CN115051977B - Web robot identification method, device, equipment and medium - Google Patents


Publication number
CN115051977B
Authority
CN
China
Prior art keywords
operating system
client
web
protocol
data packet
Legal status
Active
Application number
CN202210729514.5A
Other languages
Chinese (zh)
Other versions
CN115051977A (en
Inventor
姜剑
荆昆仑
赵粤征
叶建伟
黄�俊
叶晓虎
Current Assignee
Nsfocus Technologies Inc
Nsfocus Technologies Group Co Ltd
Original Assignee
Nsfocus Technologies Inc
Nsfocus Technologies Group Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/16 Implementation or adaptation of Internet protocol [IP], of transmission control protocol [TCP] or of user datagram protocol [UDP]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/22 Parsing or analysis of headers

Abstract

The invention discloses a method, a device, equipment and a medium for identifying a Web robot. In the method, each TCP/IP fingerprint, a first operating system type and a first operating system version are extracted from passively acquired Web data packets; a first feature vector generated from the TCP/IP fingerprints is input into a first identification model to obtain a second operating system type and a second operating system version; and when the first operating system type does not match the second operating system type, or the first operating system version does not match the second operating system version, the client is determined to be a Web robot. Because the Web data packets are acquired passively, the performance of the client is not affected and the client experience is improved; and because the method does not need a threshold set according to user experience, the accuracy of Web robot identification is improved.

Description

Web robot identification method, device, equipment and medium
Technical Field
The present invention relates to the field of computer security technologies, and in particular, to a method, an apparatus, a device, and a medium for identifying a Web robot.
Background
A World Wide Web (Web) robot is a software program that automatically performs a series of Web transactions without manual intervention. With the rapid development of the Internet, websites increasingly face attacks by Web robots in addition to conventional threats such as Structured Query Language (SQL) injection and cross-site scripting. In such attacks, registration bots are typically used to register fake accounts in bulk, database dumping and credential stuffing are used to steal user account information, crawlers are used to steal sensitive website data, automated scripts are used to take part in marketing activities such as lotteries in order to abuse promotions, and automated tools are used to place fake orders. These Web robots pose a significant threat to websites.
Existing methods for identifying Web robots include injecting a JavaScript (JS) script into the client, judging by access frequency, using verification codes, and using behavior detection.
The JS-injection method generally works as follows: the server generates a piece of JavaScript code containing information such as the client's identity (Cookie) name and returns it to the client; when the server detects that the client cannot execute the JavaScript code, the client is determined to be a Web robot. Because JavaScript code must be injected into the client, this method affects client performance and user experience.
The access-frequency method monitors the client's access traffic at the server and determines that the client is a Web robot when the access frequency exceeds a threshold. This method can identify Web robots carrying out attacks such as brute-force cracking and purchase grabbing, but its difficulty is that in practice the threshold usually depends on experience, so false alarms or missed detections occur very easily.
The verification-code (CAPTCHA) method has the server send a verification code to the client; if verification fails, the client is determined to be a Web robot. However, this method interrupts the user's normal operation, so the experience of normal users is poor.
The behavior-detection method has the server generate a JS script and send it to the client; the script collects behavior data at the client, such as mouse and keyboard activity, and a machine learning model uses this data to identify Web robots. This method also requires injecting a JS script into the client, which affects client performance and user experience during execution, and collecting behavior data carries a compliance risk of leaking users' private data.
Disclosure of Invention
The invention provides a method, a device, equipment and a medium for identifying a Web robot, to solve the prior-art problems that identifying a Web robot affects client performance and therefore degrades user experience, and that false alarms or missed detections lower identification accuracy.
The invention provides a method for identifying a Web robot, which comprises the following steps:
each web data packet sent by a client to a server in a set time length is obtained, and each TCP/IP fingerprint, a first operating system type and a first operating system version of the client are extracted by analyzing each web data packet;
generating a first feature vector according to each TCP/IP fingerprint, and acquiring a second operating system type and a second operating system version of the client output aiming at the input first feature vector based on a pre-stored first identification model;
and if the first operating system type is not matched with the second operating system type or the first operating system version is not matched with the second operating system version, determining that the client is a Web robot.
Further, the parsing each web data packet to extract each TCP/IP fingerprint, the first operating system type, and the first operating system version of the client includes:
aiming at each web data packet, carrying out IP protocol analysis and TCP protocol analysis on the web data packet, extracting the characteristic value of each IP protocol characteristic and the characteristic value of each TCP protocol characteristic corresponding to the web data packet, and forming a TCP/IP fingerprint corresponding to the web data packet;
and carrying out HTTP (hyper text transfer protocol) protocol analysis on any one of the web data packets, and extracting a first operating system type and a first operating system version of the client.
Further, the generating a first feature vector according to each TCP/IP fingerprint includes:
and determining an average value of each characteristic value of each protocol characteristic according to the characteristic value of each IP protocol characteristic and the characteristic value of each TCP protocol characteristic contained in each TCP/IP fingerprint aiming at the protocol characteristic corresponding to each dimension component in the first characteristic vector, and determining the average value as a component value corresponding to the dimension component in the first characteristic vector.
Further, if the first operating system type matches the second operating system type and the first operating system version matches the second operating system version, the method further comprises:
acquiring a target handshake data packet in each web data packet;
performing Transport Layer Security (TLS) protocol analysis on the target handshake data packet to acquire a TLS fingerprint of the client;
generating a second feature vector according to the TLS fingerprint, and acquiring target identification information output for the input second feature vector based on a pre-stored second identification model;
and if the client is identified as a tool according to the target identification information, determining that the client is a Web robot, and determining the tool type of the tool as the type of the Web robot.
Further, if the client is identified as a browser according to the target identification information, the method further includes:
carrying out HTTP (hyper text transfer protocol) protocol analysis on any one of the web data packets, and extracting a second browser version number of a browser used by the client;
and judging whether the first browser version number of the browser identified by the target identification information matches the second browser version number, and if not, determining that the client is a Web robot.
Further, after the target handshake data packet in each web data packet is obtained, and before the Transport Layer Security (TLS) protocol analysis is performed on each web data packet and the TLS fingerprint of the client is extracted, the method further includes:
determining whether the first web data packet sent by the client to the server is transmitted based on the Hypertext Transfer Protocol Secure (HTTPS), and if so, executing the subsequent step of performing TLS protocol analysis on each web data packet and extracting the TLS fingerprint of the client.
Accordingly, the present invention provides an identification device of a Web robot, the device comprising:
the analysis module is used for acquiring each web data packet sent by the client to the server in a set time length, and analyzing and extracting each TCP/IP fingerprint, a first operating system type and a first operating system version of the client from each web data packet;
the identification module is used for generating a first feature vector according to each TCP/IP fingerprint, and acquiring a second operating system type and a second operating system version of the client output aiming at the input first feature vector based on a pre-stored first identification model; and if the first operating system type is not matched with the second operating system type or the first operating system version is not matched with the second operating system version, determining that the client is a Web robot.
Further, the parsing module is specifically configured to perform IP protocol parsing and TCP protocol parsing on the web data packet for each web data packet, extract a feature value of each IP protocol feature and a feature value of each TCP protocol feature corresponding to the web data packet, and form a TCP/IP fingerprint corresponding to the web data packet; and carrying out HTTP (hyper text transfer protocol) protocol analysis on any one of the web data packets, and extracting a first operating system type and a first operating system version of the client.
Further, the identification module is specifically configured to determine, for each of the dimension components in the first feature vector, an average value of each of the feature values of each of the protocol features according to the feature value of each of the IP protocol features and the feature value of each of the TCP protocol features included in each of the TCP/IP fingerprints, and determine the average value as a component value corresponding to the dimension component in the first feature vector.
Further, the parsing module is further configured to obtain a target handshake data packet in each web data packet if the first operating system type matches the second operating system type and the first operating system version matches the second operating system version, and to perform Transport Layer Security (TLS) protocol analysis on the target handshake data packet to acquire a TLS fingerprint of the client;
The identification module is further used for generating a second feature vector according to the TLS fingerprint, and acquiring target identification information output for the input second feature vector based on a pre-stored second identification model; and if the client is identified as a tool according to the target identification information, determining that the client is a Web robot, and determining the tool type of the tool as the type of the Web robot.
Further, the parsing module is further configured to, if the client is identified as a browser according to the target identification information, parse a hypertext transfer protocol HTTP protocol for any one of the web data packets, and extract a second browser version number of the browser used by the client;
the identification module is further configured to determine whether the first browser version number of the browser identified by the target identification information matches the second browser version number, and if not, determine that the client is a Web robot.
Further, the apparatus further comprises:
a judging module, configured to, after the target handshake data packet in each web data packet is acquired and before the Transport Layer Security (TLS) protocol analysis is performed on each web data packet and the TLS fingerprint of the client is extracted, determine whether the first web data packet sent by the client to the server is transmitted based on the Hypertext Transfer Protocol Secure (HTTPS), and if so, trigger the parsing module to execute the subsequent step of performing TLS protocol analysis on each web data packet and extracting the TLS fingerprint of the client.
Accordingly, the present invention provides an electronic device comprising a processor and a memory for storing program instructions, the processor being adapted to implement the steps of any one of the above-mentioned methods of Web robot identification when executing a computer program stored in the memory.
Accordingly, the present invention provides a computer readable storage medium storing a computer program which when executed by a processor implements the steps of any one of the above-described Web robot recognition methods.
The invention provides a method, a device, equipment and a medium for identifying a Web robot. In the method, each web data packet sent by a client to a server within a set time length is acquired, and each web data packet is parsed to extract each TCP/IP fingerprint, a first operating system type and a first operating system version of the client; a first feature vector is generated from the TCP/IP fingerprints, and a second operating system type and a second operating system version of the client, output for the input first feature vector, are acquired based on a pre-stored first identification model; and if the first operating system type does not match the second operating system type, or the first operating system version does not match the second operating system version, the client is determined to be a Web robot. Because the TCP/IP fingerprints, the first operating system type and the first operating system version are extracted from passively acquired web data packets, and the Web robot is identified by comparing them with the second operating system type and the second operating system version obtained by inputting the first feature vector into the first identification model, the performance of the client is not affected and the client experience is improved; and because no threshold needs to be set according to user experience, the accuracy of Web robot identification is improved.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings that are needed in the description of the embodiments will be briefly described below, it will be apparent that the drawings in the following description are only some embodiments of the present invention, and that other drawings can be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is a process schematic diagram of an identification method of a Web robot according to an embodiment of the present invention;
Fig. 2 is a process schematic diagram of an identification method of a Web robot according to an embodiment of the present invention;
Fig. 3 is a schematic structural diagram of an identification device of a Web robot according to an embodiment of the present invention;
Fig. 4 is a schematic structural diagram of an identification device of another Web robot according to an embodiment of the present invention;
Fig. 5 is a schematic structural diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention will be described in further detail below with reference to the accompanying drawings, and it is apparent that the described embodiments are only some embodiments of the present invention, not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
In order to solve the problem that in the prior art, when a Web robot is identified, performance of a client is affected to cause poor user experience, and the problem that identification accuracy is low due to false alarm or missing alarm, the embodiment of the invention provides an identification method, an identification device, identification equipment and identification media of the Web robot.
Example 1:
Fig. 1 is a process schematic diagram of an identification method of a Web robot according to an embodiment of the present invention, where the process includes the following steps:
S101: Acquiring each web data packet sent by the client to the server within a set time length, and parsing each web data packet to extract each TCP/IP fingerprint, the first operating system type and the first operating system version of the client.
In order to improve the recognition accuracy and user experience of the Web robot, the recognition method of the Web robot provided by the embodiment of the invention is applied to electronic equipment, wherein the electronic equipment is a server; the server can be a local server or a cloud server; in particular, embodiments of the present invention are not limited in this regard.
The electronic device, acting as the server, connects with the client and acquires each web data packet sent by the client within the set time length; specifically, it conducts a session with the client at a given IP address and receives each web data packet the client sends within the set time length of the session.
To identify whether the client is a Web robot, after acquiring each web data packet the electronic device performs protocol analysis on each web data packet and extracts each TCP/IP fingerprint, the first operating system type and the first operating system version of the client. A TCP/IP fingerprint is formed by combining the feature values of the TCP protocol features with the feature values of the IP protocol features. The operating system types include the Windows, UNIX, Linux and Mac operating systems, and the operating system version is the version number of a given release of each operating system.
S102: Generating a first feature vector according to each TCP/IP fingerprint, and acquiring a second operating system type and a second operating system version of the client, output for the input first feature vector, based on a pre-stored first identification model.
To identify the operating system type and version of the client, the electronic device pre-stores a prior-art first identification model for identifying operating systems. The first identification model is a machine-learning classification algorithm that identifies the operating system from the differences between the feature vectors of different versions of different operating systems.
From the acquired TCP/IP fingerprints, a first feature vector is generated whose dimension components are arranged in the order of their corresponding protocol features; the first feature vector is input into the first identification model, and the second operating system type and the second operating system version of the client output by the model are obtained.
S103: If the first operating system type does not match the second operating system type, or the first operating system version does not match the second operating system version, determining that the client is a Web robot.
Whether the first operating system type matches the second operating system type is judged, and if not, the client is determined to be a Web robot; or whether the first operating system version matches the second operating system version is judged, and if not, the client is determined to be a Web robot.
In the embodiment of the invention, each TCP/IP fingerprint, the first operating system type and the first operating system version are extracted from passively acquired web data packets, and the Web robot is identified by comparing the first operating system type and version with the second operating system type and version obtained by inputting the first feature vector, generated from the TCP/IP fingerprints, into the first identification model: when the first operating system type does not match the second operating system type, or the first operating system version does not match the second operating system version, the client is determined to be a Web robot. The performance of the client is therefore not affected and the client experience is improved, and because the method does not need a threshold set according to user experience, the accuracy of Web robot identification is improved.
Example 2:
In order to extract each TCP/IP fingerprint, the first operating system type and the first operating system version of the client, in the embodiment of the present invention, parsing each web data packet to extract each TCP/IP fingerprint, the first operating system type and the first operating system version of the client includes:
aiming at each web data packet, carrying out IP protocol analysis and TCP protocol analysis on the web data packet, extracting the characteristic value of each IP protocol characteristic and the characteristic value of each TCP protocol characteristic corresponding to the web data packet, and forming a TCP/IP fingerprint corresponding to the web data packet;
and carrying out HTTP (hyper text transfer protocol) protocol analysis on any one of the web data packets, and extracting a first operating system type and a first operating system version of the client.
To extract each TCP/IP fingerprint of the client, for each acquired web data packet the electronic device performs IP protocol analysis, that is, layer-3 protocol analysis, and extracts the feature value of each IP protocol feature of the packet. The IP protocol features include the time to live (TTL), the SYN packet length and the IP identification. The electronic device also performs TCP protocol analysis on the web data packet, that is, layer-4 protocol analysis, and extracts the feature value of each TCP protocol feature of the packet. The TCP protocol features include the TCP maximum segment size (MSS), the TCP window scale option, the TCP window size, the TCP timestamp option (TSopt) and the order of the TCP options.
To extract the first operating system type and the first operating system version of the client, the electronic device performs HTTP protocol analysis on any one of the acquired web data packets and identifies content such as the HTTP header and the HTTP body. The HTTP header includes the User-Agent, which is identification information of the client and contains an operating system type and an operating system version.
The typical format of the User-Agent is: Mozilla/5.0 (platform) engine version browser version number. The platform is the operating system of the client and comprises the operating system type and the operating system version; for example, the platform is any one of Windows NT 10.0, Windows NT 6.2 and Windows NT 6.1. Windows NT 10.0 corresponds to the operating system Windows 10: when the platform is Windows NT 10.0, the operating system of the client is a Windows operating system and the operating system version is Windows 10. Windows NT 6.2 corresponds to the operating system Windows 8: when the platform is Windows NT 6.2, the operating system of the client is a Windows operating system and the operating system version is Windows 8. Windows NT 6.1 corresponds to the operating system Windows 7: when the platform is Windows NT 6.1, the operating system of the client is a Windows operating system and the operating system version is Windows 7.
Example 3:
In order to generate a first feature vector identifying an operating system type and an operating system version of the client, in the embodiments of the present invention, generating the first feature vector according to each TCP/IP fingerprint includes:
and determining an average value of each characteristic value of each protocol characteristic according to the characteristic value of each IP protocol characteristic and the characteristic value of each TCP protocol characteristic contained in each TCP/IP fingerprint aiming at the protocol characteristic corresponding to each dimension component in the first characteristic vector, and determining the average value as a component value corresponding to the dimension component in the first characteristic vector.
To generate the first feature vector, in the embodiment of the present invention the protocol feature corresponding to each dimension component of the first feature vector is either an IP protocol feature or a TCP protocol feature. For each dimension component, the electronic device collects the feature values of the corresponding protocol feature from every acquired TCP/IP fingerprint, calculates the average of those feature values, and uses the average as the component value of that dimension component in the first feature vector.
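The extraction and averaging steps of Examples 2 and 3, followed by the comparison of S103, as an added example in Python that is not part of the patent text. The sample packets, the `build_syn` helper and the component order are constructed for illustration; encoding the timestamp option as a presence flag and leaving the option order out of the averaged vector are assumptions, because the text does not say how those features are made numeric, and the first identification model is not implemented, so its output is passed in as the second operating system.

```python
import re
import struct

# Platform token -> (OS type, OS version): the three mappings given in the text.
UA_PLATFORMS = {
    "Windows NT 10.0": ("Windows", "Windows 10"),
    "Windows NT 6.2": ("Windows", "Windows 8"),
    "Windows NT 6.1": ("Windows", "Windows 7"),
}
# Dimension components of the first feature vector (order is an assumption).
FEATURES = ("ttl", "syn_packet_length", "ip_id", "mss",
            "window_scale", "window_size", "ts_present")


def tcpip_fingerprint(packet: bytes) -> dict:
    """Parse one raw IPv4+TCP packet into the IP and TCP features named in the text."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    total_len, ip_id = struct.unpack_from("!HH", packet, 2)
    if ihl < 20 or packet[9] != 6 or len(packet) < ihl + 20:
        raise ValueError("not a TCP segment")
    tcp = packet[ihl:]
    data_off = (tcp[12] >> 4) * 4
    if data_off < 20 or len(tcp) < data_off:
        raise ValueError("truncated TCP header")
    fp = {"ttl": packet[8], "syn_packet_length": total_len, "ip_id": ip_id,
          "window_size": struct.unpack_from("!H", tcp, 14)[0],
          "mss": 0, "window_scale": 0, "ts_present": 0, "options_order": []}
    opts, i = tcp[20:data_off], 0
    while i < len(opts) and opts[i] != 0:          # kind 0 = end of option list
        kind = opts[i]
        fp["options_order"].append(kind)
        if kind == 1:                              # NOP is a single byte
            i += 1
            continue
        if i + 1 >= len(opts) or not 2 <= opts[i + 1] <= len(opts) - i:
            raise ValueError("malformed TCP option")
        length = opts[i + 1]
        body = opts[i + 2:i + length]
        if kind == 2 and length == 4:              # maximum segment size
            fp["mss"] = struct.unpack("!H", body)[0]
        elif kind == 3 and length == 3:            # window scale
            fp["window_scale"] = body[0]
        elif kind == 8 and length == 10:           # timestamps (TSopt)
            fp["ts_present"] = 1
        i += length
    return fp


def first_feature_vector(fingerprints: list) -> list:
    """Example 3: each component is the average of that feature over all fingerprints."""
    if not fingerprints:
        raise ValueError("no fingerprints")
    return [sum(fp[name] for fp in fingerprints) / len(fingerprints) for name in FEATURES]


def os_from_user_agent(user_agent: str):
    """First OS (type, version) claimed in the User-Agent platform, or None if unknown."""
    match = re.search(r"\(([^)]*)\)", user_agent)
    for token in (match.group(1).split(";") if match else []):
        if token.strip() in UA_PLATFORMS:
            return UA_PLATFORMS[token.strip()]
    return None


def is_web_robot(first_os: tuple, second_os: tuple) -> bool:
    """S103: robot when the claimed and the model-inferred OS type or version differ."""
    return first_os[0] != second_os[0] or first_os[1] != second_os[1]


def build_syn(ttl: int, ip_id: int, window: int, options: bytes) -> bytes:
    """Construct a sample IPv4+TCP SYN; checksums stay zero because the parser ignores them."""
    options += b"\x00" * (-len(options) % 4)       # pad to a 32-bit boundary
    tcp = struct.pack("!HHIIBBHHH", 50000, 80, 1, 0,
                      ((20 + len(options)) // 4) << 4, 0x02, window, 0, 0) + options
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), ip_id, 0x4000,
                     ttl, 6, 0, bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]))
    return ip + tcp


# Constructed sample input: MSS 1460, NOP, window scale 8, NOP, NOP, SACK-permitted.
SAMPLE_OPTIONS = bytes.fromhex("020405b4" "01" "030308" "0101" "0402")
SAMPLE_PACKETS = [build_syn(128, 4096, 64240, SAMPLE_OPTIONS),
                  build_syn(128, 4098, 64240, SAMPLE_OPTIONS)]
SAMPLE_USER_AGENT = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                     "(KHTML, like Gecko) Chrome/100.0.0.0 Safari/537.36")

if __name__ == "__main__":
    vector = first_feature_vector([tcpip_fingerprint(p) for p in SAMPLE_PACKETS])
    claimed = os_from_user_agent(SAMPLE_USER_AGENT)
    inferred = ("Linux", "Linux 5.x")              # hypothetical first-model output
    print(vector, claimed, is_web_robot(claimed, inferred))
```

`os_from_user_agent` returns `None` for a platform outside the three mappings listed in the text, so the caller has to decide how to treat an unrecognized User-Agent before calling `is_web_robot`.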
Example 4:
In order to identify whether the client is a Web robot when the first operating system type matches the second operating system type and the first operating system version matches the second operating system version, based on the above embodiments, in the embodiments of the present invention, if the first operating system type matches the second operating system type and the first operating system version matches the second operating system version, the method further includes:
acquiring a target handshake data packet in each web data packet;
performing Transport Layer Security (TLS) protocol analysis on the target handshake data packet to acquire a TLS fingerprint of the client;
generating a second feature vector according to the TLS fingerprint, and acquiring target identification information output for the input second feature vector based on a pre-stored second identification model;
and if the client is identified as a tool according to the target identification information, determining that the client is a Web robot, and determining the tool type of the tool as the type of the Web robot.
When the first operating system type matches the second operating system type and the first operating system version matches the second operating system version, it cannot yet be determined that the client is not a Web robot. After acquiring each web data packet, the electronic device therefore acquires the target handshake data packet among the web data packets, where the target handshake data packet is the Client Hello handshake packet.
After acquiring the target handshake data packet, the electronic device performs TLS protocol analysis on it and acquires the TLS fingerprint of the client, where the TLS fingerprint comprises the feature values of features such as the Secure Sockets Layer (SSL) version, the supported cipher suite list (Cipher List) and the TLS extensions (TLS Extension).
According to the acquired TLS fingerprint of the client and the TLS feature corresponding to each dimension component in the second feature vector, the feature value of each TLS feature in the TLS fingerprint is acquired and taken as the component value of the dimension component corresponding to that TLS feature.
Because the client may be any of several browsers or tools, the TLS mechanism it implements may differ, and so the TLS fingerprint acquired by TLS protocol analysis of the target handshake data packet may differ; the differences include the Cipher List and the TLS Extension. When the client is a browser, it may be any one of the Google Chrome browser, the Firefox browser and the Safari browser; when the client is a tool, it may be a file transfer tool (curl), a command line tool (wget), a request library of a computer programming language (python 2), a penetration test tool (Burp Suite), and the like.
In order to identify which browser or tool the client is, the electronic device pre-stores a second identification model of the prior art for identifying browsers and tools, where the second identification model is a machine-learning-based classification algorithm that identifies browsers and tools according to the differences in feature vectors between different browsers and different tools.
The second feature vector is input into the second recognition model, and the target identification information of the client output by the second recognition model is acquired, where the target identification information identifies a version number when the client is a browser, or a tool type when the client is a tool. If the target identification information identifies a tool type, the client is identified as a tool, the client is determined to be a Web robot, and the tool type is determined as the type of the Web robot; if the target identification information identifies a browser version number, the client is identified as a browser.
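The Client Hello analysis described above can be sketched as follows. This is an added example, not code from the patent: the vector layout (version, then one flag per known cipher suite and per known extension), the two vocabularies and both sample handshakes are constructed assumptions, and filtering GREASE values (RFC 8701) is an added step so that randomized placeholder values do not change the fingerprint.

```python
import struct


def is_grease(value: int) -> bool:
    """GREASE code points (RFC 8701) look like 0x0A0A, 0x1A1A, ... 0xFAFA."""
    return (value & 0x0F0F) == 0x0A0A and (value >> 8) == (value & 0xFF)


class Reader:
    """Bounds-checked cursor, so a truncated packet raises instead of misparsing."""

    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def take(self, n: int) -> bytes:
        if self.pos + n > len(self.data):
            raise ValueError("truncated Client Hello")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def uint(self, n: int) -> int:
        return int.from_bytes(self.take(n), "big")

    def done(self) -> bool:
        return self.pos >= len(self.data)


def parse_client_hello(record: bytes) -> dict:
    """Extract the TLS fingerprint from one TLS record holding a whole Client Hello."""
    rec = Reader(record)
    if rec.uint(1) != 0x16:
        raise ValueError("not a TLS handshake record")
    rec.take(2)                                   # record-layer version
    handshake = Reader(rec.take(rec.uint(2)))
    if handshake.uint(1) != 0x01:
        raise ValueError("not a Client Hello")
    hello = Reader(handshake.take(handshake.uint(3)))
    version = hello.uint(2)                       # client_version field
    hello.take(32)                                # random
    hello.take(hello.uint(1))                     # session id
    suites, ciphers = Reader(hello.take(hello.uint(2))), []
    while not suites.done():
        ciphers.append(suites.uint(2))
    hello.take(hello.uint(1))                     # compression methods
    extensions = []
    if not hello.done():                          # the extensions block is optional
        exts = Reader(hello.take(hello.uint(2)))
        while not exts.done():
            ext_type = exts.uint(2)
            exts.take(exts.uint(2))               # skip the extension body
            extensions.append(ext_type)
    return {"version": version,
            "ciphers": [c for c in ciphers if not is_grease(c)],
            "extensions": [e for e in extensions if not is_grease(e)]}


def second_feature_vector(fp: dict, cipher_vocab: list, ext_vocab: list) -> list:
    """Assumed layout: [version, flag per known cipher, flag per known extension]."""
    return ([fp["version"]]
            + [int(c in fp["ciphers"]) for c in cipher_vocab]
            + [int(e in fp["extensions"]) for e in ext_vocab])


def build_client_hello(version: int, ciphers: list, extensions: list) -> bytes:
    """Assemble a constructed Client Hello for the demo (not captured traffic)."""
    suites = b"".join(struct.pack("!H", c) for c in ciphers)
    exts = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    hello = (struct.pack("!H", version) + bytes(32) + b"\x00"
             + struct.pack("!H", len(suites)) + suites + b"\x01\x00"
             + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


# Constructed vocabularies and samples: one browser-like hello (with GREASE)
# and one tool-like hello with a shorter cipher list and fewer extensions.
CIPHER_VOCAB = [0x1301, 0x1302, 0xC02B, 0xC02F, 0x009C, 0x002F]
EXT_VOCAB = [0, 10, 11, 16, 43]
BROWSER_LIKE = build_client_hello(
    0x0303, [0x1A1A, 0x1301, 0x1302, 0xC02B, 0xC02F],
    [(0x2A2A, b""), (0, b"\x00"), (10, b"\x00\x1d"), (16, b"h2"), (43, b"\x03\x04")])
TOOL_LIKE = build_client_hello(
    0x0303, [0xC02F, 0x009C, 0x002F], [(0, b"\x00"), (10, b"\x00\x17"), (11, b"\x00")])

if __name__ == "__main__":
    for name, raw in (("browser-like", BROWSER_LIKE), ("tool-like", TOOL_LIKE)):
        fp = parse_client_hello(raw)
        print(name, second_feature_vector(fp, CIPHER_VOCAB, EXT_VOCAB))
```

The resulting vector is what would be handed to the pre-stored second recognition model; the model itself is outside the scope of this example.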
When the client is identified as a browser according to the target identification information, in order to identify whether the client is a Web robot, in an embodiment of the present invention, the method further includes:
performing Hypertext Transfer Protocol (HTTP) analysis on any one of the web data packets, and extracting a second browser version number of the browser used by the client;
judging whether the first browser version number of the browser identified by the target identification information matches the second browser version number, and if not, determining that the client is a Web robot.
The electronic device performs HTTP protocol analysis on any one of the web data packets, identifies the User-Agent in the HTTP header, and judges, according to the second browser version number contained in the User-Agent and the first browser version number of the browser identified by the target identification information, whether the second browser version number matches the first browser version number.
If the second browser version number does not match the first browser version number, the client is determined to be a Web robot; if the second browser version number matches the first browser version number, the existing behavior detection technology is adopted to identify whether the client is a Web robot.
Example 5:
In order to extract the TLS fingerprint of the client, in the embodiment of the present invention, after acquiring the target handshake data packet in each web data packet, and before performing Transport Layer Security (TLS) protocol analysis on each web data packet and extracting the TLS fingerprint of the client, the method further includes:
determining whether the first web data packet sent by the client to the server is transmitted based on the Hypertext Transfer Protocol Secure (HTTPS), and if so, executing the subsequent step of performing TLS protocol analysis on each web data packet and extracting the TLS fingerprint of the client.
In order to extract the TLS fingerprint of the client, the electronic device further determines, according to the first web data packet among the web data packets sent by the client to the server, whether that first web data packet is transmitted based on HTTPS. Specifically, the electronic device extracts the destination port number from the TCP header of the first web data packet. If the destination port number is 443, it determines that the first web data packet is transmitted based on HTTPS, that is, the request corresponding to the web data packet sent by the client to the server is an HTTPS request; if the destination port number is not 443, it determines that the first web data packet is not transmitted based on HTTPS, that is, the request corresponding to the web data packet sent by the client to the server is not an HTTPS request.
If the first web data packet is determined to be transmitted based on HTTPS, the subsequent steps of performing TLS protocol analysis on each web data packet and extracting the TLS fingerprint of the client are executed. If the first web data packet is determined not to be transmitted based on HTTPS, the existing behavior detection technology is adopted to identify whether the client is a Web robot: if the client is determined not to be a Web robot, it is output that the client is a normal user, and if the client is determined to be a Web robot, it is output that the client is a Web robot.
Example 6:
The following describes the Web robot recognition method through a complete embodiment. Fig. 2 is a schematic process diagram of a Web robot recognition method according to an embodiment of the present invention; as shown in Fig. 2, the method includes the following steps:
S201: Acquire each web data packet sent by the client to the server within a set time length, and parse each web data packet to extract each TCP/IP fingerprint, the first operating system type and the first operating system version of the client.
S202: Generate a first feature vector according to each TCP/IP fingerprint, and acquire the second operating system type and the second operating system version of the client output for the input first feature vector based on a pre-stored first identification model.
S203: Judge whether the first operating system type matches the second operating system type and whether the first operating system version matches the second operating system version; if so, perform S204, and if not, perform S210.
S204: Acquire the target handshake data packet in each web data packet.
S205: Determine whether the first web data packet sent by the client to the server is transmitted based on the Hypertext Transfer Protocol Secure (HTTPS); if so, perform S206, and if not, perform S211.
S206: Perform Transport Layer Security (TLS) protocol analysis on the target handshake data packet, acquire the TLS fingerprint of the client, generate a second feature vector according to the TLS fingerprint, and acquire the target identification information output for the input second feature vector based on a pre-stored second identification model.
S207: Identify whether the client is a browser according to the target identification information; if so, perform S208, and if not, perform S210.
S208: Perform HTTP protocol analysis on any one of the web data packets, and extract the second browser version number of the browser used by the client.
S209: Judge whether the first browser version number of the browser identified by the target identification information matches the second browser version number; if not, perform S210, and if so, perform S211.
S210: Output that the client is a Web robot.
S211: Detect the behavior data collected at the client by adopting a behavior detection technology.
S212: Determine whether the client is a Web robot; if so, perform S210, and if not, perform S213.
S213: Output that the client is a normal user.
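The decision flow S203 to S213 can be traced with the following added example, which is not code from the patent. It starts from the outputs of S201/S202 and S206: the two recognition-model outputs and the behavior-detection result are passed in as given values, and the User-Agent patterns, the treatment of a missing User-Agent as a mismatch, and major-version comparison as the meaning of "matched" are assumptions made here.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed User-Agent patterns for the claimed OS and browser (illustrative only).
OS_PATTERNS = [("Windows", re.compile(r"Windows NT (\d+\.\d+)")),
               ("Mac OS X", re.compile(r"Mac OS X (\d+[_.]\d+)")),
               ("Android", re.compile(r"Android (\d+)"))]
BROWSER_PATTERNS = [("Firefox", re.compile(r"Firefox/(\d+)")),
                    ("Chrome", re.compile(r"Chrome/(\d+)"))]


def user_agent_of(http_request: bytes) -> str:
    """Return the User-Agent header value of a raw HTTP request, or ''."""
    head = http_request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "user-agent":
            return value.strip()
    return ""


def first_match(patterns, ua: str) -> Optional[Tuple[str, str]]:
    for name, pattern in patterns:
        m = pattern.search(ua)
        if m:
            return name, m.group(1).replace("_", ".")
    return None


@dataclass
class Observation:
    http_request: bytes                        # HTTP payload of any one web data packet
    dst_port: int                              # TCP destination port of the first packet
    model_os: Tuple[str, str]                  # first model output: second OS type/version
    tls_identity: Optional[Tuple[str, str, str]]  # second model output (kind, name, version);
                                               # required when dst_port is 443
    behavior_says_bot: bool                    # result of behavior detection


def identify(obs: Observation) -> Tuple[str, List[str]]:
    """Return (verdict, visited steps) following S203..S213."""
    trace: List[str] = []
    ua = user_agent_of(obs.http_request)
    trace.append("S203")
    if first_match(OS_PATTERNS, ua) != obs.model_os:      # OS claimed vs. OS inferred
        trace.append("S210")
        return "web robot", trace
    trace += ["S204", "S205"]
    if obs.dst_port == 443:                               # HTTPS: TLS fingerprint path
        trace += ["S206", "S207"]
        kind, name, version = obs.tls_identity
        if kind != "browser":
            trace.append("S210")
            return "web robot (%s)" % name, trace
        trace += ["S208", "S209"]
        if first_match(BROWSER_PATTERNS, ua) != (name, version):
            trace.append("S210")
            return "web robot", trace
    trace += ["S211", "S212"]                             # fall back to behavior detection
    if obs.behavior_says_bot:
        trace.append("S210")
        return "web robot", trace
    trace.append("S213")
    return "normal user", trace


def request_with(ua: str) -> bytes:
    """Constructed HTTP request carrying the given User-Agent."""
    return ("GET / HTTP/1.1\r\nHost: example.test\r\nUser-Agent: %s\r\n\r\n" % ua).encode()


# Constructed sample User-Agent string.
CHROME_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36")

if __name__ == "__main__":
    obs = Observation(request_with(CHROME_UA), 443, ("Windows", "10.0"),
                      ("tool", "curl", ""), False)
    print(identify(obs))
```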
Example 7:
Fig. 3 is a schematic structural diagram of an identification device of a Web robot according to an embodiment of the present invention. As shown in Fig. 3, the device includes:
The parsing module 301 is configured to obtain each web data packet sent by a client to a server within a set time length, parse each web data packet, and extract each TCP/IP fingerprint, a first operating system type, and a first operating system version of the client;
the recognition module 302 is configured to generate a first feature vector according to each TCP/IP fingerprint, and obtain, based on a first recognition model stored in advance, a second operating system type and a second operating system version of the client that are output for the input first feature vector; and if the first operating system type is not matched with the second operating system type or the first operating system version is not matched with the second operating system version, determining that the client is a Web robot.
Further, the parsing module is specifically configured to perform IP protocol parsing and TCP protocol parsing on the web data packet for each web data packet, extract a feature value of each IP protocol feature and a feature value of each TCP protocol feature corresponding to the web data packet, and form a TCP/IP fingerprint corresponding to the web data packet; and carrying out HTTP (hyper text transfer protocol) protocol analysis on any one of the web data packets, and extracting a first operating system type and a first operating system version of the client.
Further, the identification module is specifically configured to determine, for each of the dimension components in the first feature vector, an average value of each of the feature values of each of the protocol features according to the feature value of each of the IP protocol features and the feature value of each of the TCP protocol features included in each of the TCP/IP fingerprints, and determine the average value as a component value corresponding to the dimension component in the first feature vector.
Further, the parsing module is further configured to obtain a target handshake data packet in each web data packet if the first operating system type matches the second operating system type and the first operating system version matches the second operating system version, and to perform Transport Layer Security (TLS) protocol analysis on the target handshake data packet to acquire a TLS fingerprint of the client;
the identification module is further used for generating a second feature vector according to the TLS fingerprint, and acquiring target identification information output for the input second feature vector based on a pre-stored second identification model; and if the client is identified as a tool according to the target identification information, determining that the client is a Web robot, and determining the tool type of the tool as the type of the Web robot.
Further, the parsing module is further configured to, if the client is identified as a browser according to the target identification information, perform Hypertext Transfer Protocol (HTTP) analysis on any one of the web data packets, and extract a second browser version number of the browser used by the client;
the identification module is further configured to determine whether the first browser version number of the browser identified by the target identification information matches the second browser version number, and if not, determine that the client is a Web robot.
Further, the apparatus further comprises:
a judging module, used for determining, after the target handshake data packet in each web data packet is acquired and before TLS protocol analysis is performed on each web data packet and the TLS fingerprint of the client is extracted, whether the first web data packet sent by the client to the server is transmitted based on the Hypertext Transfer Protocol Secure (HTTPS), and if so, triggering the parsing module to execute the subsequent step of performing TLS protocol analysis on each web data packet and extracting the TLS fingerprint of the client.
The following describes an identification device of a Web robot according to an embodiment of the present invention by a specific embodiment, and fig. 4 is a schematic structural diagram of an identification device of another Web robot according to an embodiment of the present invention, as shown in fig. 4, where the device includes: an operating system identification module 401, an HTTP protocol parsing module 402, a TLS fingerprint extraction module 403, and a Web robot identification module 404.
The operating system identification module 401 is configured to parse and extract each TCP/IP fingerprint of the client from each acquired web data packet, generate a first feature vector according to each TCP/IP fingerprint, and acquire a second operating system type and a second operating system version of the client output for the input first feature vector based on a first identification model stored in advance; and carrying out HTTP protocol analysis on any one of the web data packets, and extracting a second browser version number of the browser used by the client.
The HTTP protocol parsing module 402 is configured to perform HTTP protocol parsing on any one of the web data packets, and extract a first operating system type and a first operating system version of the client.
The TLS fingerprint extraction module 403 is configured to perform TLS protocol analysis on the target handshake data packet in each web data packet, obtain a TLS fingerprint of the client, generate a second feature vector according to the TLS fingerprint, and obtain target identification information output for the input second feature vector based on a second recognition model stored in advance.
The Web robot recognition module 404 is configured to: according to the first operating system type, the first operating system version, the second operating system type and the second operating system version, determine that the client is a Web robot if the first operating system type does not match the second operating system type or the first operating system version does not match the second operating system version; if the first operating system type matches the second operating system type and the first operating system version matches the second operating system version, then, if the target identification information identifies the tool type of the client as a tool, determine that the client is a Web robot and determine the tool type as the type of the Web robot; and if the target identification information identifies the first browser version number of the client as a browser, determine, according to the second browser version number and the first browser version number, that the client is a Web robot if the first browser version number does not match the second browser version number.
The operating system identification module 401 corresponds to the parsing module 301 and the identification module 302 in the above embodiments; the HTTP protocol parsing module 402 corresponds to the parsing module 301 in the above embodiment; the TLS fingerprint extraction module 403 corresponds to the parsing module 301 and the recognition module 302 in the above embodiments; the Web robot recognition module 404 corresponds to the recognition module 302 in the above embodiment.
Example 8:
fig. 5 is a schematic structural diagram of an electronic device according to an embodiment of the present invention, and on the basis of the foregoing embodiments, the embodiment of the present invention further provides an electronic device, as shown in fig. 5, including: the device comprises a processor 501, a communication interface 502, a memory 503 and a communication bus 504, wherein the processor 501, the communication interface 502 and the memory 503 are in communication with each other through the communication bus 504.
The memory 503 has stored therein a computer program which, when executed by the processor 501, causes the processor 501 to perform the steps of:
each web data packet sent by a client to a server in a set time length is obtained, and each TCP/IP fingerprint, a first operating system type and a first operating system version of the client are extracted by analyzing each web data packet;
generating a first feature vector according to each TCP/IP fingerprint, and acquiring a second operating system type and a second operating system version of the client output aiming at the input first feature vector based on a pre-stored first identification model;
and if the first operating system type is not matched with the second operating system type or the first operating system version is not matched with the second operating system version, determining that the client is a Web robot.
Further, the processor 501 is specifically configured to parse each web data packet to extract each TCP/IP fingerprint, a first operating system type, and a first operating system version of the client, where the parsing includes:
aiming at each web data packet, carrying out IP protocol analysis and TCP protocol analysis on the web data packet, extracting the characteristic value of each IP protocol characteristic and the characteristic value of each TCP protocol characteristic corresponding to the web data packet, and forming a TCP/IP fingerprint corresponding to the web data packet;
and carrying out HTTP (hyper text transfer protocol) protocol analysis on any one of the web data packets, and extracting a first operating system type and a first operating system version of the client.
Further, the processor 501 is specifically configured to generate a first feature vector according to each TCP/IP fingerprint, where the generating includes:
and determining an average value of each characteristic value of each protocol characteristic according to the characteristic value of each IP protocol characteristic and the characteristic value of each TCP protocol characteristic contained in each TCP/IP fingerprint aiming at the protocol characteristic corresponding to each dimension component in the first characteristic vector, and determining the average value as a component value corresponding to the dimension component in the first characteristic vector.
Further, the processor 501 is further configured to, if the first operating system type matches the second operating system type and the first operating system version matches the second operating system version, further comprise:
acquiring a target handshake data packet in each web data packet;
performing Transport Layer Security (TLS) protocol analysis on the target handshake data packet to acquire a TLS fingerprint of the client;
generating a second feature vector according to the TLS fingerprint, and acquiring target identification information output for the input second feature vector based on a pre-stored second identification model;
and if the client is identified as a tool according to the target identification information, determining that the client is a Web robot, and determining the tool type of the tool as the type of the Web robot.
Further, the processor 501 is further configured to, if the client is identified as a browser according to the target identification information, further include:
performing Hypertext Transfer Protocol (HTTP) analysis on any one of the web data packets, and extracting a second browser version number of the browser used by the client;
judging whether the first browser version number of the browser identified by the target identification information matches the second browser version number, and if not, determining that the client is a Web robot.
Further, the processor 501 is further configured to perform the following step after acquiring the target handshake data packet in each web data packet, and before performing TLS protocol analysis on each web data packet and extracting the TLS fingerprint of the client:
determining whether the first web data packet sent by the client to the server is transmitted based on the Hypertext Transfer Protocol Secure (HTTPS), and if so, executing the subsequent step of performing TLS protocol analysis on each web data packet and extracting the TLS fingerprint of the client.
The communication bus mentioned above for the electronic device may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The communication bus may be classified as an address bus, a data bus, a control bus, or the like. For ease of illustration, only one bold line is shown in the figure, but this does not mean that there is only one bus or only one type of bus.
The communication interface 502 is used for communication between the electronic device and other devices described above.
The Memory may include random access Memory (Random Access Memory, RAM) or may include Non-Volatile Memory (NVM), such as at least one disk Memory. Optionally, the memory may also be at least one memory device located remotely from the aforementioned processor.
The processor may be a general-purpose processor, including a central processing unit, a network processor (Network Processor, NP), etc.; it may also be a digital signal processor (DSP), an application specific integrated circuit, a field programmable gate array or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, etc.
Example 9:
on the basis of the above embodiments, the embodiments of the present invention further provide a computer readable storage medium having stored therein a computer program executable by a processor, which when run on the processor, causes the processor to perform the steps of:
each web data packet sent by a client to a server in a set time length is obtained, and each TCP/IP fingerprint, a first operating system type and a first operating system version of the client are extracted by analyzing each web data packet;
Generating a first feature vector according to each TCP/IP fingerprint, and acquiring a second operating system type and a second operating system version of the client output aiming at the input first feature vector based on a pre-stored first identification model;
and if the first operating system type is not matched with the second operating system type or the first operating system version is not matched with the second operating system version, determining that the client is a Web robot.
Further, the parsing each web data packet to extract each TCP/IP fingerprint, the first operating system type, and the first operating system version of the client includes:
aiming at each web data packet, carrying out IP protocol analysis and TCP protocol analysis on the web data packet, extracting the characteristic value of each IP protocol characteristic and the characteristic value of each TCP protocol characteristic corresponding to the web data packet, and forming a TCP/IP fingerprint corresponding to the web data packet;
and carrying out HTTP (hyper text transfer protocol) protocol analysis on any one of the web data packets, and extracting a first operating system type and a first operating system version of the client.
Further, the generating a first feature vector according to each TCP/IP fingerprint includes:
And determining an average value of each characteristic value of each protocol characteristic according to the characteristic value of each IP protocol characteristic and the characteristic value of each TCP protocol characteristic contained in each TCP/IP fingerprint aiming at the protocol characteristic corresponding to each dimension component in the first characteristic vector, and determining the average value as a component value corresponding to the dimension component in the first characteristic vector.
Further, if the first operating system type matches the second operating system type and the first operating system version matches the second operating system version, the method further comprises:
acquiring a target handshake data packet in each web data packet;
performing Transport Layer Security (TLS) protocol analysis on the target handshake data packet to acquire a TLS fingerprint of the client;
generating a second feature vector according to the TLS fingerprint, and acquiring target identification information output for the input second feature vector based on a pre-stored second identification model;
and if the client is identified as a tool according to the target identification information, determining that the client is a Web robot, and determining the tool type of the tool as the type of the Web robot.
Further, if the client is identified as a browser according to the target identification information, the method further includes:
performing Hypertext Transfer Protocol (HTTP) analysis on any one of the web data packets, and extracting a second browser version number of the browser used by the client;
and judging whether the first browser version number of the browser identified by the target identification information matches the second browser version number, and if not, determining that the client is a Web robot.
Further, after acquiring the target handshake data packet in each web data packet, and before performing TLS protocol analysis on each web data packet and extracting the TLS fingerprint of the client, the method further includes:
determining whether the first web data packet sent by the client to the server is transmitted based on the Hypertext Transfer Protocol Secure (HTTPS), and if so, executing the subsequent step of performing TLS protocol analysis on each web data packet and extracting the TLS fingerprint of the client.
It will be appreciated by those skilled in the art that embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to the application. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
It will be apparent to those skilled in the art that various modifications and variations can be made to the present application without departing from the spirit or scope of the application. Thus, it is intended that the present application also include such modifications and alterations insofar as they come within the scope of the appended claims or the equivalents thereof.

Claims (9)

1. A method for identifying a Web robot, the method comprising:
each web data packet sent by a client to a server in a set time length is obtained, and each TCP/IP fingerprint, a first operating system type and a first operating system version of the client are extracted by analyzing each web data packet;
generating a first feature vector according to each TCP/IP fingerprint, and acquiring a second operating system type and a second operating system version of the client output aiming at the input first feature vector based on a first recognition model which is stored in advance and is based on machine learning;
And if the first operating system type is not matched with the second operating system type or the first operating system version is not matched with the second operating system version, determining that the client is a Web robot.
2. The method of claim 1, wherein parsing each web data packet to extract each TCP/IP fingerprint, first operating system type, and first operating system version of the client comprises:
aiming at each web data packet, carrying out IP protocol analysis and TCP protocol analysis on the web data packet, extracting the characteristic value of each IP protocol characteristic and the characteristic value of each TCP protocol characteristic corresponding to the web data packet, and forming a TCP/IP fingerprint corresponding to the web data packet;
and carrying out HTTP (hyper text transfer protocol) protocol analysis on any one of the web data packets, and extracting a first operating system type and a first operating system version of the client.
3. The method of claim 1, wherein generating a first feature vector from each of the TCP/IP fingerprints comprises:
and determining an average value of each characteristic value of each protocol characteristic according to the characteristic value of each IP protocol characteristic and the characteristic value of each TCP protocol characteristic contained in each TCP/IP fingerprint aiming at the protocol characteristic corresponding to each dimension component in the first characteristic vector, and determining the average value as a component value corresponding to the dimension component in the first characteristic vector.
4. The method of claim 1, wherein if the first operating system type matches the second operating system type and the first operating system version matches the second operating system version, the method further comprises:
acquiring a target handshake data packet in each web data packet;
performing Transport Layer Security (TLS) protocol analysis on the target handshake data packet to acquire a TLS fingerprint of the client;
generating a second feature vector according to the TLS fingerprint, and acquiring target identification information output for the input second feature vector based on a pre-stored second recognition model based on machine learning;
and if the client is identified as a tool according to the target identification information, determining that the client is a Web robot, and determining the tool type of the tool as the type of the Web robot.
5. The method of claim 4, wherein if the client is identified as a browser based on the target identification information, the method further comprises:
performing Hypertext Transfer Protocol (HTTP) analysis on any one of the web data packets, and extracting a second browser version number of the browser used by the client;
and judging whether the first browser version number of the browser identified by the target identification information matches the second browser version number, and if not, determining that the client is a Web robot.
6. The method of claim 4, wherein after acquiring the target handshake data packet among the web data packets, and before performing Transport Layer Security (TLS) protocol analysis on each web data packet and extracting the TLS fingerprint of the client, the method further comprises:
determining whether the first web data packet sent by the client to the server is transmitted over Hypertext Transfer Protocol Secure (HTTPS), and if so, executing the subsequent step of performing TLS protocol analysis on each web data packet and extracting the TLS fingerprint of the client.
7. An identification device of a Web robot, the device comprising:
an analysis module, configured to acquire each web data packet sent by the client to the server within a set time length, and to parse each web data packet to extract each TCP/IP fingerprint, a first operating system type and a first operating system version of the client;
an identification module, configured to generate a first feature vector from the TCP/IP fingerprints, and to obtain, based on a pre-stored first recognition model, a second operating system type and a second operating system version of the client that the model outputs for the input first feature vector; and, if the first operating system type does not match the second operating system type or the first operating system version does not match the second operating system version, to determine that the client is a Web robot.
8. An electronic device, comprising: a processor, a communication interface, a memory and a communication bus, wherein the processor, the communication interface and the memory communicate with each other through the communication bus;
the memory has stored therein a computer program which, when executed by the processor, causes the processor to perform the method of any of claims 1-6.
9. A computer readable storage medium, characterized in that it stores a computer program executable by a processor, which when run on the processor causes the processor to perform the method of any of claims 1-6.
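The operating-system consistency check of claims 1 to 3, as an added example that is not code from the patent. The feature subset, the scaling, the User-Agent patterns, the reference vectors and the sample packets are constructed assumptions, and a nearest-reference-vector lookup stands in for the trained first recognition model.

```python
import re
from statistics import mean

# Protocol features forming one TCP/IP fingerprint (assumed subset).
FEATURES = ("ttl", "window", "mss", "wscale")
SCALE = (255, 65535, 1460, 14)  # per-feature maxima, used to normalize distances

# Constructed reference vectors standing in for the trained first recognition model.
CENTROIDS = {
    ("Windows", "10.0"): (128, 64240, 1460, 8),
    ("Linux", "unknown"): (64, 29200, 1460, 7),
    ("Mac OS X", "10.15"): (64, 65535, 1460, 6),
}
UA_PATTERNS = [
    ("Windows", re.compile(r"Windows NT (\d+\.\d+)")),
    ("Mac OS X", re.compile(r"Mac OS X (\d+)[_.](\d+)")),
    ("Linux", re.compile(r"Linux")),
]

def feature_vector(fingerprints):
    """Claim 3: each component is the mean of that feature over all fingerprints."""
    return tuple(mean(fp[name] for fp in fingerprints) for name in FEATURES)

def os_from_user_agent(user_agent):
    """First OS type/version: what the client claims in its HTTP User-Agent."""
    for os_type, pattern in UA_PATTERNS:
        m = pattern.search(user_agent)
        if m:
            return os_type, ".".join(m.groups()) or "unknown"
    return "unknown", "unknown"

def os_from_vector(vector):
    """Second OS type/version: label of the nearest reference vector."""
    def dist(ref):
        return sum(((v - r) / s) ** 2 for v, r, s in zip(vector, ref, SCALE))
    return min(CENTROIDS, key=lambda label: dist(CENTROIDS[label]))

def is_web_robot(fingerprints, user_agent):
    """Claim 1: flag the client when claimed and inferred OS type or version differ."""
    return os_from_user_agent(user_agent) != os_from_vector(feature_vector(fingerprints))

# Constructed samples: one User-Agent claiming Windows 10, two packet captures.
WINDOWS_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/103.0"
BROWSER_PKTS = [{"ttl": 117, "window": 64240, "mss": 1460, "wscale": 8}] * 2
SCRIPT_PKTS = [{"ttl": 52, "window": 29200, "mss": 1460, "wscale": 7},
               {"ttl": 52, "window": 29312, "mss": 1460, "wscale": 7}]

if __name__ == "__main__":
    print(is_web_robot(BROWSER_PKTS, WINDOWS_UA), is_web_robot(SCRIPT_PKTS, WINDOWS_UA))
```

A User-Agent that matches none of the patterns yields ("unknown", "unknown") and is therefore also flagged, which a deployment would want to treat as a separate case.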
CN202210729514.5A 2022-06-24 2022-06-24 Web robot identification method, device, equipment and medium Active CN115051977B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210729514.5A CN115051977B (en) 2022-06-24 2022-06-24 Web robot identification method, device, equipment and medium

Publications (2)

Publication Number Publication Date
CN115051977A CN115051977A (en) 2022-09-13
CN115051977B CN115051977B (en) 2023-09-19

Family

ID=83162742

Country Status (1)

Country Link
CN (1) CN115051977B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant