CN115955332A - Abnormal traffic filtering method and device for authentication system and electronic equipment

Publication number
CN115955332A
Authority
CN
China
Prior art keywords
access request
binary tree
authentication
target
message type
Prior art date
Legal status
Pending
Application number
CN202211527979.9A
Other languages
Chinese (zh)
Inventor
陈邦文
傅宁琪
李永明
郭龙缘
Current Assignee
China Telecom Corp Ltd
Original Assignee
China Telecom Corp Ltd
Application filed by China Telecom Corp Ltd
Priority to CN202211527979.9A
Publication of CN115955332A
Legal status: Pending

Classifications

    • Y: GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02: TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D: CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00: Reducing energy consumption in communication networks
    • Y02D30/50: Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application discloses an abnormal traffic filtering method and device for an authentication system, belonging to the technical field of communication. The method comprises: in response to receiving an access request to the authentication system, acquiring the message type and the target user identifier carried by the access request; in response to the message type matching a preset message type, performing abnormal traffic judgment on the access request based on a target binary tree that records user access information, to obtain a judgment result; and when the judgment result indicates that the access request is an abnormal access request, filtering the access request as abnormal traffic. The method records each user's access information for the authentication system in a binary tree and judges whether the current access request is abnormal traffic to be filtered according to that user access information, the receiving time of the access request and the filtering judgment thresholds pre-configured for the user access information, thereby effectively reducing the performance cost imposed on the authentication system by frequent malicious access and ensuring the safe and stable operation of the authentication system.

Description

Abnormal traffic filtering method and device for authentication system and electronic equipment
Technical Field
The present application relates to the field of communications technologies, and in particular, to an abnormal traffic filtering method and apparatus for an authentication system, an electronic device, and a computer-readable storage medium.
Background
In the daily operation and maintenance of a telecom operator's broadband AAA authentication system, a user's dialing device sometimes fails and dials frequently, or a user maliciously dials frequently, so that the user goes online and offline repeatedly. This generates a large amount of traffic, consumes the performance of the back-end authentication system and affects the operational safety of the authentication system. To ensure the safe operation of the authentication system, some abnormally frequent access traffic needs to be filtered.
Disclosure of Invention
The embodiments of the present application provide an abnormal traffic filtering method and device for an authentication system, and an electronic device, which aim to solve the problem that malicious frequent dialing consumes the performance of the authentication system and affects its safe operation.
In a first aspect, an embodiment of the present application discloses an abnormal traffic filtering method for an authentication system, where the method includes:
in response to receiving an access request to the authentication system, acquiring the message type and the target user identifier carried by the access request;
in response to the message type matching a preset message type, performing abnormal traffic judgment on the access request based on a target binary tree that records user access information, to obtain a judgment result;
in response to the judgment result indicating that the access request is an abnormal access request, filtering the access request as abnormal traffic;
and in response to the judgment result indicating that the access request is a normal access request, processing the access request as normal traffic.
Optionally, performing abnormal traffic judgment on the access request based on the target binary tree that records user access information, in response to the message type matching a preset message type, to obtain a judgment result includes:
in response to the message type matching a preset message type, searching the target binary tree for a target binary tree node matching the target user identifier by using a binary tree search algorithm;
in response to the target binary tree node being found, performing abnormal traffic judgment on the access request according to one or more of the user access information recorded in the target binary tree node, first filtering configuration information and the message type, to obtain a judgment result;
and in response to the target binary tree node not being found, creating a binary tree node matching the target user identifier in the target binary tree according to the message type and second filtering configuration information, and obtaining a judgment result indicating that the access request is a normal access request.
Optionally, the preset message type includes an authentication message and an end message, and performing abnormal traffic judgment on the access request according to one or more of the user access information recorded in the target binary tree node, the first filtering configuration information and the message type, to obtain a judgment result includes:
in response to the message type being an end message, updating the offline time recorded in the target binary tree node to the receiving time of the access request, and obtaining a judgment result indicating that the access request is a normal access request;
and in response to the message type being an authentication message, performing abnormal traffic judgment on the access request according to the receiving time of the access request, the first filtering configuration information and the user access information recorded in the target binary tree node, to obtain a judgment result.
Optionally, the first filtering configuration information includes an in-period authentication count threshold, an authentication time interval threshold and a period duration threshold, and the user access information includes an offline time, an authentication start time and a counting-period authentication count;
performing abnormal traffic judgment on the access request according to the receiving time of the access request, the first filtering configuration information and the user access information recorded in the target binary tree node, to obtain a judgment result includes:
acquiring the time interval between the receiving time of the access request and the offline time;
in response to the time interval being less than or equal to the authentication time interval threshold, obtaining a judgment result indicating that the access request is an abnormal access request;
and in response to the time interval being greater than the authentication time interval threshold, performing abnormal traffic judgment on the access frequency of the access request according to the receiving time of the access request, the authentication start time, the period duration threshold, the counting-period authentication count and the in-period authentication count threshold, to obtain a judgment result.
Optionally, performing abnormal traffic judgment on the access frequency of the access request according to the receiving time of the access request, the authentication start time, the period duration threshold, the counting-period authentication count and the in-period authentication count threshold, to obtain a judgment result includes:
acquiring the current period duration according to the receiving time of the access request and the authentication start time;
in response to the current period duration being greater than the period duration threshold, updating and recording the counting-period authentication count, and obtaining a judgment result indicating that the access request is a normal access request;
in response to the current period duration being less than or equal to the period duration threshold and the counting-period authentication count being greater than or equal to the in-period authentication count threshold, obtaining a judgment result indicating that the access request is an abnormal access request;
and in response to the current period duration being less than or equal to the period duration threshold and the counting-period authentication count being less than the in-period authentication count threshold, updating and recording the counting-period authentication count, and obtaining a judgment result indicating that the access request is a normal access request.
Optionally, the second filtering configuration information includes an upper limit threshold of the number of nodes, and creating a binary tree node matching the target user identifier in the target binary tree according to the message type and the second filtering configuration information includes:
acquiring the number of nodes of the target binary tree;
in response to the number of nodes being less than the upper limit threshold of the number of nodes, creating, according to the message type, a to-be-inserted binary tree node matching the target user identifier, and inserting the to-be-inserted binary tree node into the target binary tree according to the size relationship between the user identifiers recorded in the binary tree nodes of the target binary tree and the target user identifier;
and in response to the number of nodes being greater than or equal to the upper limit threshold of the number of nodes, taking the target binary tree as a backup binary tree, replacing the target binary tree with a newly built binary tree, and creating, according to the message type, a root node in the updated target binary tree as the binary tree node matching the target user identifier.
Optionally, the second filtering configuration information includes a node-count buffering threshold, and after the target binary tree is taken as the backup binary tree, the method further includes:
deleting the backup binary tree in response to the number of nodes being greater than or equal to the node-count buffering threshold, wherein the node-count buffering threshold is less than the upper limit threshold of the number of nodes.
Optionally, in the step of performing abnormal traffic judgment on the access request based on the target binary tree that records user access information, in response to the message type matching a preset message type, to obtain a judgment result, before searching the target binary tree for a target binary tree node matching the target user identifier by using a binary tree search algorithm, the method further includes:
in response to the message type matching a preset message type, judging whether the target binary tree that records user access information is empty;
in response to the target binary tree being empty, obtaining a judgment result indicating that the access request is a normal access request, creating a root node in the target binary tree according to the message type, and taking the created root node as the binary tree node matching the target user identifier;
and in response to the target binary tree not being empty, proceeding to the step of searching the target binary tree for a target binary tree node matching the target user identifier by using the binary tree search algorithm.
In a second aspect, an embodiment of the present application discloses an abnormal traffic filtering apparatus for an authentication system, where the apparatus includes:
a message type and user identifier acquisition module, configured to acquire, in response to receiving an access request to the authentication system, the message type and the target user identifier carried by the access request;
an abnormal traffic judgment module, configured to perform, in response to the message type matching a preset message type, abnormal traffic judgment on the access request based on a target binary tree that records user access information, to obtain a judgment result;
a traffic filtering processing module, configured to filter the access request as abnormal traffic in response to the judgment result indicating that the access request is an abnormal access request;
and the traffic filtering processing module is further configured to process the access request as normal traffic in response to the judgment result indicating that the access request is a normal access request.
Optionally, the abnormal traffic judgment module is further configured to:
in response to the message type matching a preset message type, search the target binary tree for a target binary tree node matching the target user identifier by using a binary tree search algorithm;
in response to the target binary tree node being found, perform abnormal traffic judgment on the access request according to one or more of the user access information recorded in the target binary tree node, first filtering configuration information and the message type, to obtain a judgment result;
and in response to the target binary tree node not being found, create a binary tree node matching the target user identifier in the target binary tree according to the message type and second filtering configuration information, and obtain a judgment result indicating that the access request is a normal access request.
Optionally, the preset message type includes an authentication message and an end message, and performing abnormal traffic judgment on the access request according to one or more of the user access information recorded in the target binary tree node, the first filtering configuration information and the message type, to obtain a judgment result includes:
in response to the message type being an end message, updating the offline time recorded in the target binary tree node to the receiving time of the access request, and obtaining a judgment result indicating that the access request is a normal access request;
and in response to the message type being an authentication message, performing abnormal traffic judgment on the access request according to the receiving time of the access request, the first filtering configuration information and the user access information recorded in the target binary tree node, to obtain a judgment result.
Optionally, the first filtering configuration information includes an in-period authentication count threshold, an authentication time interval threshold and a period duration threshold, and the user access information includes an offline time, an authentication start time and a counting-period authentication count;
performing abnormal traffic judgment on the access request according to the receiving time of the access request, the first filtering configuration information and the user access information recorded in the target binary tree node, to obtain a judgment result includes:
acquiring the time interval between the receiving time of the access request and the offline time;
in response to the time interval being less than or equal to the authentication time interval threshold, obtaining a judgment result indicating that the access request is an abnormal access request;
and in response to the time interval being greater than the authentication time interval threshold, performing abnormal traffic judgment on the access frequency of the access request according to the receiving time of the access request, the authentication start time, the period duration threshold, the counting-period authentication count and the in-period authentication count threshold, to obtain a judgment result.
Optionally, performing abnormal traffic judgment on the access frequency of the access request according to the receiving time of the access request, the authentication start time, the period duration threshold, the counting-period authentication count and the in-period authentication count threshold, to obtain a judgment result includes:
acquiring the current period duration according to the receiving time of the access request and the authentication start time;
in response to the current period duration being greater than the period duration threshold, updating and recording the counting-period authentication count, and obtaining a judgment result indicating that the access request is a normal access request;
in response to the current period duration being less than or equal to the period duration threshold and the counting-period authentication count being greater than or equal to the in-period authentication count threshold, obtaining a judgment result indicating that the access request is an abnormal access request;
and in response to the current period duration being less than or equal to the period duration threshold and the counting-period authentication count being less than the in-period authentication count threshold, updating and recording the counting-period authentication count, and obtaining a judgment result indicating that the access request is a normal access request.
Optionally, the second filtering configuration information includes an upper limit threshold of the number of nodes, and creating a binary tree node matching the target user identifier in the target binary tree according to the message type and the second filtering configuration information includes:
acquiring the number of nodes of the target binary tree;
in response to the number of nodes being less than the upper limit threshold of the number of nodes, creating, according to the message type, a to-be-inserted binary tree node matching the target user identifier, and inserting the to-be-inserted binary tree node into the target binary tree according to the size relationship between the user identifiers recorded in the binary tree nodes of the target binary tree and the target user identifier;
and in response to the number of nodes being greater than or equal to the upper limit threshold of the number of nodes, taking the target binary tree as a backup binary tree, replacing the target binary tree with a newly built binary tree, and creating, according to the message type, a root node in the updated target binary tree as the binary tree node matching the target user identifier.
Optionally, the second filtering configuration information includes a node-count buffering threshold, and after the target binary tree is taken as the backup binary tree, the following is further included:
deleting the backup binary tree in response to the number of nodes being greater than or equal to the node-count buffering threshold, wherein the node-count buffering threshold is less than the upper limit threshold of the number of nodes.
Optionally, in the step of performing abnormal traffic judgment on the access request based on the target binary tree that records user access information, in response to the message type matching a preset message type, to obtain a judgment result, before searching the target binary tree for a target binary tree node matching the target user identifier by using a binary tree search algorithm, the following is further included:
in response to the message type matching a preset message type, judging whether the target binary tree that records user access information is empty;
in response to the target binary tree being empty, obtaining a judgment result indicating that the access request is a normal access request, creating a root node in the target binary tree according to the message type, and taking the created root node as the binary tree node matching the target user identifier;
and in response to the target binary tree not being empty, proceeding to the step of searching the target binary tree for a target binary tree node matching the target user identifier by using the binary tree search algorithm.
In a third aspect, an embodiment of the present application further discloses an electronic device, which includes a memory, a processor, and a computer program that is stored on the memory and is executable on the processor, and when the processor executes the computer program, the abnormal traffic filtering method of the authentication system according to the embodiment of the present application is implemented.
In a fourth aspect, an embodiment of the present application discloses a computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, performs the steps of the abnormal traffic filtering method of the authentication system disclosed in the embodiment of the present application.
In the abnormal traffic filtering method for an authentication system disclosed in the embodiments of the present application, the message type and the target user identifier carried by an access request are acquired in response to receiving the access request to the authentication system; in response to the message type matching a preset message type, abnormal traffic judgment is performed on the access request based on the target binary tree that records user access information, to obtain a judgment result; in response to the judgment result indicating that the access request is an abnormal access request, the access request is filtered as abnormal traffic; and in response to the judgment result indicating that the access request is a normal access request, the access request is processed as normal traffic. The user access information of each user for the authentication system is thus recorded in a binary tree, whether the current access request is abnormal traffic is judged according to the user access information, the receiving time of the access request and the filtering judgment thresholds configured in advance for the user access information, and abnormal traffic is filtered according to the judgment result, thereby effectively reducing the consumption of authentication system performance caused by frequent malicious access and ensuring the safe and stable operation of the authentication system.
The foregoing is only an overview of the technical solutions of the present application. So that the technical means of the present application can be understood more clearly and implemented according to the content of the description, and so that the above and other objects, features and advantages of the present application are more readily apparent, specific embodiments of the present application are described below.
Drawings
In order to make the objects, technical solutions and advantages of the embodiments of the present application clearer, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are some embodiments of the present application, but not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
Fig. 1 is a flowchart of an abnormal traffic filtering method of an authentication system according to an embodiment of the present application;
Fig. 2 is a flowchart of the traffic filtering step in the abnormal traffic filtering method of the authentication system according to an embodiment of the present application;
Fig. 3 is a second flowchart of the traffic filtering step in the abnormal traffic filtering method of the authentication system according to an embodiment of the present application;
Fig. 4 is a schematic structural diagram of an abnormal traffic filtering apparatus of the authentication system disclosed in an embodiment of the present application;
Fig. 5 schematically shows a block diagram of an electronic device for performing a method according to the present application; and
Fig. 6 schematically shows a storage unit for holding or carrying program code implementing a method according to the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are some, but not all, embodiments of the present application. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments in the present application without making any creative effort belong to the protection scope of the present application.
As shown in Fig. 1, an abnormal traffic filtering method for an authentication system disclosed in an embodiment of the present application includes steps 110 to 140.
Step 110: in response to receiving an access request to the authentication system, acquire the message type and the target user identifier carried by the access request.
In some embodiments of the present application, a traffic cleaning module may be provided in the authentication system to execute the abnormal traffic filtering method disclosed in the embodiments of the present application. When an authentication service interface in the authentication system receives an access request to the authentication system, the received access request is directed to the traffic cleaning module for abnormal traffic filtering, and subsequent operations are then executed according to the filtering result output by the traffic cleaning module. For example, if the access request is judged to be abnormal traffic, it is filtered out and no subsequent flow (such as the authentication flow) is triggered; if the access request is judged to be normal traffic, the subsequent flow is started in the same way as when an access request is received in the prior art.
Optionally, the access request carries at least a message type and a target user identifier. The message types include, but are not limited to: authentication message, end message, charging start message and charging intermediate message. The authentication message is used to start the authentication flow, the end message indicates that the user has gone offline, the charging start message indicates that charging of the user account starts after authentication has passed, and the charging intermediate message indicates that the user account is being charged.
Optionally, the target user identifier may be information that uniquely identifies the user account initiating the authentication, such as an account identifier or an account number.
Step 120: in response to the message type matching a preset message type, perform abnormal traffic judgment on the access request based on the target binary tree that records user access information, to obtain a judgment result.
In an embodiment of the present application, the preset message type includes an authentication message and an end message. That is, the operations related to abnormal traffic judgment are executed only when an authentication message or an end message is received; if a message of any other type is received, abnormal traffic judgment is not executed.
With reference to Fig. 2, a specific implementation of performing abnormal traffic judgment on the access request based on the target binary tree that records user access information, in response to the message type matching a preset message type, to obtain a judgment result is described below by way of example.
As shown in Fig. 2, performing abnormal traffic judgment on the access request based on the target binary tree that records user access information, in response to the message type matching a preset message type, to obtain a judgment result includes: substep 210, substep 220, substep 230 and substep 240.
Substep 210: in response to the message type matching a preset message type, search the target binary tree for a target binary tree node matching the target user identifier by using a binary tree search algorithm.
In the embodiments of the present application, a binary tree structure is used to record users' access information for the authentication system, referred to in the embodiments as "user access information". The binary tree also records user information; for example, each binary tree node records one or more of a user identifier, a user name and an IP address. Optionally, the user access information includes an offline time, an authentication start time and a counting-period authentication count. The offline time indicates the most recent time at which the user whose identifier is recorded in the corresponding binary tree node went offline (for example, the time of logging out of the authentication system), and the authentication start time indicates the most recent time at which that user passed authentication.
In the embodiments of the present application, when a user dials into the network for the first time, the user client submits an access request by calling the authentication service interface of the authentication system, and the authentication service interface passes the access request to the traffic cleaning module for abnormal traffic filtering judgment. If the traffic cleaning module judges the access request to be normal traffic, a new binary tree node is created for the user, the user identifier is recorded in that node, and the user access information is recorded at the same time, for example: the current time is recorded as the authentication start time, the counting-period authentication count is initialized to 1, and the offline time is initialized to an invalid time (for example, an invalid value or null). In this way, the user identifier and the user access information of each user authenticated by the authentication system are recorded in a node of the target binary tree.
In the embodiments of the present application, a user account or a user number can be used as the user identifier, and when a new binary tree node is created in the target binary tree for a user identifier, it is placed according to the size relationship between the user identifiers recorded in the binary tree nodes. For example, for each parent node in the target binary tree, the user identifier recorded in its left child node is smaller than the user identifier recorded in the parent node, and the user identifier recorded in its right child node is larger than the user identifier recorded in the parent node. Thus, when searching the target binary tree for the node corresponding to a given user identifier (such as the target user identifier), the search starts from the root node and, according to the size relationship between the user identifier being searched for and the user identifier recorded in the current node, compares layer by layer along one branch of the target binary tree until either the node corresponding to the target user identifier is found, or the last node of the branch has been compared, that is, the current node is a leaf node and no node corresponding to the target user identifier has been found.
In the embodiment of the application, the binary tree node for recording the target user identifier is recorded as a "target binary tree node".
In some embodiments of the present application, when the packet type is an authentication packet or an end packet, the traffic cleaning module executes a binary tree search algorithm to search for a target binary tree node matched with the target user identifier in the target binary tree. For example, by using a binary tree search method, starting from a root node of a target binary tree, searching for a binary tree node in which a recorded user identifier is the same as the target user identifier.
Substep 220: determine whether the target binary tree node is found; if yes, execute substep 230, and if no, execute substep 240.
Substep 230: in response to the target binary tree node being found, perform abnormal traffic judgment on the access request according to one or more of the user access information recorded in the target binary tree node, the first filtering configuration information and the message type, to obtain a judgment result.
If a binary tree node matched with the target user identifier is found in the target binary tree, this indicates that the user of the target user identifier has previously completed an authentication operation or is currently performing one. The access request is then subjected to abnormal traffic judgment according to one or more of: the user access information of that user recorded in the found binary tree node, the first filtering configuration information, and the message type, so as to obtain a judgment result.
The first filtering configuration information includes: an in-period authentication times threshold, an authentication time interval threshold and a period duration threshold. The in-period authentication times threshold indicates the maximum number of access requests that a user is allowed to initiate within one abnormal traffic filtering period; the authentication time interval threshold indicates the minimum time interval between two adjacent normal authentication requests of the same user; the period duration threshold indicates the duration of one abnormal traffic filtering period.
The first filtering configuration information is a limit on access requests set according to the performance requirements of the authentication system. For example, if the authentication system is to reject a user's authentication request once the user has authenticated more than 5 times within 30 seconds, the period duration threshold may be set to 30 seconds and the in-period authentication times threshold may be set to 5. For another example, if the authentication system is to reject the authentication request of a user who has just gone offline and submits authentication again within 5 seconds, the authentication time interval threshold may be set to 5 seconds.
The traffic cleaning module compares the user access information, which is updated in real time in the target binary tree node, against the first filtering configuration information according to a preset rule, to determine whether the current access request is abnormal access.
As described above, the preset message types include: an authentication message and an end message. Correspondingly, in some embodiments of the present application, the performing, according to one or more items of information in the user access information, the first filtering configuration information, and the message type recorded in the target binary tree node, abnormal traffic judgment on the access request to obtain a judgment result includes: in response to the message type being an end message, updating the offline time recorded in the target binary tree node to be the receiving time of the access request, and obtaining a judgment result indicating that the access request is a normal access request; and in response to the message type being an authentication message, performing abnormal traffic judgment on the access request according to the receiving time of the access request, the first filtering configuration information and the user access information recorded in the target binary tree node to obtain a judgment result.
Specifically, for example, when the access request is generated by an offline operation of a user, the access request carries an end message. After the traffic cleaning module determines that the type of the message carried in the access request is the end message, it obtains a judgment result indicating that the access request is a normal access request. At the same time, the traffic cleaning module updates the offline time recorded in the target binary tree node to the receiving time of the access request.
When the access request is generated by a dialing operation of the user, the access request carries an authentication message. After the traffic cleaning module determines that the type of the message carried in the access request is the authentication message, it compares the receiving time of the access request with the user access information recorded in the target binary tree node and, in combination with the first filtering configuration information, judges whether the access request is an access request from a user to be suppressed.
The following further explains a specific implementation of performing abnormal traffic judgment on the access request according to the receiving time of the access request, the first filtering configuration information, and the user access information recorded in the target binary tree node, in combination with specific contents of the user access information and the first filtering configuration information.
As described above, the first filtering configuration information includes: the in-period authentication times threshold, the authentication time interval threshold and the period duration threshold, and the user access information includes: the offline time, the authentication start time and the counting period authentication times. Optionally, the performing, according to the receiving time of the access request, the first filtering configuration information, and the user access information recorded in the target binary tree node, abnormal traffic judgment on the access request to obtain a judgment result includes: acquiring a time interval between the receiving time of the access request and the offline time; in response to the time interval being smaller than or equal to the authentication time interval threshold, obtaining a judgment result indicating that the access request is an abnormal access request; and in response to the time interval being larger than the authentication time interval threshold, performing abnormal traffic judgment on the access frequency of the access request according to the receiving time of the access request, the authentication start time, the period duration threshold, the counting period authentication times and the in-period authentication times threshold to obtain a judgment result.
First, the offline time recorded in the target binary tree node is subtracted from the receiving time of the access request to obtain the time interval between the current access and the user's most recent offline time.
Further, if the time interval is less than or equal to the authentication time interval threshold configured in the first filtering configuration information, the traffic cleaning module regards the current access request as abnormal traffic generated by the user frequently going online and offline, and obtains and outputs a judgment result indicating that the access request is an abnormal access request.
If the time interval is greater than the authentication time interval threshold value configured in the first filtering configuration information, the traffic cleaning module further needs to filter abnormal traffic according to the number of access times in the period.
In some embodiments of the present application, the determining, according to the receiving time of the access request, the authentication start time, the period duration threshold, the counting period authentication frequency, and the intra-period authentication frequency threshold, an abnormal traffic of the access frequency of the access request to obtain a determination result includes: acquiring the current period duration according to the receiving time of the access request and the authentication starting time; responding to the condition that the current period duration is larger than the period duration threshold, updating and recording the counting period authentication times, and obtaining a judgment result indicating that the access request is a normal access request; responding to the condition that the current period duration is smaller than or equal to the period duration threshold and the counting period authentication times are larger than or equal to the period authentication times threshold, and obtaining a judgment result indicating that the access request is an abnormal access request; and in response to that the current period duration is smaller than or equal to the period duration threshold and the counting period authentication times are smaller than the in-period authentication times threshold, updating and recording the counting period authentication times to obtain a judgment result indicating that the access request is a normal access request.
When the access frequency is judged, the authentication start time recorded in the target binary tree node is first subtracted from the receiving time of the access request to obtain the current period duration. If the current period duration exceeds the period duration threshold set in the first filtering configuration information, the access frequency of the user is counted again in a new monitoring period, that is, the counting period authentication times recorded in the target binary tree node is set to 1.
If the current period duration does not exceed the period duration threshold set in the first filtering configuration information, it is further judged whether the number of authentications initiated by the user in the current monitoring period has reached the preset in-period authentication times threshold. If it has (namely, the counting period authentication times is greater than or equal to the in-period authentication times threshold), the user is considered to be authenticating too frequently, and a judgment result indicating that the access request is an abnormal access request is obtained. If it has not (namely, the counting period authentication times is smaller than the in-period authentication times threshold), the current access request is considered to be normal authentication behavior, and a judgment result indicating that the access request is a normal access request is obtained. In that case, 1 is added to the number of authentications of the user in the current monitoring period (namely, the counting period authentication times recorded in the target binary tree node), and the counting period authentication times is updated and recorded.
Substep 240: in response to the target binary tree node not being found, create, according to the message type and the second filtering configuration information, a binary tree node matched with the target user identifier in the target binary tree, and obtain a judgment result indicating that the access request is a normal access request.
If the target binary tree node is not found in the target binary tree, the user to which the target user identifier belongs can be considered to be authenticating with the authentication system for the first time, or for the first time in a long while, and a judgment result indicating that the access request is a normal access request is obtained.
Meanwhile, in this case, in order to perform traffic filtering on the access request of the user to the authentication system subsequently, a binary tree node needs to be newly established in the target binary tree, and the binary tree node is used for recording the user identifier of the user to which the target user identifier belongs and the user access information.
In some embodiments of the present application, creating a binary tree node in the target binary tree, where the binary tree node is matched with the target user identifier according to the packet type and the second filtering configuration information, includes: substep S1, substep S2 and substep S3.
Substep S1: acquire the number of nodes of the target binary tree.
The second filtering configuration information is a pre-configured description of the binary tree. Optionally, the second filtering configuration information includes: a node number upper limit threshold, which limits the maximum number of binary tree nodes contained in the target binary tree. By configuring the node number upper limit threshold and checking, whenever a binary tree node is to be created, whether the number of existing nodes in the binary tree has reached that threshold, the size of the binary tree can be controlled, which prevents the binary tree from occupying too much storage space and reduces the computing resources consumed by searching it.
When a new binary tree node is to be created, the number of nodes currently in the target binary tree must first be obtained. In some embodiments of the present application, a single global variable may be used to store the number of nodes currently in the binary tree. The embodiment of the present application does not limit the specific implementation of obtaining the number of nodes of the target binary tree.
Substep S2: in response to the number of nodes being smaller than the node number upper limit threshold, create, according to the message type, a binary tree node to be inserted that is matched with the target user identifier, and insert it into the target binary tree according to the size relationship between the user identifiers recorded in the binary tree nodes of the target binary tree and the target user identifier.
If the number of nodes is smaller than the node number upper limit threshold, that is, the number of binary tree nodes currently in the target binary tree has not reached the set upper limit, a node is created in the target binary tree, and the user access information of the user to which the target user identifier belongs is recorded in the created node. The specific implementation of creating a node in the binary tree is described above and is not repeated here.
When user access information is recorded in the newly created node: if the message type is an authentication message, the receiving time of the access request can be used as the authentication start time of the user to which the target user identifier belongs, and the number of authentication times in the period is set to 1; if the message type is an end message, the receiving time of the access request can be used as the offline time of the user to which the target user identifier belongs, and the number of authentication times in the period is set to 1. In some embodiments of the present application, the receiving time of the access request may be recorded in the newly created node as the authentication start time of the user to which the target user identifier belongs.
Substep S3: in response to the number of nodes being greater than or equal to the node number upper limit threshold, take the target binary tree as a backup binary tree, replace the target binary tree with a newly built binary tree, and create, according to the message type, a root node in the updated target binary tree as the binary tree node matched with the target user identifier.
If the number of nodes is greater than or equal to the node number upper limit threshold, that is, the number of binary tree nodes currently in the target binary tree has reached the set upper limit, the target binary tree is taken as a backup binary tree and a new binary tree is built as the target binary tree. Specifically, for example, the current target binary tree is first marked as the backup binary tree; a binary tree is then re-instantiated as the target binary tree, a root node of the newly built target binary tree is created, and the user access information of the user to which the target user identifier belongs is recorded in the root node.
In the embodiment of the application, the user access data of the user interacting with the authentication system can be temporarily stored through the backup binary tree, so that the accuracy of flow cleaning is improved.
When the root node is created, the user access information recorded in the root node is initialized according to the message type. For example, when the message type is an end message, the receiving time of the access request may be used as the offline time of the user to which the target user identifier belongs. In some embodiments of the present application, the number of authentication times in the period recorded in the root node may be set to 0, and the authentication start time may be set to the receiving time or to a time value earlier than the receiving time by a preset duration. For another example, when the message type is an authentication message, the receiving time of the access request may be used as the authentication start time of the user to which the target user identifier belongs, and the number of authentication times in the period recorded in the root node is set to 1.
The backup binary tree occupies the memory of the authentication system, and the memory needs to be timely recovered in order to save storage resources.
In some embodiments of the present application, the second filtering configuration information further includes: a node number buffering threshold. After the target binary tree is taken as a backup binary tree, the method further includes: deleting the backup binary tree in response to the number of nodes being greater than or equal to the node number buffering threshold, wherein the node number buffering threshold is less than the node number upper limit threshold. The node number buffering threshold can be determined according to user traffic statistics. For example, the node number buffering threshold may be set to 1000, that is, when the number of nodes in the newly created target binary tree is greater than or equal to 1000, the backup binary tree is deleted and its memory is reclaimed.
In some embodiments of the application, in the step of performing, in response to the message type matching a preset message type, abnormal traffic judgment on the access request based on a target binary tree recording user access information to obtain a judgment result, before the target binary tree is searched for a target binary tree node matched with the target user identifier, the method further includes: substep 200 and substep 201.
Substep 200: in response to the message type matching the preset message type, judge whether the target binary tree recording the user access information is empty; if so, execute substep 201, and if not, execute substep 210.
Substep 201: in response to the target binary tree being empty, obtain a judgment result indicating that the access request is a normal access request, create a root node in the target binary tree according to the message type, and use the created root node as the binary tree node matched with the target user identifier.
If the target binary tree is empty, no user's access information is recorded in it, and the user to which the target user identifier belongs can be considered to be accessing the authentication system for the first time, so a judgment result indicating that the access request is a normal access request is obtained. In this case, a root node must be created in the target binary tree and the user access information recorded in the root node must be set according to the message type.
The specific implementation of creating the root node according to the packet type is described in the foregoing, and is not described herein again.
In response to the target binary tree not being empty, the method jumps to the step of executing the binary tree search algorithm to search the target binary tree for the target binary tree node matched with the target user identifier.
If the target binary tree is not empty, the target binary tree node matched with the target user identifier is searched for in the target binary tree by using a binary tree search algorithm, and substep 230 or substep 240 is executed according to the search result.
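The judgment rules of substep 230 and the node creation and tree rotation of substep 240, as an added Python example that is not code from the patent. The class, field and message-type names are assumptions, the first filtering thresholds follow the text's examples (5 authentications per 30 seconds, 5-second interval), the node limits are constructed small values, and restarting the authentication start time when a new period begins is also an assumption.

```python
from dataclasses import dataclass
from typing import Optional

AUTH, END = "auth", "end"  # the two preset message types; these labels are assumptions


@dataclass
class FilterConfig:
    # First filtering configuration (values from the text's examples)
    max_auth_per_period: int = 5      # in-period authentication times threshold
    min_reauth_interval: float = 5.0  # authentication time interval threshold, seconds
    period_len: float = 30.0          # period duration threshold, seconds
    # Second filtering configuration (constructed, deliberately tiny values)
    node_cap: int = 4                 # node number upper limit threshold
    buffer_nodes: int = 2             # node number buffering threshold (< node_cap)


@dataclass
class Node:
    uid: str
    start_auth: float
    count: int
    offline_time: Optional[float] = None  # None stands for the "invalid" offline time
    left: Optional["Node"] = None
    right: Optional["Node"] = None


class TrafficCleaner:
    def __init__(self, cfg: FilterConfig):
        self.cfg = cfg
        self.root: Optional[Node] = None
        self.size = 0                       # node counter kept in one variable
        self.backup: Optional[Node] = None  # previous tree, kept until the buffer threshold

    def _find(self, uid: str) -> Optional[Node]:
        node = self.root
        while node is not None and node.uid != uid:
            node = node.left if uid < node.uid else node.right
        return node

    def _insert(self, new: Node) -> None:
        if self.size >= self.cfg.node_cap:
            # Substep S3: the full tree becomes the backup and a fresh tree starts.
            # The text does not say how lookups use the backup; here it is only retained.
            self.backup, self.root, self.size = self.root, None, 0
        if self.root is None:
            self.root = new
        else:
            cur = self.root
            while True:  # substep S2: descend by identifier order
                side = "left" if new.uid < cur.uid else "right"
                child = getattr(cur, side)
                if child is None:
                    setattr(cur, side, new)
                    break
                cur = child
        self.size += 1
        if self.backup is not None and self.size >= self.cfg.buffer_nodes:
            self.backup = None  # reclaim the backup tree's memory

    def check(self, uid: str, mtype: str, now: float) -> bool:
        """Return True for a normal access request, False for an abnormal one."""
        if mtype not in (AUTH, END):
            return True  # other message types are not judged
        node = self._find(uid)  # substeps 200/210: an empty tree simply finds nothing
        if node is None:        # substeps 201/240: first sighting is always normal
            if mtype == AUTH:
                new = Node(uid, start_auth=now, count=1)
            else:  # end message: count 0 as in the root-node rule, applied to all nodes here
                new = Node(uid, start_auth=now, count=0, offline_time=now)
            self._insert(new)
            return True
        if mtype == END:
            node.offline_time = now
            return True
        if node.offline_time is not None and now - node.offline_time <= self.cfg.min_reauth_interval:
            return False  # re-authentication too soon after going offline
        if now - node.start_auth > self.cfg.period_len:
            # Assumption: a new period also restarts start_auth; the text only resets the count.
            node.start_auth, node.count = now, 1
            return True
        if node.count >= self.cfg.max_auth_per_period:
            return False  # too many authentications inside the current period
        node.count += 1
        return True


def replay(cleaner: TrafficCleaner, events):
    """Feed (uid, message type, receive time) tuples; return the verdict list."""
    return [cleaner.check(uid, mtype, t) for uid, mtype, t in events]


# Constructed timeline for one user, times in seconds.
TIMELINE = [("alice", AUTH, t) for t in (0, 1, 2, 3, 4, 5, 31)] + [
    ("alice", END, 40), ("alice", AUTH, 43), ("alice", AUTH, 46)]

if __name__ == "__main__":
    print(replay(TrafficCleaner(FilterConfig()), TIMELINE))
```

On the constructed timeline the first five authentications pass, the sixth inside the 30-second period is filtered, the one at 31 seconds opens a new period, and the re-authentication 3 seconds after the end message is filtered while the one 6 seconds after it passes.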
Step 130, in response to the judgment result indicating that the access request is an abnormal access request, filtering the access request as abnormal traffic.
After the access request has been judged through the above steps and a judgment result obtained, the filtering operation on the access request is executed according to the judgment result.
For example, if the judgment result obtained in the foregoing step indicates that the access request is an access request of a suppressed user (for example, an access request initiated immediately after a user goes offline, or several access requests initiated by a user within a specified time period), the access request is filtered out as abnormal traffic.
Step 140, in response to the judgment result indicating that the access request is a normal access request, processing the access request as normal traffic.
If the judgment result obtained in the previous step indicates that the access request is not an access request of a suppressed user, the access request is processed as normal traffic and subsequent authentication processing is performed.
The method for filtering the abnormal traffic of the authentication system disclosed in the embodiment of the application comprises: in response to a received access request for the authentication system, acquiring a message type and a target user identifier carried by the access request; in response to the message type matching a preset message type, performing abnormal traffic judgment on the access request based on a target binary tree recording user access information to obtain a judgment result; in response to the judgment result indicating that the access request is an abnormal access request, filtering the access request as abnormal traffic; and in response to the judgment result indicating that the access request is a normal access request, processing the access request as normal traffic. The method records the user access information of users to the authentication system in a binary tree, judges whether the current access request is abnormal traffic according to the user access information, the receiving time of the access request and the filtering judgment thresholds configured in advance for the user access information, and filters abnormal traffic according to the judgment result, thereby effectively reducing the consumption of the authentication system caused by frequent and malicious access and ensuring the safe and stable operation of the authentication system.
Correspondingly, an embodiment of the present application further discloses an abnormal traffic filtering device of an authentication system, as shown in fig. 4, the device includes:
a message type and user identifier obtaining module 410, configured to, in response to receiving an access request to the authentication system, obtain a message type and a target user identifier carried in the access request;
an abnormal traffic determination module 420, configured to, in response to the message type matching a preset message type, perform abnormal traffic determination on the access request based on a target binary tree in which user access information is recorded, so as to obtain a determination result;
a traffic filtering processing module 430, configured to filter the access request as abnormal traffic in response to the determination result indicating that the access request is an abnormal access request;
the traffic filtering module 430 is further configured to, in response to the determination result indicating that the access request is a normal access request, process the access request as normal traffic.
In some embodiments of the application, the abnormal traffic determining module 420 is further configured to:
in response to the message type matching a preset message type, searching a target binary tree node matched with the target user identifier in the target binary tree by adopting a binary tree search algorithm;
responding to the searched target binary tree node, and performing abnormal traffic judgment on the access request according to one or more items of user access information, first filtering configuration information and the message type recorded in the target binary tree node to obtain a judgment result;
responding to the condition that the target binary tree node is not found, according to the message type and the second filtering configuration information, creating a binary tree node matched with the target user identifier in the target binary tree, and obtaining a judgment result indicating that the access request is a normal access request.
In some embodiments of the present application, the preset message type includes: an authentication message and an end message, and the performing, according to one or more items of information in the user access information, the first filtering configuration information and the message type recorded in the target binary tree node, abnormal traffic judgment on the access request to obtain a judgment result includes:
in response to the message type being an end message, updating the offline time recorded in the target binary tree node to be the receiving time of the access request, and obtaining a judgment result indicating that the access request is a normal access request;
and in response to the message type being an authentication message, performing abnormal traffic judgment on the access request according to the receiving time of the access request, the first filtering configuration information and the user access information recorded in the target binary tree node to obtain a judgment result.
In some embodiments of the present application, the first filtering configuration information includes: an in-period authentication times threshold, an authentication time interval threshold and a period duration threshold, and the user access information includes: the offline time, the authentication start time and the counting period authentication times,
the performing, according to the receiving time of the access request, the first filtering configuration information, and the user access information recorded in the target binary tree node, abnormal traffic judgment on the access request to obtain a judgment result includes:
acquiring a time interval between the receiving time of the access request and the offline time;
responding to the time interval smaller than or equal to the authentication time interval threshold value, and obtaining a judgment result indicating that the access request is an abnormal access request;
and in response to the time interval being larger than the authentication time interval threshold, performing abnormal traffic judgment on the access frequency of the access request according to the receiving time of the access request, the authentication starting time, the period duration threshold, the counting period authentication times and the in-period authentication times threshold to obtain a judgment result.
In some embodiments of the present application, the determining, according to the receiving time of the access request, the authentication start time, the period duration threshold, the counting period authentication frequency, and the intra-period authentication frequency threshold, an abnormal traffic of the access frequency of the access request to obtain a determination result includes:
acquiring the current period duration according to the receiving time of the access request and the authentication starting time;
responding to the condition that the current period duration is larger than the period duration threshold, updating and recording the counting period authentication times, and obtaining a judgment result indicating that the access request is a normal access request;
in response to the current period duration being smaller than or equal to the period duration threshold and the counting period authentication times being larger than or equal to the in-period authentication times threshold, obtaining a judgment result indicating that the access request is an abnormal access request;
and in response to that the current period duration is smaller than or equal to the period duration threshold and the counting period authentication times are smaller than the in-period authentication times threshold, updating and recording the counting period authentication times to obtain a judgment result indicating that the access request is a normal access request.
In some embodiments of the present application, the second filtering configuration information includes: a node number upper limit threshold, and the creating, according to the message type and the second filtering configuration information, a binary tree node matched with the target user identifier in the target binary tree includes:
acquiring the number of nodes of the target binary tree;
in response to the fact that the number of the nodes is smaller than the upper limit threshold of the number of the nodes, creating a binary tree node to be inserted which is matched with the target user identifier according to the message type, and inserting the binary tree node to be inserted into the target binary tree according to the size relation between the user identifier recorded in the binary tree node of the target binary tree and the target user identifier;
and in response to the fact that the number of the nodes is larger than or equal to the upper limit threshold of the number of the nodes, taking the target binary tree as a backup binary tree, updating the target binary tree through a newly-built binary tree, and creating a root node in the updated target binary tree according to the message type to serve as a binary tree node matched with the target user identifier.
In some embodiments of the present application, the second filtering configuration information includes: a node number buffer threshold, and after the taking the target binary tree as a backup binary tree, the following is further included:
deleting the backup binary tree in response to the number of nodes being greater than or equal to the node number buffer threshold, wherein the node number buffer threshold is less than the node number upper limit threshold.
Optionally, in the step of performing, in response to the message type matching a preset message type, abnormal traffic judgment on the access request based on a target binary tree in which user access information is recorded to obtain a judgment result, before the searching for a target binary tree node matched with the target user identifier in the target binary tree by using a binary tree search algorithm, the method further includes:
in response to the message type matching the preset message type, judging whether the target binary tree recording user access information is empty;
in response to the target binary tree being empty, obtaining a judgment result indicating that the access request is a normal access request, creating a root node in the target binary tree according to the message type, and taking the created root node as the binary tree node matched with the target user identifier;
and in response to the target binary tree not being empty, proceeding to the step of searching, by using the binary tree search algorithm, for the target binary tree node matched with the target user identifier in the target binary tree.
The abnormal traffic filtering apparatus of the authentication system disclosed in the embodiment of the present application is used to implement the abnormal traffic filtering method of the authentication system described in the embodiment of the present application, and specific implementation manners of each module of the apparatus are not described again, and reference may be made to specific implementation manners of corresponding steps in the method embodiment.
The abnormal traffic filtering apparatus of the authentication system disclosed in the embodiment of the present application, in response to a received access request to the authentication system, acquires the message type and the target user identifier carried by the access request; in response to the message type matching a preset message type, performs abnormal traffic judgment on the access request based on the target binary tree recording user access information to obtain a judgment result; in response to the judgment result indicating that the access request is an abnormal access request, filters the access request as abnormal traffic; and in response to the judgment result indicating that the access request is a normal access request, processes the access request as normal traffic. By recording, based on the binary tree, the user access information of users accessing the authentication system, judging whether the current access request is abnormal traffic according to the user access information, the receiving time of the access request and the filtering judgment thresholds configured in advance for the user access information, and filtering abnormal traffic according to the judgment result, the apparatus effectively reduces the consumption of the authentication system caused by frequent malicious access and ensures the safe and stable operation of the authentication system.
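The judgment and tree-maintenance steps described above can be exercised with the following added Python example, which is not code from the application or the applicant. Class, field and message-type names and the threshold values are assumptions; the code also assumes that an expired counting period restarts from the current request, and it only retains and deletes the backup tree, since this section does not say how the backup is consulted.

```python
from dataclasses import dataclass
from typing import Optional

AUTH, END = "auth", "end"  # labels for the two preset message types (assumed names)

@dataclass
class Config:  # field names are assumptions; default values are constructed
    auth_interval_threshold: float = 5.0     # seconds after the offline time
    period_duration_threshold: float = 60.0  # seconds per counting period
    auth_count_threshold: int = 3            # authentications allowed per period
    node_upper_limit: int = 4                # node number upper limit threshold
    node_buffer_threshold: int = 2           # must be below node_upper_limit

@dataclass
class Node:
    user_id: str
    offline_time: Optional[float] = None
    auth_start_time: Optional[float] = None
    auth_count: int = 0
    left: Optional["Node"] = None
    right: Optional["Node"] = None

class AuthFilter:
    def __init__(self, cfg: Config):
        self.cfg, self.root, self.backup, self.size = cfg, None, None, 0

    def _find(self, uid):
        n = self.root
        while n is not None and n.user_id != uid:
            n = n.left if uid < n.user_id else n.right
        return n

    def _insert(self, uid, mtype, now):
        # Assumption: "created according to the message type" means the new
        # node records the field that this message type would update.
        node = (Node(uid, auth_start_time=now, auth_count=1) if mtype == AUTH
                else Node(uid, offline_time=now))
        if self.root is None or self.size >= self.cfg.node_upper_limit:
            if self.root is not None:
                self.backup = self.root      # full tree becomes the backup tree
            self.root, self.size = node, 1   # new node is the root of the new tree
        else:
            cur = self.root
            while True:                      # ordered by user identifier comparison
                side = "left" if uid < cur.user_id else "right"
                if getattr(cur, side) is None:
                    setattr(cur, side, node)
                    break
                cur = getattr(cur, side)
            self.size += 1
        if self.backup is not None and self.size >= self.cfg.node_buffer_threshold:
            self.backup = None               # backup deleted at the buffer threshold

    def _judge_auth(self, n, now):
        c = self.cfg
        if n.offline_time is not None and now - n.offline_time <= c.auth_interval_threshold:
            return True                      # re-authentication too soon after offline
        if n.auth_start_time is None or now - n.auth_start_time > c.period_duration_threshold:
            # Assumption: "updating the count" for an expired period restarts it.
            n.auth_start_time, n.auth_count = now, 1
            return False
        if n.auth_count >= c.auth_count_threshold:
            return True                      # too many authentications this period
        n.auth_count += 1
        return False

    def is_abnormal(self, uid, mtype, now):
        """Return True if the request should be filtered as abnormal traffic."""
        if mtype not in (AUTH, END):
            return False                     # assumption: other types are not judged
        node = self._find(uid)
        if node is None:                     # covers the empty-tree case as well
            self._insert(uid, mtype, now)
            return False
        if mtype == END:
            node.offline_time = now
            return False
        return self._judge_auth(node, now)

def demo():
    f = AuthFilter(Config())
    trace = [  # constructed sample: (user identifier, message type, receive time in s)
        ("alice", AUTH, 0), ("alice", AUTH, 10), ("alice", AUTH, 20),
        ("alice", AUTH, 30),                       # 4th authentication within 60 s
        ("alice", END, 40), ("alice", AUTH, 42),   # 2 s after the offline time
        ("alice", AUTH, 101),                      # new counting period
    ]
    return [f.is_abnormal(u, t, ts) for u, t, ts in trace]

if __name__ == "__main__":
    print(demo())
```

The tree here is not rebalanced, so lookup depth is bounded only by the node number upper limit threshold.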
The embodiments in the present specification are described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments are referred to each other. For the device embodiment, since it is basically similar to the method embodiment, the description is simple, and for the relevant points, refer to the partial description of the method embodiment.
The above detailed description is given to the method and apparatus for filtering abnormal traffic of an authentication system, and specific examples are applied herein to explain the principle and the implementation of the present application, and the description of the above embodiments is only used to help understand the method and a core idea of the present application; meanwhile, for a person skilled in the art, according to the idea of the present application, there may be variations in the specific embodiments and the application scope, and in summary, the content of the present specification should not be construed as a limitation to the present application.
The above-described embodiments of the apparatus are merely illustrative, and the units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment. One of ordinary skill in the art can understand and implement it without inventive effort.
Various component embodiments of the present application may be implemented in hardware, or in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will appreciate that a microprocessor or Digital Signal Processor (DSP) may be used in practice to implement some or all of the functionality of some or all of the components in an electronic device according to embodiments of the application. The present application may also be embodied as apparatus or device programs (e.g., computer programs and computer program products) for performing a portion or all of the methods described herein. Such programs implementing the present application may be stored on a computer readable medium or may be in the form of one or more signals. Such a signal may be downloaded from an internet website, or provided on a carrier signal, or provided in any other form.
For example, fig. 5 shows an electronic device that may implement a method according to the present application. The electronic device can be a PC, a mobile terminal, a personal digital assistant, a tablet computer and the like. The electronic device conventionally comprises a processor 510 and a memory 520, and program code 530 stored on said memory 520 and executable on the processor 510, said processor 510 implementing the method described in the above embodiments when executing said program code 530. The memory 520 may be a computer program product or a computer readable medium. The memory 520 may be an electronic memory such as a flash memory, an EEPROM (electrically erasable programmable read only memory), an EPROM, a hard disk, or a ROM. The memory 520 has a storage space 5201 for program code 530 of the computer program for performing any of the method steps of the above-described method. For example, the storage space 5201 for the program code 530 may include respective computer programs for implementing the respective steps in the above methods. The program code 530 is computer readable code. The computer programs may be read from and written to one or more computer program products. These computer program products comprise a program code carrier such as a hard disk, a Compact Disc (CD), a memory card or a floppy disk. The computer program comprises computer readable code which, when run on an electronic device, causes the electronic device to perform the method according to the above embodiments.
The embodiment of the application also discloses a computer readable storage medium, on which a computer program is stored, which when executed by a processor, implements the steps of the abnormal traffic filtering method of the authentication system according to the embodiment of the application.
Such a computer program product may be a computer-readable storage medium that may have memory segments, memory spaces, etc. arranged similarly to the memory 520 in the electronic device shown in fig. 5. The program code may be stored in a computer readable storage medium, for example, compressed in a suitable form. The computer readable storage medium is typically a portable or fixed storage unit as described with reference to fig. 6. Typically, the storage unit comprises computer readable code 530', said computer readable code 530' being code read by a processor, which when executed by the processor, performs the steps of the method described above.
Reference herein to "one embodiment," "an embodiment," or "one or more embodiments" means that a particular feature, structure, or characteristic described in connection with the embodiment is included in at least one embodiment of the present application. Furthermore, it is noted that instances of the word "in one embodiment" are not necessarily all referring to the same embodiment.
In the description provided herein, numerous specific details are set forth. However, it is understood that embodiments of the application may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail in order not to obscure an understanding of this description.
In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The application may be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed computer. In the unit claims enumerating several means, several of these means may be embodied by one and the same item of hardware. The usage of the words first, second and third, etcetera do not indicate any ordering. These words may be interpreted as names.
Finally, it should be noted that: the above embodiments are only used to illustrate the technical solutions of the present application, and not to limit the same; although the present application has been described in detail with reference to the foregoing embodiments, it should be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions in the embodiments of the present application.

Claims (11)

1. An abnormal traffic filtering method of an authentication system, the method comprising:
in response to a received access request to the authentication system, acquiring a message type and a target user identifier carried by the access request;
in response to the message type matching a preset message type, performing abnormal traffic judgment on the access request based on a target binary tree recording user access information to obtain a judgment result;
in response to the judgment result indicating that the access request is an abnormal access request, filtering the access request as abnormal traffic;
and in response to the judgment result indicating that the access request is a normal access request, processing the access request as normal traffic.
2. The method according to claim 1, wherein the performing abnormal traffic judgment on the access request based on a target binary tree recording user access information in response to the message type matching a preset message type to obtain a judgment result comprises:
in response to the message type matching a preset message type, searching a target binary tree node matched with the target user identifier in the target binary tree by adopting a binary tree searching algorithm;
in response to the target binary tree node being found, performing abnormal traffic judgment on the access request according to one or more of the user access information recorded in the target binary tree node, first filtering configuration information and the message type to obtain a judgment result;
and in response to the target binary tree node not being found, creating, according to the message type and second filtering configuration information, a binary tree node matched with the target user identifier in the target binary tree, and obtaining a judgment result indicating that the access request is a normal access request.
3. The method of claim 2, wherein the preset message type comprises: an authentication message and an end message, and the performing abnormal traffic judgment on the access request according to one or more of the user access information recorded in the target binary tree node, the first filtering configuration information and the message type to obtain a judgment result comprises:
in response to the message type being an end message, updating the offline time recorded in the target binary tree node to be the receiving time of the access request, and obtaining a judgment result indicating that the access request is a normal access request;
and in response to the message type being an authentication message, performing abnormal traffic judgment on the access request according to the receiving time of the access request, the first filtering configuration information and the user access information recorded in the target binary tree node to obtain a judgment result.
4. The method of claim 3, wherein the first filtering configuration information comprises: an in-period authentication times threshold, an authentication time interval threshold and a period duration threshold, and the user access information comprises: the offline time, the authentication starting time and the counting period authentication times,
the performing, according to the receiving time of the access request, the first filtering configuration information, and the user access information recorded in the target binary tree node, abnormal traffic judgment on the access request to obtain a judgment result includes:
acquiring a time interval between the receiving time of the access request and the offline time;
responding to the condition that the time interval is smaller than or equal to the authentication time interval threshold value, and obtaining a judgment result indicating that the access request is an abnormal access request;
and in response to the time interval being larger than the authentication time interval threshold, performing abnormal traffic judgment on the access frequency of the access request according to the receiving time of the access request, the authentication starting time, the period duration threshold, the counting period authentication times and the in-period authentication times threshold to obtain a judgment result.
5. The method according to claim 4, wherein the performing abnormal traffic judgment on the access frequency of the access request according to the receiving time of the access request, the authentication starting time, the period duration threshold, the counting period authentication times and the in-period authentication times threshold to obtain a judgment result comprises:
acquiring the current period duration according to the receiving time of the access request and the authentication starting time;
responding to the condition that the current period duration is larger than the period duration threshold, updating and recording the counting period authentication times, and obtaining a judgment result indicating that the access request is a normal access request;
in response to the current period duration being smaller than or equal to the period duration threshold and the counting period authentication times being larger than or equal to the in-period authentication times threshold, obtaining a judgment result indicating that the access request is an abnormal access request;
and in response to that the current period duration is smaller than or equal to the period duration threshold and the counting period authentication times are smaller than the in-period authentication times threshold, updating and recording the counting period authentication times to obtain a judgment result indicating that the access request is a normal access request.
6. The method of claim 2, wherein the second filtering configuration information comprises: a node number upper limit threshold, and the creating, according to the message type and the second filtering configuration information, a binary tree node matched with the target user identifier in the target binary tree comprises:
acquiring the number of nodes of the target binary tree;
responding to the condition that the number of the nodes is smaller than the upper limit threshold of the number of the nodes, creating a binary tree node to be inserted which is matched with the target user identifier according to the message type, and inserting the binary tree node to be inserted into the target binary tree according to the size relation between the user identifier recorded in the binary tree node of the target binary tree and the target user identifier;
and in response to the fact that the number of the nodes is larger than or equal to the upper limit threshold of the number of the nodes, taking the target binary tree as a backup binary tree, updating the target binary tree through a newly-built binary tree, and creating a root node in the updated target binary tree according to the message type to serve as a binary tree node matched with the target user identifier.
7. The method of claim 6, wherein the second filtering configuration information comprises: a node number buffer threshold, and after the taking the target binary tree as a backup binary tree, the method further comprises:
deleting the backup binary tree in response to the number of nodes being greater than or equal to the node number buffer threshold, wherein the node number buffer threshold is less than the node number upper limit threshold.
8. The method according to claim 2, wherein before searching for a target binary tree node in the target binary tree that matches the target user identity using a binary tree search algorithm, the method further includes:
in response to the message type matching the preset message type, judging whether the target binary tree recording user access information is empty;
in response to the target binary tree being empty, obtaining a judgment result indicating that the access request is a normal access request, creating a root node in the target binary tree according to the message type, and taking the created root node as the binary tree node matched with the target user identifier;
and in response to the target binary tree not being empty, proceeding to the step of searching, by using the binary tree search algorithm, for the target binary tree node matched with the target user identifier in the target binary tree.
9. An abnormal traffic filtering apparatus of an authentication system, the apparatus comprising:
the message type and user identification acquisition module is configured to, in response to a received access request to the authentication system, acquire the message type and the target user identifier carried by the access request;
the abnormal traffic judgment module is configured to, in response to the message type matching a preset message type, perform abnormal traffic judgment on the access request based on a target binary tree recording user access information to obtain a judgment result;
the traffic filtering processing module is configured to, in response to the judgment result indicating that the access request is an abnormal access request, filter the access request as abnormal traffic;
and the traffic filtering processing module is further configured to, in response to the judgment result indicating that the access request is a normal access request, process the access request as normal traffic.
10. An electronic device comprising a memory, a processor, and program code stored on the memory and executable on the processor, wherein the processor implements the method for filtering abnormal traffic of the authentication system of any one of claims 1 to 8 when executing the program code.
11. A computer-readable storage medium having stored thereon program code means for implementing the steps of the method for abnormal traffic filtering of an authentication system according to any one of claims 1 to 8 when said program code means is executed by a processor.
CN202211527979.9A 2022-12-01 2022-12-01 Abnormal traffic filtering method and device for authentication system and electronic equipment Pending CN115955332A (en)

Publications (1)

Publication Number Publication Date
CN115955332A true CN115955332A (en) 2023-04-11

Family

ID=87295853

Country Status (1)

Country Link
CN (1) CN115955332A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination