CN113051570A - Server access monitoring method and device - Google Patents

Server access monitoring method and device

Info

Publication number: CN113051570A
Authority: CN (China)
Prior art keywords: client, access, server, local area network
Legal status: Granted
Application number: CN202110574393.7A
Other languages: Chinese (zh)
Other versions: CN113051570B (en)
Inventor: 赵志强
Current assignee: Shenzhen Jihui Tiancheng Technology Co ltd
Original assignee: Shenzhen Jihui Tiancheng Technology Co ltd
Application filed by Shenzhen Jihui Tiancheng Technology Co ltd
Priority to CN202110574393.7A
Publication of CN113051570A
Application granted
Publication of CN113051570B
Legal status: Active

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/552 Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
    • G06F21/554 Detecting local intrusion or implementing counter-measures involving event detection and direct action
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention is applicable to the field of computers and provides a server access monitoring method and a server access monitoring device. By locking onto an abnormal local area network, the monitoring method can judge that all clients under that abnormal local area network constitute organized malicious attack behaviour and directly reject the access of all of them, so that the other clients under that local area network need not be monitored and verified one by one.

Description

Server access monitoring method and device
Technical Field
The invention belongs to the field of computers, and particularly relates to a server access monitoring method and device.
Background
A remote access server connects a computer on the internet to a remote access server inside a local area network, establishing a virtual private line between the remote access server and a remote access client (such as a commonly used notebook or desktop computer) so that the client can access the remote access server directly; once connected, the client can access the remote access server and the local area network in which it is located, and so obtain data resources in that network.
The remote access service allows a client to log onto a network through a dial-up connection or a virtual private connection, and the remote access server has to confirm the client each time it accesses the remote server. In actual use, some organizations operate many machines to access the server maliciously and frequently; the server must keep verifying the identity of each client, so the amount of information the server processes in the same period rises sharply. The existing monitoring method monitors the access of each client and limits the number of times a client may access in unit time.
However, for malicious access by a large number of organized clients, verifying the malicious clients one by one among all clients is inefficient and one-dimensional: the server spends a long time processing verification information, the speed at which it processes other useful information drops greatly, and the server access monitoring device as a whole cannot handle and respond to the crisis quickly enough.
Disclosure of Invention
The embodiment of the invention provides a server access monitoring method and a server access monitoring device, aiming to solve the problems that verifying malicious access clients one by one among many clients is inefficient and one-dimensional, and that the server access monitoring device as a whole is not quick in handling and responding to a crisis.
The embodiment of the invention is realized in such a way that a server access monitoring method comprises the following steps:
analyzing the identity information of the client which is judged to be maliciously accessed to obtain the client IP address of the maliciously accessed client;
extracting the field representing the local area network from the client IP address, and completing the extracted field to set it as the address information of an abnormal local area network;
monitoring a client under an abnormal local area network;
and when the number of the clients with malicious access in the same local area network is larger than a first threshold value, rejecting the access of all the clients in the abnormal local area network.
As an improved scheme of the present invention, the monitoring of the client under the abnormal local area network specifically includes:
when a client in an abnormal local area network accesses a server, calculating the time interval value of the client for accessing the server once and quitting the server;
and when the time interval value is smaller than the minimum access duration, directly storing the identity information of the client that sent the access request into the access blacklist information, and counting the number of malicious access clients in the same local area network.
As another improvement of the present invention, before the analyzing the identity information of the client determined as the malicious access client and obtaining the client IP address of the malicious access client, the method further includes:
identifying the client identity information of the client accessing the server, and counting the number of times the client accesses the server in unit time;
judging whether the final count value in unit time is greater than the access-count threshold;
and when the final count value in unit time is greater than the access-count threshold, judging that the client is a malicious access client and rejecting the access request of the client.
As another improvement of the present invention, after rejecting the client's request to continue accessing when the final count value in unit time is greater than the access-count threshold, the method further includes:
storing the identity information of the client which is denied access into access blacklist information;
when a request of the client for accessing the server is received again, comparing the client identity information with the access blacklist information;
and when the comparison result shows that the client identity information is in the access blacklist information, rejecting the access request of the client.
As a further aspect of the present invention, the method further comprises:
receiving an application request for removing the limitation sent by a client;
verifying the identity information of the client and judging whether the identity information of the client is in the access blacklist information;
when the identity information of the client is verified to be valid and the identity information of the client is in the access blacklist information, an application channel is opened to the client;
receiving client identity authentication information submitted by a client from the application channel;
when the identity verification information is verified to be correct, the client identity information is removed from the access blacklist information.
As an optimization scheme of the invention, the client authentication information comprises at least one of video authentication information and voice authentication information, and the client also needs to submit misoperation proof information to the application channel.
A server access monitoring apparatus comprising:
the IP address analysis module is used for analyzing the identity information of the client which is judged to be maliciously accessed to obtain the client IP address of the maliciously accessed client;
the abnormal local area network address integration module is used for extracting the field representing the local area network in the IP address of the client and setting the extracted field as the address information of the abnormal local area network;
the abnormal local area network monitoring module is used for monitoring the client under the abnormal local area network;
and the judging module is used for rejecting the access of all clients in the abnormal local area network when the number of malicious access clients in the same local area network is greater than a first threshold value.
The abnormal local area network monitoring module comprises:
the timing unit is used for calculating the time interval value of the client for accessing the server once and quitting the server when the client under the abnormal local area network accesses the server;
and the counting unit is used for directly storing the identity information of the client sending the access request into the access blacklist information and counting the number of the malicious access clients in the same local area network when the time interval value is smaller than the minimum access duration.
The invention has the following beneficial effects. By analyzing the identity information of the client judged to be a malicious access client, the address information of the abnormal local area network in which that client is located is determined, and monitoring of the clients under the abnormal local area network is emphasized and strengthened; when the number of malicious access clients under that local area network is greater than a first threshold value, the access of all clients under the abnormal local area network is rejected. Having locked onto the abnormal local area network, the monitoring method need only monitor a few of its clients: if those are still malicious access clients, all clients under the abnormal local area network can be judged to be an organized malicious attack and their access rejected directly, with no need to monitor and verify the other clients in that local area network. A large amount of processing time is thereby saved, and the speed at which the server access monitoring device handles and responds to a crisis is improved.
Drawings
FIG. 1 is a schematic diagram of an implementation environment of a server access monitoring method;
FIG. 2 is a flow chart of monitoring of a client in a server access monitoring method;
FIG. 3 is a flow chart of monitoring clients in an abnormal local area network in a server access monitoring method;
FIG. 4 is a flow chart of a client complaint in a server access monitoring method;
FIG. 5 is a schematic diagram of the internal structure of a server access monitoring apparatus.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
Fig. 1 is a schematic diagram of an implementation environment of the server access monitoring method of the present invention. A server can be accessed by multiple clients simultaneously; the communication between client and server can run over a wireless or a wired network, and when it runs over a wireless network the clients can be distributed in different places or under different local area networks. In addition, one client can access several servers, and the actual geographic positions of those servers can differ. The way a client accesses the server is therefore not limited by geographical position to a certain extent, data can be searched for and transmitted conveniently, and the method is better in safety and convenience than ordinary mail transmission or transfer by mobile hard disk. For example, a worker away from the company needs important company files and, to prevent disclosure, does not want them transmitted by mail or other means; the worker can then connect a notebook computer to the remote access server and, through the virtual private network between the remote access server and the notebook, access the local area network in which the remote access server is located (the company local area network) and download the files.
Each server is provided with a server access monitoring device, and each client needs to be monitored by the server access monitoring device before accessing the server, wherein the purpose of monitoring is to find out a client with malicious access and limit the client to access the server again.
Fig. 2 shows a flow chart of monitoring a client in a server access monitoring method according to an embodiment of the present invention, which is detailed as follows:
Step S101: identify the client identity information of the client accessing the server, and count the number of times the client accesses the server in unit time. When a client wants to access the server, its identity information is confirmed and recorded in the historical access record. The unit time may be one minute, 10 minutes, one hour, or even one day, and is set according to the function and access frequency of the particular server: some servers need to be accessed frequently, on average once every 10 minutes, in which case the monitored unit time may be set to 10 minutes. The unit time is chosen so that the client's access requests are monitored as fully as possible within it while the client's normal access operations are not mistaken for malicious access.
Step S102: judge whether the final count value in unit time is greater than the access-count threshold. A threshold value, also called a critical value, is the lowest or highest value at which an effect is produced. For example, some servers need to be accessed once every 10 minutes on average, but occasionally three times in 10 minutes; if in, say, 99.9% of cases the number of accesses is three or fewer, the threshold can be set to 4. Most cases of a client normally accessing the server then fall within the threshold, and setting the access-count threshold to 4 achieves an effective monitoring effect.
Step S103: when the final count value in unit time is greater than the access-count threshold, the client has accessed the server too frequently in unit time, so the client can be judged to be a malicious access client; from then on, if the client wants to access the server again, the access monitoring device can deny its access request. The client is rejected to stop it from continuing to request access in the following period. A time limit can be set on the rejection command, for example rejecting the client's further access to the server for three days; this reduces the workload of the access monitoring device and the server to a certain extent and improves their information processing speed.
Step S104: store the client identity information of the client denied access into the access blacklist information.
Step S105: when a request from the client to access the server is received again, compare the client identity information with the access blacklist information. When a malicious client tries to access the server again after being denied, possibly after some time, repeating the steps above (counting, judging, identifying and rejecting) takes a long time, occupies the processing memory of the access monitoring device and lowers its information processing speed. To avoid this and raise the data processing speed of the access monitoring device, the identity information of the rejected malicious client is added directly to the access blacklist information, and when that client accesses again, or even when other clients access for the first time, their identity information is first compared one by one against the access blacklist information.
Step S106: when the comparison shows that the client identity information is in the access blacklist information, the client is denied access. This shortens the time the access monitoring device spends processing information, since the counting and judging steps can be omitted.
Step S107: when the final count value in unit time is smaller than the access-count threshold, or when the comparison shows that the client identity information is not in the access blacklist information, the client is allowed to continue accessing the server. After the client is allowed access, the number of times it accesses in unit time continues to be monitored and counted, and when that number exceeds the access-count threshold its identity information is still added to the access blacklist information, forming a complete closed monitoring loop with no monitoring omissions.
By setting a threshold on the number of accesses in unit time and monitoring the number of accesses of each single client in unit time, a client whose number of accesses to the server in unit time exceeds the preset access-count threshold is accessing the server too frequently in unit time, which is unreasonable. In general, after a client accesses a server it performs some operation there; if the server was accessed by mistake, it is not accessed again after exiting. The normal number of times one client accesses the server in unit time therefore cannot be very large, and under a given threshold, when the number of accesses by a single client in unit time is too large, the access can be judged directly to be malicious and the server access monitoring device can reject the client's access request directly. This reduces the amount of information the server handles in the same period, avoids the server running overloaded and failing to process the access requests of other remote clients in time, improves the user experience of the other clients, and is favourable for popularization of the server.
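As an added illustration of steps S101 to S107 (example code written for this page, not the patent's own implementation), the following Python class keeps a sliding unit-time window of access timestamps per client, blacklists a client whose count in the window exceeds the access-count threshold, checks the blacklist before counting on every later request, and lets the ban lapse after the rejection period. The unit time of 10 minutes, the threshold of 4 and the rejection period of three days are the illustrative figures from the description; identifying a client by an opaque string such as its IP address, and deciding as soon as the sliding window overflows rather than at the end of a fixed window, are simplifying assumptions of this example.

```python
"""Per-client access-count monitor for steps S101-S107.

Added example, not the patent's code. Assumed values (illustrative figures
from the description): unit time 10 minutes, access-count threshold 4,
rejection period 3 days. A client is identified by an opaque string.
"""
from collections import defaultdict, deque

UNIT_TIME = 600            # seconds: the 10-minute unit time (S101)
ACCESS_THRESHOLD = 4       # accesses per unit time considered normal (S102)
REJECT_PERIOD = 3 * 86400  # seconds a blacklisted client stays rejected (S103)


class AccessMonitor:
    def __init__(self, unit_time=UNIT_TIME, threshold=ACCESS_THRESHOLD,
                 reject_period=REJECT_PERIOD):
        self.unit_time = unit_time
        self.threshold = threshold
        self.reject_period = reject_period
        self.history = defaultdict(deque)  # client -> access timestamps in window
        self.blacklist = {}                # client -> expiry timestamp (S104)

    def _in_blacklist(self, client, now):
        """S105: blacklist lookup; a lapsed ban is dropped on first sight."""
        expiry = self.blacklist.get(client)
        if expiry is None:
            return False
        if now >= expiry:
            del self.blacklist[client]
            return False
        return True

    def check(self, client, now):
        """Return 'allow' or 'reject' for one access request at time `now`."""
        # S105/S106: compare against the blacklist first; no counting needed.
        if self._in_blacklist(client, now):
            return "reject"
        # S101: record this access, then drop timestamps older than unit time.
        window = self.history[client]
        window.append(now)
        while window and now - window[0] >= self.unit_time:
            window.popleft()
        # S102/S103: count above threshold -> malicious; blacklist with expiry.
        if len(window) > self.threshold:
            self.blacklist[client] = now + self.reject_period
            window.clear()
            return "reject"
        # S107: allowed; counting continues on the next request.
        return "allow"
```

A blacklist hit returns before any counting state is touched, which is the saving the description attributes to step S105; the sliding window also means a client that spreads its requests out never trips the threshold.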
Fig. 3 shows a flowchart for monitoring a client in an abnormal local area network in a server access monitoring method according to an embodiment of the present invention, which is detailed as follows:
after the client's access request is rejected because the final count value in unit time is greater than the access-count threshold, the method further comprises:
Step S201: analyze the identity information of the client whose access was rejected to obtain the IP address of that client.
The IP address is a uniform address format provided by the IP protocol, and a logical address is allocated to each network and each host on the Internet so as to shield the difference of physical addresses.
A very important aspect of the IP protocol is that each computer and other device on the internet is assigned a unique address, called the "IP address". Due to the unique address, the user can select the needed objects from thousands of computers efficiently and conveniently when operating on the networked computers.
A colloquial analogy: an IP address is like a home address. If you want to write to someone you need to know his or her address so that the carrier can deliver the letter. A computer sending a message is like a postman who must know the unique "home address" so as not to deliver the message to the wrong place; the only difference is that our addresses are written in words while computer addresses are written in binary digits.
An IP address gives a number to a computer on the network; it is routine for every PC connected to the network to have an IP address so that it can communicate properly. Alternatively, if a "personal computer" is compared with "a telephone", then the "IP address" is the equivalent of the "telephone number", and the routers in the network are the equivalent of the "stored-program-controlled exchange" of the telecommunications office.
Step S202 and step S203: extract the field representing the local area network from the client IP address, and complete the extracted field to set it as the address information of the abnormal local area network.
The internet is a very large local area network, and what is commonly called a local area network is a network within the same network segment. In general, for example, 192.168.1.1 and 192.168.1.3 are in the same network segment, so they can be judged to be in the same LAN.
However, actually determining whether two IP addresses are in the same LAN is more complicated than the above example:
first, look at the subnet mask: if the subnet masks of the two machines are not the same, they are not in one LAN;
if the subnet masks are the same, then see whether the segments of the IP addresses corresponding to the 255 parts of the subnet mask are the same; if so, the addresses belong to one subnet, i.e. one local area network.
For example, for the IP addresses 10.178.0.222 and 10.178.1.212 with subnet mask 255.255.0.0, each address is ANDed with the subnet mask (255 is FF in hexadecimal and 11111111 in binary): 10.178.0.222 AND 255.255.0.0 gives 10.178.0.0, and likewise 10.178.1.212 AND 255.255.0.0 gives 10.178.0.0, so the two addresses belong to one LAN.
But 10.178.0.222 and 10.178.1.212 do not belong to one LAN if their subnet mask is 255.255.255.0: ANDing the two IP addresses with the subnet mask gives 10.178.0.0 and 10.178.1.0 respectively, which clearly differ.
From the above, the local network segment in which the client is located can be derived from the client's IP address and the related information.
Step S204: monitor the clients under the abnormal local area network. The purpose of monitoring the local area network in which the malicious client is located is to prevent someone from deliberately organizing many clients to access the server irregularly and without pattern so as to paralyze the server or degrade its operation. Monitoring the local area network of the malicious client is also a reverse monitoring and early-warning means, so that abnormality of the server can be avoided and its stability improved.
Step S205: when a client in an abnormal local area network accesses the server, calculate the time interval between the client accessing the server once and exiting the server. Under normal conditions a client that accesses a server wants to satisfy some need on it, so after entering the server the client always performs some operation; even a simple query or check takes a certain time before the client exits. The time interval value is the time difference between the client's entry into and exit from the server.
Step S206: judge whether the time interval value is smaller than the minimum access duration. The minimum access duration is a fixed value preset in advance, which may be set to 3 seconds, 5 seconds, 10 seconds or the like. To catch genuine malicious access clients as far as possible, the minimum access duration can be set as small as possible, because a malicious access client sends access requests frequently, generally by running a program that repeatedly refreshes, and without such a limit it may access and exit the server many times per second.
Step S207: when the time interval value is smaller than the minimum access duration, combined with the fact that the client is located under an abnormal local area network, the probability that the client sending the access request is a malicious accessor can be judged to be very high. Its identity information can then be stored directly in the access blacklist information, and the number of malicious access clients under the same local area network is counted. The client sending the access request is thus refused access to the server, the possibility of a malicious access event is cut off as it occurs, the server is kept running well, and paralysis of the server is prevented.
Step S208: when the number of malicious access clients in the same local area network is greater than the first threshold value, reject the access of all clients in the abnormal local area network. The first threshold may be 3, 4, 5 or the like and is set according to the practical situation; it defines the maximum number of clients in one LAN that may be found accessing the server maliciously.
Step S209: when the time interval value is greater than the minimum access duration, the identity information of the client sending the access request is not stored directly in the access blacklist information, and the client is allowed to continue accessing the server.
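The following Python code is an added example (not the patent's own code) that carries steps S201 to S209 through in one piece together with the same-LAN rule from the subnet-mask discussion above: `lan_address` ANDs an address with its mask using the standard `ipaddress` module, `same_lan` applies the two-part rule (masks must match, then the masked network parts must match), and `AbnormalLanMonitor` times each session of a client in an abnormal LAN, blacklists the client when the session is shorter than the minimum access duration, and blocks the whole LAN once the count of malicious clients in it exceeds the first threshold. Assumptions not in the patent: each client reports an IP address and subnet mask; a session is one access followed by one exit; the client that first put the LAN under monitoring also counts toward that LAN's total; the 3-second minimum access duration and first threshold of 3 are the illustrative values from the description.

```python
"""Abnormal-LAN monitor for steps S201-S209, with the same-LAN check.

Added example, not the patent's code. Assumed: clients report (ip, mask);
a session is one access followed by one exit; minimum access duration 3 s
and first threshold 3 are the description's illustrative values.
"""
import ipaddress
from collections import defaultdict

MIN_ACCESS_DURATION = 3.0  # seconds (S206)
FIRST_THRESHOLD = 3        # malicious clients per LAN before the LAN is blocked (S208)


def lan_address(ip, mask):
    """S202/S203: AND the IP with its subnet mask to get the LAN address.
    ('10.178.0.222', '255.255.0.0') -> '10.178.0.0/16'."""
    return str(ipaddress.ip_network(f"{ip}/{mask}", strict=False))


def same_lan(ip_a, mask_a, ip_b, mask_b):
    """Two-part rule from the text: masks must match, then masked parts must match."""
    if mask_a != mask_b:
        return False
    return lan_address(ip_a, mask_a) == lan_address(ip_b, mask_b)


class AbnormalLanMonitor:
    def __init__(self, min_duration=MIN_ACCESS_DURATION, first_threshold=FIRST_THRESHOLD):
        self.min_duration = min_duration
        self.first_threshold = first_threshold
        self.abnormal_lans = set()             # LANs under focused monitoring (S204)
        self.blocked_lans = set()              # LANs whose every client is rejected (S208)
        self.blacklist = set()                 # client IPs in the access blacklist (S207)
        self.malicious_per_lan = defaultdict(set)
        self.open_sessions = {}                # client ip -> access timestamp (S205)

    def mark_malicious(self, ip, mask):
        """S201-S203: a client already judged malicious (e.g. by the per-client
        count) is blacklisted and its LAN is put under abnormal-LAN monitoring."""
        lan = lan_address(ip, mask)
        self.abnormal_lans.add(lan)
        self.blacklist.add(ip)
        self.malicious_per_lan[lan].add(ip)   # assumption: the trigger client counts
        self._check_lan(lan)
        return lan

    def _check_lan(self, lan):
        """S208: more malicious clients than the first threshold -> block the LAN."""
        if len(self.malicious_per_lan[lan]) > self.first_threshold:
            self.blocked_lans.add(lan)

    def on_access(self, ip, mask, now):
        """Decide 'allow' or 'reject' when a client opens an access."""
        lan = lan_address(ip, mask)
        if lan in self.blocked_lans or ip in self.blacklist:
            return "reject"
        if lan in self.abnormal_lans:
            self.open_sessions[ip] = now       # S205: start timing this session
        return "allow"

    def on_exit(self, ip, mask, now):
        """S205-S209: on exit, compare the session length with the minimum duration."""
        lan = lan_address(ip, mask)
        start = self.open_sessions.pop(ip, None)
        if start is None:
            return "not-monitored"             # client is not in an abnormal LAN
        if now - start < self.min_duration:    # S206/S207
            self.blacklist.add(ip)
            self.malicious_per_lan[lan].add(ip)
            self._check_lan(lan)
            return "blacklisted"
        return "normal"                        # S209
```

Note that once a LAN is blocked, `on_access` rejects even a client from that LAN whose own earlier session was normal, which is exactly the trade-off the abstract describes: the whole abnormal LAN is refused instead of verifying its remaining clients one by one.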
Fig. 4 shows a flow chart of client complaint in a server access monitoring method according to an embodiment of the present invention, which is detailed as follows:
Step S301: receive a restriction-removal application request sent by the client. A client may, because of network connectivity problems or other causes such as misoperation by unskilled personnel, access the server frequently and exit immediately within a certain period, be judged a malicious access client by the access monitoring device, and subsequently be unable to access the server again.
Step S302: the identity information of the client is verified and it is determined whether the identity information of the client is in the access blacklist information.
Step S303: when the identity information of the client is verified to be valid and the identity information of the client is in the access blacklist information, the client is allowed to complain, and an application channel is opened to the client.
Step S304: receiving the client identity authentication information submitted by the client through the application channel. The client authentication information includes at least one of video authentication information and voice authentication information. The client proves its legitimacy by recording information such as video or voice; the submitted video information also makes it possible to trace responsibility to the client if the same or a worse situation recurs. In addition, to make the verification rigorous, the client must also submit proof of misoperation to the application channel. This has the advantage of corroborating that the client's misoperation was genuine, and the added difficulty of complaining serves as a warning to the client, so that it takes more care in subsequent operation and avoids repeating the same misoperation.
Step S305: when the identity authentication information is verified to be correct, the client identity information is removed from the access blacklist information. The client making the complaint thereby regains the right to access the server. Adding the complaint function improves the rationality of the overall monitoring process, leaves a handling channel for unexpected situations, and compensates for possible flaws in the operation of the access monitoring device under a fixed monitoring procedure.
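Steps S301 to S305, as an added example of how a complaint handler can be implemented so that the channel is only opened to a valid, blacklisted client, nothing is removed until video or voice information plus misoperation proof has been submitted and verified, and the submission is retained for later responsibility tracing. This is illustrative code, not the patent's or the applicant's; the verifier callback, the client ids and the proof strings are constructed for the demonstration.

```python
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class ComplaintResult:
    status: str            # "rejected", "incomplete", "failed" or "removed"
    channel_opened: bool   # whether step S303 opened the application channel
    removed: bool          # whether step S305 removed the client from the blacklist


class ComplaintHandler:
    """Illustrative complaint processing: shares the blacklist with the saving
    step and talks to the client through the application channel."""

    def __init__(self, blacklist: set, known_clients: set,
                 verify_auth: Callable[[str, dict], bool]):
        self.blacklist = blacklist            # access blacklist information
        self.known_clients = known_clients    # client ids whose identity information is valid
        self.verify_auth = verify_auth        # checks the video/voice authentication information
        self.audit_log: list = []             # kept so that responsibility can be traced later

    def handle(self, client_id: str, auth_info: Optional[dict] = None,
               misoperation_proof: Optional[str] = None) -> ComplaintResult:
        # Step S302: verify identity and check whether the client is blacklisted at all.
        if client_id not in self.known_clients or client_id not in self.blacklist:
            self.audit_log.append((client_id, "rejected"))
            return ComplaintResult("rejected", channel_opened=False, removed=False)
        # Step S303: the channel is opened. Step S304 requires video or voice
        # information plus proof of misoperation before anything is verified.
        has_media = bool(auth_info) and bool(auth_info.keys() & {"video", "voice"})
        if not has_media or not misoperation_proof:
            self.audit_log.append((client_id, "incomplete"))
            return ComplaintResult("incomplete", channel_opened=True, removed=False)
        # Step S305: only a verified submission lifts the restriction.
        if self.verify_auth(client_id, auth_info):
            self.blacklist.discard(client_id)
            self.audit_log.append((client_id, "removed", misoperation_proof))
            return ComplaintResult("removed", channel_opened=True, removed=True)
        self.audit_log.append((client_id, "failed"))
        return ComplaintResult("failed", channel_opened=True, removed=False)


def voiceprint_matches(client_id: str, auth_info: dict) -> bool:
    """Constructed verifier: accepts a voice sample whose tag matches the client id."""
    return auth_info.get("voice") == f"voiceprint-{client_id}"


def run_demo() -> dict:
    """Walk a constructed blacklist through the four possible outcomes."""
    blacklist = {"c1", "c2"}
    known_clients = {"c1", "c2", "c9"}
    handler = ComplaintHandler(blacklist, known_clients, voiceprint_matches)
    return {
        "not_listed": handler.handle("c9").status,
        "no_proof": handler.handle("c1", {"voice": "voiceprint-c1"}).status,
        "ok": handler.handle("c1", {"voice": "voiceprint-c1"}, "screen-recording-001").status,
        "bad_media": handler.handle("c2", {"video": "unrelated-clip"}, "ticket-42").status,
        "blacklist_after": sorted(blacklist),
        "audit_entries": len(handler.audit_log),
    }


if __name__ == "__main__":
    print(run_demo())
```

Because the handler mutates the same set the saving step writes to, a successful complaint takes effect on the very next access check without any extra synchronization, which is the "information interaction" between the complaint processing module and the saving module that the description refers to.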
Fig. 5 is a schematic diagram illustrating an internal structure of a server access monitoring apparatus according to the present invention, where the apparatus includes:
The IP address resolution module 150 is configured to resolve the identity information of the client judged to be a malicious access client and obtain the client IP address of that malicious access client.
The abnormal local area network address integration module 160 is configured to extract the field representing the local area network from the client IP address and set the extracted field as the address information of the abnormal local area network.
The abnormal local area network monitoring module 170 is configured to monitor the clients in the abnormal local area network.
The determining module 180 is configured to determine that all clients in the abnormal local area network are to be denied access when the number of malicious access clients in the same local area network is greater than a first threshold value.
The abnormal local area network monitoring module specifically comprises:
The timer unit 171 calculates, when a client in the abnormal local area network accesses the server, the time interval value between the client accessing the server and the client quitting the server.
The counting unit 172 is configured, when the time interval value is smaller than the minimum access duration, to store the identity information of the client sending the access request directly in the access blacklist information and to count the number of malicious access clients in the same local area network.
The server access monitoring apparatus further includes:
The counting module 100 is configured to identify the identity information of the client accessing the server, count the number of times the client accesses the server in unit time, and send the final count value to the comparison module.
The comparison module 110 is configured to judge whether the final count value of the counting module in unit time is greater than the access count threshold value, and to send the comparison result to the limiting module.
The limiting module 120 is configured to receive the comparison result sent by the comparison module and to reject the access request of the client when the final count value of the counting module in unit time is greater than the access count threshold value.
These three modules pass information in sequence, so that the monitoring process proceeds smoothly.
The server access monitoring apparatus further includes:
The saving module 130 is configured to store the identity information of the client denied access in the access blacklist information.
The comparison module 140 is configured, when a request from the client to access the server is received again, to compare the client identity information with the access blacklist information and send the comparison result to the limiting module.
The limiting module 120 is further configured to receive the comparison result sent by the comparison module and to deny the access of the client when the comparison result shows that the client identity information is in the access blacklist information.
These three modules pass information in sequence, and the limiting module also passes the identity information of the malicious access client to the saving module, forming a closed loop that circulates continuously.
In addition, the server access monitoring apparatus further includes a complaint processing module 190 for executing the client complaint process. The complaint processing module 190 exchanges information with the saving module 130 and with the client.
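The counting, comparison, limiting and saving modules described above, combined into one illustrative object that shows the closed loop: a client whose access count in unit time exceeds the threshold is denied and written to the blacklist, and every later request from that client is denied by the blacklist comparison even after its rate has dropped. This is added example code, not the patent's or the applicant's; the unit time, the threshold and the request log are constructed assumptions, and the sliding window is one possible reading of "in unit time".

```python
from collections import deque

# Constructed parameters; the patent leaves the unit time and threshold unspecified.
UNIT_TIME = 60.0            # seconds: the "unit time" over which accesses are counted
ACCESS_COUNT_THRESHOLD = 3  # more than this many accesses per unit time is malicious


class AccessRateMonitor:
    """Illustrative reimplementation of the counting module, the two comparison
    modules, the limiting module and the saving module in one object."""

    def __init__(self, unit_time: float = UNIT_TIME, threshold: int = ACCESS_COUNT_THRESHOLD):
        self.unit_time = unit_time
        self.threshold = threshold
        self.windows: dict = {}      # client id -> timestamps of accesses within the unit time
        self.blacklist: set = set()  # access blacklist information (saving module)

    def handle_request(self, client_id: str, ts: float) -> str:
        # Blacklist comparison + limiting: a blacklisted client is denied immediately
        # on any later request, regardless of its current rate.
        if client_id in self.blacklist:
            return "denied_blacklist"
        # Counting: keep only the accesses that fall inside the unit time, so the
        # count is a sliding window rather than a fixed calendar bucket.
        window = self.windows.setdefault(client_id, deque())
        window.append(ts)
        while ts - window[0] >= self.unit_time:
            window.popleft()
        final_count = len(window)
        # Threshold comparison + limiting + saving: the loop closes when the
        # limiting step hands the identity information to the blacklist.
        if final_count > self.threshold:
            self.blacklist.add(client_id)
            del self.windows[client_id]  # no need to keep counting a blacklisted client
            return "denied_rate"
        return "allowed"


def run_demo() -> dict:
    """Replay a constructed request log of (client id, timestamp in seconds)."""
    requests = [
        ("c1", 0.0), ("c1", 10.0), ("c1", 20.0), ("c1", 30.0),    # burst: 4th request exceeds 3
        ("c1", 200.0),                                            # still denied after the window passed
        ("c2", 0.0), ("c2", 70.0), ("c2", 140.0), ("c2", 210.0),  # steady: never more than 1 per unit time
    ]
    monitor = AccessRateMonitor()
    return {f"{cid}@{int(ts)}": monitor.handle_request(cid, ts) for cid, ts in requests}


if __name__ == "__main__":
    print(run_demo())
```

Dropping the per-client window once the client is blacklisted keeps memory bounded under a flood of requests from the same identity, since the blacklist check short-circuits before any counting takes place.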
It should be understood that, although the steps in the flowcharts of the embodiments of the present invention are shown in sequence as indicated by the arrows, the steps are not necessarily executed in the order indicated by the arrows. Unless explicitly stated otherwise, the steps are not strictly limited to the order shown and described and may be performed in other orders. Moreover, at least some of the steps in the various embodiments may include multiple sub-steps or multiple stages that are not necessarily performed at the same time but may be performed at different times, and the order of performance of these sub-steps or stages is not necessarily sequential; they may be performed in turn or alternately with other steps or with at least some of the sub-steps or stages of other steps.
The technical features of the embodiments described above may be arbitrarily combined, and for the sake of brevity, all possible combinations of the technical features in the embodiments described above are not described, but should be considered as being within the scope of the present specification as long as there is no contradiction between the combinations of the technical features.
The above-mentioned embodiments only express several embodiments of the present invention, and their description is relatively specific and detailed, but they should not be construed as limiting the scope of the present invention. It should be noted that a person skilled in the art can make several variations and modifications without departing from the inventive concept, and these fall within the scope of the present invention. Therefore, the protection scope of the present patent shall be subject to the appended claims.
The above description is only for the purpose of illustrating the preferred embodiments of the present invention and is not to be construed as limiting the invention, and any modifications, equivalents and improvements made within the spirit and principle of the present invention are intended to be included within the scope of the present invention.

Claims (9)

1. A server access monitoring method, the method comprising:
analyzing the identity information of the client which is judged to be maliciously accessed to obtain the client IP address of the maliciously accessed client;
extracting a field representing a local area network from the IP address of the client, and setting the extracted field as address information of an abnormal local area network;
monitoring a client under an abnormal local area network;
and when the number of the clients with malicious access in the same local area network is larger than a first threshold value, rejecting the access of all the clients in the abnormal local area network.
2. The method for monitoring server access according to claim 1, wherein the monitoring of the client in the abnormal local area network specifically includes:
when a client in an abnormal local area network accesses a server, calculating the time interval value of the client for accessing the server once and quitting the server;
and when the time interval value is smaller than the minimum access time, directly storing the identity information of the client sending the access request into access blacklist information, and counting the number of malicious access clients in the same local area network.
3. The server access monitoring method according to claim 1, wherein before the analyzing the identity information of the client determined as the malicious access client and obtaining the client IP address of the malicious access client, the method further comprises:
identifying client identity information of the access server, and counting the times of the client accessing the server in unit time;
judging whether the final count value in unit time is greater than the access time threshold value or not;
and when the final count value in unit time is larger than the access time threshold, judging that the client is a malicious access client, and rejecting the access request of the client.
4. The server access monitoring method of claim 3, wherein after denying the request for continued access from the client when the final count value per unit time is greater than the threshold number of accesses, the method further comprises:
storing the identity information of the client which is denied access into access blacklist information;
when a request of the client for accessing the server is received again, comparing the client identity information with the access blacklist information;
and when the comparison result shows that the client identity information is in the access blacklist information, rejecting the access request of the client.
5. A server access monitoring method according to any of claims 2-4, characterized in that the method further comprises:
receiving an application request for removing the limitation sent by a client;
verifying the identity information of the client and judging whether the identity information of the client is in the access blacklist information;
when the identity information of the client is verified to be valid and the identity information of the client is in the access blacklist information, an application channel is opened to the client;
receiving client identity authentication information submitted by a client from the application channel;
when the identity verification information is verified to be correct, the client identity information is removed from the access blacklist information.
6. The server access monitoring method of claim 5, wherein the client authentication information includes at least one of video authentication information and voice authentication information.
7. The method as claimed in claim 5, wherein the client further submits misoperation proof information to the application channel.
8. A server access monitoring apparatus, the apparatus comprising:
the IP address analysis module is used for analyzing the identity information of the client which is judged to be maliciously accessed to obtain the client IP address of the maliciously accessed client;
the abnormal local area network address integration module is used for extracting the field representing the local area network in the IP address of the client and setting the extracted field as the address information of the abnormal local area network;
the abnormal local area network monitoring module is used for monitoring the client under the abnormal local area network;
and the judging module is used for judging that all the clients in the abnormal local area network are denied access when the number of the malicious access clients in the same local area network is greater than a first threshold value.
9. The server access monitoring apparatus of claim 8, wherein the abnormal local area network monitoring module comprises:
the timing unit is used for calculating the time interval value of the client for accessing the server once and quitting the server when the client under the abnormal local area network accesses the server;
and the counting unit is used for directly storing the identity information of the client sending the access request into the access blacklist information and counting the number of the malicious access clients in the same local area network when the time interval value is smaller than the minimum access duration.
CN202110574393.7A 2021-05-25 2021-05-25 Server access monitoring method and device Active CN113051570B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110574393.7A CN113051570B (en) 2021-05-25 2021-05-25 Server access monitoring method and device

Publications (2)

Publication Number Publication Date
CN113051570A true CN113051570A (en) 2021-06-29
CN113051570B CN113051570B (en) 2021-08-17

Family

ID=76518552

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110574393.7A Active CN113051570B (en) 2021-05-25 2021-05-25 Server access monitoring method and device

Country Status (1)

Country Link
CN (1) CN113051570B (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114900355A (en) * 2022-05-07 2022-08-12 广州莱万科技股份有限公司 Network school IP access monitoring system and device
CN115328727A (en) * 2022-07-25 2022-11-11 江苏财经职业技术学院 Big data computer network safety early warning device
CN116506229A (en) * 2023-06-28 2023-07-28 北京域信科技有限公司 Data access method and device and electronic equipment
CN117221019A (en) * 2023-11-09 2023-12-12 苏州元脑智能科技有限公司 Access control method, device, electronic equipment and storage medium

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8667557B2 (en) * 2008-11-25 2014-03-04 At&T Intellectual Property I, L.P. Independent role based authorization in boundary interface elements
CN104468554A (en) * 2014-11-28 2015-03-25 北京奇虎科技有限公司 Attack detection method and device based on IP and HOST
US9049172B2 (en) * 2008-08-07 2015-06-02 At&T Intellectual Property I, L.P. Method and apparatus for providing security in an intranet network
CN105450619A (en) * 2014-09-28 2016-03-30 腾讯科技(深圳)有限公司 Method, device and system of protection of hostile attacks
CN110912861A (en) * 2018-09-18 2020-03-24 北京数安鑫云信息技术有限公司 AI detection method and device for deeply tracking group attack behavior

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant