CN115577349A - Method and device for determining abnormal request and electronic equipment - Google Patents

Method and device for determining abnormal request and electronic equipment Download PDF

Info

Publication number
CN115577349A
CN115577349A CN202211175015.2A CN202211175015A CN115577349A CN 115577349 A CN115577349 A CN 115577349A CN 202211175015 A CN202211175015 A CN 202211175015A CN 115577349 A CN115577349 A CN 115577349A
Authority
CN
China
Prior art keywords
request
feature
vector
characteristic
sub
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202211175015.2A
Other languages
Chinese (zh)
Inventor
刘权
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Baidu Netcom Science and Technology Co Ltd
Original Assignee
Beijing Baidu Netcom Science and Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Baidu Netcom Science and Technology Co Ltd filed Critical Beijing Baidu Netcom Science and Technology Co Ltd
Priority to CN202211175015.2A priority Critical patent/CN115577349A/en
Publication of CN115577349A publication Critical patent/CN115577349A/en
Pending legal-status Critical Current

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/554Detecting local intrusion or implementing counter-measures involving event detection and direct action
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425Traffic logging, e.g. anomaly detection

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Computing Systems (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The disclosure provides a method and a device for determining an abnormal request and electronic equipment, and relates to the technical field of data processing, in particular to the fields of big data, network security and the like. The specific scheme is as follows: aggregating the network requests corresponding to each feature vector in the request data table, and determining the first request quantity of each feature vector under different request types; determining the total request quantity of each feature sub-vector corresponding to each feature vector and the second request quantity of each feature sub-vector under different request types according to a plurality of feature values in each feature vector and the first request quantity under different request types; and when the ratio of the second request quantity corresponding to any characteristic sub-vector to the total request quantity is greater than a first threshold value, determining that the network request corresponding to any characteristic sub-vector is an abnormal request. The method realizes the analysis of the network request from the angle of each dimension combination, avoids missing the mining of the abnormal requests under various dimension combinations, and improves the accuracy of determining the abnormal requests.

Description

Method and device for determining abnormal request and electronic equipment
Technical Field
The present disclosure relates to the field of data processing technologies, particularly to the fields of big data, network security, and the like, and in particular, to a method and an apparatus for determining an exception request, and an electronic device.
Background
In recent years, the hot spot in the field of network security is continuous, and the information network security becomes a general concern. How to accurately determine whether the network request is an abnormal request is a key for ensuring the network security.
Disclosure of Invention
The disclosure provides a method and a device for determining an abnormal request.
According to an aspect of the present disclosure, there is provided a method for determining an exception request, including:
acquiring a request data table, wherein the request data table comprises a plurality of network requests, request types corresponding to the network requests and feature vectors, and the feature vectors comprise feature values of the network requests on a plurality of dimensions respectively;
aggregating the network requests corresponding to each feature vector to determine a first request quantity of each feature vector under different request types;
determining the total quantity of requests of each feature sub-vector corresponding to each feature vector and the second quantity of requests of each feature sub-vector under different request types according to the first quantity of requests of each feature vector under different request types and the plurality of feature values included in each feature vector, wherein each feature sub-vector includes at least one feature value;
and under the condition that the ratio of the second request quantity corresponding to any characteristic sub-vector to the total request quantity is larger than a first threshold value, determining that the network request corresponding to any characteristic sub-vector is an abnormal request.
According to another aspect of the present disclosure, there is provided an apparatus for determining an exception request, including:
the device comprises an acquisition module, a processing module and a processing module, wherein the acquisition module is used for acquiring a request data table, the request data table comprises a plurality of network requests, request types and feature vectors corresponding to the network requests, and the feature vectors comprise feature values of the network requests on a plurality of dimensions respectively;
the aggregation module is used for aggregating the network requests corresponding to each feature vector to determine the first request quantity of each feature vector under different request types;
the determining module is used for determining the total quantity of requests of each feature sub-vector corresponding to each feature vector and the second quantity of requests of each feature sub-vector under different request types according to the first quantity of requests of each feature vector under different request types and the plurality of feature values included in each feature vector, wherein each feature sub-vector includes at least one feature value;
the determining module is further configured to determine that the network request corresponding to any feature sub-vector is an abnormal request when a ratio of the second request number corresponding to any feature sub-vector to the total request amount is greater than a first threshold.
According to another aspect of the present disclosure, there is provided an electronic device including:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein,
the memory stores instructions executable by the at least one processor to enable the at least one processor to perform the method of the above embodiments.
According to another aspect of the present disclosure, there is provided a non-transitory computer readable storage medium having stored thereon computer instructions for causing the computer to perform the method according to the above-described embodiments.
According to another aspect of the present disclosure, a computer program product is provided, comprising a computer program which, when executed by a processor, implements the steps of the method of the above embodiment.
It should be understood that the statements in this section do not necessarily identify key or critical features of the embodiments of the present disclosure, nor do they limit the scope of the present disclosure. Other features of the present disclosure will become apparent from the following description.
Drawings
The drawings are included to provide a better understanding of the present solution and are not to be construed as limiting the present disclosure. Wherein:
fig. 1 is a schematic flowchart illustrating a method for determining an abnormal request according to an embodiment of the present disclosure;
fig. 2 is a schematic flowchart of another method for determining an exception request according to an embodiment of the present disclosure;
fig. 3 is a schematic flowchart of another method for determining an exception request according to an embodiment of the present disclosure;
fig. 4 is a schematic flowchart of another method for determining an exception request according to an embodiment of the present disclosure;
fig. 5 is a flowchart illustrating another method for determining an exception request according to an embodiment of the present disclosure;
fig. 6 is a flowchart illustrating another method for determining an exception request according to an embodiment of the present disclosure;
fig. 7 is a schematic flowchart of an apparatus for determining an exception request according to an embodiment of the present disclosure;
FIG. 8 is a block diagram of an electronic device used to implement the determination of an exception request of an embodiment of the present disclosure.
Detailed Description
Exemplary embodiments of the present disclosure are described below with reference to the accompanying drawings, in which various details of the embodiments of the disclosure are included to assist understanding, and which are to be considered as merely exemplary. Accordingly, those of ordinary skill in the art will recognize that various changes and modifications of the embodiments described herein can be made without departing from the scope and spirit of the disclosure. Also, descriptions of well-known functions and constructions are omitted in the following description for clarity and conciseness.
Big data, or mass data, refers to information that is large in size and cannot be captured, managed, processed, and collated in a reasonable time through the current mainstream software tools to help enterprises make business decisions more positive.
The network security means that the network system is not threatened or infringed and can normally realize the resource sharing function. In order to enable the network to normally realize the resource sharing function, firstly, the hardware and the software of the network are ensured to be normally operated, and then, the safety of data information exchange is ensured.
Generally, whether a network request is an abnormal request can be judged by characteristic values on a fixed dimension. However, due to the complexity of the abnormal request scenario, the abnormal network request is judged by the feature values in the fixed dimension, and mining of typical abnormal requests in other dimension combinations is omitted, so that the determination of the abnormal request is inaccurate.
According to the method and the device, the characteristic sub-vectors under various dimension combinations are obtained by splitting the characteristic vectors on multiple dimensions, and the network requests corresponding to the characteristic sub-vectors are aggregated, so that the analysis of the network requests from the angle of each dimension combination is realized, the missing of mining abnormal requests under various dimension combinations is avoided, and the accuracy of determining the abnormal requests is improved.
A method, an apparatus, an electronic device, and a storage medium for determining an exception request according to embodiments of the present disclosure are described in detail below with reference to the accompanying drawings.
Fig. 1 is a schematic flowchart of a method for determining an exception request according to an embodiment of the present disclosure.
As shown in fig. 1, the method includes:
step 101, a request data table is obtained, wherein the request data table includes a plurality of network requests, a request type corresponding to each network request, and a feature vector, and the feature vector includes feature values of the network requests in a plurality of dimensions respectively.
The dimension may be an IP (Internet Protocol Address ) corresponding to the network request, a client identifier, an account identifier, and the like, which is not limited in this disclosure.
In the present disclosure, the request data table may be determined by analyzing the weblog. When a user initiates a network request, the request type of the network request can be determined according to a service interface called by the network request, and the like. For example, when the user applies for after-sales, the request type of the network request may be determined as an after-sales type, and when the network request initiated by the user only calls the login interface, the request type of the network request may be determined as a login type.
Optionally, the network logs corresponding to different services may be analyzed, the network requests corresponding to the services are stored in different request data tables, so as to determine the request data table corresponding to each service, and then the abnormal traffic under each service is determined according to the request data table corresponding to each service.
And 102, aggregating the network requests corresponding to each feature vector to determine a first request quantity of each feature vector under different request types.
In the disclosure, the first request number of each feature vector under different request types can be determined first to reduce the data amount of the request data, so that the efficiency of determining the abnormal request can be improved.
In this disclosure, network requests corresponding to each feature vector may be aggregated to determine a first number of requests of each feature vector under different request types, respectively. For example, if the user uses account 1 and client 1 to initiate 5 after-sale requests, and logs in the requests 3 times, the 8 network requests are aggregated, and it is determined that the first request quantity of the feature vector [ account identifier 1 and client identifier 1] in the after-sale type is 5, and the first request quantity in the login type is 3.
Step 103, determining a total amount of requests of each feature sub-vector corresponding to each feature sub-vector and a second amount of requests of each feature sub-vector in different request types according to a first amount of requests of each feature vector in different request types and a plurality of feature values included in each feature vector, wherein each feature sub-vector includes at least one feature value.
In the present disclosure, each feature vector may be split, so as to determine a feature sub-vector of each feature vector under various dimensional combinations, and determine a first request quantity of each feature vector under different request types, as a request quantity of each feature sub-vector corresponding to each feature sub-vector under corresponding request types, and then aggregate the request quantities of each feature sub-vector under different request types, and determine a second request quantity of each feature sub-vector under different request types.
In addition, the first request number of a plurality of feature vectors corresponding to a certain feature sub-vector in the same request type can be added to determine the total request number corresponding to the feature sub-vector.
And step 104, determining that the network request corresponding to any characteristic sub-vector is an abnormal request under the condition that the ratio of the second request quantity corresponding to any characteristic sub-vector to the request total quantity is greater than a first threshold value.
In this disclosure, when the ratio of the second request number corresponding to the feature sub-vector to the total request amount is greater than the first threshold, it indicates that the user frequently makes the same network request, and thus, it may be determined that the network request corresponding to the feature sub-vector is an abnormal request.
In this disclosure, different request types may correspond to different thresholds, and therefore, a first threshold corresponding to each request type may be dynamically determined according to distribution of the number of requests in different request types, and then, in a case where a ratio of a second request number of any feature sub-vector in a certain request type to a total number of requests is greater than the first threshold corresponding to the request type, a network request corresponding to the feature sub-vector is determined to be an abnormal request. Thereby, the accuracy of determining the abnormal request can be improved.
Optionally, a ratio of the second request quantity corresponding to each feature sub-vector to the total request quantity under different request types may be determined, and then the first threshold corresponding to each request type may be determined according to a distribution of a plurality of ratios under each request type.
Optionally, in a case that it is determined that the network request corresponding to the feature sub-vector is an abnormal request, the request data including the feature sub-vector in the request data table is marked as abnormal request data. So as to facilitate statistics and data display of the abnormal requests in the following process.
In this disclosure, after a request data table including a plurality of network requests, a request type corresponding to each network request, and a feature vector is obtained, network requests corresponding to each feature vector may be aggregated to determine a first request quantity of each feature vector in different request types, and then, a request total quantity of each feature vector including at least one feature value feature sub-vector and a second request quantity of each feature vector in different request types may be determined according to the first request quantity of each feature vector in different request types and a plurality of feature values included in each feature vector, and a network request corresponding to any feature sub-vector is determined to be an abnormal request when a ratio of the second request quantity corresponding to any feature sub-vector to the request total quantity is greater than a first threshold. Therefore, the characteristic sub-vectors under various dimensional combinations are obtained by splitting the characteristic vectors on the multiple dimensions, and the network requests corresponding to the characteristic sub-vectors are aggregated, so that the analysis of the network requests from the angle of each dimensional combination is realized, the missing of mining abnormal requests under various dimensional combinations is avoided, and the accuracy of determining the abnormal requests is improved.
Fig. 2 is a schematic flowchart of a method for determining an exception request according to an embodiment of the present disclosure.
As shown in fig. 2, the method includes:
step 201, a request data table is obtained, where the request data table includes a plurality of network requests, a request type corresponding to each network request, and a feature vector, and the feature vector includes feature values of the network requests in multiple dimensions, respectively.
Step 202, aggregating the network requests corresponding to each feature vector to determine a first request quantity of each feature vector under different request types.
In the present disclosure, for a specific implementation process of step 201 to step 202, reference may be made to detailed description of any embodiment of the present disclosure, and details are not repeated here.
Step 203, determining a feature sub-vector corresponding to each feature vector according to the dimension corresponding to the feature value included in each feature vector.
In the present disclosure, when the dimensions corresponding to a plurality of eigenvalues are semantically related, based on the number of network requests corresponding to the plurality of eigenvalues, it cannot be accurately determined whether the network requests corresponding to the plurality of eigenvalues are abnormal requests. Therefore, in order to improve the accuracy of determining the abnormal request, semantic identification may be performed on the dimension corresponding to each feature value to determine the semantic type corresponding to each feature value, and then, each feature vector may be split according to the semantic type corresponding to the feature value included in each feature vector to generate feature sub-vectors, where the semantic types corresponding to the feature values included in the feature sub-vectors are different.
Optionally, a reference dimension having no correlation may be configured through the configuration file, and thus, feature values included in each feature vector and corresponding to the reference dimension may be combined to generate a feature sub-vector. Therefore, the irrelevance of the characteristic values in the characteristic sub-vectors can be ensured, and the accuracy of determining the abnormal request is improved.
Step 204, in a case that any one of the feature sub-vectors corresponds to a plurality of feature vectors, aggregating the first request quantity of the plurality of feature vectors respectively under the same request type to determine a second request quantity of any one of the feature sub-vectors under the same request type.
In the present disclosure, in a case that any one feature sub-vector corresponds to multiple feature vectors, the multiple feature vectors may be aggregated in the first request number of the same request type, respectively, to determine the second request number of the feature sub-vector of the same request type. And then, whether the network request corresponding to each feature sub-vector is an abnormal request or not can be respectively determined according to the second request quantity of each feature sub-vector, so that the missing of mining the abnormal requests under various dimension combinations is avoided, and the accuracy of determining the abnormal requests is improved.
For example, it is assumed that the feature sub-vector [ IP ] corresponds to 2 feature vectors, which are respectively the feature vector 1[ IP ], the account identifier 1], the feature vector 2[ IP ], and the account identifier 2], the first request quantity corresponding to the feature vector 1 under the after-sales type is 5, and the first request quantity corresponding to the feature vector 2 under the after-sales type is 4. Aggregating the first request quantity of the two feature vectors under the after-sales type respectively, and determining that the second request quantity of the feature sub-vector [ IP ] under the after-sales type is 9.
Step 205, aggregating the second request quantity of any feature sub-vector under each request type to determine the total request quantity corresponding to any feature sub-vector.
In this disclosure, the second request amount of any feature sub-vector in each request type may be aggregated, and the total request amount corresponding to any feature sub-vector may be determined.
For example, assuming that the number of second requests corresponding to the feature subvector [ IP ] in the after-market type is 9 and the number of second requests corresponding to the login type is 8, the number of second requests corresponding to the feature subvector [ IP ] in the after-market type and the login type are aggregated, and the total number of requests corresponding to the feature subvector [ IP ] is determined to be 17.
Step 206, under the condition that the ratio of the second request quantity corresponding to any characteristic sub-vector to the total request quantity is larger than a first threshold value, determining that the network request corresponding to any characteristic sub-vector is an abnormal request.
In the present disclosure, the specific implementation process of step 206 may refer to the detailed description of any embodiment of the present disclosure, and is not described herein again.
According to the method and the device, the characteristic sub-vectors under various dimensional combinations are obtained by splitting the characteristic vectors on multiple dimensions, and the network requests corresponding to the characteristic sub-vectors are aggregated, so that the analysis of the network requests from the perspective of the dimensional combinations is realized, the missing of the mining of abnormal requests under various dimensional combinations is avoided, and the accuracy of determining the abnormal requests is improved.
Fig. 3 is a flowchart illustrating a method for determining an abnormal request according to an embodiment of the present disclosure.
As shown in fig. 3, the method includes:
step 301, a request data table is obtained, where the request data table includes a plurality of network requests, a request type corresponding to each network request, and a feature vector, and the feature vector includes feature values of the network requests in a plurality of dimensions respectively.
Step 302, aggregating the network requests corresponding to each feature vector to determine a first request quantity of each feature vector under different request types.
Step 303, determining a total amount of requests of each feature sub-vector corresponding to each feature vector and a second amount of requests of each feature sub-vector corresponding to each feature vector under different request types according to the first amount of requests of each feature vector under different request types and the plurality of feature values included in each feature vector, wherein each feature sub-vector includes at least one feature value.
Step 304, when the ratio of the second request quantity corresponding to any characteristic sub-vector to the total request quantity is greater than a first threshold, determining that the network request corresponding to any characteristic sub-vector is an abnormal request.
In the present disclosure, the detailed implementation process of steps 301 to 304 may refer to the detailed description of any embodiment of the present disclosure, and is not repeated herein.
Step 305, aggregating the plurality of network requests according to the request time corresponding to each network request to determine a fourth request quantity corresponding to each feature vector in each first preset time interval.
In the present disclosure, the number of network requests initiated by the user in each time interval is regular, for example, the number of network requests initiated by the user in each time interval is uniformly distributed, and the network request may be an abnormal request if the number of network requests made by the user in a certain time interval is increased. Therefore, the plurality of network requests can be aggregated according to the request time corresponding to each network request, and the fourth request quantity corresponding to each feature vector in each first preset time interval is determined.
For example, assume that the feature vector 1, [ ip, account identifier 1], there are 3 corresponding network requests within 10-10, and 2 corresponding network requests within 10-10. Then the fourth request number for feature vector 1 in 10.
Step 306, in a case that any one of the feature sub-vectors corresponds to a plurality of feature vectors within the same first preset time interval, aggregating the fourth request quantities respectively corresponding to the plurality of feature vectors to determine a fifth request quantity corresponding to any one of the feature sub-vectors within the same first preset time interval.
In this disclosure, when a certain feature sub-vector corresponds to multiple feature vectors within the same first preset time interval, the fourth request quantities corresponding to the multiple feature vectors respectively may be aggregated to determine the fifth request quantities corresponding to the feature sub-vectors within the same first preset time interval, and then, whether the network request corresponding to the feature sub-vector is an abnormal request may be determined according to the fifth request quantities corresponding to the feature sub-vectors within the first preset time intervals respectively.
For example, assume that the feature sub-vector [ IP ] corresponds to two feature vectors, i.e., feature vector 1 is [ IP, account id 1], feature vector 2[ IP, account id 2], the fourth request number corresponding to feature vector 1 in 10. Aggregating the fourth request quantity corresponding to the feature vector 1 and the feature vector 2 respectively, and determining that the fifth request quantity corresponding to the feature sub-vector [ IP ] in the range of 10.
Step 307, determining whether the network request corresponding to each feature sub-vector is an abnormal request according to a difference between the numbers of the fifth requests respectively corresponding to each feature sub-vector in each first preset time interval.
In this disclosure, when a difference between the numbers of the fifth requests respectively corresponding to a certain feature sub-vector in each first preset time interval is greater than a preset threshold, it is indicated that the network request corresponding to the feature sub-vector is an abnormal request. When the difference value between the fifth request numbers respectively corresponding to a certain characteristic sub-vector in each first preset time interval is smaller than the preset threshold value, the network request number corresponding to the characteristic sub-vector in each first preset time interval is stable, and therefore the network request corresponding to the characteristic sub-vector can be determined not to be an abnormal request, and accuracy of determining the abnormal request is improved.
Optionally, according to the sequence of each first preset time interval, the fifth request number respectively corresponding to a certain feature sub-vector in each first preset time interval may be sorted to determine trend data corresponding to the feature sub-vector, and then the trend data may be input into a preset trend anomaly determination network model to determine whether a network request corresponding to the feature sub-vector is an anomaly request. The trend anomaly determination network model may be configured to determine whether a number of network requests that do not have a uniform distribution characteristic in each first preset time interval are anomalous requests.
According to the method and the device, the characteristic sub-vectors under various dimension combinations are obtained by splitting the characteristic vectors on multiple dimensions, and the network requests corresponding to the characteristic sub-vectors are aggregated, so that the analysis of the network requests from the angle of each dimension combination is realized, the missing of mining abnormal requests under various dimension combinations is avoided, and the accuracy of determining the abnormal requests is improved.
Fig. 4 is a flowchart illustrating a method for determining an abnormal request according to an embodiment of the present disclosure.
As shown in fig. 4, the method includes:
step 401, a request data table is obtained, where the request data table includes a plurality of network requests, a request type corresponding to each network request, and a feature vector, and the feature vector includes feature values of the network requests in a plurality of dimensions respectively.
Step 402, aggregating the network requests corresponding to each feature vector to determine a first request quantity of each feature vector under different request types.
In the present disclosure, for a specific implementation process of step 401 to step 402, reference may be made to detailed description of any embodiment of the present disclosure, and details are not described herein again.
Step 403, determining a third request quantity of each eigenvalue under different request types according to the first request quantity of the eigenvector in which each eigenvalue is located under different request types.
In the present disclosure, each feature vector in the request data table may include more feature values, and when the data amount of the network request corresponding to a certain feature value is less, it may be determined that the network request corresponding to the feature value is not an abnormal request. In order to reduce the operation amount, a third request number of each eigenvalue in different request types may be determined according to a first request number of an eigenvector in which each eigenvalue is located in different request types, and then mask processing may be performed on the eigenvalue according to the third request number.
And step 404, replacing any characteristic value in each characteristic vector with a preset character under the condition that the third request quantity corresponding to any characteristic value is smaller than a second threshold value.
In this disclosure, when the number of the third requests corresponding to a certain feature value is smaller than the second threshold, it is indicated that the network request corresponding to the feature value is not an abnormal request, and therefore, the feature value in each feature vector may be replaced with a preset character. Therefore, the number of characteristic values is reduced, and the efficiency of determining the abnormal request is further improved.
Step 405, determining a total amount of requests of each feature sub-vector corresponding to each feature vector and a second amount of requests of each feature sub-vector corresponding to each feature vector in accordance with a first amount of requests of each feature vector in different request types and a plurality of feature values included in each feature vector, wherein each feature sub-vector includes at least one feature value.
Step 406, determining that the network request corresponding to any feature sub-vector is an abnormal request under the condition that the ratio of the second request quantity corresponding to any feature sub-vector to the total request quantity is greater than a first threshold.
In the present disclosure, the detailed implementation process of steps 405 to 406 may refer to the detailed description of any embodiment of the present disclosure, and is not repeated herein.
According to the method and the device, the characteristic sub-vectors under various dimension combinations are obtained by splitting the characteristic vectors on multiple dimensions, and the network requests corresponding to the characteristic sub-vectors are aggregated, so that the analysis of the network requests from the angle of each dimension combination is realized, the missing of mining abnormal requests under various dimension combinations is avoided, and the accuracy of determining the abnormal requests is improved.
Fig. 5 is a schematic flowchart of a method for determining an exception request according to an embodiment of the present disclosure.
As shown in fig. 5, the method includes:
step 501, a request data table is obtained, wherein the request data table includes a plurality of network requests, a request type corresponding to each network request, and a feature vector, and the feature vector includes feature values of the network requests in a plurality of dimensions respectively.
Step 502, aggregating the network requests corresponding to each feature vector to determine a first request quantity of each feature vector under different request types.
Step 503, determining a total amount of requests of each feature sub-vector corresponding to each feature vector and a second amount of requests of each feature sub-vector corresponding to each feature vector under different request types according to the first amount of requests of each feature vector under different request types and the plurality of feature values included in each feature vector, wherein each feature sub-vector includes at least one feature value.
Step 504, under the condition that the ratio of the second request quantity corresponding to any characteristic sub-vector to the total request quantity is larger than a first threshold value, determining that the network request corresponding to any characteristic sub-vector is an abnormal request.
Step 505, according to the request time corresponding to each network request, aggregating the plurality of network requests to determine a fourth request quantity corresponding to each feature vector in each first preset time interval.
In the present disclosure, for a specific implementation process of step 501 to step 505, reference may be made to detailed description of any embodiment of the present disclosure, and details are not repeated here.
Step 506, determining a sixth request quantity corresponding to each eigenvalue in each second preset time interval according to the fourth request quantity corresponding to the eigenvector in which each eigenvalue is located in each second preset time interval.
In the present disclosure, each eigenvector in the request data table may contain more eigenvalues, and when the data volume of the network request corresponding to the eigenvalue is less, the network request corresponding to the eigenvalue is not an abnormal request. In order to reduce the operation amount, a sixth request quantity corresponding to each eigenvalue in each second preset time interval may be determined according to a fourth request quantity corresponding to the eigenvector where each eigenvalue is located in each second preset time interval, and then mask processing may be performed on the eigenvalue according to the sixth request quantity.
Step 507, replacing any eigenvalue in each eigenvector with a preset character under the condition that the sixth request number corresponding to any eigenvalue is smaller than the third threshold value.
In this disclosure, when the sixth request number corresponding to a certain feature value is smaller than the third threshold, it indicates that the network request corresponding to the feature value is not an abnormal request, and therefore, the feature value in each feature vector may be replaced with a preset character. Therefore, the number of characteristic values is reduced, and the efficiency of determining the abnormal request is further improved.
Step 508, under the condition that any one of the feature sub-vectors corresponds to a plurality of feature vectors within the same first preset time interval, aggregating the fourth request quantities respectively corresponding to the plurality of feature vectors to determine a fifth request quantity corresponding to any one of the feature sub-vectors within the same first preset time interval.
Step 509, determining whether the network request corresponding to each feature sub-vector is an abnormal request according to a difference between the numbers of the fifth requests corresponding to each feature sub-vector in each first preset time interval.
In the present disclosure, the detailed implementation process of step 508 to step 509 may refer to the detailed description of any embodiment of the present disclosure, and is not described herein again.
According to the method and the device, the characteristic sub-vectors under various dimension combinations are obtained by splitting the characteristic vectors on multiple dimensions, and the network requests corresponding to the characteristic sub-vectors are aggregated, so that the analysis of the network requests from the angle of each dimension combination is realized, the missing of mining abnormal requests under various dimension combinations is avoided, and the accuracy of determining the abnormal requests is improved.
Fig. 6 is a schematic flowchart of a method for determining an exception request according to an embodiment of the present disclosure.
As shown in fig. 6, the method includes:
step 601, a request data table is obtained, wherein the request data table includes a plurality of network requests, a request type corresponding to each network request, and a feature vector, and the feature vector includes feature values of the network requests in a plurality of dimensions respectively.
Step 602, aggregating the network requests corresponding to each feature vector to determine a first request quantity of each feature vector under different request types.
Step 603, determining a total amount of requests of each feature sub-vector corresponding to each feature vector and a second amount of requests of each feature sub-vector corresponding to each feature vector in accordance with the first amount of requests of each feature vector in different request types and the plurality of feature values included in each feature vector, wherein each feature sub-vector includes at least one feature value.
Step 604, determining that the network request corresponding to any feature sub-vector is an abnormal request under the condition that the ratio of the second request quantity corresponding to any feature sub-vector to the total request quantity is greater than a first threshold value.
In the present disclosure, the detailed implementation process of steps 601 to 604 may refer to the detailed description of any embodiment of the present disclosure, and is not repeated herein.
Step 605, determining the number of different second eigenvalues corresponding to each first eigenvalue according to the first eigenvalue corresponding to the first preset dimension and the second eigenvalue corresponding to the second preset dimension in each eigenvector.
In the present disclosure, a network request frequently initiated by a user using the same account at different IPs is an exception request. Therefore, in order to more accurately determine the abnormal request, the number of different second eigenvalues corresponding to each first eigenvalue may be determined according to the first eigenvalue corresponding to the first preset dimension and the second eigenvalue corresponding to the second preset dimension in each eigenvector, and then, whether the network request corresponding to the first eigenvalue is the abnormal request may be determined according to the number of different second eigenvalues corresponding to each first eigenvalue.
In addition, the first preset dimension and the second preset dimension can be configured by a user according to requirements.
Step 606, determining that the network request corresponding to any first eigenvalue is an abnormal request under the condition that the number of different second eigenvalues corresponding to any first eigenvalue is greater than the fourth threshold.
In this disclosure, when the number of different second eigenvalues corresponding to the first eigenvalue is greater than the fourth threshold, it is indicated that the user frequently initiates a network request, and therefore, the network request corresponding to the first eigenvalue can be determined to be an abnormal request, thereby improving the accuracy of determining the abnormal request.
For example, if the first feature value is account id 1, and account id 1 corresponds to 1000 IPs, the network request corresponding to account id 1 is an abnormal request.
According to the method and the device, the characteristic sub-vectors under various dimensional combinations are obtained by splitting the characteristic vectors on multiple dimensions, and the network requests corresponding to the characteristic sub-vectors are aggregated, so that the analysis of the network requests from the perspective of the dimensional combinations is realized, the missing of the mining of abnormal requests under various dimensional combinations is avoided, and the accuracy of determining the abnormal requests is improved.
In order to implement the foregoing embodiment, the embodiment of the present disclosure further provides an apparatus for determining an exception request. Fig. 7 is a schematic structural diagram of an apparatus for determining an exception request according to an embodiment of the present disclosure.
As shown in fig. 7, the apparatus 700 for determining an exception request includes: an acquisition module 710, an aggregation module 720, and a determination module 730.
An obtaining module 710, configured to obtain a request data table, where the request data table includes a plurality of network requests, a request type corresponding to each network request, and a feature vector, and the feature vector includes feature values of the network requests in multiple dimensions respectively;
an aggregation module 720, configured to aggregate the network requests corresponding to each feature vector to determine a first request quantity of each feature vector under different request types;
a determining module 730, configured to determine, according to a first request quantity of each feature vector in different request types and a plurality of feature values included in each feature vector, a request total quantity of each feature sub-vector corresponding to each feature vector and a second request quantity of each feature sub-vector in different request types, where each feature sub-vector includes at least one feature value;
the determining module 730 is further configured to determine that the network request corresponding to any feature sub-vector is an abnormal request when a ratio of the second request number corresponding to any feature sub-vector to the total request amount is greater than a first threshold.
In a possible implementation manner of the embodiment of the present disclosure, the determining module 730 is configured to:
determining a feature sub-vector corresponding to each feature vector according to the dimension corresponding to the feature value included in each feature vector;
under the condition that any characteristic sub-vector corresponds to a plurality of characteristic vectors, respectively aggregating the first request quantity of the plurality of characteristic vectors under the same request type to determine the second request quantity of any characteristic sub-vector under the same request type;
and aggregating the second request quantity of any characteristic sub-vector under each request type to determine the total quantity of the requests corresponding to any characteristic sub-vector.
In a possible implementation manner of the embodiment of the present disclosure, the determining module 730 is configured to:
performing semantic recognition on the dimensionality corresponding to each characteristic value to determine a semantic type corresponding to each characteristic value;
and splitting each feature vector according to the semantic types corresponding to the feature values included in each feature vector to generate feature sub-vectors, wherein the semantic types corresponding to the feature values included in the feature sub-vectors are different.
In a possible implementation manner of the embodiment of the present disclosure, the determining module 730 is configured to:
acquiring a configuration file, wherein the configuration file comprises a reference dimension;
and combining the characteristic values corresponding to the reference dimension and included in each characteristic vector to generate a characteristic sub-vector.
In a possible implementation manner of the embodiment of the present disclosure, the determining module 730 is further configured to:
determining a third request quantity of each characteristic value under different request types according to the first request quantity of the characteristic vector of each characteristic value under different request types;
the above-mentioned device still includes:
and the replacing module is used for replacing any characteristic value in each characteristic vector with a preset character under the condition that the third request quantity corresponding to any characteristic value is smaller than a second threshold value.
In a possible implementation manner of the embodiment of the present disclosure, the aggregating module 720 is further configured to:
aggregating the plurality of network requests according to the request time corresponding to each network request to determine the fourth request quantity corresponding to each feature vector in each first preset time interval;
under the condition that any one feature sub-vector corresponds to a plurality of feature vectors in the same first preset time interval, aggregating the fourth request quantity corresponding to the feature vectors respectively to determine the fifth request quantity corresponding to any one feature sub-vector in the same first preset time interval;
the determining module 730 is configured to determine whether the network request corresponding to each feature sub-vector is an abnormal request according to a difference between the numbers of the fifth requests corresponding to each feature sub-vector in each first preset time interval.
In a possible implementation manner of the embodiment of the present disclosure, the determining module 720 is further configured to:
determining a sixth request quantity corresponding to each characteristic value in each second preset time interval according to a fourth request quantity corresponding to the characteristic vector in which each characteristic value is located in each second preset time interval;
the replacing module is further configured to replace any feature value in each feature vector with a preset character when the sixth request number corresponding to any feature value is smaller than a third threshold.
In a possible implementation manner of the embodiment of the present disclosure, the determining module 720 is further configured to:
determining the number of different second eigenvalues corresponding to each first eigenvalue according to a first eigenvalue corresponding to a first preset dimension and a second eigenvalue corresponding to a second preset dimension in each eigenvector;
and under the condition that the number of different second characteristic values corresponding to any first characteristic value is greater than a fourth threshold value, determining that the network request corresponding to any first characteristic value is an abnormal request.
In a possible implementation manner of the embodiment of the present disclosure, the determining module 720 is further configured to:
determining the ratio of the second request quantity corresponding to each characteristic sub-vector to the total request quantity under different request types;
and determining a first threshold corresponding to each request type according to the distribution of a plurality of ratios under each request type.
In a possible implementation manner of the embodiment of the present disclosure, the method further includes:
and the marking module is used for marking the request data containing the characteristic sub-vectors in the request data table as abnormal request data under the condition that the network request corresponding to the characteristic sub-vectors is determined to be an abnormal request.
It should be noted that the explanation of the foregoing method for determining an exception request is also applicable to the apparatus of this embodiment, and therefore is not described herein again.
In this disclosure, after a request data table including a plurality of network requests, a request type corresponding to each network request, and a feature vector is obtained, network requests corresponding to each feature vector may be aggregated to determine a first request number of each feature vector in different request types, and then, a request total amount of each feature vector including at least one feature value feature sub-vector and a second request number of each feature vector in different request types may be determined according to the first request number of each feature vector in different request types and a plurality of feature values included in each feature vector, and a network request corresponding to any feature sub-vector is determined to be an abnormal request when a ratio of the second request number corresponding to any feature sub-vector to the request total amount is greater than a first threshold. Therefore, the characteristic sub-vectors under various dimensional combinations are obtained by splitting the characteristic vectors on the multiple dimensions, and the network requests corresponding to the characteristic sub-vectors are aggregated, so that the analysis of the network requests from the angle of each dimensional combination is realized, the missing of mining abnormal requests under various dimensional combinations is avoided, and the accuracy of determining the abnormal requests is improved.
The present disclosure also provides an electronic device, a readable storage medium, and a computer program product according to embodiments of the present disclosure.
FIG. 8 shows a schematic block diagram of an example electronic device 800 that may be used to implement embodiments of the present disclosure. Electronic devices are intended to represent various forms of digital computers, such as laptops, desktops, workstations, personal digital assistants, servers, blade servers, mainframes, and other appropriate computers. The electronic device may also represent various forms of mobile devices, such as personal digital processing, cellular phones, smart phones, wearable devices, and other similar computing devices. The components shown herein, their connections and relationships, and their functions, are meant to be examples only, and are not intended to limit implementations of the disclosure described and/or claimed herein.
As shown in fig. 8, the device 800 includes a computing unit 801 that can perform various appropriate actions and processes in accordance with a computer program stored in a ROM (Read-Only Memory) 802 or a computer program loaded from a storage unit 808 into a RAM (Random Access Memory) 803. In the RAM 803, various programs and data necessary for the operation of the device 800 can also be stored. The calculation unit 801, the ROM 802, and the RAM 803 are connected to each other by a bus 804. An I/O (Input/Output) interface 805 is also connected to the bus 804.
A number of components in the device 800 are connected to the I/O interface 805, including: an input unit 806, such as a keyboard, a mouse, or the like; an output unit 807 such as various types of displays, speakers, and the like; a storage unit 808, such as a magnetic disk, optical disk, or the like; and a communication unit 809 such as a network card, modem, wireless communication transceiver, etc. The communication unit 809 allows the device 800 to exchange information/data with other devices via a computer network such as the internet and/or various telecommunication networks.
Computing unit 801 may be a variety of general and/or special purpose processing components with processing and computing capabilities. Some examples of the computing Unit 801 include, but are not limited to, a CPU (Central Processing Unit), a GPU (graphics Processing Unit), various dedicated AI (Artificial Intelligence) computing chips, various computing Units running machine learning model algorithms, a DSP (Digital Signal Processor), and any suitable Processor, controller, microcontroller, and the like. The calculation unit 801 executes the respective methods and processes described above, such as the determination method of the exception request. For example, in some embodiments, the method of determining an exception request may be implemented as a computer software program tangibly embodied in a machine-readable medium, such as storage unit 808. In some embodiments, part or all of a computer program may be loaded onto and/or installed onto device 800 via ROM 802 and/or communications unit 809. When the computer program is loaded into the RAM 803 and executed by the computing unit 801, one or more steps of the method of determining an exception request described above may be performed. Alternatively, in other embodiments, the computing unit 801 may be configured to perform the determination method of the exception request in any other suitable manner (e.g., by means of firmware).
Various implementations of the systems and techniques described here above may be implemented in digital electronic circuitry, integrated circuitry, FPGAs (Field Programmable Gate arrays), ASICs (Application-Specific Integrated circuits), ASSPs (Application Specific Standard products), SOCs (System On Chip), CPLDs (Complex Programmable Logic devices), computer hardware, firmware, software, and/or combinations thereof. These various embodiments may include: implemented in one or more computer programs that are executable and/or interpretable on a programmable system including at least one programmable processor, which may be special or general purpose, receiving data and instructions from, and transmitting data and instructions to, a storage system, at least one input device, and at least one output device.
Program code for implementing the methods of the present disclosure may be written in any combination of one or more programming languages. These program codes may be provided to a processor or controller of a general purpose computer, special purpose computer, or other programmable data processing apparatus, such that the program codes, when executed by the processor or controller, cause the functions/operations specified in the flowchart and/or block diagram to be performed. The program code may execute entirely on the machine, partly on the machine, as a stand-alone software package, partly on the machine and partly on a remote machine or entirely on the remote machine or server.
In the context of this disclosure, a machine-readable medium may be a tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. The machine-readable medium may be a machine-readable signal medium or a machine-readable storage medium. A machine-readable medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. More specific examples of a machine-readable storage medium would include an electrical connection based on one or more wires, a portable computer diskette, a hard disk, a RAM, a ROM, an EPROM (Electrically Programmable Read-Only-Memory) or flash Memory, an optical fiber, a CD-ROM (Compact Disc Read-Only-Memory), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
To provide for interaction with a user, the systems and techniques described here can be implemented on a computer having: a Display device (e.g., a CRT (Cathode Ray Tube) or LCD (Liquid Crystal Display) monitor) for displaying information to a user; and a keyboard and a pointing device (e.g., a mouse or a trackball) by which a user can provide input to the computer. Other kinds of devices may also be used to provide for interaction with a user; for example, feedback provided to the user can be any form of sensory feedback (e.g., visual feedback, auditory feedback, or tactile feedback); and input from the user may be received in any form, including acoustic, speech, or tactile input.
The systems and techniques described here can be implemented in a computing system that includes a back-end component (e.g., as a data server), or that includes a middleware component (e.g., an application server), or that includes a front-end component (e.g., a user computer having a graphical user interface or a web browser through which a user can interact with an implementation of the systems and techniques described here), or any combination of such back-end, middleware, or front-end components. The components of the system can be interconnected by any form or medium of digital data communication (e.g., a communication network). Examples of communication networks include: LAN (Local Area Network), WAN (Wide Area Network), internet and blockchain networks.
The computer system may include clients and servers. A client and server are generally remote from each other and typically interact through a communication network. The relationship of client and server arises by virtue of computer programs running on the respective computers and having a client-server relationship to each other. The Server may be a cloud Server, which is also called a cloud computing Server or a cloud host, and is a host product in a cloud computing service system, so as to solve the defects of high management difficulty and weak service expansibility in a conventional physical host and a VPS (Virtual Private Server). The server may also be a server of a distributed system, or a server incorporating a blockchain.
According to an embodiment of the present disclosure, the present disclosure further provides a computer program product, which when executed by an instruction processor in the computer program product, performs the method for determining an exception request according to the above-mentioned embodiment of the present disclosure.
It should be understood that various forms of the flows shown above may be used, with steps reordered, added, or deleted. For example, the steps described in the present disclosure may be executed in parallel or sequentially or in different orders, and are not limited herein as long as the desired results of the technical solutions disclosed in the present disclosure can be achieved.
The above detailed description should not be construed as limiting the scope of the disclosure. It should be understood by those skilled in the art that various modifications, combinations, sub-combinations and substitutions may be made in accordance with design requirements and other factors. Any modification, equivalent replacement, and improvement made within the spirit and principle of the present disclosure should be included in the scope of protection of the present disclosure.

