CN113269378A - Network traffic processing method and device, electronic equipment and readable storage medium - Google Patents

Publication number: CN113269378A
Authority: CN (China)
Prior art keywords: target, risk, flow, target flow, cost
Legal status: Pending
Application number: CN202110817506.1A
Other languages: Chinese (zh)
Inventors: 吴渊, 吴作志, 张颖, 黄俊东
Current Assignee: Wuhan Jiyi Network Technology Co ltd
Original Assignee: Wuhan Jiyi Network Technology Co ltd
Application filed by Wuhan Jiyi Network Technology Co ltd
Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q10/00 Administration; Management
    • G06Q10/04 Forecasting or optimisation specially adapted for administrative or management purposes, e.g. linear programming or "cutting stock problem"
    • G06Q10/06 Resources, workflows, human or project management; Enterprise or organisation planning; Enterprise or organisation modelling
    • G06Q10/063 Operations research, analysis or management
    • G06Q10/0635 Risk analysis of enterprise or organisation activities
    • G06Q30/00 Commerce
    • G06Q30/02 Marketing; Price estimation or determination; Fundraising
    • G06Q30/0283 Price estimation or determination

Abstract

The invention provides a network traffic processing method and device, electronic equipment and a readable storage medium. The method comprises: identifying a single target traffic flow and determining a target state corresponding to the target traffic; acquiring the target risk event type corresponding to the target traffic and determining the number of occurrences of the target risk event; determining a current risk prediction value of the target traffic according to the target risk event type and the number of occurrences of the target risk event; and processing the target traffic according to its current risk prediction value. The method, device, electronic equipment and readable storage medium provided by the embodiments of the invention measure the abnormal risk generated by individual traffic at the minimum granularity, with a unified processing standard and an accurate processing effect, thereby avoiding the network security risk brought by abnormal network traffic.

Description

Network traffic processing method and device, electronic equipment and readable storage medium
Technical Field
The present invention relates to the field of network security, and in particular, to a method and an apparatus for processing network traffic, an electronic device, and a readable storage medium.
Background
Network traffic refers to data generated by user access to internet application products, and can generally be divided into normal traffic and abnormal traffic. Normal traffic is generated by users accessing an enterprise's website normally, and enterprises typically encourage users to generate such traffic by offering incentives. Abnormal traffic is typically manufactured by black-market operators. For example, black-market operators register accounts in bulk through automated scripts, stockpiling account resources for their subsequent attacks, either for direct use or for resale; as another example, black-market operators obtain leaked account passwords through various channels and then perform automated logins on other large websites, thereby stealing accounts through credential stuffing.
Abnormal traffic can stay disguised within an enterprise website for a long time and, when a specific point in time is reached, carry out concurrent profit-taking and attack behaviors, causing large-scale losses to the enterprise, blocking access by normal traffic, and even paralyzing the service of the enterprise website; abnormal traffic therefore needs to be marked or blocked.
One existing method for processing abnormal network traffic is traffic statistics based on quantity changes: changes in network traffic are measured along dimensions such as new registrations, activity, dwell time and conversion rate of the enterprise website; traffic volume is monitored by placing instrumentation points in scenarios such as registration, browsing and clicking, and changes in the instrumentation data are monitored to count changes in the traffic volume of the whole product; this information reflects the overall quality of the traffic. However, the data counted by this method is after-the-fact data, and such statistics cannot directly and effectively identify and handle whether an individual flow is abnormal.
Another existing method for processing abnormal network traffic is traffic statistics based on risk events: this scheme focuses on which risk-control events the traffic triggers. The risk-control rules and risk-control events of a risk-control system are used to monitor which rules the traffic triggers; such a system is generally fused with business characteristics, with business elements extracted into dedicated risk-control rules, such as the existing "heaven and imperial" service product on the market. Business information is collected by front-end JS, or an SDK is integrated and embedded in the business terminal; when traffic enters, it is judged by the risk-control system, and low-risk traffic is then admitted to the business system according to the information returned by the risk-control system to complete the subsequent business loop. This method requires a certain learning cost regarding the behavior and degree of the risk events that occur before the abnormal state of the network traffic can be objectively evaluated and processed.
Another existing method for processing abnormal network traffic is traffic statistics based on risk scoring: this scheme focuses on the risk score of the traffic. The degree of risk of the traffic is monitored through a risk-control system and risk-control rules; for example, an existing Google data analysis service product on the market is embedded in the business terminal by collecting business information through front-end JS or by integrating an SDK (software development kit). When traffic enters, the risk-control system returns a risk code to the business, and the business decides for itself whether to act on the risk code. The final measurement output of this method is a risk score for each flow, such as 0-9, or high, medium or low risk, and this data reflects the quality of a single flow. Because the understanding of risk and the measurement standard are not unified, this method cannot accurately reflect the abnormal situation of network traffic, so errors exist in the processing result for abnormal network traffic.
Disclosure of Invention
In view of this, an object of an embodiment of the present invention is to provide a method, an apparatus, an electronic device, and a readable storage medium for processing network traffic, which specifically include:
In a first aspect, an embodiment of the present invention provides a method for processing network traffic, the method comprising:
identifying a single target traffic flow and determining a target state corresponding to the target traffic;
if the target state corresponding to the target traffic is abnormal, acquiring the target risk event type corresponding to the target traffic, and determining the number of occurrences of the target risk event;
determining a current risk prediction value of the target traffic according to the target risk event type corresponding to the target traffic and the number of occurrences of the target risk event, wherein the current risk prediction value is used to represent the loss amount generated by the target traffic;
and processing the target traffic according to the current risk prediction value of the target traffic.
Optionally, determining the current risk prediction value of the target traffic according to the target risk event type corresponding to the target traffic and the number of occurrences of the target risk event specifically includes:
acquiring the unit risk cost corresponding to the target risk event type;
determining the extra cost corresponding to the target traffic according to the number of occurrences of the target risk event and the unit risk cost corresponding to the target risk event type;
and determining the current risk prediction value of the target traffic according to the historical risk prediction value of the target traffic, the extra cost and the barrier cost.
Optionally, acquiring the unit risk cost corresponding to the target risk event type specifically includes:
constructing a real-time risk event cost database by building an expert system and/or monitoring black-market data sources, wherein the real-time risk event cost database contains the correspondence between risk events and their unit risk costs;
and acquiring the unit risk cost corresponding to the target risk event type from the real-time risk event cost database.
Optionally, determining the current risk prediction value of the target traffic according to the historical risk prediction value of the target traffic, the extra cost and the barrier cost specifically includes:
acquiring the risk prediction value of the target traffic from the previous prediction as the historical risk prediction value;
pushing to the traffic a verification program whose cracking cost is a preset barrier cost;
if the target traffic passes the verification, calculating the current risk prediction value Price of the target traffic according to the following formula:
Price=Cost-Risk+Delta;
where Cost is the historical risk prediction value, Risk is the extra cost, and Delta is the barrier cost.
Optionally, determining the number of occurrences of the target risk event specifically includes:
determining the device ID corresponding to the target traffic according to the device fingerprint corresponding to the target traffic;
and counting the number of occurrences of the target risk event corresponding to the device ID.
Optionally, identifying a single target traffic flow and determining the target state corresponding to the target traffic specifically includes:
performing data analysis on the mouse or cursor trajectory data, browser data, HTTP transmission data and/or device data corresponding to the target traffic;
and determining the target state corresponding to the target traffic according to which risk events are triggered in the data analysis result.
Optionally, processing the target traffic according to the current risk prediction value of the target traffic specifically includes:
determining the processing mode of the target traffic according to the current risk prediction value of the target traffic and the correspondence between current risk prediction values and preset processing modes, wherein the processing modes comprise blocking, marking, allocating website resources, or no processing.
In a second aspect, an embodiment of the present invention provides a network traffic processing apparatus, the apparatus comprising:
a state determination module, used for identifying a single target traffic flow and determining the target state corresponding to the target traffic, wherein the target states include abnormal and non-abnormal;
a risk determination module, used for acquiring the target risk event type corresponding to the target traffic and determining the number of occurrences of the target risk event if the target state corresponding to the target traffic is abnormal;
a risk prediction module, used for determining the current risk prediction value of the target traffic according to the target risk event type corresponding to the target traffic and the number of occurrences of the target risk event, wherein the current risk prediction value is used to represent the loss amount generated by the target traffic;
and a traffic processing module, used for processing the target traffic according to the current risk prediction value of the target traffic.
In a third aspect, an embodiment of the present invention provides an electronic device, including:
one or more processors;
a memory for storing one or more programs;
wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to perform the method of the first aspect.
In a fourth aspect, embodiments of the present invention provide a computer-readable storage medium having stored thereon executable instructions, which when executed by a processor, cause the processor to perform the method according to the first aspect.
With the network traffic processing method and device, electronic equipment and readable storage medium described above, determining for each single target traffic flow a current risk prediction value that represents the loss amount generated by that traffic measures the abnormal risk of individual traffic at the minimum granularity, with a unified processing standard and an accurate processing effect, thereby avoiding the network security risk caused by abnormal network traffic.
Drawings
In order to illustrate the embodiments of the present application or the technical solutions in the prior art more clearly, the drawings used in the embodiments are briefly described below. The drawings described below show only some embodiments of the present application, and those skilled in the art can obtain other drawings from them without creative work. The foregoing and other objects, features and advantages of the application will be apparent from the accompanying drawings. Like reference numerals refer to like parts throughout the drawings. The drawings are not intentionally drawn to actual scale; emphasis is instead placed on illustrating the subject matter of the present application.
Fig. 1 is a flowchart illustrating a network traffic processing method according to an embodiment of the present invention.
Fig. 2 is a schematic structural diagram illustrating a current risk prediction value determination method according to an embodiment of the present invention.
Fig. 3 is a schematic structural diagram of a network traffic processing apparatus according to an embodiment of the present invention.
Fig. 4 shows a schematic structural diagram of an electronic device provided in an embodiment of the present invention.
Detailed Description
Hereinafter, embodiments of the present disclosure will be described with reference to the accompanying drawings. It should be understood that the description is illustrative only and is not intended to limit the scope of the present disclosure. Moreover, in the following description, descriptions of well-known structures and techniques are omitted so as to not unnecessarily obscure the concepts of the present disclosure.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the disclosure. The words "a", "an" and "the" and the like as used herein are also intended to include the meanings of "a plurality" and "the" unless the context clearly dictates otherwise. Furthermore, the terms "comprises," "comprising," and the like, as used herein, specify the presence of stated features, steps, operations, and/or components, but do not preclude the presence or addition of one or more other features, steps, operations, or components.
All terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art unless otherwise defined. It is noted that the terms used herein should be interpreted as having a meaning that is consistent with the context of this specification and should not be interpreted in an idealized or overly formal sense.
The existing network traffic processing methods, such as traffic statistics based on quantity changes, on risk events and on risk scoring, each have technical limitations, so that the following properties cannot all be achieved at once when processing network traffic: analysis refined to the individual flow; measurement results that are direct feedback and are expressed in the same units as the gains and losses of the decision; absolute safety and reliability; and the ability to measure both good and bad traffic. Their practical value is therefore not high.
In view of the above, embodiments of the present invention provide a method and an apparatus for processing network traffic, an electronic device, and a readable storage medium, and the following describes in detail the content disclosed in the embodiments of the present invention with reference to the drawings.
Fig. 1 shows a schematic flowchart of a network traffic processing method provided in an embodiment of the present invention, with the following specific content:
S110, identifying a single target traffic flow and determining the target state corresponding to the target traffic.
The embodiment of the present invention first needs to identify a single target traffic flow. Unlike methods such as traffic statistics based on quantity changes, which identify the overall state of a series of target traffic, this step refines the object of analysis to the individual, that is, the data generated by one user's behavior on an internet application product; by refining the analysis to individual traffic and analyzing traffic at the minimum granularity, traffic can be handled accurately. Specifically, the single target traffic includes data such as mouse or cursor trajectories, browser data, HTTP transmission data and device data.
In this step, whether the target state corresponding to the target traffic is abnormal or non-abnormal is determined by whether the target traffic triggers risk events. The risk events include various types such as mouse or cursor trajectory anomalies, device risk anomalies and cluster analysis anomalies.
In a specific implementation, this step may include: performing data analysis on the mouse or cursor trajectory data, browser data, HTTP transmission data and/or device data corresponding to the target traffic; and determining the target state corresponding to the target traffic according to which risk events are triggered in the data analysis result.
Individual traffic data generated in real time is obtained through instrumentation points in the client web page or app; a traffic data analysis tool detects which risk events the target traffic triggers, and whether each flow is abnormal is output in real time, together with the abnormal risk event detected, if any. It should be noted that this step can only perform qualitative analysis on a single flow, that is, make a preliminary determination of the target state of a single target traffic flow; it cannot quantitatively evaluate the degree of abnormality of the single flow.
S120, if the target state corresponding to the target traffic is abnormal, acquiring the target risk event type corresponding to the target traffic, and determining the number of occurrences of the target risk event.
After the target state corresponding to the target traffic is determined in step S110, if that state is abnormal, the traffic data analysis tool has preliminarily determined that the target traffic triggers a certain type of risk event, and the specific user behavior corresponding to that risk event has occurred one or more times. For example, the network traffic generated by a single user behavior is deemed to have 1000 automation scripts running.
Further, determining the number of occurrences of the target risk event specifically includes:
determining the device ID corresponding to the target traffic according to the device fingerprint corresponding to the target traffic.
The device ID can be regarded as the unique identifier of the user device that generated the target traffic. When the specific user behavior corresponding to a risk event occurs one or more times, if those risk events are generated by the same black-market user, the device IDs of the target traffic corresponding to those risk events are the same.
Then, the number of occurrences of the target risk event corresponding to the device ID can be counted as the number of risk events generated by the user device used by that specific black-market operator.
S130, determining the current risk prediction value of the target traffic according to the target risk event type corresponding to the target traffic and the number of occurrences of the target risk event, wherein the current risk prediction value is used to represent the loss amount generated by the target traffic.
In this step, the current risk prediction value of the target traffic is determined according to the target risk event type and the number of occurrences of the target risk event determined in step S120. The current risk prediction value represents the loss amount generated by the target traffic and is a quantitative measure of the degree of abnormality of the target traffic, as discussed in detail below.
The loss amount represented by the current risk prediction value in the embodiment of the present invention refers to the monetary loss that abnormal network traffic may cause to the owner of a website or app. Since abnormal network traffic is usually manufactured by black-market operators, and each use of technical means such as automation scripts and simulators requires them to invest a certain cost, it follows that the black-market operators obtain from the website or app a return not less than that cost in order to realize a profit. It is understood that the higher the single-occurrence cost of a target risk event of a given risk event type, and the more times the target risk event occurs, the higher the current risk prediction value of the target traffic.
Compared with other patents in the prior art that measure the degree of abnormality of the target traffic using a risk score, the embodiment of the present invention measures it quantitatively using a current risk prediction value that represents a loss amount. This unifies the understanding of abnormal risk and the measurement standard, accurately reflects the abnormal situation of network traffic, and thereby enables accurate processing of abnormal network traffic.
Those skilled in the art will understand that the technical features involving monetary amounts in the embodiment of the present invention do not mean that the technical solution relates to commercial use; they serve as a unified and intuitive measurement standard for evaluating the degree of risk abnormality of network traffic.
S140, processing the target traffic according to the current risk prediction value of the target traffic.
The processing mode of the target traffic is determined according to the current risk prediction value of the target traffic and the correspondence between current risk prediction values and preset processing modes; the processing modes comprise blocking, marking, allocating website resources, or no processing.
Different target traffic is processed according to the threshold interval in which its current risk prediction value falls. For example, if the current risk prediction value of the target traffic falls within the threshold interval representing dangerous traffic, the traffic may be blocked; if it falls within the threshold interval representing traffic to be confirmed, the traffic is marked or further evaluated; if it falls within the threshold interval representing normal traffic, the website or app may allocate more advantageous resources to the traffic or perform no processing.
Users can set parameters such as the intervals of the current risk prediction value that are of interest and the way the threshold intervals are partitioned according to actual requirements, so that network traffic with different current risk prediction values is processed by class.
With the network traffic processing method provided by the embodiment of the present invention, determining for each single target traffic flow a current risk prediction value that represents the loss amount generated by that traffic measures the abnormal risk of individual traffic at the minimum granularity, with a unified processing standard and an accurate processing effect, thereby avoiding the network security risk caused by abnormal network traffic.
Based on the foregoing embodiment, Fig. 2 shows a flowchart of a method for determining the current risk prediction value according to an embodiment of the present invention; the specific content of step S130 is as follows:
S131, acquiring the unit risk cost corresponding to the target risk event type.
The unit risk cost in the embodiment of the present invention refers to the cost paid for a risk event in which a specific black-market user behavior occurs one or more times. For example, suppose the real-time cost paid by a black-market user for using the simulator technique is 0.03 yuan; this is the unit risk cost corresponding to risk events whose target risk event type is use of a simulator. This cost is not fixed and needs to be determined through information gathering.
Specifically, a real-time risk event cost database can be constructed by building an expert system and/or monitoring black-market data sources; the real-time risk event cost database contains the correspondence between risk events and their unit risk costs. It is understood that the real-time risk event cost database contains real-time data for the various risk events and their unit risk costs.
In this step, an expert system and machine-based monitoring and collection can be combined in an informatics approach. The expert system can obtain real-time unit risk cost information for the various risk events through manual inquiry channels within the industry; black-market data sources are monitored by script crawling or other data collection methods across the places where black-market operators gather, such as social networks, forums, Telegram and the dark web, to obtain real-time unit risk cost information for the various risk events. The real-time unit risk cost information obtained is then classified, summarized and counted.
Once the real-time risk event cost database has been constructed, the unit risk cost corresponding to the target risk event type is acquired from the mapping between the real-time data of the various risk events and their unit risk costs contained in the database.
S132, determining the extra cost corresponding to the target traffic according to the number of occurrences of the target risk event and the unit risk cost corresponding to the target risk event type.
The extra cost corresponding to the target traffic in this step is the total cost that has to be paid after the specific user behavior has incurred one or more risk events. It will be appreciated that the extra cost is the additional cost black-market users pay to use automation scripts, simulators and the like in order to profit.
As a specific way of determining the extra cost corresponding to the target traffic in this step, the extra cost can be taken directly as the product of the number of occurrences of the target risk event and the unit risk cost corresponding to the target risk event type. Alternatively, the effect that the number of times black-market operators use a technical means has on the unit risk cost can be taken into account: since the extra cost attenuates with the number of occurrences of the risk event, the product is further multiplied by a preset attenuation factor.
S133, determining the current risk prediction value of the target traffic according to the historical risk prediction value of the target traffic, the extra cost and the obstacle cost.
The current risk prediction value in this step may be calculated with reference to the following steps:
First, the risk prediction value obtained for the target traffic in the last prediction is taken as the historical risk prediction value.
Second, a verification program whose cracking cost equals a preset barrier cost is pushed to the traffic; if the target traffic passes the verification, the current risk prediction value Price of the target traffic is calculated according to the following formula:
Price = Cost - Risk + Delta;
where Cost is the historical risk prediction value, Risk is the extra cost, and Delta is the barrier cost (the obstacle cost of step S133).
The principle behind the above formula is illustrated as follows:
The premise is that the revenue obtained by black-market operators is not less than the cost they invest against the website through technical means such as automated scripts and simulators. Suppose a website provides a resource whose traffic value is 2.5 yuan. To probe the estimated value, a verification program with a cracking cost of 2 yuan is pushed to the traffic for verification, and the subsequent operations of the traffic are then monitored. This 2 yuan is the barrier cost in the formula and represents the amount the traffic pays to cross the deliberately pushed cracking barrier. Assume that the predicted risk measure for the traffic is -1 yuan, i.e., the traffic has already invested 1 yuan in cost. Facing a verification whose cost is 2 yuan, the traffic must invest a further 2 yuan of barrier cost to crack it; that is, it would obtain traffic revenue of 2.5 yuan only after investing 3 yuan in total, which contradicts the premise that the revenue obtained by black-market operators is not less than the cost.
Black-market operators therefore typically decline to pay this barrier cost. That is, if the target traffic ultimately abandons the verification step, the user generating the traffic is assumed to be a black-market operator, and the predicted risk measure of -1 yuan for the traffic lies within the accurate value interval. Similarly, in the embodiment of the present invention, the risk measurement may be performed on the traffic several times until it approaches the accurate interval more closely, for example with a measured value of -0.9 yuan or -0.8 yuan. The historical risk prediction value is the risk prediction value calculated the last time the target traffic appeared. Equivalently, each predicted risk measure of the traffic is used as the historical risk prediction value Cost and is fed into the calculation of the next predicted risk measure.
In particular, Cost is an estimated value of the traffic and may also be calculated with a certain attenuation function applied, which is not specifically limited in the embodiment of the present invention. If no historical risk prediction value Cost exists when the formula is evaluated, i.e., when the current risk prediction value Price of a given traffic is calculated for the first time, Cost can be initialized to 0. The currently paid extra cost Risk is subtracted from the historical risk prediction value Cost and, if the traffic passes the obstacle that the website set for it, the obstacle cost Delta that it paid is added, finally yielding the current risk prediction value Price.
As those skilled in the art will appreciate from the foregoing embodiment, the embodiment of the present invention not only minimizes the granularity at which abnormal risk is measured (down to a single unit of traffic), unifies the processing standard and makes the processing effect accurate, but also allows the calculated current risk prediction value Price to be used as the Cost value in the next abnormality measurement. That is, each abnormal-risk prediction value is fed back into the prediction formula, forming a "risk prediction system" and a "feedback system" within the overall abnormal-traffic processing method. The feedback system continuously revises the risk prediction measure in the risk prediction system so that the prediction result moves closer to the real result, i.e., becomes more accurate, forming the closed-loop logic of an end-to-end learning system. This achieves accurate measurement of the abnormal risk generated by a single unit of traffic and thereby avoids the network security risk brought by abnormal network traffic.
Those skilled in the art will also appreciate that, based on the risk prediction system and the feedback system in the embodiment of the present invention, the technical solution provided can accurately measure and process the risk brought by abnormal traffic, and can also accurately measure the positive value of non-abnormal traffic.
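The update rule and feedback loop described above can be sketched as follows. This is an added illustration, not code from the patent or its applicant: the event type names, unit risk costs, handling thresholds and device IDs are constructed, and it assumes that events are counted per device ID since the last prediction, that Risk is summed over event types, and that Delta is not added when the traffic abandons verification.

```python
from dataclasses import dataclass, field

# Constructed "real-time risk event cost database": unit risk cost in yuan
# per risk event type. Event names and values are assumptions.
UNIT_RISK_COST = {"emulator": 0.5, "automation_script": 0.2, "proxy_ip": 0.1}


def extra_cost(event_type, occurrences, decay=1.0):
    """Risk for one event type: occurrences x unit risk cost x preset attenuation factor."""
    if occurrences < 0:
        raise ValueError("occurrences must be non-negative")
    return occurrences * UNIT_RISK_COST[event_type] * decay


def would_abandon(cost, delta, traffic_value):
    """Premise from the text: revenue is not less than cost, so a barrier is
    abandoned once the cost already invested (-cost) plus delta exceeds the
    value of the resource."""
    return (-cost) + delta > traffic_value


def decide(price):
    """Map a risk value to a handling mode (thresholds are assumptions)."""
    if price <= -2.0:
        return "block"
    if price <= -0.5:
        return "mark"
    if price < 0:
        return "none"
    return "allocate"


@dataclass
class RiskTracker:
    history: dict = field(default_factory=dict)  # device ID -> last Price
    pending: dict = field(default_factory=dict)  # device ID -> {event type: count}

    def observe(self, device_id, event_type):
        """Count one risk event against the device ID since its last prediction."""
        if event_type not in UNIT_RISK_COST:
            raise KeyError(f"no unit risk cost for {event_type!r}")
        events = self.pending.setdefault(device_id, {})
        events[event_type] = events.get(event_type, 0) + 1
        return events[event_type]

    def update(self, device_id, delta, passed, decay=1.0):
        """Price = Cost - Risk + Delta; Delta is added only if verification passed."""
        cost = self.history.get(device_id, 0.0)  # Cost starts at 0 on first use
        events = self.pending.pop(device_id, {})
        risk = sum(extra_cost(t, n, decay) for t, n in events.items())
        price = cost - risk + (delta if passed else 0.0)
        self.history[device_id] = price  # feedback: Price becomes the next Cost
        return price


if __name__ == "__main__":
    tracker = RiskTracker()
    for _ in range(2):
        tracker.observe("dev-A", "emulator")  # constructed events
    p1 = tracker.update("dev-A", delta=2.0, passed=False)
    print(p1, decide(p1), would_abandon(p1, 2.0, 2.5))
    tracker.observe("dev-A", "emulator")
    p2 = tracker.update("dev-A", delta=1.0, passed=True)
    print(p2, decide(p2))
```

With the constructed costs, the first round reproduces the -1 yuan measure of the worked example, and a 2 yuan barrier on a 2.5 yuan resource is predicted to be abandoned.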
Based on any of the above embodiments, Fig. 3 shows a schematic structural diagram of a network traffic processing device provided in an embodiment of the present invention; the details are as follows.
A state determining module 301, configured to identify a single unit of target traffic and determine a target state corresponding to the target traffic; wherein the target states include abnormal and non-abnormal;
a risk determining module 302, configured to, if the target state corresponding to the target traffic is abnormal, obtain a target risk event type corresponding to the target traffic and determine the number of occurrences of the target risk event;
a risk prediction module 303, configured to determine a current risk prediction value of the target traffic according to the target risk event type corresponding to the target traffic and the number of occurrences of the target risk event; wherein the current risk prediction value is used for representing the loss amount generated by the target traffic;
and a traffic processing module 304, configured to process the target traffic according to the current risk prediction value of the target traffic.
The network traffic processing device provided by the embodiment of the invention determines, for a single unit of target traffic, a current risk prediction value representing the loss amount generated by that traffic. This minimizes the granularity at which the abnormal risk generated by individual traffic is measured, unifies the processing standard and makes the processing effect accurate, thereby avoiding the network security risk caused by abnormal network traffic.
Based on any of the above embodiments, Fig. 4 shows a schematic physical structure diagram of an electronic device provided in an embodiment of the present invention. As shown in Fig. 4, the electronic device may include: a processor 410, a communication interface 420, a memory 430 and a communication bus 440, wherein the processor 410, the communication interface 420 and the memory 430 communicate with each other via the communication bus 440. The processor 410 may call logic instructions in the memory 430 to perform the following method: identifying a single unit of target traffic and determining a target state corresponding to the target traffic; if the target state corresponding to the target traffic is abnormal, acquiring a target risk event type corresponding to the target traffic, and determining the number of occurrences of the target risk event; determining a current risk prediction value of the target traffic according to the target risk event type corresponding to the target traffic and the number of occurrences of the target risk event, wherein the current risk prediction value is used for representing the loss amount generated by the target traffic; and processing the target traffic according to the current risk prediction value of the target traffic.
In addition, the logic instructions in the memory 430 may be implemented in the form of software functional units and, when sold or used as independent products, stored in a computer-readable storage medium. Based on such understanding, the technical solutions of the embodiments of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method described in the embodiments of the present invention. The aforementioned storage medium includes: a USB flash drive, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program code.
In another aspect, an embodiment of the present invention further provides a non-transitory computer-readable storage medium on which a computer program is stored, where the computer program, when executed by a processor, performs the method provided by the foregoing embodiments, for example including: identifying a single unit of target traffic and determining a target state corresponding to the target traffic; if the target state corresponding to the target traffic is abnormal, acquiring a target risk event type corresponding to the target traffic, and determining the number of occurrences of the target risk event; determining a current risk prediction value of the target traffic according to the target risk event type corresponding to the target traffic and the number of occurrences of the target risk event, wherein the current risk prediction value is used for representing the loss amount generated by the target traffic; and processing the target traffic according to the current risk prediction value of the target traffic.
The above-described embodiments of the apparatus are merely illustrative, and the units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment. One of ordinary skill in the art can understand and implement it without inventive effort.
Through the above description of the embodiments, those skilled in the art will clearly understand that each embodiment can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware. With this understanding in mind, the above-described technical solutions may be embodied in the form of a software product, which can be stored in a computer-readable storage medium such as ROM/RAM, magnetic disk, optical disk, etc., and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the methods described in the embodiments or some parts of the embodiments.
Finally, it should be noted that: the above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims (10)

1. A method for processing network traffic, the method comprising:
identifying a single unit of target traffic and determining a target state corresponding to the target traffic;
if the target state corresponding to the target traffic is abnormal, acquiring a target risk event type corresponding to the target traffic, and determining the number of occurrences of the target risk event;
determining a current risk prediction value of the target traffic according to the target risk event type corresponding to the target traffic and the number of occurrences of the target risk event; wherein the current risk prediction value is used for representing the loss amount generated by the target traffic;
and processing the target traffic according to the current risk prediction value of the target traffic.
2. The method according to claim 1, wherein the determining a current risk prediction value of the target traffic according to the target risk event type corresponding to the target traffic and the number of occurrences of the target risk event specifically includes:
acquiring the unit risk cost corresponding to the target risk event type;
determining the extra cost corresponding to the target traffic according to the number of occurrences of the target risk event and the unit risk cost corresponding to the target risk event type;
and determining the current risk prediction value of the target traffic according to the historical risk prediction value of the target traffic, the extra cost and the obstacle cost.
3. The method for processing network traffic according to claim 2, wherein the acquiring the unit risk cost corresponding to the target risk event type specifically includes:
constructing a real-time risk event cost database by building an expert system and/or monitoring black-market data sources; wherein the real-time risk event cost database comprises the correspondence between risk events and their unit risk costs;
and acquiring the unit risk cost corresponding to the target risk event type according to the real-time risk event cost database.
4. The method according to claim 2, wherein the determining a current risk prediction value of the target traffic according to the historical risk prediction value of the target traffic, the extra cost and the obstacle cost specifically includes:
acquiring the risk prediction value of the target traffic in the last prediction as the historical risk prediction value;
pushing to the traffic a verification program whose cracking cost is a preset barrier cost;
if the target traffic passes the verification, calculating the current risk prediction value Price of the target traffic according to the following formula:
Price = Cost - Risk + Delta;
where Cost is the historical risk prediction value, Risk is the extra cost, and Delta is the barrier cost.
5. The method according to claim 1, wherein the determining the number of occurrences of the target risk event specifically includes:
determining the device ID corresponding to the target traffic according to the device fingerprint corresponding to the target traffic;
and counting the number of occurrences of the target risk event corresponding to the device ID.
6. The method according to claim 1, wherein the identifying a single unit of target traffic and determining a target state corresponding to the target traffic specifically includes:
performing data analysis on mouse or cursor trajectory data, browser data, HTTP transmission data and/or device data corresponding to the target traffic;
and determining the target state corresponding to the target traffic according to the triggering of risk events in the data analysis result.
7. The method according to claim 1, wherein the processing the target traffic according to the current risk prediction value of the target traffic specifically includes:
processing the target traffic according to the current risk prediction value of the target traffic and the correspondence between current risk prediction values and preset processing modes, wherein the processing modes of the target traffic comprise blocking, marking, allocating website resources, or no processing.
8. A network traffic processing apparatus, the apparatus comprising:
a state determination module, configured to identify a single unit of target traffic and determine a target state corresponding to the target traffic; wherein the target states include abnormal and non-abnormal;
a risk determination module, configured to acquire a target risk event type corresponding to the target traffic and determine the number of occurrences of the target risk event if the target state corresponding to the target traffic is abnormal;
a risk prediction module, configured to determine a current risk prediction value of the target traffic according to the target risk event type corresponding to the target traffic and the number of occurrences of the target risk event; wherein the current risk prediction value is used for representing the loss amount generated by the target traffic;
and a traffic processing module, configured to process the target traffic according to the current risk prediction value of the target traffic.
9. An electronic device, comprising:
one or more processors;
a memory for storing one or more programs;
wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to perform the method of any of claims 1-7.
10. A computer readable storage medium having stored thereon executable instructions, which when executed by a processor, cause the processor to perform the method of any one of claims 1 to 7.
CN202110817506.1A 2021-07-20 2021-07-20 Network traffic processing method and device, electronic equipment and readable storage medium Pending CN113269378A (en)

Publications (1)

Publication Number Publication Date
CN113269378A true CN113269378A (en) 2021-08-17

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination