CN114285639A - Website security protection method and device - Google Patents
- Publication number: CN114285639A (application CN202111597233.0A)
- Authority: CN (China)
- Legal status: Granted (as listed by Google Patents; the listed status is an assumption, not a legal conclusion)
Abstract
The embodiments of this application relate to a website security protection method and device. From the access request data of a website, at least one target IP address that sent access requests is determined, together with the URL information and error state information of the access requests sent by that target IP address; a danger level evaluation is then performed on the target IP address according to that URL information and error state information, giving danger level information for the target IP address; and security protection response processing is applied to the target IP address according to its danger level information. In this way, complex algorithms or models with a large computational cost can be avoided, dependence on third-party services and human intervention is reduced as far as possible, detection speed is increased and resource load is reduced.
Description
Technical Field
The application relates to the technical field of network security, in particular to a website security protection method and device.
Background
Web attack and defence is a standing problem in website security. As the attack tooling of the criminal underground has matured, it can now replace manual work and complete automated vulnerability detection and attacks using prefabricated rules and logic. Before launching an attack, attackers typically use a variety of scanning tools to find high-risk services and private data that a website system exposes externally, then use the vulnerability information found to mount a targeted attack on the website, or cause a data breach by publishing the private data, posing a serious threat to website security.
To deal with these security problems, many websites use WAF (Web Application Firewall) products, a firewall for the web tier. In the prior art, a WAF product usually computes a sitemap on a big data platform and generates a URL whitelist, then filters requests using whitelist rules. This approach depends heavily on historical data, and the whitelist cannot be updated effectively when website resources change, so maintainability is low. At the same time, the dependence on many open source components may expose ports or files that create additional attack surface, and it places high demands on the computing resources of the deployment platform.
Disclosure of Invention
In view of this, one of the technical problems solved by the embodiments of the present invention is to provide a website security protection method and apparatus that overcome the high deployment and maintenance cost of network security protection services and their strong dependence on historical big data in the prior art.
A first aspect of an embodiment of the present application discloses a website security protection method, including:
determining, according to the access request data of a website, at least one target IP address that sent access requests, together with URL information and error state information corresponding to the access requests sent by the target IP address, wherein the URL information at least identifies the target URL that the access request asked for, and the error state information at least identifies whether the state of the access request is an error;
performing a danger level evaluation on the target IP address according to the URL information and error state information corresponding to the access requests sent by the target IP address, to obtain danger level information corresponding to the target IP address;
and performing security protection response processing on the target IP address according to the danger level information corresponding to the target IP address.
A second aspect of the embodiments of the present application discloses a website security protection device, including:
a preprocessing module, configured to determine, according to the access request data of a website, at least one target IP address that sent access requests, together with URL information and error state information corresponding to the access requests sent by the target IP address, wherein the URL information at least identifies the target URL that the access request asked for, and the error state information at least identifies whether the state of the access request is an error;
a danger level evaluation module, configured to perform a danger level evaluation on the target IP address according to the URL information and error state information corresponding to the access requests sent by the target IP address, to obtain danger level information corresponding to the target IP address;
and a response module, configured to perform security protection response processing on the target IP address according to the danger level information corresponding to the target IP address.
A third aspect of the embodiments of the present application discloses a computer-readable storage medium storing a computer program that, when executed, performs some or all of the steps of the foregoing website security protection method.
Compared with the prior art, the method and device of the embodiments determine, according to the access request data of a website, at least one target IP address that sent access requests, together with the URL information and error state information corresponding to those access requests; perform a danger level evaluation on the target IP address according to that URL information and error state information, obtaining danger level information for the target IP address; and perform security protection response processing on the target IP address according to its danger level information. This avoids complex algorithms or models with a large computational cost, reduces dependence on third-party services and human intervention as far as possible, keeps protection compatible when website resources change and directories are reorganised, and at the same time increases detection speed and reduces resource load.
Drawings
To illustrate the technical solutions in the embodiments of the present application more clearly, the drawings needed for the embodiments are briefly described below. The drawings described below show only some embodiments of the present application; a person skilled in the art can derive other drawings from them without creative effort.
Fig. 1 is a schematic flowchart illustrating a website security protection method according to an embodiment of the present application;
fig. 2 is a flowchart illustrating a website security protection method according to a second embodiment of the present application;
fig. 3 is a block diagram schematically illustrating a structure of a website security device according to a third embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application are described clearly and completely below with reference to the drawings. The described embodiments are only some, not all, of the embodiments of the present application. All other embodiments that a person skilled in the art can derive from these embodiments without creative effort fall within the protection scope of the present application.
It should be noted that the terms "first", "second", "third" and "fourth", etc. in the description and claims of the present application are used for distinguishing different objects, and are not used for describing a specific order. The terms "comprises," "comprising," and "having," and any variations thereof, of the embodiments of the present application, are intended to cover a non-exclusive inclusion, such that a process, method, apparatus, product, or device that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, product, or device.
Example one
As shown in fig. 1, fig. 1 is a schematic flowchart of a website security protection method disclosed in an embodiment of the present application, where the website security protection method includes:
Step S101: according to the access request data of the website, determine at least one target IP address that sent access requests, together with the URL information and error state information corresponding to the access requests sent by the target IP address, wherein the URL information at least identifies the target URL that the access request asked for, and the error state information at least identifies whether the state of the access request is an error.
In this embodiment, the execution subject that performs the method may be a separate server communicatively connected to the web server or the firewall device, or it may be the web server itself; this embodiment does not limit it.
Optionally, the execution subject preferably runs in an out-of-band (bypass) deployment, isolated from the website's business system, so that it cannot have unpredictable effects on normal website service. Through configuration it can be linked with the WAFs of different vendors, which then provide the enforcement capability.
In this embodiment, the access request data may be obtained, for example, by directly collecting the log files of the firewall or the web server, or by having another third-party component collect the logs.
Optionally, when the access request data is obtained by collecting the log file of the firewall or web server, step S101 may further include: monitoring the log file and, when it is determined to have been updated, reading it and taking the newly appended part as the access request data.
Optionally, when the access request data is obtained via log collection by another third-party component, step S101 may further include: receiving the website's access request data over an HTTP request or a Kafka message queue.
In this embodiment, the access request data of the website at least identifies access requests to the website; the time at which an access request was received or sent is not restricted. For example, the access request data may identify all access requests received since the website went into operation; it may identify all access requests received within a preset time period; or it may identify only a subset of the access requests received in a preset time period, selected randomly or according to a configured selection rule.
In this embodiment, the target IP addresses may be all IP addresses that, according to the access request data, sent access requests, or only those that satisfy a predetermined IP address selection condition; this is not limited here.
In this embodiment, the target URL may be obtained by parsing the website's access requests. A URL (Uniform Resource Locator) is a compact representation of the location of a resource on the Internet and of the method for accessing it; it is globally unique and is commonly called a web address.
In this embodiment, when the access request is an HTTP request, the IP address, URL and status code corresponding to the request can be determined by parsing its key fields, and whether the state of the request is an error can then be determined from the status code.
Step S102: perform a danger level evaluation on the target IP address according to the URL information and error state information corresponding to the access requests sent by the target IP address, to obtain danger level information corresponding to the target IP address.
In this embodiment, the risk level evaluation method for the target IP address is not limited; one or more evaluation models may be used, individually or in combination. For example, two evaluation models may each evaluate the risk level of the target IP address from the URL information and error state information of all its access requests, and their results may then be combined into the risk level information for the target IP address; or a single evaluation model may evaluate the risk level from that URL information and error state information directly.
In this embodiment, since a URL consists of three parts, namely a resource type identifier, the host name where the resource is stored, and the resource file name, when the resource type identified in the URL information of an access request is an uncommon one, such as resources related to service or file configuration or resources generated by routine server operation, or when the host name and/or the resource file name contains a suspicious keyword, the access request is likely to be an abnormal request, and the risk level of the target IP address that sent it should be evaluated relatively high so that protection can focus on it. The danger level of the target IP address can therefore be evaluated from the URL information of the access requests it sent.
In this embodiment, when the state of an access request is an error, the website has no corresponding resource and the request is likely to be abnormal, for example a scan request launched by an attacker against the target website. The risk level of the target IP address can therefore be evaluated from the error state information of all the access requests it sent.
Step S103: perform security protection response processing on the target IP address according to the danger level information corresponding to the target IP address.
In this embodiment, different security response processing may be applied to target IP addresses evaluated at different risk levels. The specific response policy can be set flexibly according to requirements, hardware conditions, the website's access characteristics and other conditions of the actual deployment, and is not limited here.
As can be seen from the above, in the embodiments of the present invention at least one target IP address that sent access requests, together with the URL information and error state information of those access requests, is determined from the website's access request data; the target IP address is given a danger level evaluation according to that URL information and error state information, yielding its danger level information; and security protection response processing is applied to the target IP address according to that danger level information. This avoids complex algorithms or models with a large computational cost, reduces dependence on third-party services and human intervention as far as possible, keeps protection compatible when website resources change and directories are reorganised, and at the same time increases detection speed and reduces resource load.
Example two
As shown in fig. 2, fig. 2 is a schematic flowchart of a website security protection method disclosed in the second embodiment of the present application, where the website security protection method includes:
Step S201: according to the access request data of the website, determine at least one target IP address that sent access requests, together with the URL information and error state information corresponding to the access requests sent by the target IP address, wherein the URL information includes resource suffix sub-information and keyword sub-information.
In this embodiment, the execution subject, its deployment, the way the website's access request data is obtained and the other contents are substantially the same as or similar to those of step S101 in the first embodiment and are not repeated here.
In this embodiment, the URL information at least identifies the target URL that the access request asked for; the error state information at least identifies whether the state of the access request is an error; the resource suffix sub-information identifies the resource type corresponding to the target URL; and the keyword sub-information identifies the domain name path of the target URL.
As mentioned above, a URL consists of three parts, namely a resource type identifier, the host name where the resource is stored, and the resource file name. When the resource type identified in the URL information of an access request is an uncommon one, such as resources related to service or file configuration or resources generated by routine server operation, or when the host name and/or the resource file name contains a suspicious keyword, the access request is likely to be abnormal. Therefore the resource suffix sub-information and keyword sub-information of the access requests sent by the target IP address can be obtained by parsing the access request data.
Optionally, the access request may be parsed according to the rules and characteristics by which the target URL identifies the resource type, the host name where the resource is stored and the resource file name, to obtain the resource suffix sub-information and keyword sub-information. Specifically, step S201 may include at least one of sub-step S201a and sub-step S201b:
Sub-step S201a: perform word segmentation on the target URL and extract the path keywords that identify the domain name path, to obtain the keyword sub-information.
Sub-step S201b: obtain the resource suffix sub-information from the suffix characters in the target URL that identify the resource type.
The resource suffix sub-information may be obtained from the resource suffix in the target URL, i.e. the characters after the last '.' in the file name. If the target URL contains no suffix characters identifying a resource type, the resource suffix sub-information may be recorded as null.
Alternatively, since the target URL may be a long string many of whose characters do not identify the resource type or path, the target URL may first be stripped of its parameters before sub-step S201a and/or sub-step S201b, to improve the accuracy of the extracted resource suffix sub-information and keyword sub-information: the part after the '#' symbol and the part after the '?' symbol are removed.
Optionally, the target URL may be segmented according to the naming conventions common in website domain names and paths. For example, since a domain name contains no spaces, the string identifying it may separate words with special separators such as '.', '-', '|' or '@', or may use camel case (each word begins with a capital letter and the remaining letters are lowercase). Sub-step S201a may therefore further include: segmenting the target URL on the special separators and/or on capital letters, and extracting the path keywords that identify the domain name path to obtain the keyword sub-information.
In this embodiment, an access request whose status code is in the 40x range (a 4xx client error) can be determined to be in the error state. For example, when the status code of an HTTP request is one of 400, 404 or 408, the state of the request is determined to be an error.
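As an added illustration of step S101/S201 and sub-steps S201a/S201b (not code from the patent), the following Python parses constructed web-server log lines in the common NCSA combined format, flags 4xx responses as error-state requests, strips the fragment and query parts of each URL, and splits the remaining path into a resource suffix and path keywords on the separators and camel-case boundaries described above. The log format, the sample lines and the function names are assumptions made for the example; the patent does not fix any of them.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample lines (NCSA combined-style access log), not taken from the patent.
# Browsers never send the '#fragment' part, but the last line carries one to exercise the rule.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2022:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 5120
203.0.113.7 - - [10/Jan/2022:10:00:02 +0000] "GET /.git/config HTTP/1.1" 404 153
203.0.113.7 - - [10/Jan/2022:10:00:03 +0000] "GET /admin/phpMyAdmin/index.php?lang=en HTTP/1.1" 404 153
203.0.113.7 - - [10/Jan/2022:10:00:04 +0000] "GET /wp-login.php HTTP/1.1" 404 153
198.51.100.5 - - [10/Jan/2022:10:00:05 +0000] "GET /static/js/userProfile.min.js?v=3#top HTTP/1.1" 200 9001
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
SEPARATORS = re.compile(r"[./\-_|@]+")                  # word separators named in the patent
CAMEL_BOUNDARY = re.compile(r"(?<=[a-z0-9])(?=[A-Z])")  # userProfile -> user | Profile


def is_error_status(status: int) -> bool:
    """Error state per the patent: a 4xx client error code (400, 404, 408, ...).
    5xx is a server-side failure, not 'no such resource', so it is not counted."""
    return 400 <= status < 500


def strip_parameters(url: str) -> str:
    """Drop everything after '#' and after '?', keeping only the path. Works for
    absolute URLs too, where urlsplit also discards scheme and host."""
    return unquote(urlsplit(url).path)


def resource_suffix(path: str) -> str:
    """Characters after the last '.' of the final path segment, lower-cased; '' (the
    patent's null) when that segment has no dot, e.g. '/admin/' or '/api/items'."""
    last = path.rsplit("/", 1)[-1]
    return last.rsplit(".", 1)[1].lower() if "." in last else ""


def path_keywords(path: str) -> list:
    """Split the path on separators and camel-case boundaries into lower-cased words."""
    words = []
    for token in SEPARATORS.split(path):
        for word in CAMEL_BOUNDARY.split(token):
            if word:
                words.append(word.lower())
    return words


def extract_url_info(url: str) -> dict:
    """Sub-steps S201a/S201b: keyword sub-information and resource suffix sub-information."""
    path = strip_parameters(url)
    return {"path": path, "suffix": resource_suffix(path), "keywords": path_keywords(path)}


def parse_access_log(text: str) -> list:
    """Step S101/S201: one record per log line with IP, URL, status code and error flag,
    plus the URL sub-information. Lines that do not match the format are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        status = int(m.group("status"))
        rec = {"ip": m.group("ip"), "time": m.group("time"), "url": m.group("url"),
               "status": status, "error": is_error_status(status)}
        rec.update(extract_url_info(rec["url"]))
        records.append(rec)
    return records


if __name__ == "__main__":
    for r in parse_access_log(SAMPLE_LOG):
        print(r["ip"], r["status"], "ERR" if r["error"] else "ok ", r["suffix"] or "-", r["keywords"])
```

Note that a dotfile such as `/.htaccess` yields the suffix `htaccess` under the patent's literal "characters after the '.'" rule, which is convenient here because such names are exactly the uncommon resource types the evaluation model is meant to score highly.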
In this embodiment, since several parameter values may be used in the risk level evaluation of the subsequent step, after the access request data has been parsed in this step the parsed results may also be aggregated, as preprocessing for the subsequent step, to improve its processing efficiency.
Optionally, step S201 may further include: parsing and aggregating the access request data within a preset time period using a sliding window algorithm, to obtain the URL information and error state information corresponding to the access requests sent by the target IP address.
The sliding window algorithm operates on a slice of the data of a fixed size (a window over the request stream) rather than on the whole data set, which reduces processing complexity; the duration of each window can be set flexibly according to requirements or data characteristics and is not limited here. Compared with a fixed window algorithm, the sliding window algorithm avoids missing the data that falls across the boundary between two consecutive fixed windows, so the counting accuracy is improved.
Optionally, when the parsed access request data is aggregated over a preset time period, the indicators counted for each target IP address may include: the number of access requests sent; the number of access requests in the error state; the number of access requests for each status code indicating a different type of error; the number of distinct target URLs among all error-state access requests; the list of path keywords of all error-state access requests; the list of suffix characters of all error-state access requests; the list of path keywords of all non-error access requests; and the list of suffix characters of all non-error access requests.
Step S202: perform a danger level evaluation on the target IP address using a preset access resource anomaly score evaluation model, according to the resource suffix sub-information and keyword sub-information of all error-state access requests, to obtain the danger level information corresponding to the target IP address.
In this embodiment, considering that an attacker generally sends many access requests in a short time, only IP addresses that sent a large number of access requests may be taken as target IP addresses, to reduce misjudgement of normal requests and the amount of data to process. That is: the number of access requests sent by a target IP address is greater than a preset minimum number.
The preset minimum number is not limited in this embodiment and can be set flexibly according to the requirements and characteristics of the actual deployment.
In this embodiment, to reduce resource usage, the access resource anomaly score evaluation model may be stored in a lightweight database.
Alternatively, the access resource anomaly score evaluation model may be stored in a local SQLite file database. SQLite has a very small resource footprint and can run on an embedded device with only a few hundred kilobytes of memory.
In this embodiment, to evaluate the risk level of the target IP address as simply as possible, the risk level information may be determined by computing a score; that is, step S202 may further include:
Step A1: using the access resource anomaly score evaluation model, calculate a first anomaly sub-score and a second anomaly sub-score from the resource suffix sub-information and the keyword sub-information, respectively, of all error-state access requests.
The access resource anomaly score evaluation model can hold preset scores for the different kinds of suffix characters and path keywords, so in this step the first and second anomaly sub-scores can be calculated from the resource suffix sub-information and keyword sub-information of all error-state access requests together with the number of such requests.
Alternatively, to keep the scores within a bounded interval and prevent large score differences from degrading the accuracy of the risk level evaluation, the first and second anomaly sub-scores may preferably be calculated by the following formulas:
In the above formulas, at least all error-state access requests must be taken into account; that is, the first and second anomaly sub-scores are computed from the scores and counts of every kind of suffix character and path keyword contained in those requests.
Step A2: calculate the access resource anomaly score from the first and second anomaly sub-scores.
The formula for obtaining the access resource anomaly score from the first and second anomaly sub-scores is not limited and can be set flexibly in practice. For example, for simplicity, the sum of the first and second anomaly sub-scores may be used as the access resource anomaly score.
Step A3: evaluate the danger level of the target IP address according to the access resource anomaly score.
A correspondence between danger levels and intervals of the access resource anomaly score can be preset, so that once the access resource anomaly score is obtained the danger level of the target IP address can be read off from it.
For example, when the access resource anomaly score is less than or equal to 3, the target IP address is evaluated as low-risk; when it is greater than 3 and less than or equal to 5, medium-risk; and when it is greater than 5, high-risk.
In this embodiment, the risk level of the target IP address may be evaluated from both the access resource anomaly score and the error access anomaly score, to obtain its risk level information. That is, to improve the accuracy of the risk level evaluation, step S202 may further include:
Sub-step S202a: obtain, from the error state information of all access requests sent by the target IP address, proportion information for the error-state access requests; and obtain, from the URL information and error state information of those access requests, error URL count information for the error-state access requests.
Sub-step S202b: evaluate the danger level of the target IP address according to the proportion information and the error URL count information, to obtain the danger level information corresponding to the target IP address.
The proportion information identifies the proportion of error-state access requests among all access requests sent by the target IP address; the error URL count information identifies the number of distinct target URLs of all error-state access requests.
Optionally, sub-step S202b may further include:
Step B1: calculating a third anomaly sub-score and a fourth anomaly sub-score from the proportion information and the error URL number information respectively.
Optionally, in order to keep the scores within a bounded interval and avoid a large gap between the two sub-scores degrading the accuracy of the risk level evaluation, the third and fourth anomaly sub-scores may be calculated as follows:
third anomaly sub-score = MIN(proportion of error-state access requests among all access requests / first preset rule threshold, 5);
fourth anomaly sub-score = MIN(number of target URLs of all error-state access requests / second preset rule threshold, 5).
Step B2: calculating the error access anomaly score from the third anomaly sub-score and the fourth anomaly sub-score.
Optionally, in order to take both sub-scores into account and avoid an abnormal value in either one of them distorting the risk level evaluation, the error access anomaly score may be calculated as follows:
error access anomaly score = third anomaly sub-score × fourth anomaly sub-score + third anomaly sub-score + fourth anomaly sub-score.
Step B3: performing risk level evaluation on the target IP address according to the error access anomaly score.
The correspondence between risk levels and error access anomaly score intervals can be preset, so that once the error access anomaly score is obtained, the risk level corresponding to the target IP address can be determined from it.
For example, when the error access anomaly score is less than or equal to 1, the target IP address is evaluated as "low-risk"; when it is greater than 1 and less than or equal to 3, the target IP address is evaluated as "medium-risk"; and when it is greater than 3, the target IP address is evaluated as "high-risk".
In this embodiment, the risk level evaluation may be performed on the target IP address according to both the error access anomaly score and the access resource anomaly score, so as to obtain the risk level information corresponding to the target IP address.
For example, with the two evaluations described above: when either evaluation rates the target IP address as "high-risk", or both rate it as "medium-risk", the final risk level evaluation result of the target IP address is "high-risk"; when both rate it as "low-risk", the final result is "low-risk"; in all other cases the final result is "medium-risk".
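The scoring pipeline of sub-steps S202a/S202b (steps B1 to B3) and the rule that combines the two risk levels, as an added worked example in Python; this is not code from the patent or its applicant. It treats HTTP status codes of 400 and above as the "error" state, counts distinct target URLs among the error-state requests, reads the page's combination formula as product plus sum, and uses illustrative values for the two preset rule thresholds, the minimum request count and the sliding window length, none of which the page specifies. The access resource anomaly score of the suffix/keyword model is supplied as an input per IP rather than recomputed, and the log lines are constructed.

```python
"""Error-access anomaly scoring per client IP (added example; not the patent's own code)."""
from collections import defaultdict
from typing import Dict, List, Tuple

# Illustrative constants: the page leaves the two "preset rule thresholds", the minimum
# request count and the window length unspecified, so these values are assumptions.
RATIO_THRESHOLD = 0.25  # first preset rule threshold: error proportion worth one point
URL_THRESHOLD = 8       # second preset rule threshold: distinct error URLs worth one point
SUB_SCORE_CAP = 5       # the MIN(..., 5) clamp from the page
MIN_REQUESTS = 3        # an IP is a "target IP" only if it sent more requests than this

Record = Tuple[float, str, str, int]  # (timestamp, client_ip, target_url, http_status)

# Constructed sample log (not real traffic). 203.0.113.7 probes for files that do
# not exist, 198.51.100.2 is an ordinary visitor with one stale link, and
# 192.0.2.9 sends too few requests to be evaluated at all.
SAMPLE_LOG: List[Record] = [
    (1000.0, "203.0.113.7", "/index.html", 200),
    (1001.0, "203.0.113.7", "/admin.php", 404),
    (1002.0, "203.0.113.7", "/phpmyadmin/index.php", 404),
    (1003.0, "203.0.113.7", "/.env", 403),
    (1004.0, "203.0.113.7", "/wp-login.php", 404),
    (1005.0, "203.0.113.7", "/backup.zip", 404),
    (1006.0, "203.0.113.7", "/config.bak", 404),
    (1007.0, "203.0.113.7", "/admin.php", 404),       # repeated URL: counted once
    (1000.5, "198.51.100.2", "/index.html", 200),
    (1001.5, "198.51.100.2", "/about.html", 200),
    (1002.5, "198.51.100.2", "/css/site.css", 200),
    (1003.5, "198.51.100.2", "/js/app.js", 200),
    (1004.5, "198.51.100.2", "/img/logo.png", 200),
    (1005.5, "198.51.100.2", "/old-page.html", 404),  # one stale link
    (1006.5, "198.51.100.2", "/contact.html", 200),
    (1007.5, "198.51.100.2", "/index.html", 200),
    (1003.7, "192.0.2.9", "/index.html", 200),
    (1004.7, "192.0.2.9", "/missing.html", 404),
    (100.0, "203.0.113.7", "/very-old.php", 404),      # outside the window: ignored
]


def is_error(status: int) -> bool:
    """Assumption: the page only says a request's state is 'error' or not; 4xx/5xx is used here."""
    return status >= 400


def requests_in_window(log: List[Record], window_end: float, window_size: float) -> List[Record]:
    """Sliding window (claim 9): keep records with window_end - window_size < timestamp <= window_end."""
    return [r for r in log if window_end - window_size < r[0] <= window_end]


def group_by_ip(records: List[Record]) -> Dict[str, List[Record]]:
    groups: Dict[str, List[Record]] = defaultdict(list)
    for rec in records:
        groups[rec[1]].append(rec)
    return groups


def error_access_sub_scores(records: List[Record]) -> Tuple[float, float]:
    """Step B1: third sub-score from the error proportion, fourth from the number of
    distinct (our reading) target URLs among the error-state requests; both clamped at 5."""
    error_count = sum(1 for rec in records if is_error(rec[3]))
    error_urls = {rec[2] for rec in records if is_error(rec[3])}
    proportion = error_count / len(records)
    third = min(proportion / RATIO_THRESHOLD, SUB_SCORE_CAP)
    fourth = min(len(error_urls) / URL_THRESHOLD, SUB_SCORE_CAP)
    return third, fourth


def error_access_score(third: float, fourth: float) -> float:
    """Step B2: product plus sum, i.e. (third + 1) * (fourth + 1) - 1, so that a zero in
    one sub-score leaves the other sub-score's contribution intact."""
    return third * fourth + third + fourth


def level_from_error_access_score(score: float) -> str:
    """Step B3 intervals: <=1 low, (1, 3] medium, >3 high."""
    return "low" if score <= 1 else "medium" if score <= 3 else "high"


def level_from_access_resource_score(score: float) -> str:
    """Intervals of the access-resource model: <=3 low, (3, 5] medium, >5 high."""
    return "low" if score <= 3 else "medium" if score <= 5 else "high"


def combine_levels(level_a: str, level_b: str) -> str:
    """Final rule: any 'high' or two 'medium' -> high; two 'low' -> low; otherwise medium."""
    if "high" in (level_a, level_b) or level_a == level_b == "medium":
        return "high"
    if level_a == level_b == "low":
        return "low"
    return "medium"


def evaluate(log: List[Record], window_end: float, window_size: float,
             access_resource_scores: Dict[str, float]) -> Dict[str, Tuple[float, str]]:
    """Return {ip: (error access anomaly score, final risk level)} for each target IP.
    The access-resource anomaly score comes from the suffix/keyword model described
    earlier on the page; here it is passed in per IP (0.0 when unknown) rather than recomputed."""
    results: Dict[str, Tuple[float, str]] = {}
    for ip, records in group_by_ip(requests_in_window(log, window_end, window_size)).items():
        if len(records) <= MIN_REQUESTS:
            continue  # not a target IP: too few requests to judge
        score = error_access_score(*error_access_sub_scores(records))
        level_a = level_from_error_access_score(score)
        level_b = level_from_access_resource_score(access_resource_scores.get(ip, 0.0))
        results[ip] = (score, combine_levels(level_a, level_b))
    return results


if __name__ == "__main__":
    for ip, (score, level) in evaluate(SAMPLE_LOG, 1008.0, 10.0, {"203.0.113.7": 4.0}).items():
        print(f"{ip:<14} error access anomaly score={score:.4f} final level={level}")
```

On the constructed data the scanning client reaches 7 of 8 error-state requests over 6 distinct URLs, which saturates the proportion sub-score (3.5 of a possible 5) and yields an error access anomaly score of 6.875, "high-risk" on its own; the ordinary visitor's single stale link scores 0.6875, "low-risk". Note that the clamp at 5 matters: without it a client sending nothing but errors would dominate the combined score regardless of how many URLs it touched.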
In this embodiment, in order to further improve the accuracy of the risk level evaluation, step S202 may further include:
performing IP reputation score evaluation on the target IP address according to a preset IP reputation management model, so as to obtain the risk level information corresponding to the target IP address.
Optionally, to reduce resource usage, the IP reputation management model may also be stored in a lightweight database, such as a local SQLite file database.
Step S203: performing security protection response processing on the target IP address according to the risk level information corresponding to the target IP address.
In this embodiment, the security protection response processing for the target IP address may include at least one of the following sub-steps:
Sub-step S203a: when the risk level corresponding to the target IP address is evaluated as "low-risk", further notifying the firewall to perform human-machine identification verification on the target IP address (a challenge that distinguishes a person at a browser from an automated client).
Sub-step S203b: when the risk level corresponding to the target IP address is evaluated as "medium-risk", further notifying the firewall to block the target IP address for a preset short time threshold, and to perform human-machine identification verification once the blocking period has ended.
Sub-step S203c: when the risk level corresponding to the target IP address is evaluated as "high-risk", further notifying the firewall to block the target IP address for a preset longer time threshold.
Sub-step S203d: when the risk level corresponding to the target IP address is evaluated as "no risk", the target IP address may be left unprotected, or the firewall may be notified to randomly select a preset proportion or number of such target IP addresses for human-machine identification verification.
In this embodiment, in order to further improve the accuracy of the risk level evaluation when subsequently obtained access request data are processed, the method may further include, after step S202: updating the access resource anomaly score evaluation model according to the risk level information corresponding to the target IP address.
Optionally, when the risk level of the target IP address is evaluated as other than low risk, the access resource anomaly score evaluation model may be updated according to the suffix characters and the path keywords of all access requests whose state is error.
For example, when a suffix character and/or a path keyword of an error-state access request is not yet included in the access resource anomaly score evaluation model, a corresponding suffix base score and/or path keyword base score may be added to the model.
Optionally, the reputation score evaluation rule corresponding to the target IP address may be updated in the IP reputation management model according to the risk level information corresponding to the target IP address, so that a subsequent IP reputation score evaluation of the same target IP address with the model gives a more reliable result.
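The model update described above, which adds a base score for a suffix or path keyword the model has not seen when the IP was rated above low risk, together with the suffix and keyword extraction the device embodiment below describes, as an added Python example that is not the patent's own code. The two-table layout, the base score of 1.0 given to a new entry, the tokenisation rules (split the directory path and file stem on non-alphanumeric characters) and the use of an in-memory database in place of the local file are assumptions; the seed entries and error URLs are constructed.

```python
"""Updating the access-resource anomaly score model in SQLite (added example; not the patent's own code)."""
import re
import sqlite3
from typing import Dict, List, Tuple

# Assumed layout: one base score per resource suffix and one per path keyword. The page
# only says that the model holds these base scores and lives in a local SQLite file.
SCHEMA = """
CREATE TABLE IF NOT EXISTS suffix_score  (suffix  TEXT PRIMARY KEY, base_score REAL NOT NULL);
CREATE TABLE IF NOT EXISTS keyword_score (keyword TEXT PRIMARY KEY, base_score REAL NOT NULL);
"""
NEW_ENTRY_BASE_SCORE = 1.0  # assumption: score given to a suffix/keyword seen for the first time

# Constructed error-state URLs from one scanning client (not real traffic).
SCANNER_ERROR_URLS = ["/admin.php", "/phpmyadmin/index.php", "/.env",
                      "/wp-login.php", "/backup.zip", "/config.bak"]


def _path_only(url: str) -> str:
    """Drop query string and fragment; only the path carries suffix and keywords."""
    return url.split("?", 1)[0].split("#", 1)[0]


def resource_suffix(url: str) -> str:
    """Resource suffix sub-information: extension of the last path segment, lower-cased ('' if none)."""
    last = _path_only(url).rsplit("/", 1)[-1]
    return last.rsplit(".", 1)[1].lower() if "." in last else ""


def path_keywords(url: str) -> List[str]:
    """Keyword sub-information: word-segment the directory path and file stem into lower-case tokens."""
    head, _, last = _path_only(url).rpartition("/")
    stem = last.rsplit(".", 1)[0] if "." in last else last
    return [tok.lower() for tok in re.split(r"[^A-Za-z0-9]+", head + "/" + stem) if tok]


def open_model(path: str = ":memory:") -> sqlite3.Connection:
    """Open (or create) the model database; pass a file path to use a local SQLite file as the page does."""
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    return conn


def seed_model(conn: sqlite3.Connection, suffixes: Dict[str, float], keywords: Dict[str, float]) -> None:
    """Load the initial base scores (constructed here; the page does not give any)."""
    conn.executemany("INSERT OR REPLACE INTO suffix_score VALUES (?, ?)", suffixes.items())
    conn.executemany("INSERT OR REPLACE INTO keyword_score VALUES (?, ?)", keywords.items())
    conn.commit()


def update_model(conn: sqlite3.Connection, risk_level: str, error_urls: List[str]) -> Tuple[int, int]:
    """Post-S202 update: when the IP was not rated low risk, add a base score for every
    suffix and path keyword of its error-state requests that the model does not know yet.
    Existing entries are left untouched. Returns (suffixes added, keywords added)."""
    if risk_level == "low":
        return 0, 0
    cur = conn.cursor()
    added_suffixes = added_keywords = 0
    for url in error_urls:
        suffix = resource_suffix(url)
        if suffix:
            cur.execute("INSERT OR IGNORE INTO suffix_score VALUES (?, ?)", (suffix, NEW_ENTRY_BASE_SCORE))
            added_suffixes += cur.rowcount  # 0 when the suffix was already present
        for keyword in path_keywords(url):
            cur.execute("INSERT OR IGNORE INTO keyword_score VALUES (?, ?)", (keyword, NEW_ENTRY_BASE_SCORE))
            added_keywords += cur.rowcount
    conn.commit()
    return added_suffixes, added_keywords


def model_contents(conn: sqlite3.Connection) -> Tuple[Dict[str, float], Dict[str, float]]:
    """Read back both tables as dicts (useful for inspection and tests)."""
    suffixes = dict(conn.execute("SELECT suffix, base_score FROM suffix_score"))
    keywords = dict(conn.execute("SELECT keyword, base_score FROM keyword_score"))
    return suffixes, keywords


if __name__ == "__main__":
    db = open_model()
    seed_model(db, {"php": 2.0}, {"admin": 2.0})
    print(update_model(db, "high", SCANNER_ERROR_URLS))
    print(model_contents(db))
```

The `INSERT OR IGNORE` form is what makes the update idempotent: re-processing the same client in a later window adds nothing, and a base score an operator has tuned by hand (the seeded `php` and `admin` entries) is never overwritten by the default. Because the update is only applied for IPs already rated above low risk, a single 404 from a legitimate visitor cannot teach the model a new keyword.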
As can be seen from the above embodiments, performing risk level evaluation on the target IP address with the preset access resource anomaly score evaluation model, according to the resource suffix sub-information and keyword sub-information of all error-state access requests, reduces service deployment and maintenance costs because it does not depend on processing large volumes of historical data, while preserving protection capability as far as possible. Analysing and counting the access request data of a preset time period with a sliding window algorithm avoids the problem of a fixed window algorithm, in which related requests that straddle the boundary between two windows are missed, so the statistics are more accurate and the processing is simpler. Determining only IP addresses that sent more than the preset minimum number of access requests as target IP addresses reduces misjudgement of normal access requests and the amount of data to process. Storing the access resource anomaly score evaluation model in a lightweight database reduces resource usage. Updating the access resource anomaly score evaluation model according to the risk level information corresponding to the target IP address further improves the accuracy of risk level evaluation when subsequently obtained access request data are processed.
EXAMPLE III
A third embodiment of the present application provides a website security protection device; fig. 3 is a schematic structural diagram of the website security protection device disclosed in this embodiment. The device includes:
a preprocessing module 301, configured to determine, according to the access request data of a website, at least one target IP address that sends access requests, and the URL information and error state information corresponding to the access requests sent by the target IP address, where the URL information at least identifies the target URL an access request asks for, and the error state information at least identifies whether the state of the access request is error;
a risk level evaluation module 302, configured to perform risk level evaluation on the target IP address according to the URL information and error state information corresponding to the access requests sent by the target IP address, and obtain the risk level information corresponding to the target IP address; and
a response module 303, configured to perform security protection response processing on the target IP address according to the risk level information corresponding to the target IP address.
In this embodiment, the risk level evaluation module 302 is further configured to obtain proportion information of the error-state access requests according to the error state information corresponding to all access requests sent by the target IP address; to obtain error URL number information for the error-state access requests according to the URL information and error state information corresponding to the access requests sent by the target IP address;
and to perform risk level evaluation on the target IP address according to the proportion information and the error URL number information, obtaining the risk level information corresponding to the target IP address.
In this embodiment, the URL information includes resource suffix sub-information, which identifies the resource type corresponding to the target URL, and keyword sub-information, which identifies the domain name path of the target URL. The risk level evaluation module 302 is further configured to perform risk level evaluation on the target IP address with the preset access resource anomaly score evaluation model, according to the resource suffix sub-information and keyword sub-information corresponding to all error-state access requests, and obtain the risk level information corresponding to the target IP address.
In this embodiment, the risk level evaluation module 302 is further configured to perform word segmentation on the target URL and extract the path keywords identifying the domain name path, obtaining the keyword sub-information; and/or
to obtain the resource suffix sub-information from the suffix characters identifying the resource type in the target URL.
In this embodiment, the risk level evaluation module 302 is further configured to perform IP reputation score evaluation on the target IP address according to a preset IP reputation management model, obtaining the risk level information corresponding to the target IP address.
In this embodiment, the device further includes an updating module 304, configured to update the access resource anomaly score evaluation model according to the risk level information corresponding to the target IP address.
In this embodiment, the access resource anomaly score evaluation model is stored in a local SQLite file database.
In this embodiment, the number of access requests sent by the target IP address is greater than the preset minimum number of times.
The website security protection device of the embodiment can realize the corresponding website security protection method in the foregoing method embodiments, and has the beneficial effects of the corresponding method embodiments, which are not described herein again.
So far, specific embodiments of the present application have been described. Other embodiments are within the scope of the following claims. In some cases, the actions recited in the claims can be performed in a different order and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing may be advantageous.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in the process, method, article, or apparatus that comprises the element.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, apparatus or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The embodiments in the present specification are described in a progressive manner, and the same and similar parts among the embodiments are referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, as for the apparatus embodiment, since it is substantially similar to the method embodiment, the description is relatively simple, and for the relevant points, reference may be made to the partial description of the method embodiment.
The above are merely examples of the present application and are not intended to limit the present application. Various modifications and changes may occur to those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present application should be included in the scope of the claims of the present application.
Claims (10)
1. A website security protection method is characterized by comprising the following steps:
determining at least one target IP address for sending an access request, and URL information and error state information corresponding to the access request sent by the target IP address according to access request data of a website, wherein the URL information is at least used for identifying a target URL requested to be accessed by the access request, and the error state information is at least used for identifying whether the state of the access request is an error;
according to URL information and error state information corresponding to the access request sent by the target IP address, carrying out danger level evaluation on the target IP address to obtain danger level information corresponding to the target IP address;
and carrying out safety protection response processing on the target IP address according to the danger level information corresponding to the target IP address.
2. The method according to claim 1, wherein the performing risk level assessment on the target IP address according to the URL information and the error status information corresponding to the access request sent by the target IP address, and obtaining the risk level information corresponding to the target IP address comprises:
acquiring proportion information of the access requests with wrong states according to error state information corresponding to all the access requests sent by the target IP address; acquiring wrong URL quantity information included in the access request with a wrong state according to URL information and wrong state information corresponding to the access request sent by the target IP address;
and according to the proportion information and the number information of the error URLs, carrying out danger level evaluation on the target IP address to obtain danger level information corresponding to the target IP address.
3. The method according to claim 1, wherein the URL information includes resource suffix sub-information and keyword sub-information, wherein the resource suffix sub-information is used to identify a resource type corresponding to the target URL, and the keyword sub-information is used to identify a domain name path of the target URL;
correspondingly, the performing risk level evaluation on the target IP address according to the URL information and the error state information corresponding to the access request sent by the target IP address, and obtaining the risk level information corresponding to the target IP address includes:
and according to the resource suffix sub-information and the keyword sub-information corresponding to all the access requests with wrong states, performing danger level evaluation on the target IP address by using a preset access resource abnormal score evaluation model to obtain danger level information corresponding to the target IP address.
4. The method according to claim 3, wherein the determining at least one target IP address for sending the access request according to the access request data of the website, and the URL information and the error status information corresponding to the access request sent by the target IP address comprise:
performing word segmentation processing on the target URL, and extracting path keywords identifying a domain name path to obtain the keyword sub-information; and/or
acquiring the resource suffix sub-information according to suffix characters identifying the resource type in the target URL.
5. The method of claim 3, further comprising:
and updating the access resource abnormal score evaluation model according to the danger level information corresponding to the target IP address.
6. The method of claim 3, wherein the access resource anomaly score evaluation model is stored in a local SQLite file database.
7. The method of claim 1, further comprising:
and according to a preset IP credit management model, carrying out IP credit score evaluation on the target IP address to obtain the danger level information corresponding to the target IP address.
8. The method of claim 1, wherein the number of access requests sent by the target IP address is greater than a preset minimum number of times.
9. The method of claim 1, further comprising:
and analyzing and counting the access request data in a preset time period by using a sliding window algorithm so as to obtain URL information and error state information corresponding to the access request sent by the target IP address.
10. A website security guard, comprising:
the system comprises a preprocessing module, a processing module and a processing module, wherein the preprocessing module is used for determining at least one target IP address for sending an access request, and URL information and error state information corresponding to the access request sent by the target IP address, the URL information is at least used for identifying a target URL requested to be accessed by the access request, and the error state information is at least used for identifying whether the state of the access request is an error or not;
the danger level evaluation module is used for carrying out danger level evaluation on the target IP address according to URL information and error state information corresponding to the access request sent by the target IP address to obtain danger level information corresponding to the target IP address;
and the response module is used for carrying out safety protection response processing on the target IP address according to the danger level information corresponding to the target IP address.
Priority Applications (1)

| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202111597233.0A (CN114285639B) | 2021-12-24 | 2021-12-24 | Website safety protection method and device |

Publications (2)

| Publication Number | Publication Date |
|---|---|
| CN114285639A | 2022-04-05 |
| CN114285639B | 2023-11-24 |
Family
ID=80874806
Family Applications (1)

| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202111597233.0A (CN114285639B, active) | Website safety protection method and device | 2021-12-24 | 2021-12-24 |

Country Status (1)

| Country | Link |
|---|---|
| CN | CN114285639B |

Cited By (4)

| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN116455640A | 2023-04-20 | 2023-07-18 | 云盾智慧安全科技有限公司 | Website safety protection method and device |
| CN116455640B | 2023-04-20 | 2024-07-16 | 云盾智慧安全科技有限公司 | Website safety protection method and device |
| CN116302660A | 2023-05-16 | 2023-06-23 | 天津金城银行股份有限公司 | Method, system, computer and storage medium for retrying to acquire abnormal information |
| CN116302660B | 2023-05-16 | 2023-08-08 | 天津金城银行股份有限公司 | Method, system, computer and storage medium for retrying to acquire abnormal information |
Citations (9)

| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103297435A | 2013-06-06 | 2013-09-11 | 中国科学院信息工程研究所 | Abnormal access behavior detection method and system on basis of WEB logs |
| CN104580230A | 2015-01-15 | 2015-04-29 | 广州唯品会信息科技有限公司 | Website attack verification method and device |
| CN106161451A | 2016-07-19 | 2016-11-23 | 青松智慧(北京)科技有限公司 | Method, apparatus and system for defending against CC attacks |
| CN107483488A | 2017-09-18 | 2017-12-15 | 济南互信软件有限公司 | Malicious HTTP detection method and system |
| CN110460487A | 2019-06-25 | 2019-11-15 | 网宿科技股份有限公司 | Monitoring method and system for service nodes, and service node |
| CN111177619A | 2019-12-19 | 2020-05-19 | 山石网科通信技术股份有限公司 | Webpage identification method and device, storage medium and processor |
| CN112433891A | 2020-12-02 | 2021-03-02 | 中国建设银行股份有限公司 | Data processing method and device and server |
| CN112565164A | 2019-09-26 | 2021-03-26 | 中国电信股份有限公司 | Dangerous IP identification method, dangerous IP identification device and computer readable storage medium |
| CN113055368A | 2021-03-08 | 2021-06-29 | 云盾智慧安全科技有限公司 | Web scanning identification method and device and computer storage medium |
Also Published As

| Publication number | Publication date |
|---|---|
| CN114285639B | 2023-11-24 |
Legal Events

| Date | Code | Title | Description |
|---|---|---|---|
| | PB01 | Publication | |
| | SE01 | Entry into force of request for substantive examination | |
| | GR01 | Patent grant | |