CN116455640A - Website safety protection method and device - Google Patents

Website safety protection method and device Download PDF

Info

Publication number
CN116455640A
CN116455640A
Authority
CN
China
Prior art keywords
target
address
score
request
threat
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202310429656.4A
Other languages
Chinese (zh)
Inventor
张传社
欧怀谷
王枭卿
丁倩
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Yundun Smart Security Technology Co ltd
Original Assignee
Yundun Smart Security Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Yundun Smart Security Technology Co ltd
Priority to CN202310429656.4A
Publication of CN116455640A
Legal status: Pending

Classifications

    • H04L 63/0236: Network security (H04L 63/00); separating internal from external traffic, e.g. firewalls (63/02); filtering policies (63/0227); filtering by address, protocol, port number or service, e.g. IP address or URL
    • H04L 41/069: Maintenance, administration or management of data switching networks (H04L 41/00); management of faults, events, alarms or notifications (41/06); using logs of notifications; post-processing of notifications
    • H04L 61/4511: Network arrangements, protocols or services for addressing or naming (H04L 61/00); network directories, name-to-address mapping (61/45); using standardised directories or directory access protocols (61/4505); using the domain name system [DNS]
    • H04L 63/20: Network security (H04L 63/00); managing network security, network security policies in general
    • H04L 9/40: Cryptographic mechanisms or arrangements for secret or secure communications; network security protocols (H04L 9/00); network security protocols

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides a website security protection method and device. First, real-time request feature data corresponding to a target IP address is processed with a first threat-degree calculation model to obtain a first threat-degree score for the target IP address; when that score is greater than or equal to a first score threshold, protection processing is applied to the target IP address. Compared with the prior art, the embodiments not only allow protection to be aimed at specific IP addresses but also allow different protection strategies to be applied to a target IP address according to the result of its threat-degree evaluation, which helps to improve the efficiency and effect of security protection.

Description

Website safety protection method and device
Technical Field
The application relates to the technical field of the Internet, and in particular to a website security protection method and device.
Background
Many websites receive requests from different visitor IP addresses every day, and these requests may be normal or abnormal. To keep websites safe, more and more sites now use a cloud WAF service for their domain names. A WAF (Web Application Firewall) is a firewall for the Web layer; a cloud WAF is the cloud-delivered form of a Web application firewall, which lets a user protect a website without installing software or deploying hardware in their own network. It is mainly implemented by having the website owner hand over domain name resolution to the WAF provider using DNS, so that traffic for the domain is routed through the WAF before it reaches the site.
In the prior art, when a cloud WAF protects a website's domain name it mostly judges whether each individual Web request is normal; it does not evaluate the overall threat degree of a visitor IP address to the website and act on that evaluation, which limits the efficiency and effect of the protection to some extent.
Disclosure of Invention
In view of the above, one technical problem addressed by the embodiments of the present invention is to provide a website security protection method and device that overcome the shortcoming of prior-art website protection, which does not evaluate the overall threat degree of a visitor IP address and handle the address accordingly.
A first aspect of the embodiments of the present application discloses a website security protection method, the method including:
processing real-time request feature data corresponding to a target IP address with a first threat-degree calculation model to obtain a first threat-degree score corresponding to the target IP address, where the real-time request feature data at least characterizes the total number of Web requests sent to a target domain name within a first preset time range and the distribution of request method types among those requests;
and, when the first threat-degree score corresponding to the target IP address is greater than or equal to a first score threshold, performing protection processing on the target IP address.
A second aspect of the embodiments of the present application discloses a website security protection apparatus, the apparatus including:
a threat-degree calculation module, used to process the real-time request feature data corresponding to the target IP address with the first threat-degree calculation model to obtain the first threat-degree score corresponding to the target IP address, where the real-time request feature data at least characterizes the total number of Web requests sent to a target domain name within a first preset time range and the distribution of request method types among those requests;
and a protection module, used to perform protection processing on the target IP address when the first threat-degree score corresponding to the target IP address is greater than or equal to the first score threshold.
In the embodiments of the invention, real-time request feature data corresponding to a target IP address is first processed with a first threat-degree calculation model to obtain a first threat-degree score for the target IP address; when that score is greater than or equal to a first score threshold, protection processing is applied to the target IP address. Compared with the prior art, the embodiments not only allow protection to be aimed at specific IP addresses but also allow different protection strategies to be applied to a target IP address according to the result of its threat-degree evaluation, which helps to improve the efficiency and effect of security protection.
Drawings
To illustrate the technical solutions of the embodiments of the present application more clearly, the drawings needed for the embodiments are briefly described below. The drawings described here show only some embodiments of the present application; a person skilled in the art can obtain other drawings from them without creative effort.
FIG. 1 is a flowchart of a website security protection method disclosed in the first embodiment of the present application;
FIG. 2 is a flowchart of a website security protection method disclosed in the second embodiment of the present application;
FIG. 3 is a schematic block diagram of a website security protection apparatus disclosed in the third embodiment of the present application.
Detailed Description
The following description of the technical solutions in the embodiments of the present application will be made clearly and completely with reference to the drawings in the embodiments of the present application, and it is apparent that the described embodiments are only some embodiments of the present application, not all embodiments. All other embodiments, which can be made by one of ordinary skill in the art without undue burden from the present disclosure, are within the scope of the present disclosure.
It should be noted that the terms "first," "second," "third," and "fourth," etc. in the description and claims of the present application are used for distinguishing between different objects and not for describing a particular sequential order. The terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, apparatus, article, or device that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed or inherent to such process, method, article, or device.
Example 1
Fig. 1 is a schematic flowchart of the website security protection method disclosed in the first embodiment of the present application. The method includes:
Step S101: process the real-time request feature data corresponding to the target IP address with a first threat-degree calculation model to obtain a first threat-degree score corresponding to the target IP address.
In this embodiment, the real-time request feature data at least characterizes the total number of Web requests sent to the target domain name within the first preset time range and the distribution of request method types among them.
In this embodiment, the executing entity is a protection server, for example a server of the cloud WAF. The protection server can obtain the service log data of the websites corresponding to one or more target domain names and, by grouping (clustering) that log data by source IP address, obtain the real-time request feature data corresponding to one or more target IP addresses.
The target domain name is the domain name of a target website for which the protection server provides protection, and there may be one or more target domain names; the target IP address is the IP address of a client that sends Web requests to the target domain name, and there may likewise be one or more target IP addresses.
The service log data may consist of one or more service log records generated while protecting one or more target websites, each record describing the handling of one Web request. The records can be arranged in time order, so that once the first preset time range is determined, the real-time request feature data corresponding to the target IP address within that range can be obtained.
The timestamp used to order the service log records is not limited in this embodiment and can be chosen according to actual application requirements. For example, records may be ordered by the time the log record was written, or by the time processing of the Web request completed.
In this embodiment, the specific duration of the first preset time range and the type of program used to extract and store the real-time request feature data are not limited and may be chosen according to actual application requirements. For example, the service log data may be stored and processed with Kafka, and the first preset time range may be 2 minutes, 5 minutes or 10 minutes.
Optionally, to capture the features of the most recent Web requests from the target IP address, a rolling time window may be used to determine the first preset time range. Specifically, before step S101, this embodiment may further include: obtaining the real-time request feature data corresponding to the target IP address by statistics over a rolling time window.
Further, to avoid the service log records of Web requests that fall near a window boundary being split between rolling time windows and missed, it is preferable that the time ranges of adjacent rolling windows overlap.
For example, if the duration of the rolling window is set to 2 minutes and the overlap between adjacent windows is set to 1 minute, a service log record timestamped 13:31 is assigned both to the window 13:30-13:32 and to the window 13:31-13:33.
Further, based on analysis of large amounts of data, it is preferable that each rolling time window has a duration of at least 30 seconds.
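The overlapping-window assignment described above, as an added example that is not part of the patent: each constructed service-log record is placed into every rolling window that contains it (2-minute windows starting every minute, so adjacent windows overlap by 1 minute), and per (window, source IP) the total request count and request-method distribution are aggregated. The log format, the IP addresses and the window parameters are assumptions made for the example.

```python
"""Overlapping rolling-window feature extraction per source IP.

Added example (not from the patent): assigns each service-log record to every
rolling window that contains it and aggregates, per (window, IP), the total
number of requests and the request-method distribution.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=2)   # window duration (the text suggests >= 30 s)
STEP = timedelta(minutes=1)     # spacing of window starts; overlap = WINDOW - STEP
EPOCH = datetime(1970, 1, 1)    # grid origin so window starts fall on whole steps

# Constructed log lines for the example: "timestamp ip method path status".
SAMPLE_LOG = """\
2023-04-20T13:30:10 203.0.113.7 GET /index.html 200
2023-04-20T13:31:02 203.0.113.7 GET /.git/config 403
2023-04-20T13:31:05 203.0.113.7 TRACE / 405
2023-04-20T13:31:40 198.51.100.9 GET /app.js 200
2023-04-20T13:32:30 203.0.113.7 PUT /upload 403
2023-04-20T13:33:15 198.51.100.9 GET /style.css 200
"""


def parse_log(text):
    """Parse the constructed log format into records sorted by timestamp."""
    records = []
    for line in text.splitlines():
        ts, ip, method, path, status = line.split()
        records.append({"ts": datetime.fromisoformat(ts), "ip": ip,
                        "method": method, "path": path, "status": int(status)})
    return sorted(records, key=lambda r: r["ts"])


def window_starts(ts, window=WINDOW, step=STEP):
    """Start times of every window [start, start + window) that contains ts.

    Window starts lie on a grid spaced by `step`; with a 2-minute window and a
    1-minute step, a 13:31:02 record belongs to 13:30-13:32 and 13:31-13:33.
    """
    latest = ts - (ts - EPOCH) % step          # grid point at or before ts
    count = window // step                     # number of windows covering any instant
    return [latest - k * step for k in range(count)]


def aggregate(records, window=WINDOW, step=STEP):
    """Per (window start, IP): total requests and request-method Counter.

    Keys are (ISO window start to the minute, ip) so the result is plain data.
    """
    feats = defaultdict(lambda: {"total": 0, "methods": Counter()})
    for r in records:
        for start in window_starts(r["ts"], window, step):
            f = feats[(start.isoformat(timespec="minutes"), r["ip"])]
            f["total"] += 1
            f["methods"][r["method"]] += 1
    return dict(feats)


if __name__ == "__main__":
    for (start, ip), f in sorted(aggregate(parse_log(SAMPLE_LOG)).items()):
        print(start, ip, f["total"], dict(f["methods"]))
```

With these parameters the 13:31:02 and 13:31:05 records from 203.0.113.7 are counted in both the 13:30 and the 13:31 window, so a burst straddling a minute boundary is never seen only in fragments. The window count is `WINDOW // STEP`, so a larger overlap simply means more windows per record.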
In this embodiment, the first threat-degree calculation model is at least configured to compute the first threat-degree score from the total number of Web requests and the request method type distribution; that is, once the total number of Web requests sent by the target IP address to the target domain name within the first preset time range and their request method type distribution are known, the first threat-degree score for the target IP address can be computed with the model. The construction of the model and the calculation rule for the score are not limited and may be chosen according to actual application requirements.
In this embodiment, if within the first preset time range the total number of Web requests sent by a target IP address to one or more target domain names is excessive, and/or the number or proportion of abnormal request method types is relatively large (for example exceeds a set threshold) and clearly departs from normal behaviour, the threat degree of that IP address to the target domain names is higher, and the first threat-degree score computed by the model will correspondingly be higher.
How an abnormal request is determined is not limited and can be set according to actual application requirements. For example, among the Web requests sent by the target IP address to one or more target domain names, the request method may be GET, PUT, TRACE and so on. A request method whitelist may be preset: after the real-time request feature data for the target IP address is obtained, the number of its Web requests whose method is a normal method is determined from the whitelist, and every other Web request is judged abnormal. Alternatively a request method blacklist may be preset, and the number of Web requests using an abnormal method is determined from the blacklist.
Optionally, the real-time request feature data further characterizes at least one of the request resource type distribution, the user agent distribution and the response status code distribution of the Web requests sent to the target domain name within the first preset time range. Correspondingly, the first threat-degree calculation model computes the first threat-degree score from the total number of Web requests and the request method type distribution together with at least one of those distributions.
The request resource type may be determined from the resource suffix of a Web request; in practice, common suffixes include ".js", ".css", ".png", ".html", ".git", ".svn", ".sqlite_history" and ".flash_history". When the target IP address sends many Web requests with abnormal resource types to the target domain name within the first preset time range, its threat degree to the target domain name is higher and the first threat-degree score computed by the model is correspondingly higher.
How to judge whether the request resource type of a Web request is normal is not limited and may be chosen according to actual application requirements. For example, a resource type whitelist may be preset: when the request resource type of a Web request appears in the whitelist it is judged normal, otherwise abnormal. Alternatively a resource type blacklist may be preset: when the request resource type appears in the blacklist it is judged abnormal, otherwise normal.
If all Web requests sent by the target IP address within a short time are normal, the user agent of those requests will not change, or will change very little. Therefore, if within the first preset time range the number of distinct user agents in the Web requests sent by one target IP address to one or more target domain names is large (for example exceeds a set threshold) and clearly departs from normal behaviour, the threat degree of that IP address to the target domain names is higher and the first threat-degree score computed by the model is correspondingly higher. (As a practical caveat, an address shared by many clients, such as a NAT gateway or a proxy, legitimately shows more user agents than a single client, so the threshold should be set with such addresses in mind.)
In practice the response status code may be 1xx, 2xx, 3xx, 4xx, 5xx and so on. When Web requests with abnormal response status codes appear among the Web requests sent by the target IP address to the target domain name within the first preset time range, the threat degree of that IP address to the target domain name is higher and the first threat-degree score computed by the model is correspondingly higher.
How to judge whether the response status code of a Web request is normal is not limited and may be chosen according to actual application requirements. For example, a status code whitelist may be preset: when the response status code of a Web request appears in the whitelist it is judged normal, otherwise abnormal. Alternatively a status code blacklist may be preset: when the response status code appears in the blacklist it is judged abnormal, otherwise normal.
Step S102: when the first threat-degree score corresponding to the target IP address is greater than or equal to the first score threshold, perform protection processing on the target IP address.
In this embodiment, when the first threat-degree score corresponding to the target IP address is greater than or equal to the first score threshold, the access behaviour of the target IP address within the first preset time range is likely to be abnormal; that is, the threat of the target IP address to the target domain name is higher, so protection processing must be performed on it.
When the first threat-degree score corresponding to the target IP address is smaller than the first score threshold, the access behaviour of the target IP address within the first preset time range is likely to be normal, its threat degree to the target domain name is low or nil, and no protection processing is needed for the time being.
In this embodiment, the specific value of the first score threshold is not limited and may be chosen according to actual application requirements.
In this embodiment, the method of protection processing applied to the target IP address is not limited and may be chosen according to actual application requirements. For example, a verification interaction may be required, such as an image or slider challenge, or the target IP address may be blocked outright. Further, several score intervals may be defined, and the protection processing applied to the target IP address may differ depending on which interval the first threat-degree score falls into.
As the above shows, in the embodiments of the present invention, real-time request feature data corresponding to a target IP address is first processed with a first threat-degree calculation model to obtain a first threat-degree score for the target IP address; when that score is greater than or equal to a first score threshold, protection processing is applied to the target IP address. Compared with the prior art, the embodiments not only allow protection to be aimed at specific IP addresses but also allow different protection strategies to be applied to a target IP address according to the result of its threat-degree evaluation, which helps to improve the efficiency and effect of security protection.
Example 2
Fig. 2 is a schematic flowchart of the website security protection method disclosed in the second embodiment of the present application. The method includes:
Step S201: process the real-time request feature data corresponding to the target IP address with a first threat-degree calculation model to obtain a first threat-degree score corresponding to the target IP address.
In this embodiment, step S201 is substantially the same as or similar to step S101 in the first embodiment and is not described again here.
Step S202: when the first threat-degree score corresponding to the target IP address is greater than or equal to the first score threshold, process the historical request feature data corresponding to the target IP address with a second threat-degree calculation model to obtain a second threat-degree score corresponding to the target IP address.
In this embodiment, the second threat-degree calculation model computes the second threat-degree score from the historical request feature data; the construction of the model and the calculation rule for the second score are not limited and may be chosen according to actual application requirements. Note that the second and first threat-degree calculation models are two different models: they not only take different source data but also process that data in different ways.
In this embodiment, the historical request feature data at least characterizes the total number of Web requests sent to the target domain name within a second preset time range and the distribution of request method types among them.
The second preset time range lies earlier in time than the first preset time range. Its duration is not limited and may be chosen according to actual application requirements, for example 12 hours, 24 hours or 48 hours.
Optionally, to avoid mistakenly protecting against a target IP address that has shown no abnormal behaviour, it may be preferable that when the Web requests sent by the target IP address satisfy a preset normal-behaviour judgment condition, the second threat-degree score for the target IP address is 0. When the second threat-degree score is 0, the third threat-degree score (obtained in step S203) of the target IP address is correspondingly lower.
The normal-behaviour judgment condition is not limited and may be chosen according to actual application requirements. For example, if all, or more than 99%, of the request methods in the Web requests sent by the target IP address are judged to be normal request methods, the historical requests of the target IP address may be considered normal and the corresponding second threat-degree score is 0.
Optionally, the historical request feature data further characterizes the request resource type distribution, response status code distribution, user agent distribution and number of intercepted requests among the Web requests sent to the target domain name within the second preset time range. The preset normal-behaviour judgment condition then includes at least one of the following:
among the Web requests sent by the target IP address, the proportion whose request method is a normal request method is greater than or equal to a first proportion threshold;
among the Web requests sent by the target IP address, the proportion whose request resource type is a normal resource type is greater than or equal to a second proportion threshold;
among the Web requests sent by the target IP address, the proportion whose response status code is a normal response status code is greater than or equal to a third proportion threshold;
the number of distinct user agents across all Web requests sent by the target IP address is smaller than or equal to a first count threshold;
among the Web requests sent by the target IP address, the number of intercepted Web requests is smaller than or equal to a second count threshold.
When, among the Web requests sent by the target IP address within the second preset time range, the proportion using a normal request method is greater than or equal to the first proportion threshold, all or most of those requests are normal and the historical behaviour of the target IP address poses little threat to the target domain name.
When, among the Web requests sent by the target IP address within the second preset time range, the proportion whose request resource type is normal is greater than or equal to the second proportion threshold, all or most of those requests are normal and the historical behaviour of the target IP address poses little threat to the target domain name.
When, among the Web requests sent by the target IP address within the second preset time range, the proportion whose response status code is normal is greater than or equal to the third proportion threshold, all or most of those requests are normal and the historical behaviour of the target IP address poses little threat to the target domain name.
When the number of distinct user agents across all Web requests sent by the target IP address within the second preset time range is smaller than or equal to the first count threshold, all or most of those requests are normal and the historical behaviour of the target IP address poses little threat to the target domain name.
The protection server intercepts Web requests judged abnormal and records the interception parameters in the service log data, so whether the historical behaviour of the target IP address is normal can also be judged from how many of its Web requests within the second preset time range were intercepted. When that number is smaller than or equal to the second count threshold, all or most of the requests sent by the target IP address are normal and its historical behaviour poses little threat to the target domain name.
The value ranges of the first proportion threshold, second proportion threshold, third proportion threshold, first count threshold and second count threshold are not limited and may be chosen according to actual application requirements.
Further, to make the historical-behaviour judgment of the target IP address more accurate, it may be preferable that the preset normal-behaviour judgment condition includes all of the above conditions; that is, the historical request feature data at least characterizes the total number of Web requests, request method type distribution, request resource type distribution, response status code distribution, user agent distribution and number of intercepted requests sent to the target domain name within the second preset time range.
Optionally, considering that when the first threat score is higher, it indicates that the threat level of the target IP address to the target domain name is already high, a protective measure may be directly taken on the target IP address, that is, the embodiment may further include: and when the first threat degree score corresponding to the target IP address is greater than or equal to the fourth score threshold, protecting the target IP address. The specific value of the fourth score threshold is not limited, and the value of the fourth score threshold can be reasonably selected according to actual application requirements and is only required to be larger than that of the first score threshold.
Correspondingly, step S202 may include: when the first threat degree score corresponding to the target IP address is greater than or equal to the first score threshold and smaller than the fourth score threshold, the historical request characteristic data corresponding to the target IP address is processed by using the second threat degree calculation model, and a second threat degree score corresponding to the target IP address is obtained.
Step S203: obtain a third threat score from the second threat score and the first threat score.
In this embodiment, the way the third threat score is obtained from the second and first threat scores is not limited and may be chosen according to the requirements of the actual application. For example, the second and first threat scores may be summed directly to obtain the third threat score; alternatively, weight coefficients may be preset for the second and first threat scores, and after the two scores are calculated each is multiplied by its weight coefficient and the products are summed to obtain the third threat score.
Step S204: when the third threat score is greater than or equal to the second score threshold, perform protection processing on the target IP address.
In this embodiment, the value of the second score threshold is not limited and may be chosen according to the requirements of the actual application; for example, it may be the same as or different from the first score threshold.
Optionally, to reduce the complexity of setting the values, the second score threshold is preferably the same as the first score threshold.
Optionally, since different target IP addresses pose different degrees of threat to the target website, different protection policies may be applied to target IP addresses with different threat degrees so as to improve the user's access experience; step S204 may then include one of sub-step A and sub-step B:
Sub-step A: when the third threat score is greater than or equal to the second score threshold and less than a third score threshold, trigger the target IP address to perform a user-imperceptible verification operation.
The third score threshold is larger than the second score threshold; its specific value is not limited and can be chosen according to the requirements of the actual application.
A user-imperceptible verification operation is one whose verification process runs in the background without any manual action by the user; its specific form is not limited and can be chosen according to the requirements of the actual application. For example, the user-imperceptible verification may be fingerprint verification and/or one-time instruction verification.
Further, since most mainstream browsers support JS syntax, JS code is preferably used to perform the user-imperceptible verification operation so as to widen the applicability of the method. The JS code data can be delivered to the target IP address in advance, and when the third threat score is determined to be greater than or equal to the second score threshold and less than the third score threshold, the JS code data at the target IP address can be triggered to perform the user-imperceptible verification operation.
Sub-step B: when the third threat score is greater than or equal to the third score threshold, trigger the target IP address to perform a user-perceptible verification operation.
A user-perceptible verification operation is one whose verification process requires manual action by the user; its specific form is not limited and can be chosen according to the requirements of the actual application. For example, the user may be required to complete a verification interaction in the form of a picture and/or a slider.
Further, to improve the accuracy of identifying an unfriendly target IP address, sub-step B may in particular further include: when the third threat score is greater than or equal to the third score threshold, triggering the target IP address to perform both the user-perceptible verification operation and the user-imperceptible verification operation.
As can be seen from the above, in the embodiments of the present invention, not only is the first threat degree calculation model used to process the real-time request feature data corresponding to the target IP address to obtain a first threat score for the target IP address, but the second threat degree calculation model is also used to process the historical request feature data corresponding to the target IP address to obtain a second threat score, a third threat score is obtained from the second and first threat scores, and the protection policy for the target IP address is finally determined from the third threat score. Compared with the first embodiment, both the real-time and the historical request feature data corresponding to the target IP address are considered, so the threat degree of the target IP address to the target domain name can be judged more accurately.
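The second-stage scoring and the tiered protection decision of steps S202 to S204, including the normal-behavior short-circuit to a zero second score and the fourth-score-threshold shortcut, as an added Python example that is not part of the patent. The threshold values, the sets of "normal" methods, resource types and status codes, the second model's scoring formula, the weights, the policy names and the sample log records are all assumptions made for this example.

```python
from dataclasses import dataclass

NORMAL_METHODS = {"GET", "POST", "HEAD"}  # assumed "normal" values; the patent leaves these to the operator
NORMAL_RESOURCE_TYPES = {"html", "css", "js", "png", "jpg"}
NORMAL_STATUS = range(200, 400)  # 2xx and 3xx responses

@dataclass(frozen=True)
class Thresholds:
    """Assumed threshold values; T3 > T2 and T4 > T1, as the text requires."""
    first_score: float = 40.0    # T1: enter second-stage scoring
    second_score: float = 40.0   # T2: equal to T1, the simplification the text suggests
    third_score: float = 70.0    # T3: imperceptible -> perceptible verification
    fourth_score: float = 90.0   # T4: protect on the first score alone
    normal_ratio: float = 0.9    # first, second and third proportion thresholds (set equal)
    max_user_agents: int = 3     # first number threshold
    max_intercepted: int = 5     # second number threshold

@dataclass(frozen=True)
class LogRecord:
    """One guard-server log entry for the target IP (constructed for this example)."""
    method: str
    resource_type: str
    status: int
    user_agent: str
    intercepted: bool

@dataclass(frozen=True)
class HistoryFeatures:
    """Historical request feature data over the second preset time range."""
    total: int
    normal_method_ratio: float
    normal_resource_ratio: float
    normal_status_ratio: float
    user_agent_count: int
    intercepted_count: int

    def min_normal_ratio(self) -> float:
        return min(self.normal_method_ratio, self.normal_resource_ratio, self.normal_status_ratio)

def extract_history(records: list[LogRecord]) -> HistoryFeatures:
    n = len(records)
    if n == 0:  # no history at all: nothing abnormal to report
        return HistoryFeatures(0, 1.0, 1.0, 1.0, 0, 0)
    return HistoryFeatures(
        total=n,
        normal_method_ratio=sum(r.method in NORMAL_METHODS for r in records) / n,
        normal_resource_ratio=sum(r.resource_type in NORMAL_RESOURCE_TYPES for r in records) / n,
        normal_status_ratio=sum(r.status in NORMAL_STATUS for r in records) / n,
        user_agent_count=len({r.user_agent for r in records}),
        intercepted_count=sum(r.intercepted for r in records),
    )

def is_normal_behavior(h: HistoryFeatures, t: Thresholds) -> bool:
    """Preset normal-behavior condition, requiring all five sub-conditions (the stricter variant)."""
    return (h.min_normal_ratio() >= t.normal_ratio
            and h.user_agent_count <= t.max_user_agents
            and h.intercepted_count <= t.max_intercepted)

def second_threat_score(h: HistoryFeatures, t: Thresholds) -> float:
    """Second model: the zero short-circuit is from the text; the 0..100 formula is assumed."""
    if is_normal_behavior(h, t):
        return 0.0
    return min(100.0, 100.0 * max(1.0 - h.min_normal_ratio(), h.intercepted_count / max(1, h.total)))

def third_threat_score(first: float, second: float, w_first: float = 0.6, w_second: float = 0.4) -> float:
    """Weighted-sum variant of step S203 (weights assumed)."""
    return w_first * first + w_second * second

def protection_decision(first: float, history: list[LogRecord], t: Thresholds = Thresholds()) -> str:
    """Steps S202 to S204 plus the fourth-threshold shortcut; returns the chosen policy."""
    if first < t.first_score:
        return "allow"
    if first >= t.fourth_score:
        return "protect"  # the first score alone is conclusive
    third = third_threat_score(first, second_threat_score(extract_history(history), t))
    if third < t.second_score:
        return "allow"
    if third < t.third_score:
        return "imperceptible-verification"  # sub-step A, e.g. a JS-based background check
    return "perceptible-verification"  # sub-step B, e.g. a picture or slider challenge

# Constructed sample histories: a browser-like session and a scanner-like one.
BENIGN = [LogRecord("GET", "html", 200, "ua-a", False)] * 20 + [LogRecord("GET", "css", 200, "ua-a", False)] * 10
SCANNER = [LogRecord("GET", "php", 404, f"ua-{i % 6}", i % 3 == 0) for i in range(30)]
```

With these assumptions the same first score of 55 yields "allow" for the browser-like history and "perceptible-verification" for the scanner-like one, which is the point of combining real-time and historical features.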
Embodiment III
Embodiment III of the present application provides a website security protection device, and FIG. 3 is a schematic structural diagram of the website security protection device disclosed in Embodiment III; the device includes:
a threat degree calculation module, configured to process the real-time request feature data corresponding to the target IP address with the first threat degree calculation model to obtain a first threat score corresponding to the target IP address, where the real-time request feature data is at least used to characterize the total number of Web requests and the request method type distribution of the Web requests sent to the target domain name within a first preset time range;
and a protection module, configured to perform protection processing on the target IP address when the first threat score corresponding to the target IP address is greater than or equal to the first score threshold.
Optionally, the protection module includes a score calculation unit and a protection processing unit. The score calculation unit is configured to process the historical request feature data corresponding to the target IP address with a second threat degree calculation model to obtain a second threat score corresponding to the target IP address, where the historical request feature data is at least used to characterize the total number of Web requests and the request method type distribution of the Web requests sent to the target domain name within a second preset time range, and to obtain a third threat score from the second threat score and the first threat score;
and the protection processing unit is configured to perform protection processing on the target IP address when the third threat score is greater than or equal to the second score threshold.
Optionally, the score calculation unit is further configured to set the second threat score corresponding to the target IP address to 0 when the Web requests sent by the target IP address meet a preset normal behavior judgment condition.
Optionally, the historical request feature data is further used to characterize the request resource type distribution, response status code distribution, user agent distribution and number of interceptions corresponding to the Web requests sent to the target domain name within the second preset time range; the preset normal behavior judgment condition includes at least one of the following conditions:
among the Web requests sent by the target IP address, the proportion of Web requests whose request method is a normal request method is greater than or equal to a first proportion threshold;
among the Web requests sent by the target IP address, the proportion of Web requests whose request resource type is a normal resource type is greater than or equal to a second proportion threshold;
among the Web requests sent by the target IP address, the proportion of Web requests whose response status code is a normal response status code is greater than or equal to a third proportion threshold;
the number of user agents corresponding to all the Web requests sent by the target IP address is less than or equal to a first number threshold;
and among the Web requests sent by the target IP address, the number of intercepted Web requests is less than or equal to a second number threshold.
Optionally, the protection processing unit is further configured to trigger the target IP address to perform a user-imperceptible verification operation when the third threat score is greater than or equal to the second score threshold and less than the third score threshold;
and to trigger the target IP address to perform a user-perceptible verification operation when the third threat score is greater than or equal to the third score threshold.
Optionally, the protection processing unit is further configured to trigger the target IP address to perform both a user-perceptible verification operation and a user-imperceptible verification operation when the third threat score is greater than or equal to the third score threshold.
Optionally, the score calculation unit is further configured to process the historical request feature data corresponding to the target IP address with the second threat degree calculation model when the first threat score corresponding to the target IP address is greater than or equal to the first score threshold and less than the fourth score threshold, so as to obtain the second threat score corresponding to the target IP address.
Optionally, the real-time request feature data is further used to characterize at least one of the request resource type distribution, user agent distribution and response status code distribution corresponding to the Web requests sent to the target domain name within the first preset time range.
Optionally, the device further includes an extraction module configured to obtain the real-time request feature data corresponding to the target IP address by means of rolling time window statistics, where the time ranges of adjacent rolling time windows overlap.
The website security protection device of this embodiment can implement the website security protection method of the corresponding method embodiments and has the beneficial effects of those embodiments, which are not repeated here.
Thus far, specific embodiments of the present application have been described. Other embodiments are within the scope of the following claims. In some cases, the actions recited in the claims can be performed in a different order and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing may be advantageous.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods according to embodiments of the application. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article or apparatus that comprises an element.
It will be apparent to those skilled in the art that embodiments of the present application may be provided as methods or apparatus. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer storage media (including, but not limited to, magnetic disk storage, CD-ROM, optical storage, etc.) having computer-usable program code embodied therein.
In this specification, each embodiment is described in a progressive manner; for identical or similar parts the embodiments refer to one another, and each embodiment mainly describes its differences from the others. In particular, since the device embodiments are substantially similar to the method embodiments, their description is relatively brief, and reference is made to the description of the method embodiments for the relevant parts.
The foregoing is merely exemplary of the present application and is not intended to limit the present application. Various modifications and changes may be made to the present application by those skilled in the art. Any modifications, equivalent substitutions, improvements, etc. which are within the spirit and principles of the present application are intended to be included within the scope of the claims of the present application.

Claims (10)

1. A method for protecting website security, the method comprising:
processing real-time request feature data corresponding to a target IP address by using a first threat degree calculation model to obtain a first threat score corresponding to the target IP address; the real-time request feature data is at least used to characterize the total number of Web requests and the request method type distribution of the Web requests sent to a target domain name within a first preset time range;
and when the first threat score corresponding to the target IP address is greater than or equal to a first score threshold, performing protection processing on the target IP address.
2. The method of claim 1, wherein performing protection processing on the target IP address when the first threat score corresponding to the target IP address is greater than or equal to a first score threshold comprises:
processing historical request feature data corresponding to the target IP address by using a second threat degree calculation model to obtain a second threat score corresponding to the target IP address; the historical request feature data is at least used to characterize the total number of Web requests and the request method type distribution of the Web requests sent to the target domain name within a second preset time range;
obtaining a third threat score according to the second threat score and the first threat score;
and when the third threat degree score is greater than or equal to a second score threshold, performing protection processing on the target IP address.
3. The method of claim 2, wherein processing the historical request feature data corresponding to the target IP address using a second threat degree calculation model to obtain a second threat score corresponding to the target IP address comprises:
when the Web requests sent by the target IP address meet a preset normal behavior judgment condition, setting the second threat score corresponding to the target IP address to 0.
4. The method of claim 3, wherein the historical request feature data is further used to characterize a request resource type distribution, a response status code distribution, a user agent distribution and a number of interceptions corresponding to the Web requests sent to the target domain name within the second preset time range; the preset normal behavior judgment condition comprises at least one of the following conditions:
among the Web requests sent by the target IP address, the proportion of Web requests whose request method is a normal request method is greater than or equal to a first proportion threshold;
among the Web requests sent by the target IP address, the proportion of Web requests whose request resource type is a normal resource type is greater than or equal to a second proportion threshold;
among the Web requests sent by the target IP address, the proportion of Web requests whose response status code is a normal response status code is greater than or equal to a third proportion threshold;
the number of user agents corresponding to all the Web requests sent by the target IP address is less than or equal to a first number threshold;
and among the Web requests sent by the target IP address, the number of intercepted Web requests is less than or equal to a second number threshold.
5. The method of claim 2, wherein performing protection processing on the target IP address when the third threat score is greater than or equal to a second score threshold comprises:
when the third threat score is greater than or equal to the second score threshold and less than a third score threshold, triggering the target IP address to perform a user-imperceptible verification operation;
and when the third threat score is greater than or equal to the third score threshold, triggering the target IP address to perform a user-perceptible verification operation.
6. The method of claim 5, wherein triggering the target IP address to perform a user-perceptible verification operation when the third threat score is greater than or equal to the third score threshold comprises:
when the third threat score is greater than or equal to the third score threshold, triggering the target IP address to perform both the user-perceptible verification operation and the user-imperceptible verification operation.
7. The method of claim 2, wherein processing the historical request feature data corresponding to the target IP address using a second threat degree calculation model to obtain a second threat score corresponding to the target IP address comprises:
when the first threat score corresponding to the target IP address is greater than or equal to the first score threshold and less than a fourth score threshold, processing the historical request feature data corresponding to the target IP address by using the second threat degree calculation model to obtain the second threat score corresponding to the target IP address.
8. The method of claim 1, wherein the real-time request feature data is further used to characterize at least one of a request resource type distribution, a user agent distribution, and a response status code distribution corresponding to Web requests sent to the target domain name within a first preset time range.
9. The method according to claim 1, wherein the method further comprises:
acquiring the real-time request feature data corresponding to the target IP address by means of rolling time window statistics, wherein the time ranges of adjacent rolling time windows overlap.
10. A website security apparatus, the apparatus comprising:
a threat degree calculation module, configured to process real-time request feature data corresponding to a target IP address by using a first threat degree calculation model to obtain a first threat score corresponding to the target IP address; the real-time request feature data is at least used to characterize the total number of Web requests and the request method type distribution of the Web requests sent to a target domain name within a first preset time range;
and the protection module is used for carrying out protection processing on the target IP address when the first threat degree score corresponding to the target IP address is greater than or equal to a first score threshold value.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310429656.4A CN116455640A (en) 2023-04-20 2023-04-20 Website safety protection method and device

Publications (1)

Publication Number Publication Date
CN116455640A true CN116455640A (en) 2023-07-18

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination