CN112165466B - Method and device for false alarm identification, electronic device and storage medium - Google Patents


Info

Publication number
CN112165466B
Authority
CN
China
Prior art keywords
website
log
protection
request
client
Legal status
Active
Application number
CN202010974093.3A
Other languages
Chinese (zh)
Other versions
CN112165466A (en)
Inventor
叶一聪
范渊
Current Assignee
DBAPPSecurity Co Ltd
Original Assignee
DBAPPSecurity Co Ltd
Application filed by DBAPPSecurity Co Ltd
Priority to CN202010974093.3A
Publication of CN112165466A
Application granted
Publication of CN112165466B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/16 Threshold monitoring
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L63/205 Network architectures or network communication protocols for network security for managing network security; network security policies in general involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved

Abstract

The application relates to a method, a device, an electronic device and a storage medium for false alarm identification. The method comprises: receiving an access request of a client IP to a website and recording a protection log of the website; generating request data according to the access request, and generating protection data according to the protection log of the website; calculating the log productivity of the accessed website URL according to the request data and the protection data; when the log productivity is larger than a preset log productivity threshold value, calculating the dispersion of the client IP; and when the dispersion of the client IP is larger than a preset dispersion threshold value of the client IP, judging that the access request is a false alarm request. The method and the device solve the problem of a low false alarm recognition rate and can accurately recognize false alarms.

Description

Method and device for false alarm identification, electronic device and storage medium
Technical Field
The present application relates to the field of network security, and in particular, to a method, an apparatus, an electronic apparatus, and a storage medium for false alarm identification.
Background
With the development of the internet, more and more private persons and businesses share resources on the internet, and there is a strong need for reliable products that secure private or enterprise networks. The reliability of the network security products currently on the market is uneven: most are configured with a fixed security policy on a designated protection server or protection client that protects or monitors the server or the client. With such an approach a protection policy may be erroneously hit by normal access, so that a large number of users are denied normal access to the server.
In the related art, the solution for false positives of a Web application security protection product is for the vendor's technical service staff to periodically analyze the protection log at the site, find false positives by combining the characteristics of the security protection product with their experience of it, and then manually disable the protection strategy that produced the false positive. However, the protection log on a site usually holds thousands or tens of thousands of entries, so the false alarm recognition rate is low. In addition, resolving a discovered false positive by disabling the protection strategy may let real attack requests pass through.
At present, no effective solution has been proposed for the problem of the low false alarm recognition rate in the related art.
Disclosure of Invention
The embodiment of the application provides a false alarm identification method, a false alarm identification device, an electronic device and a storage medium, and aims to at least solve the problem of low false alarm identification rate in the related technology.
In a first aspect, an embodiment of the present application provides a method for false alarm identification, including: receiving an access request of a client IP to a website and recording a protection log of the website; generating request data according to the access request, and generating protection data according to a protection log of the website; calculating log productivity of the URL of the accessed website according to the request data and the protection data; when the log productivity is larger than a preset log productivity threshold value, calculating the dispersion of the client IP; and when the dispersion of the client IP is larger than a preset dispersion threshold value of the client IP, judging that the access request is a false alarm request.
In some embodiments, generating request data according to the access request comprises: according to the access request, counting the number of URLs of the website in the access request, and counting the number of client IPs accessing all the URLs of the website in the access request.
In some embodiments, generating protection data according to the protection log of the website comprises: according to the protection log of the website, counting the number of URLs of the website in the protection log and the number of client IPs accessing the URLs of the website in the protection log.
In some embodiments, calculating the log productivity of the website according to the request data and the protection data comprises: dividing the number of URLs of the website in the access request by the number of URLs of the website in the protection log to obtain the log generation rate of the website.
In some embodiments, calculating the dispersion of the client IP comprises: dividing the number of client IPs accessing the URL of the website in the access request by the number of client IPs accessing the URL of the website in the protection log to obtain the dispersion of the client IP.
In some embodiments, after determining that the access request is a false positive request, the method further comprises: establishing a white model of the protection strategy according to the URL information, parameter information, request header and/or payload information in the false alarm request, and performing false alarm identification through the white model when an access request of the client IP to the website is received again.
In a second aspect, an embodiment of the present application provides a device for false alarm identification, comprising a request statistical analysis module, a protection log recording module, a log productivity calculation module, a dispersion calculation module and a false alarm judgment module. The request statistical analysis module is used for receiving an access request of a client IP to a website and recording a protection log of the website; the protection log recording module is used for generating request data and protection data according to the access request and the protection log of the website; the log productivity calculation module is used for calculating the log productivity of the accessed website URL according to the request data and the protection data; the dispersion calculation module is used for calculating the dispersion of the client IP when the log productivity is greater than a preset log productivity threshold value; and the false alarm judgment module is used for judging that the access request is a false alarm request when the dispersion of the client IP is greater than a preset dispersion threshold of the client IP.
In some of these embodiments, the device further comprises an adaptive false alarm strategy module, which is used for establishing a white model of the protection strategy according to the URL information, parameter information, request header and/or payload information in the false alarm request, and for performing false alarm identification through the white model when an access request of the client IP to the website is received again.
In a third aspect, an embodiment of the present application provides an electronic apparatus, which includes a memory, a processor, and a computer program stored in the memory and executable on the processor, and the processor executes the computer program to implement a method for false positive identification as described in the first aspect.
In a fourth aspect, embodiments of the present application provide a storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements a method for false positive identification as described in the first aspect above.
Compared with the related art, the method, device, electronic device and storage medium for false alarm identification provided by the embodiments of the application receive the access request of the client IP to the website and record the protection log of the website; generate request data according to the access request and protection data according to the protection log of the website; calculate the log productivity of the accessed website URL according to the request data and the protection data; calculate the dispersion of the client IP when the log productivity is larger than a preset log productivity threshold value; and judge the access request to be a false alarm request when the dispersion of the client IP is larger than the preset dispersion threshold of the client IP. This solves the problem of the low false alarm recognition rate, and false alarms can be recognized accurately.
The details of one or more embodiments of the application are set forth in the accompanying drawings and the description below, so that the features, objects and advantages of the application become more concise and understandable.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the application and together with the description serve to explain the application and not to limit the application. In the drawings:
FIG. 1 is a block diagram of the hardware structure of an application terminal of a false alarm identification method according to an embodiment of the present application;
FIG. 2 is a flow chart of a method of false positive identification according to an embodiment of the present application;
FIG. 3 is a flow chart of another false positive identification method according to an embodiment of the present application;
FIG. 4 is a preferred flow chart of a method of false positive identification according to an embodiment of the present application;
FIG. 5 is a block diagram of an apparatus for false positive identification according to an embodiment of the present application;
FIG. 6 is a block diagram of an alternative apparatus for false positive identification according to an embodiment of the present application;
FIG. 7 is a block diagram of a computer-readable storage medium according to an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application will be described and illustrated below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of and not restrictive on the broad application. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments provided in the present application without any inventive step are within the scope of protection of the present application. Moreover, it should be appreciated that in the development of any such actual implementation, as in any engineering or design project, numerous implementation-specific decisions must be made to achieve the developers' specific goals, such as compliance with system-related and business-related constraints, which may vary from one implementation to another.
Reference in the specification to "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment can be included in at least one embodiment of the specification. The appearances of the phrase in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments. Those of ordinary skill in the art will explicitly and implicitly appreciate that the embodiments described herein may be combined with other embodiments without conflict.
Unless defined otherwise, technical or scientific terms referred to herein shall have the ordinary meaning as understood by those of ordinary skill in the art to which this application belongs. Reference to "a," "an," "the," and similar words throughout this application is not to be construed as limiting in number, and may refer to the singular or the plural. The terms "including," "comprising," "having," and any variations thereof used in this application are intended to cover non-exclusive inclusions; for example, a process, method, system, article, or apparatus that comprises a list of steps or modules (elements) is not limited to the listed steps or elements, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus. Reference to "connected," "coupled," and the like in this application is not intended to be limited to physical or mechanical connections, but may include electrical connections, whether direct or indirect. Reference herein to "a plurality" means greater than or equal to two. "And/or" describes an association relationship of associated objects, meaning that three relationships may exist; for example, "A and/or B" may mean: A exists alone, A and B exist simultaneously, or B exists alone. Reference herein to the terms "first," "second," "third," and the like is merely to distinguish similar objects and does not denote a particular ordering of the objects.
The method provided by the embodiment can be executed in a terminal, a computer or a similar operation device. Taking the example of running on a terminal, fig. 1 is a hardware structure block diagram of an application terminal of a false alarm identification method according to an embodiment of the present application. As shown in fig. 1, the terminal may include one or more (only one shown in fig. 1) processors 102 (the processor 102 may include, but is not limited to, a processing device such as a microprocessor MCU or a programmable logic device FPGA) and a memory 104 for storing data, and optionally, a transmission device 106 for communication functions and an input-output device 108. It will be understood by those skilled in the art that the structure shown in fig. 1 is only an illustration and is not intended to limit the structure of the terminal. For example, the terminal may also include more or fewer components than shown in FIG. 1, or have a different configuration than shown in FIG. 1.
The memory 104 can be used for storing computer programs, for example, software programs and modules of application software, such as a computer program corresponding to a method for false positive identification in the embodiment of the present invention, and the processor 102 executes various functional applications and data processing by running the computer programs stored in the memory 104, so as to implement the method described above. The memory 104 may include high-speed random access memory, and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some examples, the memory 104 may further include memory located remotely from the processor 102, which may be connected to the terminal over a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The transmission device 106 is used to receive or transmit data via a network. Specific examples of the network described above may include a wireless network provided by a communication provider of the terminal. In one example, the transmission device 106 includes a Network adapter (NIC) that can be connected to other Network devices through a base station to communicate with the internet. In one example, the transmission device 106 may be a Radio Frequency (RF) module, which is used to communicate with the internet in a wireless manner.
The present embodiment provides a false alarm identification method, and fig. 2 is a flowchart of a false alarm identification method according to the present embodiment, and as shown in fig. 2, the flowchart includes the following steps:
step S201, receiving an access request of the client IP to the website, and recording a protection log of the website.
Specifically, when a client IP accesses the website it requests different URLs of the website, and the website records the relevant data; at the same time, the website is provided with protection that intercepts access requests, and access request behaviour that may be an attack is intercepted and recorded in the protection log.
Step S202, request data is generated according to the access request, and protection data is generated according to the protection log of the website.
Specifically, a client IP requests different URLs when accessing the website. The request data records the number of times each URL is accessed by client IPs: each time a client IP accesses a URL of the website, the request count of the corresponding website URL is incremented by one.
Similarly, for the protection log of the website, the number of URLs of the website appearing in the protection log is counted, as well as the number of client IPs that requested each URL of the website in the protection log.
Step S203, calculating the log productivity of the accessed URL of the website according to the request data and the protection data.
Specifically, when the number of protection-log entries for the website's URLs reaches a preset threshold, the log productivity of the website is obtained from the ratio between the request data and the protection data, that is, the ratio of the number of URL accesses of the website to the number of URL accesses of the website intercepted in the protection log; when the log productivity is greater than the preset threshold, it is necessary to further determine accurately whether a false alarm condition exists.
In step S204, when the log productivity is greater than a preset log productivity threshold, the dispersion of the client IP is calculated.
Specifically, when the proportion of the website's URL accesses appearing in the protection log is greater than a standard value, that is, when the log productivity reaches the preset log productivity threshold, the dispersion of the client IP is further calculated to determine whether the request is a false positive request.
In step S205, when the dispersion of the client IP is greater than a preset dispersion threshold of the client IP, it is determined that the access request is a false positive request. Specifically, when the dispersion of the client IP for the website is greater than the preset client IP dispersion threshold, the access request may be determined to be a false positive request; if the dispersion of the client IP for the website is less than the preset client IP dispersion threshold, the access request may be determined to be an attack request.
Through the above steps S201 to S205, when a client IP accesses a website it accesses different URLs of the website, and the interception information for those accesses is recorded in the protection log, so that request data and protection data are generated: the request data is recorded from the start of the access, and the protection data is the website's interception records. The log productivity of the website is calculated from this data; when the log productivity reaches the preset log productivity threshold value a preliminary judgment of a false alarm is made, and the dispersion of the client IP is then judged as the next step. When the dispersion of the client IP is also greater than the preset threshold, the access request is judged to be a false alarm request. A larger dispersion means that the accesses to the website come from many client IPs rather than from a single client IP, which shows that the access is stable normal traffic rather than coming from a number of attacking client IPs. Whether the access request is a false alarm request can thus be determined through these steps, which solves the problem of the low false alarm recognition rate and improves the false alarm recognition rate.
In some embodiments, in step S202, generating the request data according to the access request comprises: counting, according to the access request, the number of URLs of the website in the access request and the number of client IPs accessing all the URLs of the website in the access request.
In step S202, generating the protection data according to the protection log of the website comprises: counting, according to the protection log of the website, the number of URLs of the website in the protection log and the number of client IPs accessing the URLs of the website in the protection log.
Because the number of URLs of the website and the number of client IPs per URL of the website are counted, both the total number of accesses to each URL of the website and the number of client IPs accessing each URL of the website are available at lookup time, which makes it convenient for a user to look up and judge the URL counts and the client IP counts of the website.
In some embodiments, in step S203, calculating the log productivity of the website according to the request data and the protection data comprises: dividing the number of URLs of the website in the access request by the number of URLs of the website in the protection log to obtain the log generation rate of the website.
The log generation rate screens out the part of the data that may be false alarm information, narrowing the range in which false alarm information has to be identified.
In some embodiments, in step S204, when the log productivity is greater than the preset log productivity threshold, calculating the dispersion of the client IP comprises:
dividing the number of client IPs accessing the URL of the website in the access request by the number of client IPs accessing the URL of the website in the protection log to obtain the dispersion of the client IP.
Once the log productivity has been obtained, the client IPs involved in a false alarm can be determined by calculating the dispersion of the client IP, so that the false alarm information can be determined accurately.
The embodiment also provides a method for false alarm identification. Fig. 3 is a flowchart of another false alarm identification method according to an embodiment of the present application, and as shown in fig. 3, the flowchart includes the following steps:
step S201, receiving an access request of a client IP to a website, and recording a protection log of the website;
step S202, generating request data according to the access request, and generating protection data according to the protection log of the website;
step S203, calculating the log productivity of the accessed URL of the website according to the request data and the protection data;
step S204, when the log productivity is greater than a preset log productivity threshold value, calculating the dispersion of the client IP;
step S205, when the dispersion of the client IP is larger than a preset dispersion threshold of the client IP, judging that the access request is a false alarm request;
step S301, a white model of a protection strategy is established according to URL information, parameter information, a request header and/or load information in the false alarm request, and false alarm identification is carried out through the white model when an access request of the client IP to the website is received again.
The probability of false alarm next time is reduced by establishing a white model of the protection strategy.
Fig. 4 is a preferred flowchart of a false alarm recognition method according to an embodiment of the present application, and as shown in fig. 4, the false alarm recognition method includes the following steps:
step S401, a website request URL record table and a URL/IP access record table are counted.
Specifically, the website request URL record table stores the request count of each website URL requested by client IPs, that is, the number of requests recorded for each website URL; the request count of a specific website URL is obtained by looking it up in the website request URL record table. The URL/IP access record table stores the client IPs that requested each URL, that is, the client IPs that accessed the corresponding website URL; which client IPs accessed a specified URL is obtained by looking it up in the URL/IP access record table. When a record in a table exceeds the designated time, the record is reinitialized and counting starts again.
Step S402, a website protection URL record table and a URL/IP protection record table are counted.
Specifically, the website protection URL record table stores the count of each URL in the protection log, that is, the statistical count of protection-log entries for each URL; the number of protection-log entries generated for a website URL is obtained by looking it up in the website protection URL record table. The URL/IP protection record table stores the client IPs corresponding to each URL in the protection log, that is, the client IPs that generated the protection-log entries for the URL; which client IPs of a specified URL generated protection-log entries is obtained by looking it up in the URL/IP protection record table. Records in the table that exceed the designated time are reinitialized and statistical recording starts again.
In step S403, a URL log generation rate is calculated.
Specifically, when the count of a website URL in the website protection URL record table produced by log statistical analysis exceeds a specified number, the URL log generation rate is calculated: the protection-log count of the URL in the website protection URL record table is divided by the access count of the same URL in the website request URL record table to obtain the URL log generation rate, which is then used in the false alarm analysis.
Step S404, judging whether the calculated log productivity is greater than the preset log productivity threshold value; if not, step S409 is executed;
Step S405, if yes, calculating the dispersion of the client IP.
Specifically, after the URL log generation rate has been calculated for the corresponding URL, the client IP dispersion of that protection-log URL is calculated: the number of client IPs corresponding to the URL in the URL/IP protection record table is divided by the number of client IPs corresponding to the URL in the URL/IP access record table to obtain the client IP dispersion of the URL that generated the protection log. The dispersion is then used in the false alarm analysis and judgment, that is, in judging whether the client IP requests hitting the protection strategy are normal client requests.
Step S406, judging whether the dispersion of the client IP is greater than the preset dispersion threshold of the client IP; if not, step S409 is executed;
Step S407, if yes, determining that the request is a false alarm request.
Specifically, if the URL log generation rate and the dispersion of the client IP are both greater than their specified thresholds, the client's request for the website URL is determined to be a normal client request, that is, a false-positive hit of the protection strategy; otherwise it is not treated as a false positive.
Step S408, establishing a white model according to the false alarm request.
Specifically, for a request that the false alarm analysis has judged to be a normal request, its relevant information (the URL, the website IP, the request header and the request payload) is recorded to generate an access white model, which is shown to the maker of the protection strategy. Afterwards, when a client IP request hits the protection strategy, it is checked whether a matching access white model exists; if so, the request is determined to be a normal request and is forwarded, otherwise the subsequent protection strategy is executed.
Step S409, intercepting the request data.
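As an added worked example (not code from the patent or from DBAPPSecurity), the following Python runs the flow of steps S201 to S205 and of fig. 4 (S401 to S409) over constructed access and protection-log records: it builds the four record tables, computes the URL log generation rate in the fig. 4 direction (protection-log count divided by request count) and the client IP dispersion (distinct client IPs in the protection log divided by distinct client IPs in the access records), applies both thresholds, and builds and matches the access white model. The sample records, table names, thresholds, minimum hit count and the exact-match white model rule are assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample records (not from the patent). An access record is
# (client_ip, url); a protection-log record is (client_ip, url, header, payload)
# and means the protection strategy fired on that request.
def make_access_records():
    records = []
    for i in range(10):                      # /search: 10 client IPs, 5 requests each
        records += [(f"10.0.0.{i}", "/search")] * 5
    for i in range(8):                       # /login: 8 client IPs, 4 requests each ...
        records += [(f"10.0.1.{i}", "/login")] * 4
    records += [("203.0.113.7", "/login")] * 20   # ... plus one IP sending 20 requests
    for i in range(20):                      # /home: 20 client IPs, 5 requests each
        records += [(f"10.0.2.{i}", "/home")] * 5
    return records

def make_protection_records():
    records = []
    for i in range(9):                       # /search: rule fires on 9 of the 10 IPs
        records += [(f"10.0.0.{i}", "/search", "UA:browser", "q=select option")] * 4
    records += [("203.0.113.7", "/login", "UA:script", "suspicious-payload")] * 20
    records += [("10.0.2.3", "/home", "UA:browser", "")] * 2
    return records

def build_tables(access, protection):
    """S401/S402: the four record tables named in the patent."""
    tables = {
        "req_count": Counter(),          # website request URL record table
        "req_ips": defaultdict(set),     # URL/IP access record table
        "prot_count": Counter(),         # website protection URL record table
        "prot_ips": defaultdict(set),    # URL/IP protection record table
    }
    for ip, url in access:
        tables["req_count"][url] += 1
        tables["req_ips"][url].add(ip)
    for ip, url, _header, _payload in protection:
        tables["prot_count"][url] += 1
        tables["prot_ips"][url].add(ip)
    return tables

def url_log_generation_rate(tables, url, min_hits):
    """S403: protection-log count / request count, computed only once the URL
    has at least min_hits protection-log entries (assumed minimum)."""
    hits, requests = tables["prot_count"][url], tables["req_count"][url]
    if hits < min_hits or requests == 0:
        return None
    return hits / requests

def client_ip_dispersion(tables, url):
    """S405: distinct client IPs in the protection log / distinct client IPs
    that requested the URL."""
    requesting_ips = tables["req_ips"][url]
    if not requesting_ips:
        return 0.0
    return len(tables["prot_ips"][url]) / len(requesting_ips)

def classify_url(tables, url, min_hits=10, rate_threshold=0.3, dispersion_threshold=0.5):
    """S404 to S409: 'false_positive' when both ratios exceed their (assumed)
    thresholds, otherwise 'intercept'."""
    rate = url_log_generation_rate(tables, url, min_hits)
    if rate is None or rate <= rate_threshold:
        return "intercept"                   # S404 no -> S409
    if client_ip_dispersion(tables, url) <= dispersion_threshold:
        return "intercept"                   # S406 no -> S409 (hits from few IPs)
    return "false_positive"                  # S407

def build_white_model(protection, url):
    """S408: record (URL, request header, payload) of the hits judged to be normal."""
    return {(u, header, payload) for _ip, u, header, payload in protection if u == url}

def matches_white_model(white_model, url, header, payload):
    """S408: a later hit on the strategy is forwarded if it matches the white model.
    Exact-tuple matching is an assumption; the patent does not fix the match rule."""
    return (url, header, payload) in white_model

def run_example():
    """Returns the per-URL verdicts and the white model built from false positives."""
    access, protection = make_access_records(), make_protection_records()
    tables = build_tables(access, protection)
    verdicts = {url: classify_url(tables, url) for url in tables["req_count"]}
    white_model = set()
    for url, verdict in verdicts.items():
        if verdict == "false_positive":
            white_model |= build_white_model(protection, url)
    return verdicts, white_model

if __name__ == "__main__":
    verdicts, white_model = run_example()
    for url, verdict in verdicts.items():
        print(url, verdict)                  # /search false_positive; others intercept
    print(matches_white_model(white_model, "/search", "UA:browser", "q=select option"))
```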
The present embodiment further provides a device for false alarm identification, which is used to implement the foregoing embodiments and preferred embodiments; what has already been described is not repeated. As used hereinafter, the terms "module", "unit", "subunit" and the like may denote a combination of software and/or hardware implementing a predetermined function. Although the means described in the embodiments below are preferably implemented in software, an implementation in hardware or in a combination of software and hardware is also possible and contemplated.
Fig. 5 is a block diagram of a false alarm recognition device according to an embodiment of the present application, and as shown in fig. 5, the false alarm recognition device includes: a request statistical analysis module 501, a protection log recording module 502, a log productivity calculation module 503, a dispersion calculation module 504 and a false alarm judgment module 505;
the request statistical analysis module 501 is configured to receive an access request of a client IP to a website, and record a protection log of the website;
the protection log recording module 502 is configured to generate request data and protection data according to the access request and the protection log of the website;
the log productivity calculation module 503 is configured to calculate the log productivity of the URL of the website being accessed according to the request data and the protection data;
the dispersion calculation module 504 is configured to calculate the dispersion of the client IP when the log productivity is greater than a preset log productivity threshold;
the false alarm determining module 505 is configured to determine that the access request is a false alarm request when the dispersion of the client IP is greater than a preset dispersion threshold of the client IP.
Fig. 6 is a block diagram of another false alarm recognition apparatus according to an embodiment of the present application. As shown in fig. 6, the apparatus includes all the modules shown in fig. 5 and further includes an adaptive false alarm policy module 601;
the adaptive false alarm policy module 601 is configured to establish a white model of a protection policy according to the URL information, parameter information, request header and/or payload information in the false alarm request, and to perform false alarm identification through the white model when an access request of the client IP to the website is received again.
The above modules may be functional modules or program modules, and may be implemented by software or hardware. For modules implemented by hardware, the modules may be located in the same processor, or distributed across different processors in any combination.
The present embodiment also provides an electronic device comprising a memory having a computer program stored therein and a processor configured to execute the computer program to perform the steps of any of the above method embodiments.
Optionally, the electronic apparatus may further include a transmission device and an input/output device, wherein the transmission device is connected to the processor, and the input/output device is connected to the processor.
Optionally, in this embodiment, the processor may be configured to execute the following steps by a computer program:
step S1, receiving an access request from the client IP to the website, and recording a protection log of the website.
Step S2, generating request data according to the access request, and generating protection data according to the protection log of the website.
In step S3, the log productivity of the URL of the website being accessed is calculated based on the request data and the protection data.
In step S4, when the log productivity is greater than a preset log productivity threshold, the dispersion of the client IP is calculated.
Step S5, when the dispersion of the client IP is greater than a preset dispersion threshold of the client IP, determining that the access request is a false positive request.
It should be noted that, for specific examples in this embodiment, reference may be made to the examples described in the foregoing embodiment and optional implementation manners, and details of this embodiment are not described herein again.
Those skilled in the art will appreciate that the architecture shown in fig. 7 is a block diagram of only the portion of the architecture related to the disclosed aspects and is not intended to limit the computing devices to which the disclosed aspects apply; a particular computing device may include more or fewer components than those shown, may combine certain components, or may have a different arrangement of components.
In one embodiment, a computer-readable storage medium is provided, on which a computer program is stored, which, when being executed by a processor, implements the steps of a method for false positive identification provided by the above embodiments.
It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above can be implemented by a computer program instructing the relevant hardware; the program can be stored in a non-volatile computer-readable storage medium and, when executed, can include the processes of the embodiments of the methods described above. Any reference to memory, storage, a database or another medium used in the embodiments provided herein can include non-volatile and/or volatile memory. Non-volatile memory can include read-only memory (ROM), Programmable ROM (PROM), Electrically Programmable ROM (EPROM), Electrically Erasable Programmable ROM (EEPROM), or flash memory. Volatile memory can include Random Access Memory (RAM) or external cache memory. By way of illustration and not limitation, RAM is available in a variety of forms such as Static RAM (SRAM), Dynamic RAM (DRAM), Synchronous DRAM (SDRAM), Double Data Rate SDRAM (DDRSDRAM), Enhanced SDRAM (ESDRAM), Synchronous Link DRAM (SLDRAM), Rambus Direct RAM (RDRAM), Direct Rambus Dynamic RAM (DRDRAM), and Rambus Dynamic RAM (RDRAM).
The technical features of the above embodiments can be combined arbitrarily; for the sake of brevity, not all possible combinations of the technical features in the above embodiments are described, but as long as there is no contradiction between the combined technical features, the combination should be considered within the scope of the present specification.
The above examples express only several embodiments of the present application, and although their description is specific and detailed, it should not be construed as limiting the scope of the invention. It should be noted that a person skilled in the art can make several variations and modifications without departing from the concept of the present application, and these all fall within the scope of protection of the present application. Therefore, the protection scope of the present patent shall be subject to the appended claims.

Claims (7)

1. A method of false positive identification, comprising:
receiving an access request of a client IP to a website, and recording a protection log of the website;
generating request data according to the access request, and generating protection data according to a protection log of the website;
calculating log productivity of the URL of the accessed website according to the request data and the protection data;
when the log productivity is larger than a preset log productivity threshold value, calculating the dispersion of the client IP;
when the dispersion of the client IP is larger than a preset dispersion threshold value of the client IP, judging that the access request is a false alarm request;
wherein the generating request data according to the access request comprises: according to the access request, counting the number of all URLs in the website in the access request and counting the number of client IPs accessing all URLs in the website in the access request;
the generating protection data according to the protection log of the website comprises: according to the protection log of the website, counting the number of all URLs in the website in the protection log and the number of client IPs accessing all URLs in the website in the protection log;
the calculating log productivity of the website according to the request data and the protection data comprises: dividing the number of URLs in the website in the protection log by the number of URLs in the corresponding website in the access request to obtain the log generation rate of the website.
2. The method of claim 1, wherein the calculating the dispersion of the client IPs comprises:
dividing the number of client IPs accessing each URL in the website in the protection log by the number of client IPs accessing each URL in the website in the access request to obtain the dispersion of the client IP.
3. The method of claim 1 or 2, wherein after said determining that said access request is a false positive request, said method further comprises:
establishing a white model of a protection policy according to URL information, parameter information, a request header and/or payload information in the false alarm request, and performing false alarm identification through the white model when an access request of the client IP to the website is received again.
4. A false alarm identification device, comprising: the system comprises a request statistical analysis module, a protection log recording module, a log productivity calculation module, a dispersion calculation module and a false alarm judgment module;
the request statistical analysis module is used for receiving an access request of a client IP to a website and recording a protection log of the website;
the protection log recording module is used for generating request data and protection data according to the access request and the protection log of the website;
the log productivity calculation module is used for calculating the log productivity of the URL of the accessed website according to the request data and the protection data;
the dispersion calculation module is used for calculating the dispersion of the client IP when the log productivity is greater than a preset log productivity threshold value;
the false alarm judging module is used for judging the access request as a false alarm request when the dispersion of the client IP is larger than a preset dispersion threshold of the client IP;
wherein the generating request data according to the access request comprises: according to the access request, counting the number of all URLs in the website in the access request and counting the number of client IPs accessing all URLs in the website in the access request;
the generating protection data according to the protection log of the website comprises: according to the protection log of the website, counting the number of all URLs in the website in the protection log and the number of client IPs accessing all URLs in the website in the protection log;
the calculating log productivity of the website according to the request data and the protection data comprises: dividing the number of URLs in the website in the protection log by the number of URLs in the corresponding website in the access request to obtain the log generation rate of the website.
5. The apparatus of claim 4, further comprising: an adaptive false alarm policy module;
the adaptive false alarm policy module is used for establishing a white model of a protection policy according to URL information, parameter information, a request header and/or payload information in the false alarm request, and performing false alarm identification through the white model when an access request of the client IP to the website is received again.
6. An electronic device comprising a memory and a processor, wherein the memory has stored therein a computer program, and the processor is configured to execute the computer program to perform a method of false positive identification as claimed in any one of claims 1 to 3.
7. A storage medium, in which a computer program is stored, wherein the computer program is configured to execute a method of false positive identification according to any one of claims 1 to 3 when running.
CN202010974093.3A 2020-09-16 2020-09-16 Method and device for false alarm identification, electronic device and storage medium Active CN112165466B (en)

Publications (2)

Publication Number    Publication Date
CN112165466A (en)     2021-01-01
CN112165466B (en)     2022-06-17
Legal Events

Code   Title
PB01   Publication
SE01   Entry into force of request for substantive examination
GR01   Patent grant