Claims (23)

1. A method of determining an anomalous request, the method comprising:
acquiring a request data table, wherein the request data table comprises a plurality of network requests, a request type corresponding to each network request and a feature vector, and the feature vector comprises feature values of the network requests on a plurality of dimensions respectively;
aggregating the network requests corresponding to each feature vector to determine a first request quantity of each feature vector under different request types;
determining the total quantity of requests of each feature sub-vector corresponding to each feature vector and the second quantity of requests of each feature sub-vector under different request types according to the first quantity of requests of each feature vector under different request types and the plurality of feature values included in each feature vector, wherein each feature sub-vector includes at least one feature value;
and under the condition that the ratio of the second request quantity corresponding to any characteristic sub-vector to the total request quantity is larger than a first threshold value, determining that the network request corresponding to any characteristic sub-vector is an abnormal request.
2. The method according to claim 1, wherein the determining, according to a first number of requests of each of the feature vectors in different request types and a plurality of feature values included in each of the feature vectors, a total number of requests of each of the feature sub-vectors corresponding to each of the feature vectors and a second number of requests in different request types, respectively, comprises:
determining a feature sub-vector corresponding to each feature vector according to the dimension corresponding to the feature value included in each feature vector;
under the condition that any characteristic sub-vector corresponds to a plurality of characteristic vectors, respectively aggregating first request quantities of the plurality of characteristic vectors under the same request type to determine a second request quantity of any characteristic sub-vector under the same request type;
and aggregating the second request quantity of any characteristic sub-vector under each request type to determine the total quantity of the requests corresponding to any characteristic sub-vector.
3. The method of claim 2, wherein the determining the feature sub-vector corresponding to each of the feature vectors according to the dimension corresponding to the feature value included in each of the feature vectors comprises:
performing semantic recognition on the dimensionality corresponding to each characteristic value to determine a semantic type corresponding to each characteristic value;
splitting each feature vector according to the semantic types corresponding to the feature values included in each feature vector to generate the feature sub-vectors, wherein the semantic types corresponding to the feature values included in the feature sub-vectors are different.
4. The method of claim 3, wherein the splitting each feature vector according to the semantic type corresponding to the feature value included in each feature vector to generate the feature sub-vectors comprises:
acquiring a configuration file, wherein the configuration file comprises a reference dimension;
combining the feature values included in each of the feature vectors corresponding to the reference dimension to generate the feature sub-vectors.
5. The method as claimed in claim 1, wherein before said determining the total amount of requests of each eigenvector corresponding to each eigenvector and the second amount of requests of each eigenvector in different request types according to the first amount of requests of each eigenvector in different request types and the plurality of eigenvalues included in each eigenvector, further comprises:
determining a third request quantity of each characteristic value under different request types according to the first request quantity of the characteristic vector of each characteristic value under different request types;
and under the condition that the third request quantity corresponding to any characteristic value is smaller than a second threshold value, replacing any characteristic value in each characteristic vector with a preset character.
6. The method of claim 1, wherein the method further comprises:
aggregating the plurality of network requests according to the request time corresponding to each network request to determine the fourth request quantity corresponding to each feature vector in each first preset time interval;
under the condition that any characteristic sub-vector corresponds to a plurality of characteristic vectors in the same first preset time interval, respectively aggregating fourth request quantities corresponding to the plurality of characteristic vectors to determine a fifth request quantity corresponding to any characteristic sub-vector in the same first preset time interval;
and determining whether the network request corresponding to each feature sub-vector is an abnormal request or not according to the difference value between the fifth request quantities respectively corresponding to each feature sub-vector in each first preset time interval.
7. The method of claim 6, wherein before the aggregating the fourth request numbers respectively corresponding to the plurality of feature vectors, further comprising:
determining a sixth request quantity corresponding to each characteristic value in each second preset time interval according to a fourth request quantity corresponding to a characteristic vector in which each characteristic value is located in each second preset time interval;
and under the condition that the sixth request number corresponding to any characteristic value is smaller than a third threshold value, replacing the any characteristic value in each characteristic vector with a preset character.
8. The method of claim 1, further comprising:
determining the number of different second eigenvalues corresponding to each first eigenvalue according to a first eigenvalue corresponding to a first preset dimension and a second eigenvalue corresponding to a second preset dimension in each eigenvector;
and under the condition that the number of different second characteristic values corresponding to any first characteristic value is greater than a fourth threshold value, determining that the network request corresponding to any first characteristic value is an abnormal request.
9. The method as claimed in claim 1, wherein, when the ratio of the second request number corresponding to any of the feature sub-vectors to the total number of requests is greater than a first threshold, before determining that the network request corresponding to any of the feature sub-vectors is an abnormal request, further comprising:
determining the ratio of the second request quantity corresponding to each feature sub-vector to the total request quantity under different request types;
and determining a first threshold corresponding to each request type according to the distribution of the ratios under each request type.
10. The method of any of claims 1-9, further comprising:
and under the condition that the network request corresponding to the characteristic sub-vector is determined to be an abnormal request, marking the request data containing the characteristic sub-vector in the request data table as abnormal request data.
11. An apparatus for determining an exception request, the apparatus comprising:
the device comprises an acquisition module, a processing module and a processing module, wherein the acquisition module is used for acquiring a request data table, the request data table comprises a plurality of network requests, request types corresponding to the network requests and characteristic vectors, and the characteristic vectors comprise characteristic values of the network requests on a plurality of dimensions respectively;
the aggregation module is used for aggregating the network requests corresponding to each feature vector to determine the first request quantity of each feature vector under different request types;
a determining module, configured to determine, according to a first request quantity of each feature vector in different request types and a plurality of feature values included in each feature vector, a request total quantity of each feature sub-vector corresponding to each feature vector and a second request quantity of each feature sub-vector in different request types, where each feature sub-vector includes at least one feature value;
the determining module is further configured to determine that the network request corresponding to any feature sub-vector is an abnormal request when a ratio of a second request number corresponding to any feature sub-vector to the total request amount is greater than a first threshold.
12. The apparatus of claim 11, wherein the means for determining is configured to:
determining a feature sub-vector corresponding to each feature vector according to the dimension corresponding to the feature value included in each feature vector;
under the condition that any characteristic sub-vector corresponds to a plurality of characteristic vectors, aggregating first request quantities of the plurality of characteristic vectors under the same request type respectively to determine a second request quantity of any characteristic sub-vector under the same request type;
and aggregating the second request quantity of any characteristic sub-vector under each request type to determine the total quantity of the requests corresponding to any characteristic sub-vector.
13. The apparatus of claim 12, wherein the means for determining is configured to:
performing semantic identification on the dimensionality corresponding to each characteristic value to determine a semantic type corresponding to each characteristic value;
splitting each feature vector according to the semantic type corresponding to the feature value included in each feature vector to generate the feature sub-vectors, wherein the semantic types corresponding to the feature values included in the feature sub-vectors are different.
14. The apparatus of claim 13, wherein the means for determining is configured to:
acquiring a configuration file, wherein the configuration file comprises a reference dimension;
combining the feature values included in each of the feature vectors corresponding to the reference dimension to generate the feature sub-vectors.
15. The apparatus of claim 11, wherein the determining means is further configured to:
determining a third request quantity of each characteristic value under different request types according to the first request quantity of the characteristic vector of each characteristic value under different request types;
the device further comprises:
and the replacing module is used for replacing any characteristic value in each characteristic vector with a preset character under the condition that the third request quantity corresponding to any characteristic value is smaller than a second threshold value.
16. The apparatus of claim 11, wherein the aggregating module is further configured to:
aggregating the plurality of network requests according to the request time corresponding to each network request to determine the fourth request quantity corresponding to each feature vector in each first preset time interval;
under the condition that any characteristic sub-vector corresponds to a plurality of characteristic vectors in the same first preset time interval, respectively aggregating fourth request quantities corresponding to the plurality of characteristic vectors to determine a fifth request quantity corresponding to any characteristic sub-vector in the same first preset time interval;
and the determining module is configured to determine whether the network request corresponding to each feature sub-vector is an abnormal request according to a difference between the numbers of the fifth requests respectively corresponding to each feature sub-vector in each first preset time interval.
17. The apparatus of claim 15, wherein the means for determining is further configured to:
determining a sixth request quantity corresponding to each characteristic value in each second preset time interval according to a fourth request quantity corresponding to a characteristic vector in which each characteristic value is located in each second preset time interval;
the replacing module is further configured to replace any feature value in each feature vector with a preset character under the condition that the sixth request number corresponding to any feature value is smaller than a third threshold.
18. The apparatus of claim 11, wherein the means for determining is further configured to:
determining the number of different second eigenvalues corresponding to each first eigenvalue according to a first eigenvalue corresponding to a first preset dimension and a second eigenvalue corresponding to a second preset dimension in each eigenvector;
and under the condition that the number of different second characteristic values corresponding to any first characteristic value is greater than a fourth threshold value, determining that the network request corresponding to any first characteristic value is an abnormal request.
19. The apparatus of claim 11, wherein the means for determining is further configured to:
determining the ratio of the second request quantity corresponding to each characteristic sub-vector to the total request quantity under different request types;
and determining a first threshold corresponding to each request type according to the distribution of the ratios under each request type.
20. The apparatus of any of claims 11-19, further comprising:
and the marking module is used for marking the request data containing the characteristic sub-vectors in the request data table as abnormal request data under the condition that the network request corresponding to the characteristic sub-vectors is determined to be an abnormal request.
21. An electronic device, comprising:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein,
the memory stores instructions executable by the at least one processor to enable the at least one processor to perform the method of any one of claims 1-10.
22. A non-transitory computer readable storage medium having stored thereon computer instructions for causing the computer to perform the method of any one of claims 1-10.
23. A computer program product comprising a computer program which, when executed by a processor, carries out the steps of the method of any one of claims 1-10.
CN202211175015.2A 2022-09-26 2022-09-26 Method and device for determining abnormal request and electronic equipment Pending CN115577349A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211175015.2A CN115577349A (en) 2022-09-26 2022-09-26 Method and device for determining abnormal request and electronic equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202211175015.2A CN115577349A (en) 2022-09-26 2022-09-26 Method and device for determining abnormal request and electronic equipment

Publications (1)

Publication Number Publication Date
CN115577349A true CN115577349A (en) 2023-01-06

Family

ID=84582532

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211175015.2A Pending CN115577349A (en) 2022-09-26 2022-09-26 Method and device for determining abnormal request and electronic equipment

Country Status (1)

Country Link
CN (1) CN115577349A (en)

Similar Documents

Publication Publication Date Title
CN110163457B (en) Abnormal positioning method and device for business index
US20230050771A1 (en) Method for determining risk level of instance on cloud server, and electronic device
CN115883187A (en) Method, device, equipment and medium for identifying abnormal information in network traffic data
CN115421922A (en) Current limiting method, device, equipment, medium and product of distributed system
CN113946816A (en) Cloud service-based authentication method and device, electronic equipment and storage medium
CN113961797A (en) Resource recommendation method and device, electronic equipment and readable storage medium
CN113052325A (en) Method, device, equipment, storage medium and program product for optimizing online model
CN116796085A (en) File processing method and device, electronic equipment and storage medium
CN116305324A (en) Host safety protection method, device, equipment and storage medium
CN114330221B (en) Score board implementation method, score board, electronic device and storage medium
CN115577349A (en) Method and device for determining abnormal request and electronic equipment
CN114565105A (en) Data processing method and deep learning model training method and device
CN110532304B (en) Data processing method and device, computer readable storage medium and electronic device
CN113726885A (en) Method and device for adjusting flow quota
CN114091909A (en) Collaborative development method, system, device and electronic equipment
CN113590447A (en) Buried point processing method and device
CN113010571A (en) Data detection method, data detection device, electronic equipment, storage medium and program product
CN115378746B (en) Network intrusion detection rule generation method, device, equipment and storage medium
CN113407844B (en) Version recommendation method, device and equipment of applet framework and storage medium
CN113327133B (en) Data recommendation method, data recommendation device, electronic equipment and readable storage medium
CN115965276A (en) Index set determination method and device, electronic equipment and storage medium
CN112667627B (en) Data processing method and device
US20220391808A1 (en) Data processing method, electronic device and storage medium
CN117081939A (en) Traffic data processing method, device, equipment and storage medium
CN117009356A (en) Method, device and equipment for determining application success of public data

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination