CN115967559A - Webpage monitoring method and device and baseline data construction method and device - Google Patents

Webpage monitoring method and device and baseline data construction method and device Download PDF

Info

Publication number
CN115967559A
CN115967559A CN202211656344.9A CN202211656344A CN115967559A CN 115967559 A CN115967559 A CN 115967559A CN 202211656344 A CN202211656344 A CN 202211656344A CN 115967559 A CN115967559 A CN 115967559A
Authority
CN
China
Prior art keywords
operation log
data
webpage
baseline
baseline data
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202211656344.9A
Other languages
Chinese (zh)
Inventor
朱晴
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Sangfor Technologies Co Ltd
Original Assignee
Sangfor Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Sangfor Technologies Co Ltd filed Critical Sangfor Technologies Co Ltd
Priority to CN202211656344.9A priority Critical patent/CN115967559A/en
Publication of CN115967559A publication Critical patent/CN115967559A/en
Pending legal-status Critical Current

Links

Images

Classifications

    • YGENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02DCLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D10/00Energy efficient computing, e.g. low power processors, power management or thermal management

Landscapes

  • Debugging And Monitoring (AREA)

Abstract

The application provides a webpage monitoring method and device and a baseline data construction method and device, wherein the webpage monitoring method comprises the following steps: when a webpage operation log aiming at a target website is acquired, judging whether the webpage operation log meets an alarm condition or not based on a constructed baseline data set; generating alarm information aiming at the target website under the condition that the alarm condition is determined to be met; the method and the device realize monitoring of the webpage of the target website without paying attention to the change of the webpage content, and reduce the business access volume of the webpage.

Description

Webpage monitoring method and device and baseline data construction method and device
Technical Field
The application relates to the technical field of computer network security, in particular to a webpage monitoring method and device and a baseline data construction method and device.
Background
With the popularization and development of internet and network applications, a great number of hacking attacks come along, especially attacks against websites. Among them, tampering with web content is a common technique of hacking.
Therefore, how to monitor whether the web page of the website is tampered with becomes a technical problem to be urgently solved by technical personnel. In the related art, the detection purpose is achieved by detecting the change of the webpage content of the website, and when the change of the webpage content is detected, a request needs to be periodically sent to the website to obtain the webpage content, so that the service access amount of the webpage is increased.
Disclosure of Invention
In order to overcome the problems in the related art, the application provides a webpage monitoring method and device and a baseline data construction method and device, so that the webpage can be monitored on the basis of not increasing the service access amount of the webpage.
A first aspect of the present application provides a web page monitoring method, including:
when a webpage operation log aiming at a target website is acquired, judging whether the webpage operation log meets an alarm condition or not based on a constructed baseline data set; wherein the baseline data set is constructed from a web page operation log;
and generating alarm information aiming at the target website under the condition that the alarm condition is determined to be met.
Optionally, the method further comprises:
judging whether the webpage operation log belongs to baseline data, if so, writing the webpage operation log into a baseline data set according to a preset writing mode;
and if not, executing the step of judging whether the webpage operation log meets the alarm condition or not based on the constructed baseline data set and all subsequent steps.
Optionally, the determining whether the web page operation log belongs to the baseline data includes:
judging whether the webpage operation log contains index data in a baseline data set or not, and if not, determining that the webpage operation log belongs to baseline data;
if so, determining that index data contained in the webpage operation log in the baseline data set is target index data, judging whether the operation time in the webpage operation log is within a baseline time range corresponding to the target index data, if so, determining that the webpage operation log belongs to the baseline data, and if not, determining that the webpage operation log does not belong to the baseline data.
Optionally, the determining whether the web page operation log meets an alarm condition based on the baseline data set includes:
judging whether the characteristic data in the webpage operation log is consistent with the target characteristic data corresponding to the target index data in the baseline data set or not, and if not, determining that an alarm condition is met;
if the characteristic data of the webpage operation log are consistent, judging whether the characteristic data of the webpage operation log belong to periodic data in the baseline data set, wherein the periodic data are periodically repeated in an operation time range corresponding to the target index data;
and if the data does not belong to the periodic data, determining that the alarm condition is met.
Optionally, the writing the web page operation log into the baseline data set according to a preset writing manner includes:
and writing the webpage operation log into the baseline data set in a mode of establishing corresponding operation time and characteristic data by taking index data as an index.
A second aspect of the present application provides a baseline data construction method, including:
under the condition that a webpage operation log aiming at a target website is obtained, judging whether the webpage operation log contains index data in a baseline data set or not, and if not, determining that the webpage operation log belongs to baseline data;
if so, determining that index data contained in the webpage operation log in the baseline data set is target index data, judging whether the operation time in the webpage operation log is within a baseline time range corresponding to the target index data, if so, determining that the webpage operation log belongs to the baseline data, and if not, determining that the webpage operation log does not belong to the baseline data;
and writing the webpage operation logs belonging to the baseline data into a baseline data set according to a preset writing mode.
A third aspect of the present application provides a web page monitoring apparatus, comprising:
the warning judgment unit is used for judging whether the webpage operation log meets a warning condition or not based on the constructed baseline data set when the webpage operation log aiming at the target website is acquired; wherein the baseline data set is constructed from a web page operation log;
and the first generating unit is used for generating the alarm information aiming at the target website under the condition that the alarm condition is determined to be met.
A fourth aspect of the present application provides a baseline data constructing apparatus, including:
the data judgment unit is used for judging whether a webpage operation log contains index data in a baseline data set or not under the condition that the webpage operation log aiming at the target website is obtained;
a first determining unit, configured to determine that the web page operation log belongs to the baseline data when the web page operation log does not include the index data in the baseline data set;
a second determining unit, configured to determine, when the web page operation log includes index data in the baseline data set, that the index data included in the web page operation log in the baseline data set is target index data;
the range judging unit is used for judging whether the operation time in the webpage operation log is within a baseline time range corresponding to the target index data;
a third determining unit, configured to determine that the web page operation log belongs to the baseline data when the operation time in the web page operation log is within a baseline time range corresponding to the target index data;
a fourth determining unit, configured to determine that the web page operation log does not belong to the baseline data when an operation time in the web page operation log is not within a baseline time range corresponding to the target index data;
and the data writing unit is used for writing the webpage operation logs belonging to the baseline data into the baseline data set according to a preset writing mode.
A fifth aspect of the present application provides an electronic device, comprising:
a processor; and
a memory having executable code stored thereon which, when executed by the processor, causes the processor to perform the method as described above.
A sixth aspect of the application provides a non-transitory machine-readable storage medium having stored thereon executable code which, when executed by a processor of an electronic device, causes the processor to perform a method as described above.
Therefore, when a webpage operation log for a target website is acquired, whether the webpage operation log meets an alarm condition is judged based on a constructed baseline data set, and alarm information for the target website is generated under the condition that the alarm condition is determined to be met, so that the webpage operation log and the baseline data set can be used for monitoring the webpage of the target website, the change of webpage content is not required to be concerned, and the service access amount of the webpage is reduced;
furthermore, the webpage operation log is used for monitoring the webpage, so that the current tampering behavior or the tampering behavior already occurred in the webpage can be ensured, and the accuracy of determining the tampering behavior is improved.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the application.
Drawings
The foregoing and other objects, features and advantages of the application will be apparent from the following more particular descriptions of exemplary embodiments of the application, as illustrated in the accompanying drawings wherein like reference numbers generally represent like parts throughout the exemplary embodiments of the application.
FIG. 1 is a schematic flow chart diagram illustrating a web page monitoring method according to an embodiment of the present application;
FIG. 2 is a schematic flow chart diagram illustrating a web page monitoring method according to another embodiment of the present application;
FIG. 3 is a schematic flow chart diagram illustrating a baseline data construction method according to a method embodiment of the present application;
FIG. 4 is a schematic diagram of a web page monitoring apparatus according to an embodiment of the present application;
FIG. 5 is a schematic structural diagram of a web page monitoring apparatus according to another embodiment of the present application;
FIG. 6 is a schematic diagram of a baseline data construction apparatus according to an embodiment of the present application;
fig. 7 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
Preferred embodiments of the present application will be described in more detail below with reference to the accompanying drawings. While the preferred embodiments of the present application are shown in the drawings, it should be understood that the present application may be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the application. As used in this application and the appended claims, the singular forms "a", "an", and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any and all possible combinations of one or more of the associated listed items.
It should be understood that although the terms "first," "second," "third," etc. may be used herein to describe various information, these information should not be limited to these terms. These terms are only used to distinguish one type of information from another. For example, first information may also be referred to as second information, and similarly, second information may also be referred to as first information, without departing from the scope of the present application. Thus, a feature defined as "first" or "second" may explicitly or implicitly include one or more of that feature. In the description of the present application, "a plurality" means two or more unless specifically limited otherwise.
One embodiment of the method provides a web page monitoring method, which can be applied to a terminal communicating with a server of a target website and can also be applied to the server of the target website. The target website is a website which needs to monitor whether the webpage is tampered.
The method may comprise the steps of:
step 101: when a webpage operation log for a target website is acquired, judging whether the webpage operation log meets an alarm condition or not based on a constructed baseline data set, if so, entering step 102, and if not, finishing monitoring for the current webpage operation log;
in the application, a web page operation log records a one-time operation behavior of a host on a target website, and includes various data such as a file path, a file operation mode, a process path, operation time, a host identifier and the like.
The file path comprises a file directory and a file name, and is used for representing file information of the operation.
The file operation mode is used for characterizing the operation mode of the file, such as deletion, creation, modification, renaming and the like.
The process path is used to characterize the process used by the operation.
The operation time is used to characterize the time of operation.
The host identity is used to characterize the host ID and/or host IP of the operation.
Optionally, the web page operation log may further include a server identifier, where the server identifier may be a identifier customized by a technician for the server, and is used to characterize a server source of the web page operation log.
The method and the device have the advantages that the baseline data set is built on the basis of the webpage operation logs, and the type of the index data and the type of the feature data under the index data are set, so that the baseline data are generated on the basis of the webpage operation logs and can be written into the baseline data set. Therefore, whether the currently acquired webpage operation log meets the alarm condition or not can be judged based on the constructed baseline data set, if not, the monitoring of the current webpage operation log is finished, and when a new webpage operation log is acquired again, the method is executed again for the newly acquired webpage operation log; in the case of yes, step 102 is entered.
Step 102: and generating alarm information aiming at the target website.
The alarm information may be alarm information for a host identifier in the web page operation log, such as a host ID and/or a host address, so that a tampered host can be quickly located, and a response handling speed after tampering occurs is increased.
In the embodiment of the application, when a webpage operation log aiming at a target website is obtained, whether the webpage operation log meets an alarm condition is judged based on a constructed baseline data set, and alarm information aiming at the target website is generated under the condition that the alarm condition is determined to be met, so that the application can realize monitoring on the webpage of the target website through the webpage operation log and the baseline data set, does not need to pay attention to the change of webpage content, and reduces the service access amount of the webpage;
furthermore, the webpage operation log is used for monitoring the webpage, so that the current tampering behavior or the tampering behavior already occurred in the webpage can be ensured, and the accuracy of determining the tampering behavior is improved.
Another method embodiment of the present application provides a web page monitoring method, as shown in fig. 2, the method includes the following processes:
step 201: when a webpage operation log for a target website is acquired, judging whether the webpage operation log belongs to baseline data, if so, entering step 202; if not, go to step 203;
in the application, a web page operation log records a one-time operation behavior of a host on a target website, and includes various data such as a file path, a file operation mode, a process path, operation time, a host identifier and the like.
The file path comprises a file directory and a file name, and is used for representing file information of the operation.
The file operation mode is used for characterizing the operation mode of the file, such as deletion, creation, modification, renaming and the like.
The process path is used to characterize the process used by the operation.
The operation time is used to characterize the time of operation.
The host identity is used to characterize the host ID and/or host IP of the operation.
Optionally, the web page operation log may further include a server identifier, where the server identifier may be a identifier customized by a technician for the server, and is used to characterize a server source of the web page operation log.
In this application, determining whether the web page operation log belongs to the baseline data may include the following steps:
(1.1) judging whether the webpage operation log contains index data in a baseline data set, and if not, determining that the webpage operation log belongs to baseline data;
the baseline data set in the application is generated based on the webpage operation logs, and the type of the index data and the type of the feature data under the index data can be preset, so that the baseline data is generated based on the webpage operation logs and can be written into the baseline data set.
The baseline data set is further used for determining whether the web page operation log meets the alarm condition, and therefore when a web page operation log is acquired, it needs to be determined whether the web page operation log is a log for generating baseline data or a log for determining whether the web page operation log meets the alarm condition.
If the web page operation log does not include the index data in the baseline data set, it is determined that the index data related to the web page operation log is not recorded in the baseline data set, and therefore the web page operation log belongs to the baseline data, and referring to the subsequent steps of this embodiment, the web page operation log is written into the baseline data set according to a preset writing method.
It can be understood that, if no baseline data is recorded in the baseline data set, it is required to write the web page operation log into the baseline data set first, that is, it is determined that the web page operation log belongs to the baseline data. Or, if the baseline data set records the baseline data, but the index data does not have data about the web page operation log, the web page operation log also needs to be written into the baseline data set, that is, it can be determined that the web page operation log belongs to the baseline data. For example, if the index data type is host id, the host id in the baseline data set is host a, and the host id in the web page operation log is host B, it is determined that the web page operation log does not contain the index data in the baseline data set, and it is determined that the web page operation log belongs to the baseline data.
(1.2) if the webpage operation log contains index data in a baseline data set, determining that the index data contained in the webpage operation log in the baseline data set is target index data, and judging whether the operation time in the webpage operation log is within an operation time range corresponding to the target index data;
in the baseline data set, each index datum corresponds to a baseline time range, and the baseline time range can be based on the operation time of the first written index datum and is extended by a range determined under a specified time length. For example, the index data is host a, and the corresponding operation time when writing first is 2022-11-15: 00:00, the time range extending two weeks later is taken as the baseline time range, namely the baseline time range is 2022-11-1520:00:00 to 2022-11-29: 00:00.
it is understood that two weeks is only one specific example of the specified time length, and is not limiting, and the specified time length may be set based on actual conditions.
And (1.3) if the operation time range is within the operation time range, determining that the webpage operation log belongs to the baseline data, and if the operation time range is not within the operation time range, determining that the webpage operation log does not belong to the baseline data.
Step 202: writing the webpage operation log into a baseline data set according to a preset writing mode;
the writing mode of the webpage operation log is preset, and in one mode, the webpage operation log can be directly written into a baseline data set as baseline data. For convenience of management and data positioning, in another manner, writing the web page operation log into the baseline data set according to a preset writing manner may include: and writing the webpage operation log into the baseline data set in a mode of establishing corresponding operation time and characteristic data by taking index data as an index.
The type of the index data and the type of the feature data may be both pre-specified, for example, the index data may be one or more of a host identifier, a server identifier, a file identifier, and a process path, and the feature data may include: one or more of a file path, a process path, a file manipulation manner. The file path includes a file directory and a file name.
Note that the index data and the feature data are not duplicated. For example, if the process path is included in the index data, the corresponding feature data does not include the process path.
Each index data is also corresponding to an operation time, and when the webpage operation log is written into the baseline data set, the operation time of the webpage operation log and the index data need to be written in a corresponding relationship. Optionally, the baseline data set may have an index area and a data area, the index area is used for writing index data and time information corresponding to the index data, and the time information is operation time; when the baseline time range of the index data is determined, the baseline time range can also be written correspondingly, so that the baseline time range is prevented from being calculated when the webpage operation log is acquired subsequently.
The data area is used for writing characteristic data corresponding to the index data. Therefore, when the web page operation log is written, the web page operation log may be written into the baseline data set in a manner that the index data and the corresponding operation time are written into the index area, and the feature data corresponding to the index data is written into the feature area.
Step 203: judging whether the webpage operation log meets an alarm condition or not based on the baseline data set, if so, entering step 204, and if not, finishing monitoring on the current webpage operation log;
after the monitoring of the current webpage operation log is finished, when a new webpage operation log is obtained again, the method is executed again for the newly obtained webpage operation log.
Optionally, judging whether the web page operation log meets the alarm condition based on the baseline data set may include the following processes:
(2.1) judging whether the characteristic data in the webpage operation log is consistent with the target characteristic data corresponding to the target index data in the baseline data set, and if not, determining that an alarm condition is met;
in the baseline data set, the index data and the feature data have a corresponding relationship, and after it is determined that the web page operation log has the target index data in the baseline data set, whether the feature data in the web page operation log is consistent with the target feature data corresponding to the target index data can be judged, and it can be understood that the target feature data need to be compared in the same type when being compared.
For example, if the target feature data includes a process path, a file path, and a file operation mode, the process path in the web page operation log needs to be compared with the process path in the target feature data, the file path in the web page operation log needs to be compared with the file path in the target feature data, the file operation mode in the web page operation log needs to be compared with the file operation mode in the target feature data, and if any one of the process path, the file path, and the file operation mode is inconsistent, it is determined that the alarm condition is satisfied.
(2.2) if the characteristic data of the webpage operation logs are consistent, judging whether the characteristic data of the webpage operation logs belong to periodic data in the baseline data set;
the periodic data is represented by the target characteristic data which is periodically repeated in the operation time range corresponding to the target index data. The time and number of the periodic repetition are not limited in the present application, and are repeated every 2 days, for example.
Of course, in this embodiment, as another mode, in the case of matching, the determination of the current web page operation log may also be directly ended. And the accuracy of monitoring the webpage can be further improved by judging the periodic data of the webpage operation log.
And (2.3) if the data does not belong to the periodic data, determining that an alarm condition is met.
Step 204: and generating alarm information aiming at the target website.
The alarm information may specifically be alarm information for a host identifier in the web page operation log, such as a host ID and/or a host address, so as to enable a tampered host to be quickly located, and increase a response handling speed after the tampering occurs.
In the embodiment, when a webpage operation log for a target website is acquired, whether the webpage operation log belongs to baseline data is judged, if yes, the webpage operation log is written into a baseline data set according to a preset writing mode, if not, whether the webpage operation log meets an alarm condition is judged based on the baseline data set, and alarm information for the target website is generated under the condition that the alarm condition is determined to be met, so that the monitoring of the webpage of the target website can be realized through the webpage operation log and the baseline data set, the change of webpage content is not required to be concerned, and the service access volume of the webpage is reduced;
furthermore, the webpage operation log is used for monitoring the webpage, so that the tampering behavior occurring in the webpage or the tampering behavior already occurring in the webpage can be ensured, and the accuracy of determining the tampering behavior is improved;
in addition, the host with tampering can be quickly positioned through the webpage operation log, and the response processing speed after tampering is generated is increased.
In this embodiment, before acquiring a web page operation log for a target website, the method further includes: collecting a log aiming at a target website, and if a process path in the log conforms to a specified process path and an operation file in the log has specified attributes, determining the log as a webpage operation log;
the log may be a file process operation log or a web application log.
Specifically, a file process operation log about a process, a file, and a network behavior may be collected through the API HOOK technique.
In order to facilitate identification of the web page operation log, optionally, determining the log as the web page operation log may include: and converting the log into a standard log according to a preset format, and determining the standard log as a webpage operation log.
The designated process path is used for characterizing the process for starting the web page business, and can comprise a process path for characterizing one or more processes in Java, wpw3, httpd, nginx, php-cgi, tomcat and the like.
The specified attributes are used to characterize web page resource files, such as attributes used to characterize one or more of picture resources, static htm resources, web script resources, and the like. And whether the operation file has the specified attribute may be determined based on a suffix of the file name of the operation file, for example, if the suffix is jpg, it is determined to have the attribute of the picture resource.
Optionally, in this embodiment, before collecting the log for the target website, the method may further include:
setting and collecting a file process operation log of the target website, wherein correspondingly, the types of the index data in the baseline data set can be set to comprise a host identity and a server identity;
or, setting and acquiring a file process operation log of the target website, and correspondingly, setting index data in the baseline data set to comprise a host identifier and a file path;
or, setting and collecting the web application log of the target website, and correspondingly, setting the index data in the baseline data set to include the host identifier and the process path.
When the type of the index data is set to include the host identifier and the server identifier, the characteristic data corresponding to the index data may include: file path, process path, and file operation mode.
When the type of the index data is set to include a host identifier and a file path, the characteristic data corresponding to the index data may include: a process path;
when the type of the index data is set to include the host identifier and the process path, the feature data corresponding to the index data may include: file path and file operation mode.
Optionally, the baseline data set may include an index area and a data area, the index data under the type of the index data is written into the index area, and the characteristic data under the characteristic data is written into the data area and corresponds to the index data. The index area is also used for writing time information corresponding to the index data, and when the baseline time range of the index data is determined, the baseline time range can be correspondingly written.
The baseline time range can be determined based on the operation time corresponding to the index data and the specified time length when the first index data is written; of course, the determination and writing can be performed when the baseline time range is needed for determining the webpage operation log subsequently, which can be realized.
A further method embodiment of the present application provides a web page monitoring method by taking a web page application log as an example, and it should be noted that this embodiment is only a specific example provided for a web page application log, and does not constitute a limitation on other implementation manners, and a specific process is as follows:
and (3.1) setting a webpage application log of the acquisition target website, and setting a baseline data set to comprise an index area and a data area, wherein the index area is used for writing index data and time information corresponding to the index data, the index data comprises a host identifier and a process path, and the data area is used for writing characteristic data corresponding to the index data and comprises a file path and a file operation mode.
Since all the operations of the same process on the target website are described in the web application log, the operations of different hosts on the target website using the same process are recorded in the baseline data set of the embodiment.
(3.2) acquiring a webpage application log aiming at a target website, and if a process path in the webpage application log conforms to a specified process path and an operation file in the webpage application log has a specified attribute, determining the log as a webpage operation log;
and (3.3) taking the webpage operation log obtained for the first time as baseline data, setting an index area and a data area according to a baseline data set, writing a host identifier and a process path which are used as the index data and operation time which is used as time information into the index area, and writing a file path and a file operation mode which are used as characteristic data into the data area corresponding to the index data.
And (3.4) when the webpage operation log is obtained again, judging whether the webpage operation log contains the host identifier and the process path in the baseline data set, if not, writing the webpage operation log into the baseline data set according to the writing mode in the step (3.3). If the operation time range is included, determining the operation time corresponding to the host identifier and the process path included in the webpage operation log in the baseline data set, and determining a baseline time range based on the operation time and the specified time length, wherein the baseline time range can also be written into the index area.
And (3.5) judging whether the operation time in the webpage operation log is in the baseline time range, and if so, writing the webpage operation log into the baseline data set according to the writing mode in the step (3.3). If not, judging whether the file path in the webpage operation log is consistent with the corresponding file path in the baseline data set or not and whether the file operation modes are consistent or not, if so, meeting the alarm condition and directly outputting alarm information. If the characteristic data of the webpage operation logs are consistent with the characteristic data of the webpage operation logs in the baseline data set, judging whether the characteristic data of the webpage operation logs belong to periodic data or not, if the characteristic data of the webpage operation logs do not belong to the periodic data, determining that an alarm condition is met, directly outputting alarm information, and if the characteristic data of the webpage operation logs belong to the periodic data, ending judgment on the current webpage operation logs.
In a specific application scenario, for example, host a has operated file C using process B, and data corresponding to the operation is written into the baseline data set; the subsequent host computer A operates the file D by using the process B, and the situation of webpage tampering is determined if the operated file is changed based on the method, so that a user can be prompted that the webpage is tampered by outputting alarm information.
In another embodiment of the method of the present application, monitoring of a web page is implemented in a manner of monitoring an abnormal process, it should be noted that this embodiment is only one specific example of providing monitoring of an abnormal process, and does not constitute a limitation on other implementation manners, and a specific process is as follows: :
and (4.1) setting and collecting a file process operation log of the target website, and setting a baseline data set to comprise an index area and a data area, wherein the index area is used for writing index data and time information corresponding to the index data, the index data comprises a host identifier and a file path, and the data area is used for writing characteristic data corresponding to the index data and comprises a process path.
(4.2) collecting a file process operation log aiming at a target website, and if a process path in the file process operation log conforms to a specified process path and an operation file in the webpage application log has a specified attribute, determining the operation log as a webpage operation log;
and (4.3) taking the webpage operation log obtained for the first time as baseline data and setting an index area and a data area according to a baseline data set, writing a host identifier and a file path which are used as the index data and operation time which is used as time information into the index area, and writing a process path which is used as characteristic data into the data area corresponding to the index data.
And (4.4) when the webpage operation log is obtained again, judging whether the webpage operation log contains the host identifier and the file path in the baseline data set, if not, writing the webpage operation log into the baseline data set according to the writing mode in the step (4.3). If the operation time range includes the host identifier and the operation time corresponding to the file path, the host identifier and the file path included in the webpage operation log in the baseline data set are determined, a baseline time range is determined based on the operation time and the specified time length, and the baseline time range can be written into the index area.
(4.5) judging whether the operation time in the webpage operation log is in the baseline time range, if so, writing the webpage operation log into the baseline data set according to the writing mode in the step (4.3). If not, judging whether the process path in the webpage operation log is consistent with the corresponding process path in the baseline data set or not, if not, meeting the alarm condition and directly outputting alarm information. If the characteristic data of the webpage operation logs are consistent with the characteristic data of the webpage operation logs in the baseline data set, judging whether the characteristic data of the webpage operation logs belong to periodic data or not, if the characteristic data of the webpage operation logs do not belong to periodic data, determining that an alarm condition is met, directly outputting alarm information, and if the characteristic data of the webpage operation logs are periodic, ending the operation aiming at the current webpage operation logs.
In a specific application scenario, for example, host a uses process C when operating file B, and the data corresponding to this operation is written into the baseline data set; and the subsequent host computer A uses the process D when operating the file B, and the change of the process can be determined based on the method, so that the webpage tampering condition is determined, and the user can be prompted that the webpage is tampered by outputting the alarm information.
One embodiment of the present application provides a method for constructing baseline data, which may include the following steps, as shown in fig. 3:
step 301: when a webpage operation log for a target website is acquired, judging whether the webpage operation log contains index data in a baseline data set, if not, entering a step 304, and if so, entering a step 302;
in the application, a web page operation log records a one-time operation behavior of a host on a target website, and includes various data such as a file path, a file operation mode, a process path, operation time, a host identifier and the like.
The file path comprises a file directory and a file name, and is used for representing file information of the operation.
The file operation mode is used for characterizing the operation mode of the file, such as deletion, creation, modification, renaming and the like.
The process path is used to characterize the process used by the operation.
The operation time is used to characterize the time of operation.
The host identity is used to characterize the host ID and/or host IP of the operation.
Optionally, the web page operation log may further include a server identifier, where the server identifier may be a identifier customized by a technician for the server, and is used to characterize a server source of the web page operation log.
The baseline data set in the application is generated based on the webpage operation log, and the type of the index data and the type of the feature data under the index data can be preset, so that the baseline data is generated based on the webpage operation log and can be written into the baseline data set.
If the web page operation log does not include the index data in the baseline data set, it is determined that the index data related to the web page operation log is not recorded in the baseline data set, and therefore the web page operation log belongs to the baseline data, and referring to the subsequent steps of this embodiment, the web page operation log is written into the baseline data set according to a preset writing method.
It can be understood that, if no baseline data is recorded in the baseline data set, it is indicated that the web page operation log needs to be written into the baseline data set first, that is, it is determined that the web page operation log belongs to the baseline data. Or, if the baseline data set records the baseline data, but the index data does not have data about the web page operation log, the web page operation log also needs to be written into the baseline data set, that is, it can be determined that the web page operation log belongs to the baseline data. For example, if the index data type is host id, the host id in the baseline data set is host a, and the host id in the web page operation log is host B, it is determined that the web page operation log does not contain the index data in the baseline data set, and it is determined that the web page operation log belongs to the baseline data.
Step 302: determining index data contained in the webpage operation log in the baseline data set as target index data;
step 303: judging whether the operation time in the webpage operation log is within a baseline time range corresponding to the target index data, if so, entering a step 304, and if not, entering a step 305;
in the baseline data set, each index data corresponds to a baseline time range, and the baseline time range can be based on the operation time of the first written index data and extend the range determined under the specified time length. For example, the index data is host a, and the corresponding operation time when writing first is 2022-11-15: 00:00, the time range extending two weeks later is taken as the baseline time range, namely the baseline time range is 2022-11-1520:00:00 to 2022-11-29: 00:00.
it is understood that two weeks is only one specific example of the specified time length, and is not limiting, and the specified time length may be set based on actual conditions.
Step 304: determining that the webpage operation logs belong to baseline data, and writing the webpage operation logs belonging to the baseline data into a baseline data set according to a preset writing mode;
the writing mode of the webpage operation log is preset, and in one mode, the webpage operation log can be directly written into a baseline data set as baseline data. In another way, for convenience of management and data location, writing the web page operation log into the baseline data set according to a preset writing way may include: and writing the webpage operation log into the baseline data set in a mode of establishing corresponding operation time and characteristic data by taking index data as an index.
The type of the index data and the type of the feature data may be both pre-specified, for example, the index data may be one or more of a host identifier, a server identifier, a file identifier, and a process path, and the feature data may include: one or more of a file path, a process path, a file manipulation manner. The file path includes a file directory and a file name.
Note that the index data and the feature data are not duplicated. For example, if the process path is included in the index data, the corresponding feature data does not include the process path.
Each index data is also corresponding to an operation time, and when the webpage operation log is written into the baseline data set, the operation time of the webpage operation log and the index data need to be written in a corresponding relationship. Optionally, the baseline data set may have an index area and a data area, the index area is used for writing index data and time information corresponding to the index data, and the time information is operation time; when the baseline time range of the index data is determined, the baseline time range can be correspondingly written, so that the baseline time range is prevented from being calculated when the webpage operation log is subsequently acquired.
The data area is used for writing characteristic data corresponding to the index data. Therefore, when the web page operation log is written, the web page operation log may be written into the baseline data set in a manner that the index data and the corresponding operation time are written into the index area, and the feature data corresponding to the index data is written into the feature area.
Step 305: determining that the web page operation log does not belong to the baseline data.
The web page operation logs not belonging to the baseline data are not written into the baseline data set, and optionally, the web page operation logs not belonging to the baseline data may be monitored based on the baseline data set, for example, whether the web page operation logs meet the alarm condition is judged based on the baseline data set.
In this embodiment, when a web page operation log for a target website is acquired, whether the web page operation log includes index data in a baseline data set is determined, and if not, the web page operation log is determined to belong to baseline data; if so, determining that index data contained in the webpage operation log in the baseline data set is target index data, judging whether the operation time in the webpage operation log is within a baseline time range corresponding to the target index data, if so, determining that the webpage operation log belongs to the baseline data, and if not, determining that the webpage operation log does not belong to the baseline data; the webpage operation logs belonging to the baseline data are written into the baseline data set according to a preset writing mode, so that the construction of the baseline data set can be realized through the webpage operation logs, and the method and the device are used for monitoring subsequent webpages.
Corresponding to the embodiment of the application function implementation method, the application also provides a webpage monitoring device, a baseline data construction device, electronic equipment and a corresponding embodiment.
Fig. 4 is a schematic structural diagram of a web page monitoring apparatus according to an embodiment of the present application.
Referring to fig. 4, the apparatus may include: an alarm determination unit 110 and a first generation unit 120;
the alarm determination unit 110 is configured to determine, when a web page operation log for a target website is acquired, whether the web page operation log meets an alarm condition based on a constructed baseline data set; wherein the baseline data set is constructed from a web page operation log;
a first generating unit 120, configured to generate alarm information for the target website if it is determined that the alarm condition is satisfied.
Another embodiment of the present application provides a web page monitoring apparatus, as shown in fig. 5, the apparatus includes: a first judging unit 130, a first writing unit 140, an alarm judging unit 110, and a first generating unit 120; wherein:
the first judging unit 130, when acquiring a web page operation log for a target website, judges whether the web page operation log belongs to baseline data;
a first writing unit 140, configured to write the web page operation log into a baseline data set according to a preset writing method when it is determined that the web page operation log belongs to the baseline data;
an alarm determining unit 110, configured to determine whether the web page operation log meets an alarm condition based on the baseline data set when it is determined that the web page operation log does not belong to the baseline data;
a first generating unit 120, configured to generate alarm information for the target website if it is determined that the alarm condition is satisfied.
The alarm information may specifically be alarm information for a host identifier in the web page operation log, such as a host ID and/or a host address, so as to enable a tampered host to be quickly located, and increase a response handling speed after the tampering occurs.
The first determining unit 130 includes: the device comprises a first judgment module, a first determination module, a second judgment module, a third determination module and a fourth determination module; specifically, the method comprises the following steps:
the first judgment module is used for judging whether a webpage operation log contains index data in a baseline data set or not when the webpage operation log aiming at a target website is obtained;
the first determining module is used for determining that the webpage operation log belongs to the baseline data when the webpage operation log is determined not to contain the index data in the baseline data set;
the second determining module is used for determining that the index data contained in the webpage operation logs in the baseline data set is target index data when the webpage operation logs are determined to contain the index data in the baseline data set;
the second judgment module is used for judging whether the operation time in the webpage operation log is within the baseline time range corresponding to the target index data or not;
the third determining module is used for determining that the webpage operation log belongs to the baseline data within the baseline time range;
and the fourth determining module is used for determining that the webpage operation log is not in the baseline time range and determining that the webpage operation log does not belong to the baseline data.
The alarm determining unit 110 may include: the device comprises a third judgment module, a fifth determination module, a fourth judgment module and a sixth determination module; specifically, the method comprises the following steps:
a third judging module, configured to, when it is determined that the web page operation log does not belong to the baseline data, judge whether feature data in the web page operation log is consistent with target feature data corresponding to the target index data in the baseline data set;
the fifth determining module is used for determining that the alarm condition is met under the condition of inconsistency;
a fourth determining module, configured to determine whether feature data of the web page operation log belongs to periodic data in the baseline data set under a consistent condition, where the periodic data is a periodic repetition of the target feature data within an operation time range corresponding to the target index data;
and the sixth determining module is used for determining that the alarm condition is met under the condition that the data does not belong to the periodic data.
Optionally, the first writing unit 140 is specifically configured to, when it is determined that the web page operation log belongs to the baseline data, write the web page operation log into the baseline data set in a manner that corresponding operation time and feature data are established by using index data as an index.
As another implementation manner, the first writing unit 140 may specifically be configured to directly write the web page operation log as baseline data into the baseline data set.
According to the embodiment, the web pages of the target website can be monitored through the web page operation logs and the baseline data set, the change of the content of the web pages does not need to be concerned, and the service access amount of the web pages is reduced;
furthermore, the webpage operation log is used for monitoring the webpage, so that the tampering behavior occurring in the webpage or the tampering behavior already occurring in the webpage can be ensured, and the accuracy of determining the tampering behavior is improved;
in addition, the webpage operation log can quickly locate the host with tampering, and the response processing speed after tampering is improved.
Another apparatus embodiment of the present application provides a web page monitoring apparatus, and in this embodiment, the apparatus may include: an acquisition determining unit; wherein:
the acquisition determining unit is used for acquiring the log of the target website, and if the process path in the log conforms to the designated process path and the operation file in the log has the designated attribute, determining the log as the webpage operation log;
the log is a file process operation log or a webpage application log.
In order to facilitate identification of the web page operation log, optionally, the acquisition determining unit determines the log as the web page operation log, and specifically may be: and converting the log into a standard log according to a preset format, and determining the standard log as a webpage operation log.
Optionally, the apparatus may further include:
the first setting unit is used for presetting and acquiring a file process operation log of the target website and can also be used for setting index data in a baseline data set to comprise a host identity and a server identity;
or, the second setting unit is configured to preset a file process operation log for acquiring the target website, and may also be configured to set index data in the baseline data set to include a host identifier and a file path;
or, the third setting unit is configured to preset to acquire a web application log of the target website, and may further set index data in the baseline data set to include a host identifier and a process path.
When the index data is set to contain the host identifier and the server identifier, the characteristic data corresponding to the index data may include: file path, process path, and file operation mode.
When the index data is set to contain the host identifier and the file path, the characteristic data corresponding to the index data may include: a process path;
when the index data is set to include the host identifier and the process path, the feature data corresponding to the index data may include: file path and file operation mode.
Therefore, in the embodiment, the file process operation log or the webpage operation log can be used, and the webpage operation log is screened out from the file process operation log or the webpage operation log, and the used log is bottom-layer data, so that the identification universality of the monitoring method for the webpage is higher; and the information amount of subsequent data processing can be reduced through a screening mode, and the monitoring efficiency is further improved.
An apparatus embodiment of the present application further provides a baseline data constructing apparatus, as shown in fig. 6, the apparatus includes: a data judgment unit 210, a first determination unit 220, a second determination unit 230, a range judgment unit 240, a third determination unit 250, a fourth determination unit 260, and a write data unit 270; wherein:
the data determining unit 210 is configured to, when a web page operation log for a target website is acquired, determine whether the web page operation log includes index data in a baseline data set;
a first determining unit 220, configured to determine that the web page operation log belongs to the baseline data when the web page operation log does not include index data in the baseline data set;
a second determining unit 230, configured to determine, when the web page operation log includes index data in a baseline data set, that the index data included in the web page operation log in the baseline data set is target index data;
a range determining unit 240, configured to determine whether an operation time in the web page operation log is within a baseline time range corresponding to the target index data;
a third determining unit 250, configured to determine that the web page operation log belongs to the baseline data when the operation time in the web page operation log is within the baseline time range corresponding to the target index data;
a fourth determining unit 260, configured to determine that the web page operation log does not belong to the baseline data when an operation time in the web page operation log is not within a baseline time range corresponding to the target index data;
and a write data unit 270, configured to write the web page operation log belonging to the baseline data into the baseline data set according to a preset write mode.
Optionally, the write data unit 270 is specifically configured to write the web page operation log belonging to the baseline data into the baseline data set in a manner that corresponding operation time and feature data are established by using the index data as an index.
As another implementation, the write data unit 270 may be specifically configured to directly write the web page operation log as baseline data into the baseline data set.
In this embodiment, when a web page operation log for a target website is acquired, whether the web page operation log includes index data in a baseline data set is determined, and if not, the web page operation log is determined to belong to baseline data; if yes, determining that index data contained in the webpage operation log in the baseline data set is target index data, judging whether operation time in the webpage operation log is within a baseline time range corresponding to the target index data, if yes, determining that the webpage operation log belongs to the baseline data, and if not, determining that the webpage operation log does not belong to the baseline data; and writing the webpage operation logs belonging to the baseline data into the baseline data set according to a preset writing mode, so that the construction of the baseline data set can be realized through the webpage operation logs, and the method and the device are used for monitoring subsequent webpages.
With regard to the apparatus in the above-described embodiment, the specific manner in which each module performs the operation has been described in detail in the embodiment related to the method, and will not be elaborated here.
Fig. 7 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Referring to fig. 7, the electronic device 1000 includes a memory 1010 and a processor 1020.
The Processor 1020 may be a Central Processing Unit (CPU), other general purpose Processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other Programmable logic device, discrete Gate or transistor logic, discrete hardware components, etc. A general purpose processor may be a microprocessor or the processor may be any conventional processor or the like.
The memory 1010 may include various types of storage units, such as system memory, read Only Memory (ROM), and permanent storage. Wherein the ROM may store static data or instructions that are needed by the processor 1020 or other modules of the computer. The persistent storage device may be a read-write storage device. The persistent storage may be a non-volatile storage device that does not lose stored instructions and data even after the computer is powered down. In some embodiments, the persistent storage device employs a mass storage device (e.g., magnetic or optical disk, flash memory) as the persistent storage device. In other embodiments, the permanent storage may be a removable storage device (e.g., floppy disk, optical drive). The system memory may be a read-write memory device or a volatile read-write memory device, such as a dynamic random access memory. The system memory may store instructions and data that some or all of the processors require at run-time. Further, the memory 1010 may comprise any combination of computer-readable storage media, including various types of semiconductor memory chips (DRAM, SRAM, SDRAM, flash, programmable read only memory), magnetic and/or optical disks may also be employed. In some embodiments, memory 1010 may include a removable storage device that is readable and/or writable, such as a Compact Disc (CD), a read-only digital versatile disc (e.g., DVD-ROM, dual layer DVD-ROM), a read-only Blu-ray disc, an ultra-density optical disc, a flash memory card (e.g., SD card, min SD card, micro-SD card, etc.), a magnetic floppy disc, or the like. Computer-readable storage media do not contain carrier waves or transitory electronic signals transmitted by wireless or wired means.
The memory 1010 has stored thereon executable code that, when processed by the processor 1020, may cause the processor 1020 to perform some or all of the methods described above.
The aspects of the present application have been described in detail hereinabove with reference to the accompanying drawings. In the above embodiments, the descriptions of the respective embodiments have respective emphasis, and for parts that are not described in detail in a certain embodiment, reference may be made to related descriptions of other embodiments. Those skilled in the art should also appreciate that acts and modules referred to in the specification are not necessarily required in the present application. In addition, it can be understood that the steps in the method of the embodiment of the present application may be sequentially adjusted, combined, and deleted according to actual needs, and the modules in the device of the embodiment of the present application may be combined, divided, and deleted according to actual needs.
Furthermore, the method according to the present application may also be implemented as a computer program or computer program product comprising computer program code instructions for performing some or all of the steps of the above-described method of the present application.
Alternatively, the present application may also be embodied as a non-transitory machine-readable storage medium (or computer-readable storage medium, or machine-readable storage medium) having stored thereon executable code (or a computer program, or computer instruction code) which, when executed by a processor of an electronic device (or electronic device, server, etc.), causes the processor to perform part or all of the various steps of the above-described method according to the present application.
Those of skill would further appreciate that the various illustrative logical blocks, modules, circuits, and algorithm steps described in connection with the applications disclosed herein may be implemented as electronic hardware, computer software, or combinations of both.
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems and methods according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
Having described embodiments of the present application, the foregoing description is intended to be exemplary, not exhaustive, and not limited to the disclosed embodiments. Many modifications and variations will be apparent to those of ordinary skill in the art without departing from the scope and spirit of the described embodiments. The terminology used herein is chosen in order to best explain the principles of the embodiments, the practical application, or improvements made to the technology in the marketplace, or to enable others of ordinary skill in the art to understand the embodiments disclosed herein.

Claims (10)

1. The webpage monitoring method is characterized by comprising the following steps:
when a webpage operation log aiming at a target website is acquired, judging whether the webpage operation log meets an alarm condition or not based on a constructed baseline data set; wherein the baseline data set is constructed from a web page operation log;
and generating alarm information aiming at the target website under the condition that the alarm condition is determined to be met.
2. The method of claim 1, further comprising:
judging whether the webpage operation logs belong to baseline data, if so, writing the webpage operation logs into a baseline data set according to a preset writing mode;
and if not, executing the step of judging whether the webpage operation log meets the alarm condition or not based on the constructed baseline data set and all subsequent steps.
3. The method of claim 2, wherein the determining whether the web page operation log belongs to baseline data comprises:
judging whether the webpage operation log contains index data in a baseline data set or not, and if not, determining that the webpage operation log belongs to baseline data;
if so, determining that index data contained in the webpage operation log in the baseline data set is target index data, judging whether the operation time in the webpage operation log is within a baseline time range corresponding to the target index data, if so, determining that the webpage operation log belongs to the baseline data, and if not, determining that the webpage operation log does not belong to the baseline data.
4. The method of claim 3, wherein the determining whether the web page operation log satisfies an alarm condition based on the baseline data set comprises:
judging whether the characteristic data in the webpage operation log is consistent with the target characteristic data corresponding to the target index data in the baseline data set or not, and if not, determining that an alarm condition is met;
if the characteristic data of the webpage operation log are consistent, judging whether the characteristic data of the webpage operation log belong to periodic data in the baseline data set, wherein the periodic data are periodically repeated in an operation time range corresponding to the target index data;
and if the data does not belong to the periodic data, determining that the alarm condition is met.
5. The method of claim 3, wherein the writing the web page operation log into the baseline data set according to a preset writing manner comprises:
and writing the webpage operation log into the baseline data set in a mode of establishing corresponding operation time and characteristic data by taking index data as an index.
6. A baseline data construction method, comprising:
under the condition that a webpage operation log aiming at a target website is obtained, judging whether the webpage operation log contains index data in a baseline data set or not, and if not, determining that the webpage operation log belongs to baseline data;
if so, determining that index data contained in the webpage operation log in the baseline data set is target index data, judging whether the operation time in the webpage operation log is within a baseline time range corresponding to the target index data, if so, determining that the webpage operation log belongs to the baseline data, and if not, determining that the webpage operation log does not belong to the baseline data;
and writing the webpage operation logs belonging to the baseline data into a baseline data set according to a preset writing mode.
7. The web page monitoring device is characterized by comprising:
the warning judgment unit is used for judging whether the webpage operation log meets a warning condition or not based on the constructed baseline data set when the webpage operation log aiming at the target website is acquired; wherein the baseline data set is constructed from a web page operation log;
and the first generating unit is used for generating the alarm information aiming at the target website under the condition that the alarm condition is determined to be met.
8. A baseline data construction apparatus, comprising:
the data judgment unit is used for judging whether a webpage operation log contains index data in a baseline data set or not under the condition of acquiring the webpage operation log aiming at a target website;
a first determining unit, configured to determine that the web page operation log belongs to the baseline data when the web page operation log does not include the index data in the baseline data set;
a second determining unit, configured to determine, when the web page operation log includes index data in the baseline data set, that the index data included in the web page operation log in the baseline data set is target index data;
the range judging unit is used for judging whether the operation time in the webpage operation log is within a baseline time range corresponding to the target index data;
a third determining unit, configured to determine that the web page operation log belongs to the baseline data when the operation time in the web page operation log is within a baseline time range corresponding to the target index data;
a fourth determining unit, configured to determine that the web page operation log does not belong to the baseline data when an operation time in the web page operation log is not within a baseline time range corresponding to the target index data;
and the data writing unit is used for writing the webpage operation logs belonging to the baseline data into the baseline data set according to a preset writing mode.
9. An electronic device, comprising:
a processor; and
a memory having executable code stored thereon, which when executed by the processor, causes the processor to perform the method of any one of claims 1-6.
10. A non-transitory machine-readable storage medium having stored thereon executable code that, when executed by a processor of an electronic device, causes the processor to perform the method of any one of claims 1-6.
CN202211656344.9A 2022-12-22 2022-12-22 Webpage monitoring method and device and baseline data construction method and device Pending CN115967559A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211656344.9A CN115967559A (en) 2022-12-22 2022-12-22 Webpage monitoring method and device and baseline data construction method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202211656344.9A CN115967559A (en) 2022-12-22 2022-12-22 Webpage monitoring method and device and baseline data construction method and device

Publications (1)

Publication Number Publication Date
CN115967559A true CN115967559A (en) 2023-04-14

Family

ID=87352344

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211656344.9A Pending CN115967559A (en) 2022-12-22 2022-12-22 Webpage monitoring method and device and baseline data construction method and device

Country Status (1)

Country Link
CN (1) CN115967559A (en)

Similar Documents

Publication Publication Date Title
CN110992992B (en) Hard disk test method, device and storage medium
CN108205424B (en) Data migration method and device based on disk and electronic equipment
WO2018233630A1 (en) Fault discovery
CN107395650B (en) Method and device for identifying Trojan back connection based on sandbox detection file
CN108038039B (en) Method for recording log and micro-service system
CN112769775B (en) Threat information association analysis method, system, equipment and computer medium
CN109600272B (en) Crawler detection method and device
US8112398B1 (en) Methods, systems, and computer program products for selectively marking and retrieving data from an event log file
CN113301155B (en) Data routing method, device, equipment and storage medium
CN112818307A (en) User operation processing method, system, device and computer readable storage medium
CN113890762B (en) Method and system for detecting web crawler behaviors based on flow data
CN110134538B (en) Method, device, medium and electronic equipment for quickly positioning problem log
CN112860507A (en) Method and device for controlling sampling rate of distributed link tracking system
CN115967559A (en) Webpage monitoring method and device and baseline data construction method and device
CN111343132B (en) File transmission detection method and device and storage medium
CN111241547A (en) Detection method, device and system for unauthorized vulnerability
CN115630025A (en) System and method for monitoring file changes in a shared file system
CN106446687B (en) Malicious sample detection method and device
US11729246B2 (en) Apparatus and method for determining types of uniform resource locator
KR101999130B1 (en) System and method of detecting confidential information based on 2-tier for endpoint DLP
CN111914252A (en) File security detection method and device and electronic equipment
CN113961968B (en) Method and device for carrying out data desensitization interrupt post-processing on file
CN112118260B (en) OPCDA message processing method, device, electronic equipment and storage medium
CN112579553B (en) Method and apparatus for recording information
CN112380107B (en) Operation and maintenance system data acquisition system and method based on management information system

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination