CN112182629A - Malicious access identification method, device, equipment and storage medium - Google Patents

Publication number
CN112182629A
Authority
CN
China
Legal status
Pending
Application number
CN202011173158.0A
Other languages
Chinese (zh)
Inventor
胡哲文
吴海山
殷磊
Current Assignee
WeBank Co Ltd
Original Assignee
WeBank Co Ltd
Application filed by WeBank Co Ltd
Priority to CN202011173158.0A
Publication of CN112182629A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/604 Tools and structures for managing or administering access control systems
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication

Abstract

The invention provides a malicious access identification method, device, equipment and storage medium. The restricted object is determined by the identification system when the number of distinct page numbers of the application system's paged resources accessed within a set period is greater than a preset threshold. This avoids classifying a normal user as a malicious access user while preventing malicious access users from crawling the data of the application system, which helps ensure normal use of the application system, improves user experience, and ensures the security of the data.

Description

Malicious access identification method, device, equipment and storage medium
Technical Field
The invention relates to the field of financial technology (Fintech), in particular to a malicious access identification method, a malicious access identification device, malicious access identification equipment and a storage medium.
Background
With the development of computer technology, more and more technologies are applied in the financial field, and the traditional financial industry is gradually changing to financial technology, but due to the requirements of the financial industry on safety and real-time performance, higher requirements are also put forward on the technologies. With the rapid growth of networks, the world wide web has become a carrier for large amounts of information. How to obtain effective information from each web page of the world wide web becomes a key point of attention. Particularly in business services in the financial field, most valuable financial data is published on the network for each user to access.
However, some lawbreakers locate the data interfaces of an application system by analyzing its page requests and then crawl the data, maliciously acquiring a large amount of financial data; the crawling itself also creates a number of risks for the application system.
In summary, a malicious access identification method is needed to ensure the normal use of the application system and ensure the security of data.
Disclosure of Invention
The invention provides a malicious access identification method, a malicious access identification device, malicious access identification equipment and a malicious access identification storage medium, which are used for ensuring the normal use of an application system and ensuring the safety of data.
In a first aspect, the present invention provides a malicious access identification method, including:
the application system determines whether an access user corresponding to the access request is a restricted object of the application system;
the application system refuses the access request after determining that the access user is a restricted object of the application system;
the restricted object of the application system is determined by the identification system when the access user meets a preset condition; the preset condition is that the number of distinct page numbers of the application system's paged resources accessed by the access user within a set period is greater than a preset threshold.
In this technical scheme, the restricted object is determined by the identification system when the number of distinct page numbers of the application system's paged resources accessed by the access user within the set period is greater than the preset threshold. This avoids classifying a normal user as a malicious access user while preventing malicious access users from crawling the application system's data, so normal users can still obtain data and user experience is improved. In addition, the application system acquires its restricted objects from the identification system and stores them locally. When an access request is detected, the application system matches the access user against the stored restricted objects and rejects the request once the access user is determined to be a restricted object of the application system. This improves the efficiency with which the application system identifies malicious access users, ensures normal use of the application system, and ensures data security.
Optionally, the method further comprises:
after the application system determines that the access user is not the restricted object of the application system, the access request is executed, and the access request is fed back to the identification system; the identification system is used for updating the restriction object of the application system according to each access request fed back by the application system.
In this technical scheme, when the access user is determined not to be among the restricted objects, the access user is allowed to access the application system, so that normal users can access the application system and obtain its data as usual, which improves user experience. In addition, the access request information of the access user is synchronized to the identification system, so that the identification system can judge, according to a preset identification policy, whether the number of page numbers of the application system's paged resources accessed by the access user is greater than or equal to a preset threshold and thereby identify whether the access user is a restricted object. This supports the subsequent judgment of whether the access user is accessing the application system maliciously.
Optionally, the method further comprises:
the application system receives an updating instruction sent by the identification system;
the application system updates a locally stored blacklist of the application system according to the updating indication; the black list of the application system is recorded with the restriction object of the application system.
In the technical scheme, the blacklist of the locally stored application system can be timely and accurately updated according to the updating indication sent by the identification system, so that support is provided for the application system to timely and accurately identify the malicious access user.
Optionally, before the application system determines whether an access user corresponding to the access request is a restricted object of the application system, the method further includes:
and after the application system is started, obtaining the blacklist of the application system from the identification system or obtaining the blacklist of the application system from a database when the identification system is not started.
In this technical scheme, when the identification system is not started, the blacklist can be obtained from the database; when the identification system is started, the blacklist can be obtained in real time through the communication interface of the identification system. The application system can therefore obtain the blacklist promptly, which supports it in judging promptly and accurately whether an access user is a restricted object.
In a second aspect, the present invention provides a malicious access identification method, including:
the identification system acquires access requests sent by each application system;
for any application system, the identification system counts the access requests of the same access user to the paged resources of the application system within a set period; if the number of distinct page numbers in the access requests for the paged resources is greater than a preset threshold, the access user is determined to be a restricted object of the application system; the restricted object of the application system is used by the application system as a basis for rejecting access requests;
the identification system notifies the application systems to update their respective restricted objects.
In this technical scheme, for any application system, the restricted object is determined by counting the page numbers of the application system's paged resources accessed by the same access user within a set period and finding that the count is greater than or equal to the preset threshold. This avoids classifying a normal user as a malicious access user while preventing malicious access users from crawling the application system's data, so normal users can still obtain data and user experience is improved. Each application system is then notified to update its restricted objects, so that it can determine from the updated restricted objects whether an access user is a restricted object. In addition, since restricted objects are determined per application system, a user who is a restricted object of one application system can still access any other application system whose restricted objects do not include that user.
Optionally, the counting access requests of the same access user to the paged resources of the application system within a set period includes:
the identification system sorts the page numbers related to the access requests of the paging resources according to the page number sequence;
if the number of pages for different page numbers in the access request of the paged resource is greater than a preset threshold, determining that the access user is a restricted object of the application system, including:
and if the identification system determines that the sorted page numbers are continuously increasing and the number of page numbers is greater than a first preset threshold, determining that the access user is a restricted object of the application system.
In this technical scheme, the page numbers of the paged resources are stored in sorted order rather than in the order in which the user requested them, so the identification system can identify the user quickly and accurately even if the user accesses the page numbers out of order. That is, when the sorted page numbers are determined to be continuously increasing, whether the access user is a restricted object can be determined accurately from the relationship between the number of page numbers and the first preset threshold. This improves the efficiency with which malicious access users are identified, ensures normal use of the application system, and ensures data security.
Optionally, the method further comprises:
and if the identification system determines that the sorted page numbers are not continuously increasing and the number of page numbers is greater than a second preset threshold, determining that the access user is a restricted object of the application system.
In this technical scheme, when the sorted page numbers are determined not to be continuously increasing, that is, when the page numbers of the paged resources accessed by the user do not show a continuous increase, whether the access user is a restricted object can be determined accurately from the relationship between the number of page numbers and the second preset threshold. This improves the efficiency with which abnormal access users are identified, ensures normal use of the application system, and ensures data security.
Optionally, the notifying, by the identification system, the application systems to update their respective restriction objects includes:
the identification system stores the updated restriction objects of each application system in a message queue and sends the restriction objects to each application system;
the recognition system periodically updates the restriction objects of the application systems in the database.
In this technical scheme, the updated restricted objects of each application system are stored in a message queue so that the application systems can acquire them promptly, or the restricted objects of each application system are periodically updated in the database so that the application systems can acquire them from the database promptly. This supports the application systems in subsequently identifying malicious access users quickly and accurately.
In a third aspect, the present invention further provides a malicious access identification apparatus, including:
the determining unit is used for determining whether an access user corresponding to the access request is a limiting object of the application system; the limiting object of the application system is determined by the identification system according to the condition that the access user meets the preset condition; the preset condition is that the number of pages of different page numbers of the paging resources of the application system accessed by the access user in a set period of time is greater than a preset threshold value;
and the first processing unit is used for refusing the access request after determining that the access user is a restricted object of the application system.
Optionally, the first processing unit is further configured to:
after the access user is determined not to be the limiting object of the application system, executing the access request, and feeding back the access request to the identification system; the identification system is used for updating the restriction object of the application system according to each access request fed back by the application system.
Optionally, the first processing unit is further configured to:
receiving an updating indication sent by the identification system;
updating a locally stored blacklist of the application system according to the update indication; the black list of the application system is recorded with the restriction object of the application system.
Optionally, the first processing unit is further configured to:
and after the application system is started, acquiring the blacklist of the application system from the identification system or acquiring the blacklist of the application system from a database when the application system is not started.
In a fourth aspect, the present invention further provides a malicious access identification apparatus, including:
the acquisition unit is used for acquiring the access requests sent by each application system;
the second processing unit is used for counting, for any application system, the access requests of the same access user to the paged resources of the application system within a set period; if the number of distinct page numbers in the access requests for the paged resources is greater than a preset threshold, determining that the access user is a restricted object of the application system; the restricted object of the application system is used by the application system as a basis for rejecting access requests; and notifying the application systems to update their respective restricted objects.
Optionally, the second processing unit is specifically configured to:
sorting the page numbers related to the access requests of the paging resources according to the order of the page numbers;
the second processing unit is specifically configured to:
and if the sequenced page numbers are determined to be continuously increased and the number of the page numbers is greater than a first preset threshold value, determining that the access user is a restricted object of the application system.
Optionally, the second processing unit is further configured to:
and if the sequenced pages are determined to be discontinuously increased and the number of the pages is greater than a second preset threshold value, determining that the access user is a restricted object of the application system.
Optionally, the second processing unit is specifically configured to:
storing the updated limit object of each application system in a message queue and sending the message queue to each application system;
and periodically updating the limiting objects of the application systems in the database.
In a fifth aspect, the present invention provides a computing device comprising:
a memory for storing a computer program;
and the processor is used for calling the computer program stored in the memory and executing the malicious access identification method according to the obtained program.
In a sixth aspect, the present invention provides a computer-readable storage medium storing a computer-executable program for causing a computer to execute a malicious access identification method.
Drawings
In order to illustrate the technical solutions in the embodiments of the present invention more clearly, the drawings used in the description of the embodiments are briefly introduced below. The drawings described below show only some embodiments of the present invention, and those skilled in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic diagram of a system architecture according to an embodiment of the present invention;
Fig. 2 is a schematic flowchart of a malicious access identification method according to an embodiment of the present invention;
Fig. 3 is a schematic diagram illustrating an identification system determining a blacklist corresponding to each application system according to an embodiment of the present invention;
Fig. 4 is a schematic diagram illustrating that an application system identifies an access user according to an embodiment of the present invention;
Fig. 5 is a schematic structural diagram of a malicious access identification apparatus according to an embodiment of the present invention;
Fig. 6 is a schematic structural diagram of another malicious access identification apparatus according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention clearer, the present invention will be described in further detail with reference to the accompanying drawings, and it is apparent that the described embodiments are only a part of the embodiments of the present invention, not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Fig. 1 is a system architecture provided in an embodiment of the present invention. As shown in fig. 1, the system architecture may be a server 100 including a processor 110, a communication interface 120, and a memory 130.
The communication interface 120 is used for communicating with a terminal device, and transceiving information transmitted by the terminal device to implement communication.
The processor 110 is a control center of the server 100, connects various parts of the entire server 100 using various interfaces and lines, performs various functions of the server 100 and processes data by running or executing software programs and/or modules stored in the memory 130 and calling data stored in the memory 130. Alternatively, processor 110 may include one or more processing units.
The memory 130 may be used to store software programs and modules, and the processor 110 executes various functional applications and data processing by operating the software programs and modules stored in the memory 130. The memory 130 may mainly include a storage program area and a storage data area, wherein the storage program area may store an operating system, an application program required for at least one function, and the like; the storage data area may store data created according to a business process, and the like. Further, the memory 130 may include high speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other volatile solid state storage device.
It should be noted that the structure shown in fig. 1 is only an example, and the embodiment of the present invention is not limited thereto.
Based on the above description, fig. 2 exemplarily shows a flow of a malicious access identification method provided by an embodiment of the present invention, and the flow may be performed by a malicious access identification apparatus.
As shown in fig. 2, the process specifically includes:
Step 201, the identification system obtains an access request sent by an application system.
Step 202, the identification system counts the access requests of the same access user to the paging resources of the application system in a set time period; and if the number of the pages aiming at different pages in the access request of the paging resource is greater than a preset threshold, determining that the access user is a restricted object of the application system.
Step 203, the recognition system notifies the application system to update the restriction object of the application system.
Step 204, the application system determines whether the access user corresponding to the access request is a restricted object of the application system.
Step 205, after determining that the accessing user is the restricted object of the application system, the application system rejects the accessing request.
In the embodiment of the invention, for a distributed system, to judge whether a user's access to an application system is legitimate, one system in the distributed system needs to be selected to act as a dedicated identification system, so that malicious access users are identified uniformly through the identification system, which simplifies management and saves developer effort. If each application system identified malicious access users independently, development would be more difficult, developer workload would increase greatly, and the separate identification logic would be harder for administrators to manage. In addition, the identification system may be an independent physical server, a server cluster formed by a plurality of physical servers, or a cloud server providing basic cloud computing services such as cloud services, cloud databases, cloud computing, cloud storage, network services, cloud communication, middleware services, security services, and big data and artificial intelligence platforms. It should be noted that, in the specific implementation of the embodiment of the present invention, the identification system is a server cluster formed by a plurality of physical servers, which ensures high availability of the identification system and avoids failure of the identification system due to a single server failure.
In step 201, for any application system, when any access user initiates an access request to the application system, the application system sends the access request of the access user to the identification system for caching after identifying the access request of the access user.
It should be noted that, until the access user is determined to be a restricted object, each time the application system detects an access request initiated by the access user, it synchronizes the access request information to the identification system for storage, so that the identification system can analyze the access request information according to a preset identification policy and determine whether the access user is a restricted object.
In addition, it should be noted that URL (Uniform Resource Locator)-based access blocking by one application system must not affect the use of other application systems. That is, when a certain application system blocks a certain access user and prohibits that user from accessing its URLs, the other application systems have not blocked that user, and the user's access to their URLs should be unaffected. Therefore, the URLs of the application systems are designed so that there is no intersection between the URLs of different application systems. For example, as shown in fig. 3, if user A is banned by application system A but not by application system B, user A can still access application system B; likewise, if user A is banned by application system B but not by application system A, user A can still access application system A. In addition, after acquiring the access requests of the access users (such as user A, user B, user C, user D, and the like) to one or more application systems, the identification system caches those access requests, so that it can determine, according to the preset blocking rule conditions, whether each access user is a blacklist user of one or more of the application systems.
In step 202, for any application system, the restricted object of the application system is determined by the identification system when the number of distinct page numbers of the application system's paged resources accessed by the access user within the set period is greater than the preset threshold. Specifically, the identification system first counts the access requests of the same access user to the paged resources of the application system within the set period. It then sorts the page numbers involved in those access requests in page order and determines whether the sorted page numbers are continuously increasing and whether the number of page numbers is greater than or equal to a first preset threshold. When the sorted page numbers are continuously increasing and their number is greater than or equal to the first preset threshold, the access user is determined to be a restricted object of the application system, and the restricted object is sent to the application system. If the sorted page numbers are not continuously increasing, the identification system determines whether the number of page numbers is greater than or equal to a second preset threshold; when it is, the access user is determined to be a restricted object of the application system, and the restricted object is sent to the application system.
In addition, whether the access user is a restricted object of the application system may be determined according to whether the ratio of the number of page numbers accessed to the total number of pages of the paged resource is greater than or equal to a set threshold; when the ratio is greater than or equal to the set threshold, the access user is determined to be a restricted object of the application system, and the restricted object is sent to the application system. The second preset threshold is greater than the first preset threshold, and both can be set according to the actual application scenario. The set threshold is a proportional value determined from the ratio of the second preset threshold to the total number of pages of the paged resource. The set period may be set according to the actual application scenario or specific requirements, for example 5 seconds, 10 seconds, 30 seconds, 1 minute, 2 minutes, 1 day, or 2 days, and is not specifically limited.
Specifically, to determine whether user A is crawling a certain paged resource of application system A (for example, a paged resource with 30 pages in total), the identification system uses a caching technology (for example, a local cache that stores data on a hard disk or in local memory) to cache and sort the page numbers of that paged resource accessed by user A within a certain period (for example, within 2 minutes). It then performs statistics on the sorted page numbers: it determines whether they are continuously increasing, calculates the maximum continuously increasing subset of the sorted page numbers (that is, the number of pages in the longest run of consecutive page numbers accessed), and determines whether the size of that subset is greater than or equal to a first preset threshold (for example, 8 pages). If the maximum continuously increasing subset (for example, a longest run of 11 consecutive pages) is determined to be greater than the first preset threshold, the identification system determines that user A is crawling the paged resource of application system A, adds user A to the blacklist, and then notifies application system A through a message queue so that application system A blocks user A. Of course, the identification system may also store the cached blacklist users in the database periodically (for example, but not limited to, every 10 minutes, 15 minutes, 20 minutes, 1 day, or 2 days), so that application system A can obtain the blacklist user data from the database promptly and effectively.
In addition, when the sorted page numbers of the paged resource are found not to increase continuously (that is, the pages of the paged resource accessed by user A are not consecutive), the identification system determines whether the number of pages of the paged resource accessed by user A is greater than or equal to a second preset threshold (e.g. 15 pages). Alternatively, it may determine whether user A is a restricted object of application system A according to whether the ratio of the number of pages accessed by user A to the total number of pages of the paged resource is greater than or equal to a set threshold (e.g. 0.5). If the number of pages accessed by user A (e.g. 18 pages) is greater than the second preset threshold, or the ratio of the number of pages accessed by user A (e.g. 18 pages) to the total number of pages of the paged resource (e.g. 0.6) is greater than the set threshold (e.g. 0.5), the identification system determines that user A is crawling the paged resource of application system A, adds user A to the blacklist, and notifies application system A through a message queue so that application system A can block user A. The identification system may also periodically (for example, every 10 minutes, 15 minutes, 20 minutes, 1 day, or 2 days, without limitation) store the cached blacklist in the database, so that application system A can obtain the blacklist from the database in a timely and effective manner.
Furthermore, suppose user A is unblocked after being blocked by application system A. If, after being unblocked, the number of pages of a paged resource of the application system that user A accesses again satisfies the blocking rule conditions under which the identification system determines a user to be a restricted object (that is, the two conditions above by which the identification system determines whether an access user is a restricted object), user A is added to the blacklist again and blocked by application system A again. If this repeats until the number of times user A has been blocked is greater than or equal to a preset number threshold, user A is permanently blocked by application system A. For example, when the number of times user A has been blocked (e.g. 6 times) is greater than the preset number threshold (e.g. 5 times), application system A permanently blocks user A, so that user A is permanently prohibited from accessing all paged resources of application system A, or from accessing application system A at all.
It should be noted that the three preset blocking rule conditions are used together, and that the first preset threshold, the second preset threshold, and the third preset threshold should be set reasonably according to the amount of site resources (the paged resources of application system A, or the page-count information of a paged resource of application system A). This can greatly improve the operating efficiency of application system A and protect its paged resources. In addition, if the preset identification strategy is later adjusted or upgraded, only the identification system needs to be modified and configured with the new rules; adjusting or upgrading the preset blocking rule conditions does not affect the use of the other application systems.
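The three blocking rules described above, sketched as an added Python example; it is not code from the patent. The class, function and rule names and the choice to keep the ban counter in the identification system are assumptions, the thresholds are the example values from the text, and comparisons use "greater than or equal to".

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Rules:
    window_s: float = 120.0       # set period (2 minutes in the worked example)
    first_threshold: int = 8      # longest run of consecutive page numbers
    second_threshold: int = 15    # distinct pages when access is not consecutive
    ratio_threshold: float = 0.5  # distinct pages / total pages of the resource
    ban_limit: int = 5            # number of bans at which a ban becomes permanent


def longest_consecutive_run(pages):
    """Size of the largest subset p, p+1, p+2, ... of the distinct page numbers."""
    best = run = 0
    prev = None
    for p in sorted(set(pages)):
        run = run + 1 if prev is not None and p == prev + 1 else 1
        best = max(best, run)
        prev = p
    return best


def evaluate(pages, total_pages, rules=Rules()):
    """Name of the blocking rule met by one user's pages in the window, or None."""
    distinct = set(pages)
    if longest_consecutive_run(distinct) >= rules.first_threshold:
        return "consecutive"
    if len(distinct) >= rules.second_threshold:
        return "volume"
    if total_pages and len(distinct) / total_pages >= rules.ratio_threshold:
        return "ratio"
    return None


class IdentificationSystem:
    """Hypothetical class; where the ban counter lives is an assumption."""

    def __init__(self, total_pages, rules=Rules()):
        self.rules = rules
        self.total_pages = total_pages      # {(app, resource): total page count}
        self.hits = defaultdict(deque)      # (app, user, resource) -> (ts, page)
        self.ban_counts = defaultdict(int)  # (app, user) -> times banned
        self.blacklist = defaultdict(set)   # app -> users currently banned
        self.permanent = defaultdict(set)   # app -> users banned for good
        self.queue = []                     # stand-in for the message queue

    def observe(self, app, user, resource, page, ts):
        """Handle one access copy fed back by an application system.

        Timestamps are seconds and assumed non-decreasing per user.
        """
        if user in self.blacklist[app]:
            return None
        window = self.hits[(app, user, resource)]
        window.append((ts, page))
        while window[0][0] <= ts - self.rules.window_s:
            window.popleft()                # forget hits outside the set period
        reason = evaluate((p for _, p in window),
                          self.total_pages.get((app, resource)), self.rules)
        if reason:
            self._ban(app, user, reason)
        return reason

    def _ban(self, app, user, reason):
        self.blacklist[app].add(user)
        self.ban_counts[(app, user)] += 1
        permanent = self.ban_counts[(app, user)] >= self.rules.ban_limit
        if permanent:
            self.permanent[app].add(user)
        for key in [k for k in self.hits if k[:2] == (app, user)]:
            del self.hits[key]              # an unblocked user starts from zero
        self.queue.append({"app": app, "user": user,
                           "reason": reason, "permanent": permanent})

    def unblock(self, app, user):
        """Lift a temporary ban. Returns False for permanent or unknown bans."""
        if user in self.permanent[app] or user not in self.blacklist[app]:
            return False
        self.blacklist[app].discard(user)
        return True


if __name__ == "__main__":
    # Constructed trace: user A walks pages 1..11 of a 30-page resource, 1 s apart.
    ids = IdentificationSystem({("A", "M1"): 30})
    for page in range(1, 12):
        print(page, ids.observe("A", "userA", "M1", page, ts=float(page)))
    print(ids.queue)
```

With streaming evaluation the consecutive rule fires on the 8th consecutive page, so the 11-page run in the text is cut off early once the application system enforces the blacklist.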
In step 203, after determining the restricted object, the identification system notifies each application system to update its restricted object. Specifically, when notifying an application system to update its restricted object, the identification system may store the updated restricted object in a message queue and send it to the application system, or may periodically update the application system's restricted object in the database so that the application system obtains it from the database.
In step 204 and step 205, when it is determined that the restriction object corresponding to each application system is updated, each application system may obtain the updated restriction object from each application system in real time, or may obtain the updated restriction object from the database, and when it is determined that the restriction object corresponding to each application system is not updated, each application system may obtain the restriction object from the database. Of course, the identification system may also actively issue the updated restriction object corresponding to each application system.
In addition, before the application system determines whether the access user corresponding to the access request is a restricted object of the application system, it needs to obtain its blacklist (i.e., its restricted objects) from the identification system or the database. The application system may obtain the blacklist in two ways: after the application system is started, it may obtain its blacklist from the identification system, or, when the identification system is not started, it may obtain its blacklist from the database. Specifically, each application system interacts with the identification system to obtain its blacklist in two ways. One is the initialization process, which pulls the full blacklist; if the identification system is unavailable during initialization (for example, a network failure prevents communication), the application system can try to load the blacklist from the database. The other is adding blacklisted users in real time through a message queue. For obtaining the blacklist during the initialization process of each application system, the cases are as follows.
In the first case: application system A starts; because the identification system has not been started yet, application system A fails to pull the blacklist through the interface of the identification system, so it pulls the blacklist from the database instead, and application system A starts successfully after the blacklist is loaded successfully.
In the second case: application system A starts while the identification system is already started; application system A successfully pulls the blacklist through the interface of the identification system, the blacklist is loaded successfully, and application system A starts successfully.
In the third case: application system A starts, but the identification system or the database cannot be connected because of a network fault, so loading the blacklist fails, application system A fails to start, and application system A automatically goes offline.
For any application system, the application system determines whether the access user corresponding to the access request is a restricted object of the application system. If the access user is a restricted object of the application system, the access request is rejected. If the access user is not a restricted object of the application system, the access request is executed and fed back to the identification system, which updates the restricted objects of the application system according to each access request fed back by the application system. After receiving an update indication sent by the identification system, the application system updates its locally stored blacklist according to the update indication; the blacklist of the application system records the restricted objects of the application system.
Specifically, for example, as shown in fig. 4, user A initiates an access request to the M1 module resource in application system A with the access URL /A/M1?page=1. Application system A compares the request with its own cached blacklist, finds that user A is not in the blacklist, attempts to send a copy of the access information to the identification system, and releases user A's access request. User B initiates an access request to the M1 module resource in application system B with the access URL /B/M1?page=1; application system A compares the request with its own cached blacklist, finds that user B is in the blacklist, and rejects user B's access request. After user C initiates access requests to the M1 module resource in application system A many times within a short time, a preset blocking rule condition in the identification system is triggered and user C is pushed to the blacklist of application system A. When user C then accesses again with the URL /A/M1?page=23, application system A compares the request with its own cached blacklist, finds that user C is in the blacklist, and rejects user C's access request.
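The application-side behaviour described above (initial blacklist pull with database fallback, failed startup when neither source loads, per-request check, real-time updates), as an added Python example that is not part of the patent. The fetch and feedback callables, the message fields and the 403/200 return values are assumptions, and treating the feedback copy as best effort is one reading of "attempts to send".

```python
class SourceUnavailable(Exception):
    """Raised by a fetch or send callable when its backend cannot be reached."""


class StartupError(Exception):
    """No blacklist source could be loaded, so the application must not serve."""


def load_blacklist(fetch_from_identification, fetch_from_database):
    """Full pull at initialization: identification system first, then database.

    Returns (blacklist, source_name). Raises StartupError when both fail.
    """
    failures = []
    for name, fetch in (("identification", fetch_from_identification),
                        ("database", fetch_from_database)):
        try:
            return set(fetch()), name
        except SourceUnavailable as exc:
            failures.append(f"{name}: {exc}")
    raise StartupError("blacklist not loaded (" + "; ".join(failures) + ")")


class ApplicationSystem:
    """Hypothetical application-side gate; all names here are assumptions."""

    def __init__(self, name, fetch_from_identification, fetch_from_database,
                 send_copy):
        self.name = name
        self.send_copy = send_copy  # feeds access copies to the identification system
        # Startup fails here (StartupError) rather than serving with no blacklist.
        self.blacklist, self.loaded_from = load_blacklist(
            fetch_from_identification, fetch_from_database)

    def apply_update(self, message):
        """Consume one message-queue update; ignore updates for other systems."""
        if message.get("app") == self.name:
            self.blacklist.add(message["user"])

    def handle(self, user, resource, page):
        """Return an HTTP-style status for one access request."""
        if user in self.blacklist:
            return 403                       # restricted object: reject
        try:
            self.send_copy({"app": self.name, "user": user,
                            "resource": resource, "page": page})
        except SourceUnavailable:
            pass                             # feedback is best effort
        return 200                           # release the request


if __name__ == "__main__":
    # Constructed scenario: identification system down, database holds user B.
    def identification_down():
        raise SourceUnavailable("identification system not started")

    copies = []
    app = ApplicationSystem("A", identification_down, lambda: ["userB"],
                            copies.append)
    print(app.loaded_from, app.handle("userA", "M1", 1), app.handle("userB", "M1", 1))
    app.apply_update({"app": "A", "user": "userC"})
    print(app.handle("userC", "M1", 23), copies)
```

The asymmetry is deliberate: a missing blacklist at startup stops the service, while a failed feedback copy at request time does not block a legitimate user.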
This embodiment shows that, because the identification system determines the restricted object according to whether the number of different page numbers of the application system's paged resources accessed by the access user within the set period is greater than the preset threshold, normal users are not mistaken for malicious access users, malicious access users are prevented from crawling the application system's data, normal users can obtain data normally, and the user experience is improved. In addition, the application system obtains its restricted objects from the identification system and stores them locally, so that when it detects an access request it matches the access user against the restricted objects, judges whether the access user is among them, and rejects the access request once the access user is determined to be a restricted object of the application system. This improves the efficiency with which the application system identifies malicious access users, ensures normal use of the application system, and ensures data security.
Based on the same technical concept, fig. 5 exemplarily illustrates a malicious access identification apparatus provided by an embodiment of the present invention, and the apparatus may perform a flow of the malicious access identification method.
As shown in fig. 5, the apparatus includes:
a determining unit 501, configured to determine whether an access user corresponding to the access request is a restricted object of the application system; the restricted object of the application system is determined by the identification system when the access user meets a preset condition; the preset condition is that the number of different page numbers of the paged resources of the application system accessed by the access user within a set period is greater than a preset threshold;
a first processing unit 502, configured to deny the access request after determining that the accessing user is a restricted object of the application system.
Optionally, the first processing unit 502 is further configured to:
after the access user is determined not to be a restricted object of the application system, executing the access request, and feeding back the access request to the identification system; the identification system is used for updating the restricted object of the application system according to each access request fed back by the application system.
Optionally, the first processing unit 502 is further configured to:
receiving an updating indication sent by the identification system;
updating a locally stored blacklist of the application system according to the update indication; the blacklist of the application system records the restricted object of the application system.
Optionally, the first processing unit 502 is further configured to:
after the application system is started, acquiring the blacklist of the application system from the identification system, or acquiring the blacklist of the application system from a database when the identification system is not started.
Based on the same technical concept, fig. 6 exemplarily shows another malicious access identification apparatus provided by the embodiment of the present invention, which may perform a flow of the malicious access identification method.
As shown in fig. 6, the apparatus includes:
an obtaining unit 601, configured to obtain access requests sent by each application system;
a second processing unit 602, configured to count, for any application system, access requests of the same access user to paged resources of the application system within a set time period; if the number of different page numbers targeted by the access requests for the paged resource is greater than a preset threshold, determine that the access user is a restricted object of the application system; the restricted object of the application system is used by the application system as a basis for rejecting the access request; and notify the application systems to update their respective restricted objects.
Optionally, the second processing unit 602 is specifically configured to:
sorting the page numbers related to the access requests of the paging resources according to the order of the page numbers;
the second processing unit 602 is specifically configured to:
if the sorted page numbers are determined to increase continuously and the number of page numbers is greater than a first preset threshold, determining that the access user is a restricted object of the application system.
Optionally, the second processing unit 602 is further configured to:
if the sorted page numbers are determined not to increase continuously and the number of page numbers is greater than a second preset threshold, determining that the access user is a restricted object of the application system.
Optionally, the second processing unit 602 is specifically configured to:
storing the updated limit object of each application system in a message queue and sending the message queue to each application system;
and periodically updating the limiting objects of the application systems in the database.
Based on the same technical concept, an embodiment of the present invention provides a computing device, including:
a memory for storing a computer program;
a processor for calling the computer program stored in the memory and executing the malicious access identification method according to the obtained program.
Based on the same technical concept, an embodiment of the present invention provides a computer-readable storage medium storing a computer-executable program for causing a computer to execute a malicious access identification method.
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While preferred embodiments of the present invention have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. Therefore, it is intended that the appended claims be interpreted as including preferred embodiments and all such alterations and modifications as fall within the scope of the invention.
It will be apparent to those skilled in the art that various changes and modifications may be made in the present invention without departing from the spirit and scope of the invention. Thus, if such modifications and variations of the present invention fall within the scope of the claims of the present application and their equivalents, the present invention is also intended to include such modifications and variations.

Claims (12)

1. A malicious access identification method, comprising:
the application system determines whether an access user corresponding to the access request is a restricted object of the application system;
the application system refuses the access request after determining that the access user is a restricted object of the application system;
the restricted object of the application system is determined by the identification system when the access user meets a preset condition; the preset condition is that the number of different page numbers of the paged resources of the application system accessed by the access user within a set period is greater than a preset threshold.
2. The method of claim 1, wherein the method further comprises:
after the application system determines that the access user is not the restricted object of the application system, the access request is executed, and the access request is fed back to the identification system; the identification system is used for updating the restriction object of the application system according to each access request fed back by the application system.
3. The method of claim 1, wherein the method further comprises:
the application system receives an updating instruction sent by the identification system;
the application system updates a locally stored blacklist of the application system according to the update indication; the blacklist of the application system records the restricted object of the application system.
4. The method of claim 1, before the application system determines whether the access user corresponding to the access request is a restricted object of the application system, further comprising:
after the application system is started, obtaining the blacklist of the application system from the identification system, or obtaining the blacklist of the application system from a database when the identification system is not started.
5. A malicious access identification method, comprising:
the identification system acquires access requests sent by each application system;
for any application system, the identification system counts access requests of the same access user to the paged resources of the application system within a set period; if the number of different page numbers targeted by the access requests for the paged resource is greater than a preset threshold, the access user is determined to be a restricted object of the application system; the restricted object of the application system is used by the application system as a basis for rejecting the access request;
the recognition system notifies the application systems to update their respective restriction objects.
6. The method of claim 5, wherein the counting access requests of the same access user to the paged resources of the application system within a set period of time comprises:
the identification system sorts the page numbers related to the access requests of the paging resources according to the page number sequence;
the determining that the access user is a restricted object of the application system if the number of different page numbers targeted by the access requests for the paged resource is greater than a preset threshold comprises:
if the identification system determines that the sorted page numbers increase continuously and the number of page numbers is greater than a first preset threshold, determining that the access user is a restricted object of the application system.
7. The method of claim 6, wherein the method further comprises:
if the identification system determines that the sorted page numbers do not increase continuously and the number of page numbers is greater than a second preset threshold, determining that the access user is a restricted object of the application system.
8. The method of claim 5, wherein the identifying system notifies the application systems to update the respective restriction objects, comprising:
the identification system stores the updated restriction objects of each application system in a message queue and sends the restriction objects to each application system;
the recognition system periodically updates the restriction objects of the application systems in the database.
9. A malicious access recognition apparatus, comprising:
a determining unit, configured to determine whether an access user corresponding to the access request is a restricted object of the application system; the restricted object of the application system is determined by the identification system when the access user meets a preset condition; the preset condition is that the number of different page numbers of the paged resources of the application system accessed by the access user within a set period is greater than a preset threshold;
and the first processing unit is used for refusing the access request after determining that the access user is a restricted object of the application system.
10. A malicious access recognition apparatus, comprising:
the acquisition unit is used for acquiring the access requests sent by each application system;
a second processing unit, configured to count, for any application system, the access requests of the same access user to the paged resources of the application system within a set time period; if the number of different page numbers targeted by the access requests for the paged resource is greater than a preset threshold, determine that the access user is a restricted object of the application system; the restricted object of the application system is used by the application system as a basis for rejecting the access request; and notify the application systems to update their respective restricted objects.
11. A computing device, comprising:
a memory for storing a computer program;
a processor for calling a computer program stored in said memory and executing the method of any one of claims 1 to 8 in accordance with the obtained program.
12. A computer-readable storage medium, characterized in that the computer-readable storage medium stores a computer-executable program for causing a computer to execute the method of any one of claims 1 to 8.
CN202011173158.0A 2020-10-28 2020-10-28 Malicious access identification method, device, equipment and storage medium Pending CN112182629A (en)

Publications (1)

Publication Number Publication Date
CN112182629A true CN112182629A (en) 2021-01-05

Family

ID=73923525

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination