been added to the second list, the second list can be transmitted to a target object such as a subordinate unit, informing the target object that the IP addresses in the second list are dangerous.
In addition, in the embodiment of the present application, the method may further include: step S209, after the target IP address is deleted from the second list, sending the second list with that IP address removed to the target object.
That is, the IP addresses in the second list are adjusted dynamically: if an IP address changes from pending to trusted, it must be deleted from the second list, and the second list without it is sent to the target object, so that the target object knows in real time which IP addresses are pending.
Embodiments of the present application are described and illustrated below by way of a preferred embodiment in conjunction with Tables 1 to 7.
Fig. 3 is a flowchart of a method of processing an IP address according to a preferred embodiment of the present application; as shown in fig. 3, the method includes the following steps:
step S301, traversing and retrieving the traffic data of the last 24 hours, collecting multiple indexes for each access source IP and recording them locally;
In this step, traffic data (generally traffic logs) of the last 24 hours are retrieved and traversed, and the following key indexes are counted for each IP: 1) the number of user-agents used; 2) whether the source region of the IP is foreign; 3) the combined proportion of 4xx and 5xx among the response codes of the IP's HTTP resource accesses; 4) whether the IP has an access record in an abnormal time period, for example whether it accessed during the late-night to early-morning hours, the time range being adjusted to the actual conditions of the business; 5) the number of sensitive ports accessed by the IP, for example 445, 3306, 3389, 1433, 1521, etc.
The indexes are associated with each IP and recorded and stored locally.
step S302, setting a weight value for each index, calculating a threat value for each access IP, and adding the IPs whose result exceeds a set threshold to the list to be observed;
Each IP's initial threat score is 0. A stepwise weight value is set for each index, as shown in Tables 1 to 5; if the IP meets a condition the corresponding score is added, and finally the threat score of each IP is totalled and recorded against it.
step S303, if an IP in the list to be observed triggers any alarm of the network security equipment within the next 7 days, entering it into the threat intelligence base (and deleting it from the observation list at the same time) and issuing it to subordinate units;
IPs whose threat score exceeds the set threshold are added to the list to be observed; the threshold is chosen according to the actual accuracy requirement. If an IP in the observation list triggers an alarm on the local network security equipment within the next 7 days, it is judged to be a threat IP, added to the threat intelligence base (and deleted from the observation list at the same time), and issued to subordinate units according to the actual situation.
step S304, if an IP in the list to be observed has no new access record in the next 7 days, clearing it from the list; if an IP in the intelligence base has no new access record in the next 14 days, clearing it from the intelligence base and issuing the updated base.
If an IP in the list to be observed has no new access record in the next 7 days, it is cleared from the list; if an IP in the intelligence base has no new access record in the next 14 days, it is cleared from the intelligence base. The threat intelligence base is thereby updated and sent to subordinate units.
Through this preferred implementation of the embodiment of the application, steps S301 to S304 form a closed loop for collecting and updating self-built threat intelligence; the indexes and thresholds of each stage can be adjusted independently and adapted to actual conditions, which solves the problems of low quality and high maintenance cost caused by collecting open-source threat intelligence in the prior art.
It should be noted that the steps illustrated in the flowcharts above may be performed in a computer system, such as a set of computer-executable instructions, and that although a logical order is shown in the flowcharts, in some cases the illustrated or described steps may be performed in an order different from that shown, for example steps S303 and S304.
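The scoring of Tables 1 to 5 and the observation-list / intelligence-base lifecycle of steps S203-11 to S209 and S301 to S304, as an added Python example; this is not code from the patent or its assignee. It assumes the 10-point scale with threshold 8 (the sum must exceed the threshold, as in step S203), closes the gaps in Table 3 (30%-31%, 50%-51%) by assigning them to the lower band, reads the overlapping "3" in Table 5 as the stricter row, and uses constructed index data in place of the image-only Table 6.

```python
# Added example, not the patent's own code: Tables 1-5 scoring plus the list lifecycle.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

@dataclass
class IpIndexData:
    """Index data collected for one source IP from 24 h of traffic logs."""
    user_agents: int        # distinct user-agents used (Table 1)
    from_abroad: bool       # source region is foreign (Table 2)
    abnormal_ratio: float   # share of 4xx/5xx responses, 0.0..1.0 (Table 3)
    abnormal_hours: bool    # any access in the abnormal time period (Table 4)
    sensitive_ports: int    # distinct sensitive ports accessed (Table 5)

def weight_user_agents(n: int) -> int:
    return 0 if n <= 2 else 2 if n <= 4 else 4

def weight_abnormal_ratio(r: float) -> int:
    # Assumption: the gaps 30-31% and 50-51% in Table 3 belong to the lower band.
    return 0 if r < 0.10 else 1 if r <= 0.30 else 2 if r <= 0.50 else 4

def weight_sensitive_ports(n: int) -> int:
    # Assumption: "3" appears in two rows of Table 5; the stricter row is used.
    return 0 if n <= 1 else 1 if n == 2 else 4

def threat_score(d: IpIndexData) -> int:
    """Sum of the N weight values (steps S202 / S302); the initial score is 0."""
    return (weight_user_agents(d.user_agents)
            + (4 if d.from_abroad else 0)
            + weight_abnormal_ratio(d.abnormal_ratio)
            + (4 if d.abnormal_hours else 0)
            + weight_sensitive_ports(d.sensitive_ports))

@dataclass
class Entry:
    added: date
    last_access: Optional[date] = None   # set by the first new access record

class ThreatLists:
    """Observation list (first list) and intelligence base (second list)."""

    def __init__(self, threshold: int = 8, watch_days: int = 7, intel_days: int = 14):
        self.threshold, self.watch_days, self.intel_days = threshold, watch_days, intel_days
        self.watch: Dict[str, Entry] = {}
        self.intel: Dict[str, Entry] = {}

    def evaluate(self, ip: str, d: IpIndexData, today: date) -> int:  # step S203
        score = threat_score(d)   # strictly greater than the threshold, as in S203
        if score > self.threshold and ip not in self.watch and ip not in self.intel:
            self.watch[ip] = Entry(added=today)
        return score

    def record_access(self, ip: str, today: date) -> None:  # steps S204 / S206
        for lst in (self.watch, self.intel):
            if ip in lst:
                lst[ip].last_access = today

    def record_alarm(self, ip: str, today: date) -> bool:  # steps S203-13 / S303
        e = self.watch.get(ip)
        if e is None or today - e.added > timedelta(days=self.watch_days):
            return False
        del self.watch[ip]                 # promote: observation list -> intelligence base
        self.intel[ip] = Entry(added=today)
        return True

    def expire(self, today: date) -> List[Tuple[str, str]]:  # steps S205 / S207 / S304
        removed = []   # entries whose window elapsed with no new access record
        for name, lst, days in (("watch", self.watch, self.watch_days),
                                ("intel", self.intel, self.intel_days)):
            for ip, e in list(lst.items()):
                if e.last_access is None and today - e.added >= timedelta(days=days):
                    del lst[ip]
                    removed.append((name, ip))
        return removed

# Constructed index data (the page's Table 6 is an image and is not reproduced).
SAMPLE = {
    "1.1.1.1": IpIndexData(5, True, 0.60, True, 3),    # 4+4+4+4+4 = 20
    "3.3.3.3": IpIndexData(3, True, 0.15, False, 1),   # 2+4+1+0+0 = 7
    "4.4.4.4": IpIndexData(2, True, 0.40, True, 0),    # 0+4+2+4+0 = 10
    "5.5.5.5": IpIndexData(6, False, 0.55, False, 2),  # 4+0+4+0+1 = 9
    "6.6.6.6": IpIndexData(1, True, 0.52, False, 2),   # 0+4+4+0+1 = 9
    "7.7.7.7": IpIndexData(4, False, 0.35, True, 1),   # 2+0+2+4+0 = 8, not > 8
}

def run_scenario():
    """Replays the page's scenario over SAMPLE; returns scores, removals and final lists."""
    d0 = date(2020, 8, 1)
    day = lambda n: d0 + timedelta(days=n)
    lists = ThreatLists()
    scores = {ip: lists.evaluate(ip, d, d0) for ip, d in SAMPLE.items()}
    lists.record_alarm("1.1.1.1", day(3))   # local security device alarms within 7 days
    lists.record_alarm("5.5.5.5", day(3))
    lists.record_access("6.6.6.6", day(5))  # 6.6.6.6 keeps appearing in the logs
    gone7 = lists.expire(day(7))            # 4.4.4.4: no new access for 7 days
    lists.record_access("5.5.5.5", day(10))
    gone17 = lists.expire(day(17))          # 1.1.1.1: no new access 14 days after day 3
    return scores, gone7, gone17, sorted(lists.watch), sorted(lists.intel)
```

The final `sorted(lists.intel)` is what steps S208 and S209 would issue to subordinate units after each change.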
This embodiment further provides an apparatus for processing an IP address, which is used to implement the foregoing embodiments and preferred embodiments; what has already been described is not repeated. As used hereinafter, the terms "module," "unit," "subunit," and the like may implement a combination of software and/or hardware for a predetermined function. Although the apparatus described in the embodiments below is preferably implemented in software, an implementation in hardware, or in a combination of software and hardware, is also possible and contemplated.
Fig. 4 is a block diagram of a structure of an IP address processing apparatus according to an embodiment of the present application, and as shown in fig. 4, the apparatus includes:
an obtaining module 42, configured to obtain N pieces of index data corresponding to the target IP address; the index data is used for representing behavior characteristics of the target IP address in the access process;
a first determining module 44, configured to determine, according to a preset correspondence, N weight values corresponding to the N index data; the preset corresponding relation is used for indicating the corresponding relation between the index data and the weight value;
and a second determining module 46, configured to determine that the target IP address is an IP address to be processed when a sum of the N weight values is greater than a preset threshold, where N is an integer greater than or equal to 1.
Optionally, the second determining module 46 of this embodiment of the application further includes: a first adding unit, configured to add the target IP address to a first list; a first judging unit, configured to judge whether the target IP address triggers an alarm within a first preset time period after being added to the first list; and a processing unit, configured to delete the target IP address from the first list and add it to a second list when the target IP address triggers an alarm within the first preset time period after being added to the first list, where the IP addresses in the second list are the IP addresses to be processed.
Optionally, the apparatus of this embodiment of the application may further include: a first judging module, configured to judge whether the target IP address has a new access record within the first preset time period after being added to the first list; and a first deleting module, configured to delete the target IP address from the first list when it has no new access record within the first preset time period after being added to the first list.
Optionally, after the target IP address is added to the second list, the apparatus of this embodiment of the application may further include: a second judging module, configured to judge whether the target IP address has a new access record within a second preset time period after being added to the second list; and a second deleting module, configured to delete the target IP address from the second list when it has no new access record within the second preset time period after being added to the second list.
Optionally, the apparatus according to the embodiment of the present application may further include: and the first sending module is used for sending the second list to the target object after the target IP address is added into the second list.
Optionally, the apparatus according to the embodiment of the present application may further include: and the second sending module is used for sending the second list after the target IP address is deleted to the target object after the target IP address is deleted from the second list.
Optionally, the obtaining module 42 of this embodiment of the application further includes: a retrieval unit, configured to retrieve the IP addresses in the traffic data of a third preset time period; and an acquisition unit, configured to acquire the N index data of the target IP address from the retrieval result, where the retrieval result comprises a plurality of target IP addresses.
Optionally, the index data in this embodiment of the application includes at least one of: the number of user agents used by the target IP in its accesses, whether the target IP comes from a target area, the proportion of abnormal status codes among the HTTP status codes of the target IP's accesses, whether the access time period of the target IP falls within a target time period, and the number of sensitive ports accessed by the target IP.
The above modules may be functional modules or program modules and may be implemented in software or hardware. Modules implemented in hardware may be located in the same processor, or distributed across different processors in any combination.
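The scoring performed by the obtaining and determining modules above, together with the watch-list and intelligence-repository handling of the optional judging, deleting and sending modules (steps S303 and S304), as an added worked example in Python. This is not code from the patent or from the applicant. The weights, the score threshold, the region label, the off-hours window and the sensitive-port set are assumptions chosen for illustration (the patent leaves all of them configurable), and the traffic records are constructed sample data, not real captures.

```python
# Added example (not the patent's or applicant's code): the claim 1 scoring and the
# watch-list / intelligence-repository lifecycle of claims 2-6 and step S304.
# Every weight, threshold, the region label and the port set here are assumptions.
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

SENSITIVE_PORTS = {22, 23, 445, 1433, 3306, 3389, 6379}  # assumed sensitive ports
TARGET_REGIONS = {"REGION-X"}      # hypothetical "target area" label
TARGET_HOURS = range(0, 6)         # hypothetical off-hours "target time period"
SCORE_THRESHOLD = 5                # assumed preset threshold on the weight sum
WATCH_TTL = timedelta(days=7)      # S304: 7 days without a new access record
INTEL_TTL = timedelta(days=14)     # S304: 14 days without a new access record

Access = namedtuple("Access", "ip ts user_agent region status port")

def index_data(records):
    """The five indices named in the patent, computed per source IP."""
    per_ip = defaultdict(list)
    for r in records:
        per_ip[r.ip].append(r)
    result = {}
    for ip, rs in per_ip.items():
        abnormal = sum(1 for r in rs if r.status >= 400)
        result[ip] = {
            "user_agents": len({r.user_agent for r in rs}),
            "from_target_region": any(r.region in TARGET_REGIONS for r in rs),
            "abnormal_status_ratio": abnormal / len(rs),
            "in_target_hours": any(r.ts.hour in TARGET_HOURS for r in rs),
            "sensitive_ports": len({r.port for r in rs if r.port in SENSITIVE_PORTS}),
        }
    return result

def weights(idx):
    """Preset correspondence index -> weight, modelled as assumed step functions."""
    ua, ratio, ports = idx["user_agents"], idx["abnormal_status_ratio"], idx["sensitive_ports"]
    return [
        3 if ua >= 3 else 1 if ua >= 2 else 0,
        2 if idx["from_target_region"] else 0,
        3 if ratio >= 0.5 else 1 if ratio >= 0.2 else 0,
        1 if idx["in_target_hours"] else 0,
        3 if ports >= 3 else 1 if ports >= 1 else 0,
    ]

def score_ips(records, threshold=SCORE_THRESHOLD):
    """Claim 1: IPs whose weight sum exceeds the threshold, mapped to their score."""
    return {ip: s for ip, idx in index_data(records).items()
            if (s := sum(weights(idx))) > threshold}

class IntelLifecycle:
    """First list = watch list; second list = the self-built intelligence repository."""
    def __init__(self):
        self.watch = {}      # ip -> {"added": ts, "last": ts}
        self.intel = {}      # ip -> {"added": ts, "last": ts}
        self.published = []  # repository snapshots sent to the target object

    def add_candidates(self, ips, now):
        for ip in ips:
            if ip not in self.intel and ip not in self.watch:
                self.watch[ip] = {"added": now, "last": now}

    def record_access(self, ip, now):
        for table in (self.watch, self.intel):
            if ip in table:
                table[ip]["last"] = now

    def record_alarm(self, ip, now):
        """Claim 2: an alarm within WATCH_TTL of listing promotes the IP; claim 5: publish."""
        entry = self.watch.get(ip)
        if entry is None or now - entry["added"] > WATCH_TTL:
            return False
        del self.watch[ip]
        self.intel[ip] = {"added": now, "last": now}
        self.published.append(sorted(self.intel))
        return True

    def expire(self, now):
        """Claims 3, 4 and 6: drop idle entries; re-send the repository if it shrank."""
        self.watch = {ip: e for ip, e in self.watch.items() if now - e["last"] <= WATCH_TTL}
        removed = sorted(ip for ip, e in self.intel.items() if now - e["last"] > INTEL_TTL)
        self.intel = {ip: e for ip, e in self.intel.items() if ip not in removed}
        if removed:
            self.published.append(sorted(self.intel))
        return removed

T0 = datetime(2020, 8, 28, 2, 0)  # constructed sample traffic for one window (not real data)
SAMPLE = [
    Access("198.51.100.7", T0, "curl/7.68", "REGION-X", 404, 22),
    Access("198.51.100.7", T0, "python-requests/2.24", "REGION-X", 403, 3389),
    Access("198.51.100.7", T0, "sqlmap/1.4", "REGION-X", 200, 445),
    Access("203.0.113.5", T0.replace(hour=14), "Mozilla/5.0", "REGION-Y", 200, 443),
]

def demo():
    flagged = score_ips(SAMPLE)                                  # {"198.51.100.7": 12}
    life = IntelLifecycle()
    life.add_candidates(flagged, T0)                             # onto the watch list
    life.record_alarm("198.51.100.7", T0 + timedelta(days=1))   # promoted and published
    removed = life.expire(T0 + timedelta(days=16))               # idle 15 days > 14: removed
    return flagged, life, removed
```

`score_ips` is meant to run once per observation window (the "third preset time period"), so a source that only scores highly in a single window still has to trigger an alarm while on the watch list before it reaches the repository. The lifecycle keeps `added` and `last` separately because claim 2 measures the alarm window from the moment of listing, while claims 3 and 4 measure idleness from the most recent access record.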
The present embodiment also provides an electronic device comprising a memory having a computer program stored therein and a processor configured to execute the computer program to perform the steps of any of the above method embodiments.
Optionally, the electronic apparatus may further include a transmission device and an input/output device, wherein the transmission device is connected to the processor, and the input/output device is connected to the processor.
Optionally, in this embodiment, the processor may be configured to execute the following steps by a computer program:
S1, acquiring N index data corresponding to the target IP address, where the index data represent the behavior characteristics of the target IP address during access;
S2, determining N weight values corresponding to the N index data according to a preset correspondence, where the preset correspondence indicates the correspondence between index data and weight values;
S3, determining that the target IP address is an IP address to be processed when the sum of the N weight values is greater than a preset threshold, where N is an integer greater than or equal to 1.
It should be noted that, for specific examples in this embodiment, reference may be made to examples described in the foregoing embodiments and optional implementations, and details of this embodiment are not described herein again.
In addition, in combination with the IP address processing method of the foregoing embodiments, an embodiment of the present application may provide a storage medium. The storage medium stores a computer program which, when executed by a processor, implements the IP address processing method of any of the above embodiments.
It should be understood by those skilled in the art that various features of the above-described embodiments can be combined in any combination, and for the sake of brevity, all possible combinations of features in the above-described embodiments are not described in detail, but rather, all combinations of features which are not inconsistent with each other should be construed as being within the scope of the present disclosure.
The above-mentioned embodiments only express several embodiments of the present application, and the description thereof is more specific and detailed, but not construed as limiting the scope of the invention. It should be noted that, for a person skilled in the art, several variations and modifications can be made without departing from the concept of the present application, which falls within the scope of protection of the present application. Therefore, the protection scope of the present patent shall be subject to the appended claims.

Claims (10)

1. A method for processing an Internet Protocol (IP) address, comprising:
acquiring N index data corresponding to a target IP address; the index data is used for representing the behavior characteristics of the target IP address in the access process;
determining N weight values corresponding to the N index data according to a preset correspondence; the preset correspondence is used to indicate the correspondence between the index data and the weight values;
and, when the sum of the N weight values is greater than a preset threshold, determining that the target IP address is an IP address to be processed, wherein N is an integer greater than or equal to 1.
2. The processing method of claim 1, wherein determining the target IP address as the IP address to be processed comprises:
adding the target IP address to a first list;
judging whether the target IP address triggers an alarm within a first preset time period after the target IP address is added to the first list;
and under the condition that the target IP address triggers an alarm within a first preset time period after being added into the first list, deleting the target IP address from the first list, and adding the target IP address into a second list, wherein the IP address in the second list is the IP address to be processed.
3. The processing method of claim 2, further comprising:
judging whether the target IP address has a new access record within the first preset time period after the target IP address is added to the first list;
and deleting the target IP address from the first list when no new access record exists in the target IP address within the first preset time period after the target IP address is added to the first list.
4. The processing method of claim 2, wherein after adding the target IP address to the second list, the method further comprises:
judging whether the target IP address has a new access record within a second preset time period after the target IP address is added to the second list;
and deleting the target IP address from the second list when no new access record exists in the second preset time period after the target IP address is added to the second list.
5. The processing method of claim 4, further comprising:
after adding the target IP address to a second list, sending the second list to a target object.
6. The processing method of claim 5, further comprising:
and after the target IP address is deleted from the second list, sending the second list after the target IP address is deleted to the target object.
7. The processing method of claim 1, wherein obtaining N pieces of index data corresponding to the target IP address comprises:
retrieving the IP addresses in the traffic data of a third preset time period;
acquiring the N index data of the target IP address from the retrieval result; wherein the retrieval result comprises a plurality of target IP addresses;
the index data includes at least one of: the number of user agents used by the target IP in its accesses, whether the target IP comes from a target area, the proportion of abnormal status codes among the HTTP status codes of the target IP's accesses, whether the access time period of the target IP is a target time period, and the number of sensitive ports accessed by the target IP.
8. An apparatus for processing an IP address, comprising:
the acquisition module is used for acquiring N index data corresponding to the target IP address; the index data is used for representing the behavior characteristics of the target IP address in the access process;
a first determining module, configured to determine N weight values corresponding to the N index data according to a preset correspondence; the preset correspondence is used to indicate the correspondence between the index data and the weight values;
and a second determining module, configured to determine that the target IP address is an IP address to be processed when the sum of the N weight values is greater than a preset threshold, wherein N is an integer greater than or equal to 1.
9. An electronic device comprising a memory and a processor, wherein the memory stores a computer program, and the processor is configured to execute the computer program to perform the IP address processing method according to any one of claims 1 to 7.
10. A storage medium having stored thereon a computer program, wherein the computer program is arranged to execute the method of processing an IP address according to any one of claims 1 to 7 when running.
CN202010887356.7A 2020-08-28 2020-08-28 IP address processing method, device, electronic device and storage medium Pending CN112153009A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010887356.7A CN112153009A (en) 2020-08-28 2020-08-28 IP address processing method, device, electronic device and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010887356.7A CN112153009A (en) 2020-08-28 2020-08-28 IP address processing method, device, electronic device and storage medium

Publications (1)

Publication Number Publication Date
CN112153009A true CN112153009A (en) 2020-12-29

Family

ID=73889579

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010887356.7A Pending CN112153009A (en) 2020-08-28 2020-08-28 IP address processing method, device, electronic device and storage medium

Country Status (1)

Country Link
CN (1) CN112153009A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113225340A (en) * 2021-05-07 2021-08-06 Beijing Huayunan Information Technology Co., Ltd. (北京华云安信息技术有限公司) Attack IP address judgment method, device, equipment and computer readable storage medium

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105208026A (en) * 2015-09-29 2015-12-30 Nubia Technology Co., Ltd. (努比亚技术有限公司) Hostile attack preventing method and network system
WO2016164403A1 (en) * 2015-04-10 2016-10-13 Level 3 Communications, Llc Systems and methods for generating network threat intelligence
CN107911397A (en) * 2018-01-02 2018-04-13 Beijing QIYI Century Science & Technology Co., Ltd. (北京奇艺世纪科技有限公司) Threat assessment method and device
CN109861985A (en) * 2019-01-02 2019-06-07 Ping An Technology (Shenzhen) Co., Ltd. (平安科技(深圳)有限公司) IP risk control method, apparatus, device and storage medium based on risk-level division
CN110351280A (en) * 2019-07-15 2019-10-18 Hangzhou Dbappsecurity Technology Co., Ltd. (杭州安恒信息技术股份有限公司) Threat intelligence extraction method, system, device and readable storage medium

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
Zhou Songsong et al.: "Malware identification based on threat intelligence", Netinfo Security (信息网络安全) *
Mo Fan et al.: "Application of machine-learning-based user and entity behavior analytics to account anomaly detection", Communications Technology (通信技术) *

Similar Documents

Publication Publication Date Title
CN109829310B (en) Similar attack defense method, device, system, storage medium and electronic device
CN108809749B (en) Performing upper layer inspection of a stream based on a sampling rate
US10135857B2 (en) Structuring data and pre-compiled exception list engines and internet protocol threat prevention
US20210144120A1 (en) Service resource scheduling method and apparatus
US20030110393A1 (en) Intrusion detection method and signature table
CN111310196B (en) Risk identification method and device and electronic equipment
CN106302104B (en) User relationship identification method and device
CN111314328A (en) Network attack protection method and device, storage medium and electronic equipment
CN113408948A (en) Network asset management method, device, equipment and medium
CN111740868A (en) Alarm data processing method and device and storage medium
CN114139178A (en) Data link-based data security monitoring method and device and computer equipment
Yildiz et al. The impact of incapacitation of multiple critical sensor nodes on wireless sensor network lifetime
CN112153009A (en) IP address processing method, device, electronic device and storage medium
US9485166B2 (en) Network abnormality detection system, measurement apparatus, and analysis apparatus
WO2018225667A1 (en) Information processing device, information processing system, information processing method, and recording medium
CN107332856B (en) Address information detection method and device, storage medium and electronic device
CN113556342A (en) DNS cache server prefix change attack protection method and device
CN112532610A (en) Intrusion prevention detection method and device based on TCP segmentation
CN110022301A (en) Firewall is used in internet of things equipment protection
CN113545020A (en) Data processing method and device
CN115396280B (en) Alarm data processing method, device, equipment and storage medium
CN110830510B (en) Method, device, equipment and storage medium for detecting DOS attack
US20240179120A1 (en) Network management for blocking unauthorized access
CN114499949B (en) Device binding method and device, electronic device and computer readable medium
US11461463B2 (en) Information processing device, information processing method, and recording medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20201229