CN113923039B - Attack equipment identification method and device, electronic equipment and readable storage medium - Google Patents


Info

Publication number
CN113923039B
Authority
CN
China
Prior art keywords
access
attack
equipment
record
website
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202111218791.1A
Other languages
Chinese (zh)
Other versions
CN113923039A (en)
Inventor
罗程
邓金城
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Knownsec Information Technology Co Ltd
Original Assignee
Beijing Knownsec Information Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Knownsec Information Technology Co Ltd
Priority to CN202111218791.1A
Publication of CN113923039A
Application granted
Publication of CN113923039B
Legal status: Active (current)
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Abstract

The application provides an attack device identification method, an attack device identification apparatus, an electronic device and a readable storage medium, and relates to the field of computer technology. The method comprises the following steps: when an access request from an access device to a website is received, acquiring a target historical access record of the access device; judging, according to the target historical access record, whether the access device has performed attack behaviour; and identifying whether the access device is an attack device according to whether it has performed attack behaviour. In this way, attack devices can be identified accurately and early.

Description

Attack equipment identification method and device, electronic equipment and readable storage medium
Technical Field
The present application relates to the field of computer technologies, and in particular, to an attack device identification method, an attack device identification apparatus, an electronic device, and a readable storage medium.
Background
At present, there are more and more websites on the Internet and security is increasingly important, but attackers' techniques are also constantly improving. Current attack recognition methods find it difficult to quickly recognise a real attacker. Therefore, how to identify an attacker accurately and early, so that a security vendor can take defensive measures in advance, has become a technical problem to be solved by those skilled in the art.
Disclosure of Invention
The embodiment of the application provides an attack equipment identification method, an attack equipment identification device, electronic equipment and a readable storage medium, which can accurately identify attack equipment in advance.
Embodiments of the application may be implemented as follows:
in a first aspect, an embodiment of the present application provides an attack apparatus identifying method, including:
under the condition that an access request of access equipment to a website is received, acquiring a target historical access record of the access equipment;
judging whether the access equipment performs attack behaviors or not according to the target historical access record;
and identifying whether the access device is an attack device according to whether the access device has performed attack behaviors.
In a second aspect, an embodiment of the present application provides an attack apparatus identifying device, including:
a record acquisition module, configured to acquire a target historical access record of an access device when an access request from the access device to a website is received;
the judging module is used for judging whether the access equipment performs attack behaviors or not according to the target historical access record;
the judging module is further configured to identify whether the access device is an attack device according to whether the access device has performed an attack action.
In a third aspect, an embodiment of the present application provides an electronic device, including a processor and a memory, where the memory stores machine executable instructions that can be executed by the processor, where the processor can execute the machine executable instructions to implement the attack device identification method described in the foregoing embodiment.
In a fourth aspect, an embodiment of the present application provides a readable storage medium having stored thereon a computer program that, when executed by a processor, implements an attack device identification method according to the foregoing embodiment.
According to the attack equipment identification method, the attack equipment identification device, the electronic equipment and the readable storage medium, under the condition that an access request of the access equipment to a website is received, a target historical access record of the access equipment is obtained, whether the access equipment performs attack behaviors or not is judged based on the target historical access record, and whether the access equipment is the attack equipment is identified according to whether the access equipment performs the attack behaviors or not. Therefore, through evaluation and judgment of the historical access record of the visitor, whether the visitor is an attacker can be identified, and the problem that whether the visitor is the attacker is difficult to accurately and early identify by the traditional website defense means is effectively solved.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are needed in the embodiments will be briefly described below, it being understood that the following drawings only illustrate some embodiments of the present application and therefore should not be considered as limiting the scope, and other related drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is a schematic block diagram of an electronic device according to an embodiment of the present application;
fig. 2 is a schematic flow chart of an attack device identification method according to an embodiment of the present application;
FIG. 3 is a flow chart illustrating the sub-steps included in step S120 in FIG. 2;
FIG. 4 is a flow chart illustrating the sub-steps included in step S130 in FIG. 2;
FIG. 5 is a flow chart of the sub-steps included in step S132 in FIG. 4;
FIG. 6 is a second flowchart of an attack equipment identification method according to an embodiment of the present application;
fig. 7 is a schematic block diagram of an attack apparatus identification device according to an embodiment of the present application;
fig. 8 is a second schematic block diagram of an attack apparatus identification device according to an embodiment of the present application.
Reference numerals: 100 electronic device; 110 memory; 120 processor; 130 communication unit; 200 attack device identification apparatus; 210 record acquisition module; 220 judging module; 230 processing module.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present application more apparent, the technical solutions of the embodiments of the present application will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present application, and it is apparent that the described embodiments are some embodiments of the present application, but not all embodiments of the present application. The components of the embodiments of the present application generally described and illustrated in the figures herein may be arranged and designed in a wide variety of different configurations.
Thus, the following detailed description of the embodiments of the application, as presented in the figures, is not intended to limit the scope of the application, as claimed, but is merely representative of selected embodiments of the application. All other embodiments, which can be made by a person skilled in the art without making any inventive effort, are intended to be within the scope of the present application.
It is noted that relational terms such as "first" and "second", and the like, are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
Currently, an attacker is generally identified by: (1) identifying an attacker by page access frequency; (2) identifying by the user's access behavior. These two modes are briefly described below.
In the first scheme, whether a user is an attacker is identified mainly through the user's access frequency to each page of the website. First, the user's access frequency to each page is counted; then a threshold is set according to a normal user's access frequency to a single page; and if the current user's access frequency to a page exceeds the threshold, the website is judged to be accessed maliciously. However, different people seek different information when visiting a website, their habits differ, and so their page access frequencies differ; the first scheme therefore has a high probability of erroneous interception.
In the second scheme, whether the user is an attacker is judged from the user's current access behaviour. The disadvantage is that the determination can only be made while the attacker is already attacking, by which time the attack may have succeeded and caused loss to the website. That is, this approach cannot predict threats and identify attackers in advance.
As can be seen from the above description, it is difficult to accurately identify an attacker by the existing technical solution so as to make a defense measure in advance, thereby making it difficult to achieve the purposes of early defense and accurate defense.
Aiming at the situation, the embodiment of the application provides an attack equipment identification method, an attack equipment identification device, electronic equipment and a readable storage medium, so as to solve the problem that whether a website visitor is an attacker or not is difficult to accurately and early identify in a traditional website defense mode.
Some embodiments of the present application are described in detail below with reference to the accompanying drawings. The following embodiments and features of the embodiments may be combined with each other without conflict.
Referring to fig. 1, fig. 1 is a block diagram of an electronic device 100 according to an embodiment of the application. The electronic device 100 may be, but is not limited to, a computer or a server. The server may be a single server or a cluster server composed of a plurality of servers. The electronic device 100 may include a memory 110, a processor 120, and a communication unit 130. The memory 110, the processor 120, and the communication unit 130 are electrically connected directly or indirectly to each other to realize data transmission or interaction. For example, the components may be electrically connected to each other via one or more communication buses or signal lines.
The memory 110 is used for storing programs or data. The memory 110 may be, but is not limited to, Random Access Memory (RAM), Read Only Memory (ROM), Programmable Read-Only Memory (PROM), Erasable Programmable Read-Only Memory (EPROM), Electrically Erasable Programmable Read-Only Memory (EEPROM), etc.
The processor 120 is used to read/write data or programs stored in the memory 110 and perform corresponding functions. For example, the memory 110 stores therein an attack apparatus identification device 200, and the attack apparatus identification device 200 includes at least one software function module that may be stored in the memory 110 in the form of software or firmware (firmware). The processor 120 executes various functional applications and data processing by running software programs and modules stored in the memory 110, such as the attack device identification apparatus 200 in the embodiment of the present application, that is, implements the attack device identification method in the embodiment of the present application.
The communication unit 130 is configured to establish a communication connection between the electronic device 100 and other communication terminals through a network, and is configured to transmit and receive data through the network.
It should be understood that the structure shown in fig. 1 is merely a schematic diagram of the structure of the electronic device 100, and that the electronic device 100 may further include more or fewer components than those shown in fig. 1, or have a different configuration than that shown in fig. 1. The components shown in fig. 1 may be implemented in hardware, software, or a combination thereof.
Referring to fig. 2, fig. 2 is a flow chart of an attack equipment identification method according to an embodiment of the application. The attack device identification method is applicable to the electronic device 100 described above. Specific flow of the attack device identification method is described in detail below. The method may include steps S110 to S130.
Step S110, under the condition that an access request of the access device to the website is received, a target historical access record of the access device is obtained.
In this embodiment, when the access device needs to access any website, it sends an access request for that website. When the access request is received, the electronic device 100 may obtain the target historical access record of the access device, that is, the historical access record of the website visitor. The target historical access record is a record of website accesses made by the access device before it sent the access request. It comprises at least one target historical access record entry, and each entry may include information such as the accessed website address; the specific information can be set according to actual requirements.
Alternatively, the electronic device 100 may be located between the access device and a website server corresponding to a website to be accessed, and when the access device sends an access request, the electronic device 100 may directly receive the access request of the access device for the website. The electronic device 100 may also be in communication connection with a website server corresponding to a website to be accessed by the access device, where the website server may send the access request to the electronic device 100 first when receiving the access request, so that the electronic device 100 determines whether the access device corresponding to the access request is an attack device, and further determines whether to allow the access. It should be understood, of course, that the above manner in which the electronic device 100 obtains the access request is merely illustrative, and may be obtained by other manners, which are not limited in detail herein.
And step S120, judging whether the access equipment performs attack behaviors or not according to the target historical access record.
Step S130, according to whether the access device performs attack action, whether the access device is an attack device is identified.
Under the condition that the target historical access record is obtained, whether the access equipment performs attack action before sending the access request or not can be analyzed through analyzing the target historical access record, namely whether a website visitor sends attack to a website in the target historical record is analyzed, and whether the access equipment is attack equipment can be further identified based on the analysis result.
Therefore, through evaluation and judgment of the historical access record of the visitor, whether the visitor is an attacker can be identified, and the problem that whether the visitor is the attacker is difficult to accurately and early identify by the traditional website defense means is effectively solved.
Alternatively, as a possible implementation manner, in a case where the access request is received, a history access record of each browser of the access device may be obtained as the target history access record. For example, the access device includes browsers a, b, and c, so that the history access records of each of the browsers a, b, and c can be obtained, and the history access records of the three browsers a, b, and c are used as target history access records of the access device.
As another possible implementation, when the access request is received, the historical access record of the target browser through which the access device sent the access request may be obtained as the target historical access record. For example, if the access device includes browsers a, b and c and the access request received by the electronic device 100 was sent through browser b, the historical access record of browser b is obtained and used as the target historical access record of the access device; that is, the historical access record of the browser used by the visitor for the current access serves as the target historical access record.
The target historical access record may be the historical access record within a preset time period before the access device sent the access request; or the historical access record within a window of preset length that starts at the last access before the access request; or all existing historical access records. It will be appreciated that the foregoing is merely illustrative, and the specific time period covered by the target historical access record may be determined according to actual requirements.
Referring to fig. 3, fig. 3 is a flow chart illustrating the sub-steps included in step S120 in fig. 2. In this embodiment, step S120 may include sub-steps S121 to S123.
And a substep S121, obtaining a history access feature corresponding to each target history access record.
In this embodiment, each target historical access record entry includes access information describing the corresponding historical access. The historical access feature corresponding to each entry is extracted from the information in that entry.
The malicious access library may be generated from malicious access behaviour that has already occurred. It may include at least one malicious access feature extracted from the behaviour information of that malicious access behaviour, and it may also include the malicious access records themselves. Optionally, when the malicious access features contain no time information, the malicious access features in the library may be stored without duplicates.
The information type included in one of the historical access characteristics may be the same as the information type corresponding to the malicious access characteristic in the malicious access library used. For example, if the information type corresponding to the malicious access feature in the malicious access library includes an IP address, the history access feature corresponding to the history access record of the one entry also includes the IP address.
Optionally, each piece of history access record may include a visited website, an IP address used when visiting a website, a feature of a browser used when visiting a website, and the like, and each of the history access feature and the malicious access feature may include at least any one of a visited website address, an IP address used when visiting a website, and a feature of a browser used when visiting a website. Features of the browser used when accessing the website may include version information of the browser, and the like.
Sub-step S122, comparing the obtained historical access characteristic with the malicious access characteristic included in the malicious access library.
In the case of obtaining the history access feature, the obtained history access feature may be compared with malicious access features included in a malicious access library. Optionally, under the condition that each history access feature corresponding to each target history access record is obtained, comparing the obtained history access feature with malicious access features in the malicious access library; and comparing all the obtained historical access characteristics with the malicious access characteristics in the malicious access library under the condition that the historical access characteristics corresponding to all the target historical access records are obtained. The specific execution sequence may be set according to actual requirements, and is not particularly limited herein.
Substep S123, determining that the access device performs an attack action when there is a malicious access feature in the malicious access library that is the same as any of the historical access features.
After comparison, if the malicious access characteristics which are the same as the one or more historical access characteristics exist in the malicious access library, the access equipment can be determined to perform attack behaviors, namely, the access equipment performs malicious access or attack behaviors on websites in the target historical access records.
If none of the malicious access features in the malicious access library is the same as any historical access feature, that is, if the library contains no malicious access feature identical to a historical access feature, it can be determined that the access device has not performed an attack.
Alternatively, in the case where the access device has not performed an attack, it may be determined that the access device is not an attack device. In this case, the present access of the access device may be allowed.
Alternatively, as an optional implementation manner, in a case that the access device performs an attack action, it may be directly determined that the access device is an attack device.
As another alternative embodiment, as shown in fig. 4, the identification may be made based on the number of times the access device has made an attack. Referring to fig. 4, fig. 4 is a flowchart illustrating the sub-steps included in step S130 in fig. 2. In the present embodiment, step S130 may include sub-steps S131 to S132.
Substep S131, obtaining the number of attacks performed by the access device.
When it is determined that the access device has performed attack behaviour, the number of attacks performed by the access device can be obtained from its target historical access record. This attack count represents the number of attack actions the access device has performed, as determined from the target historical access record.
Optionally, the number of historical access features that are identical to malicious access features in the malicious access library may be used as the attack count. For example, if the historical access features of five historical access record entries match malicious access features in the library, the attack count is determined to be 5.
Substep S132, identifying whether the access device is an attack device according to the attack count.
Optionally, as one possible implementation, the attack count is compared with a preset count: if the attack count is greater than the preset count, the access device is determined to be an attack device; if it is not greater than the preset count, the access device is determined not to be an attack device. The preset count is greater than 0 and can be set according to actual requirements.
The preset count may be the preset count corresponding to the target website, i.e. the website targeted by the access request, the one the visitor wants to access this time. In this way the situation of the target website is also taken into account when deciding whether the device is an attack device, so the result better matches the actual conditions of the target website. For example, if the target website is Baidu, which has a very large number of users, the preset count corresponding to Baidu may be set relatively large in order to reduce false positives, while the preset count for a website with few users may be set relatively small.
Alternatively, as another possible implementation, the identification may be performed in the manner shown in fig. 5. Referring to fig. 5, fig. 5 is a flow chart illustrating the sub-steps included in step S132 in fig. 4. In this embodiment, sub-step S132 may include sub-steps S1321 to S1322.
Substep S1321, calculating an attack proportion from the attack count and the total number of accesses in the target historical access record of the access device.
Substep S1322, identifying whether the access device is an attack device according to the attack proportion.
In this embodiment, the total number of accesses may be obtained from the target historical access record of the access device. The ratio of the attack count to the total number of accesses is then calculated as the attack proportion. The attack proportion is then compared with a preset attack proportion threshold: if the attack proportion is greater than the threshold, the access device is determined to be an attack device; if it is not greater than the threshold, the access device is determined not to be an attack device.
The preset attack proportion threshold may be set manually and used for judging regardless of which website the access request targets. Alternatively, the preset attack proportion threshold is the one configured for the target website corresponding to the access request, and different websites may have different thresholds. For example, the threshold for a website with many users may be set larger, and the threshold for a website with few users may be set smaller.
After determining whether the access device is an attack device, different processing manners may be adopted in connection with specific requirements, which are not specifically limited herein. For example, the present access of the access device may be allowed when it is determined that the access device is not an attacking device.
Referring to fig. 6, fig. 6 is a second flowchart of an attack equipment identification method according to an embodiment of the present application. In this embodiment, after step S130, the method may further include step S140.
Step S140, when the access device is an attack device, blocking the access of the access device.
When it is determined that the access device is an attack device through step S130, the current access of the access device may be blocked. For example, the web server corresponding to the access request is made to refuse the current access of the access device. In this way, the impending attack can be blocked in advance.
According to the embodiment of the application, by analyzing the historical access records of the website visitors, whether the visitors attack the websites in the historical access records is accurately judged, under the condition that the visitors have malicious access behaviors to the websites in the historical access records, whether the visitors are attackers is identified by combining specific conditions, and the access behaviors of the visitors to the websites are blocked in advance when the visitors are judged to be the attackers. Therefore, when someone tries to attack the website, the malicious visitor can be predicted in advance, and the purposes of early defense and accurate defense are achieved by blocking the access in advance.
The attack apparatus identification method described above is exemplified below.
A visitor initiates an access to website A. In this case, the historical access record of the browser the visitor used to initiate the access may be obtained. For example, the following 5 history entries are obtained: www.aaa.com, IP address 2, browser feature 1; www.bbb.com, IP address 1, browser feature 1; www.ccc.com, IP address 1, browser feature 1; www.ddd.com, IP address 1, browser feature 1; www.eee.com, IP address 1, browser feature 1.
The malicious access library may comprise website addresses, specific IP addresses and the browser features used during access, where one website address together with one specific IP address corresponds to one malicious access. If the 5 history entries are compared with the data in the malicious access library and it is determined that the visitor attacked 3 of the 5 websites corresponding to the entries, the attack proportion is calculated as 60%.
Assuming the preset attack proportion threshold corresponding to website A is 50%, since the attack proportion of 60% is greater than the threshold of 50%, the visitor is determined to be a malicious visitor, that is, an attacker; the visitor's access to website A can be blocked and the visitor is prohibited from accessing website A. If the visitor is determined not to be an attacker in the above manner, the visitor is allowed to access website A normally.
Therefore, the attacker can be accurately identified in advance, and the access of the attacker is blocked, so that the attack and the loss to the website are avoided.
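The worked example above, and the module configuration and claims 1-4 that restate the same procedure, implemented as an added Python example. This is not code from the patent or from the applicant: the AccessRecord layout, the wildcard matching with None (covering the "at least any one of" feature choice of claim 3), the default_threshold fallback and all sample data are assumptions constructed for the illustration.

```python
"""Attack-proportion check over a visitor's historical access records.

Added illustration of the identification method the description and
claims 1-4 lay out (steps S110-S140). It is not code from the patent or
from the applicant; the record layout, the malicious access library and
the per-website thresholds are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class AccessRecord:
    """One historical access by the visitor's browser (step S110)."""
    website: str           # website address accessed
    ip: str                # IP address used for the access
    browser_feature: str   # feature of the browser used (e.g. a UA fingerprint)


# A malicious access feature: (website, IP, browser feature). A None field is a
# wildcard (assumption), so an entry may match on any one of the three
# features, as claim 3 allows ("at least any one of ...").
MaliciousFeature = Tuple[Optional[str], Optional[str], Optional[str]]

# Constructed malicious access library reproducing the worked example:
# three of the five sites were attacked from IP address 1 with browser feature 1.
MALICIOUS_ACCESS_LIBRARY: Set[MaliciousFeature] = {
    ("www.bbb.com", "IP address 1", "browser feature 1"),
    ("www.ccc.com", "IP address 1", "browser feature 1"),
    ("www.ddd.com", "IP address 1", "browser feature 1"),
}

# Preset attack proportion threshold per target website (claim 4); constructed.
ATTACK_PROPORTION_THRESHOLDS: Dict[str, float] = {
    "website A": 0.50,
    "website B": 0.60,
}

# Constructed sample history: the five records from the worked example.
SAMPLE_HISTORY: List[AccessRecord] = [
    AccessRecord("www.aaa.com", "IP address 2", "browser feature 1"),
    AccessRecord("www.bbb.com", "IP address 1", "browser feature 1"),
    AccessRecord("www.ccc.com", "IP address 1", "browser feature 1"),
    AccessRecord("www.ddd.com", "IP address 1", "browser feature 1"),
    AccessRecord("www.eee.com", "IP address 1", "browser feature 1"),
]


def record_matches(record: AccessRecord, feature: MaliciousFeature) -> bool:
    """True when every non-wildcard field of the malicious feature equals
    the corresponding field of the historical access feature."""
    actual = (record.website, record.ip, record.browser_feature)
    return all(f is None or f == a for f, a in zip(feature, actual))


def attacked_websites(records: Iterable[AccessRecord],
                      library: Set[MaliciousFeature]) -> Set[str]:
    """Step S120: the distinct websites for which some historical record
    matches a malicious access feature (claim 1 counts websites, not records)."""
    return {r.website for r in records
            if any(record_matches(r, f) for f in library)}


def attack_proportion(records: List[AccessRecord],
                      library: Set[MaliciousFeature]) -> float:
    """Attack proportion = attacked websites / total distinct websites accessed."""
    total_sites = {r.website for r in records}
    if not total_sites:
        return 0.0  # no history at all: nothing can be judged malicious
    return len(attacked_websites(records, library)) / len(total_sites)


def is_attack_device(records: List[AccessRecord], library: Set[MaliciousFeature],
                     target_website: str, thresholds: Dict[str, float],
                     default_threshold: float = 0.5) -> bool:
    """Step S130: attack device iff the proportion is strictly greater than the
    target website's preset threshold; 'not larger' (including equal) is benign.
    default_threshold for unknown sites is an assumption, not from the patent."""
    threshold = thresholds.get(target_website, default_threshold)
    return attack_proportion(records, library) > threshold


def handle_access(records: List[AccessRecord], library: Set[MaliciousFeature],
                  target_website: str, thresholds: Dict[str, float]) -> str:
    """Step S140: decision the web server applies to the current request."""
    blocked = is_attack_device(records, library, target_website, thresholds)
    return "block" if blocked else "allow"


if __name__ == "__main__":
    print(attack_proportion(SAMPLE_HISTORY, MALICIOUS_ACCESS_LIBRARY))  # 0.6
    print(handle_access(SAMPLE_HISTORY, MALICIOUS_ACCESS_LIBRARY, "website A",
                        ATTACK_PROPORTION_THRESHOLDS))  # block (0.6 > 0.5)
    print(handle_access(SAMPLE_HISTORY, MALICIOUS_ACCESS_LIBRARY, "website B",
                        ATTACK_PROPORTION_THRESHOLDS))  # allow (0.6 is not larger than 0.6)
```

The boundary case matters for a deployment: with the threshold for website B set to 60%, the same history that blocks website A is allowed at website B, because the claims define an attack device only when the proportion is strictly larger than the threshold. The proportion is computed over distinct websites rather than raw records, following claim 1, so repeated visits to one attacked site do not inflate it.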
In order to perform the corresponding steps in the above embodiments and the various possible implementations, an implementation of an attack device identification apparatus 200 is given below; optionally, the attack device identification apparatus 200 may employ the device structure of the electronic device 100 shown in fig. 1. Further, referring to fig. 7, fig. 7 is a block diagram of an attack device identification apparatus 200 according to an embodiment of the present application. It should be noted that the basic principle and technical effects of the attack device identification apparatus 200 provided in this embodiment are the same as those of the foregoing embodiment; for brevity, reference is made to the corresponding content of the foregoing embodiment. The attack device identification apparatus 200 may include a record obtaining module 210 and a determining module 220.
The record obtaining module 210 is configured to obtain, when an access request of an access device to a website is received, a target historical access record of the access device.
The determining module 220 is configured to determine, according to the target historical access record, whether the access device has performed an attack.
The determining module 220 is further configured to identify whether the access device is an attack device according to whether the access device has performed an attack action.
Optionally, in this embodiment, the determining module 220 is specifically configured to: acquire the historical access feature corresponding to each target historical access record; compare the obtained historical access features with the malicious access features included in a malicious access library; and, where the malicious access library contains a malicious access feature identical to any of the historical access features, determine that the access device has performed an attack.
Optionally, in this embodiment, the historical access feature and the malicious access feature include at least any one of the website address accessed, the IP address used when accessing the website, and a feature of the browser used when accessing the website.
Optionally, in this embodiment, the determining module 220 is specifically configured to: obtain the number of attacks by the access device, where the number of attacks represents the number of attack actions of the access device determined from the target historical access record; and identify whether the access device is an attack device according to the number of attacks.
Optionally, in this embodiment, the determining module 220 is specifically configured to: calculate the attack proportion from the number of attacks and the total number of accesses corresponding to the target historical access record of the access device; and identify whether the access device is an attack device according to the attack proportion.
Optionally, in this embodiment, the determining module 220 is specifically configured to: obtain the preset attack proportion threshold of the target website corresponding to the access request; determine that the access device is an attack device when the attack proportion is greater than the preset attack proportion threshold; and determine that the access device is not an attack device when the attack proportion is not greater than the preset attack proportion threshold.
Optionally, in this embodiment, the record obtaining module 210 is specifically configured to obtain the target historical access record of the target browser used by the access device to send the access request.
Referring to fig. 8, fig. 8 is a second block diagram of an attack device identification apparatus 200 according to an embodiment of the present application. Optionally, in an embodiment, the attack device identification apparatus 200 may further include a processing module 230. The processing module 230 is configured to block the access of the access device when the access device is an attack device.
Alternatively, the above modules may be stored in the memory 110 shown in fig. 1, or built into the operating system (OS) of the electronic device 100 in the form of software or firmware, and may be executed by the processor 120 in fig. 1. The data, program code and the like required to execute the above modules may likewise be stored in the memory 110.
The embodiment of the application also provides a readable storage medium, on which a computer program is stored, which when being executed by a processor, implements the attack equipment identification method.
In summary, in the attack equipment identification method, apparatus, electronic equipment and readable storage medium provided by the embodiments of the present application, when an access request from an access device to a website is received, a target historical access record of the access device is obtained; whether the access device has performed an attack is then determined from the target historical access record, and whether the access device is an attack device is identified according to whether it has performed an attack. By evaluating and judging the visitor's historical access record in this way, whether the visitor is an attacker can be identified, which effectively solves the problem that traditional website defence means find it difficult to identify an attacker accurately and early, and allows the security vendor to put defensive measures in place in advance, achieving the purposes of early and accurate defence.
In the several embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other manners. The apparatus embodiments described above are merely illustrative, for example, of the flowcharts and block diagrams in the figures that illustrate the architecture, functionality, and operation of possible implementations of apparatus, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
In addition, functional modules in the embodiments of the present application may be integrated together to form a single part, or each module may exist alone, or two or more modules may be integrated to form a single part.
The functions, if implemented in the form of software functional modules and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present application may be embodied essentially or in a part contributing to the prior art or in a part of the technical solution, in the form of a software product stored in a storage medium, comprising several instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the method according to the embodiments of the present application. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a random access Memory (RAM, random Access Memory), a magnetic disk, or an optical disk, or other various media capable of storing program codes.
The above description is only of alternative embodiments of the present application and is not intended to limit the present application, and various modifications and variations will be apparent to those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present application should be included in the protection scope of the present application.

Claims (9)

1. An attack equipment identification method, comprising:
under the condition that an access request of access equipment to websites is received, acquiring a target historical access record of the access equipment, wherein the target historical access record comprises records of the access equipment for accessing a plurality of websites before the access request is initiated;
judging whether the access equipment performs attack behaviors or not according to the target historical access record;
identifying whether the access device is an attack device according to whether the access device has performed attack behaviors;
wherein the identifying whether the access device is an attack device according to whether the access device has performed an attack action includes:
obtaining the number of times of attack of the access equipment, wherein the number of times of attack represents the number of websites which are determined according to the target historical access record and are attacked by the access equipment;
according to the attacked times and the total access times corresponding to the target historical access records of the access equipment, calculating to obtain attack proportion, wherein the total access times represent the total number of accessed websites;
under the condition that the attack proportion is larger than a preset attack proportion threshold value, determining the access equipment as attack equipment;
under the condition that the attack proportion is not larger than the preset attack proportion threshold value, determining that the access equipment is not attack equipment.
2. The method of claim 1, wherein the determining whether the access device has performed an attack on the basis of the target historical access record comprises:
acquiring a history access characteristic corresponding to each target history access record;
comparing the obtained historical access characteristics with malicious access characteristics included in a malicious access library;
under the condition that the malicious access characteristics which are the same as any historical access characteristics exist in the malicious access library, determining that the access equipment performs attack behaviors.
3. The method of claim 2, wherein the historical access characteristic and the malicious access characteristic include at least any one of a website address accessed, an IP address used when accessing a website, and a browser characteristic used when accessing a website.
4. The method according to any one of claims 1-3, wherein the preset attack proportion threshold is a preset attack proportion threshold of a target website corresponding to the access request.
5. A method according to any of claims 1-3, wherein said obtaining a target historical access record of the access device comprises:
acquiring a target historical access record of a target browser used when the access device sends the access request.
6. A method according to any one of claims 1-3, characterized in that the method further comprises:
blocking the access of the access device when the access device is an attack device.
7. An attack equipment identification apparatus, comprising:
a record acquisition module, configured to acquire a target historical access record of access equipment under the condition that an access request of the access equipment to websites is received, wherein the target historical access record comprises records of the access equipment for accessing a plurality of websites before the access request is initiated;
the judging module is used for judging whether the access equipment performs attack behaviors or not according to the target historical access record;
the judging module is further used for identifying whether the access device is an attack device according to whether the access device performs attack behaviors;
wherein the judging module is specifically configured to: obtain the number of times of attack of the access equipment, wherein the number of times of attack represents the number of websites which are determined according to the target historical access record and are attacked by the access equipment; calculate the attack proportion according to the attacked times and the total access times corresponding to the target historical access records of the access equipment, wherein the total access times represent the total number of accessed websites; determine the access equipment as attack equipment under the condition that the attack proportion is larger than a preset attack proportion threshold value; and determine that the access equipment is not attack equipment under the condition that the attack proportion is not larger than the preset attack proportion threshold value.
8. An electronic device comprising a processor and a memory, the memory storing machine executable instructions executable by the processor to implement the attack device identification method of any of claims 1-6.
9. A readable storage medium, on which a computer program is stored, characterized in that the computer program, when being executed by a processor, implements the attack device identification method according to any of claims 1-6.
CN202111218791.1A 2021-10-20 2021-10-20 Attack equipment identification method and device, electronic equipment and readable storage medium Active CN113923039B (en)

Publications (2)

Publication Number Publication Date
CN113923039A CN113923039A (en) 2022-01-11
CN113923039B true CN113923039B (en) 2023-11-28

Family

ID=79241564

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant