CN117421506A - Website data monitoring method and device, electronic equipment and storage medium - Google Patents
Website data monitoring method and device, electronic equipment and storage medium
- Publication number
- CN117421506A (CN202310849441.8A)
- Authority
- CN
- China
- Prior art keywords
- target
- website
- period
- access
- target website
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
- G06F16/90—Details of database functions independent of the retrieved data types
- G06F16/95—Retrieval from the web
- G06F16/958—Organisation or management of web site content, e.g. publishing, maintaining pages or automatic linking
- G06F16/986—Document structures and storage, e.g. HTML extensions
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Databases & Information Systems (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Computer Security & Cryptography (AREA)
- Software Systems (AREA)
- Data Mining & Analysis (AREA)
- Computer Hardware Design (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The disclosure provides a website data monitoring method and device, an electronic device and a storage medium. The method comprises the following steps: acquiring text information of a target website, wherein the text information indicates the display content of the target website in a monitoring period; performing a similarity comparison between the text information and preset reference information to obtain a first comparison result, wherein the reference information indicates the preset content of the target website; and generating warning information when the first comparison result indicates that the target website is at risk of content tampering. Comparing the text information of the target website with its preset content identifies whether the display content of the target website has been tampered with in the monitoring period; when a tampering risk is identified, warning information is generated to remind the website operator to counter the malicious attack from the external network, which effectively improves the target website's ability to identify malicious attacks from external networks.
Description
Technical Field
The disclosure relates to the technical field of computers, in particular to a website data monitoring method, a website data monitoring device, electronic equipment and a storage medium.
Background
As networks evolve, more and more users engage in website operation; for example, niche hobby groups or associations may operate related websites to attract users with the same interests or hobbies to join and communicate.
In practice, the niche websites operated by such groups or associations have weak protection and cannot effectively identify malicious attacks from external networks. Website operators usually identify attacks manually, which introduces a lag, so malicious attacks from external networks cannot be discovered in time.
Disclosure of Invention
Embodiments of the present disclosure aim to provide a website data monitoring method, apparatus, electronic device and storage medium that solve the technical problem in the related art that niche websites are poor at recognizing malicious attacks from external networks.
In a first aspect, an embodiment of the present disclosure provides a website data monitoring method, where the method includes:
acquiring text information of a target website, wherein the text information is used for indicating display content of the target website in a monitoring period;
performing a similarity comparison between the text information and preset reference information to obtain a first comparison result, wherein the reference information is used for indicating preset content of the target website;
and generating warning information under the condition that the first comparison result indicates that the target website has content tampering risk.
In one embodiment, the method is applied to a first device, the target website is deployed on a second device, and the first device is not connected to the Internet;
the acquiring of the text information of the target website comprises:
receiving, by the first device, the text information transmitted by the second device when the second device is disconnected from the Internet.
In one embodiment, performing the similarity comparison between the text information and the preset reference information to obtain the first comparison result includes:
filtering the text information to obtain target data, wherein the target data is used for indicating the display content of target elements in the monitoring period, and the target elements are the page elements used for human-computer interaction in the target website;
and performing a similarity comparison between the target data and the part of the reference information that corresponds to those page elements to obtain the first comparison result.
In one embodiment, before the obtaining the text information of the target website, the method further includes:
acquiring historical access data of the target website, wherein the historical access data is used for indicating the access amount of the target website in a historical period;
analyzing the historical access data, and determining a target period, wherein the target period is a period with the minimum corresponding access amount in the historical period;
and updating the monitoring period according to the target period.
In one embodiment, after the obtaining the historical access data of the target website, the method further includes:
determining a reference access amount of each period in the current monitoring period according to the historical access data;
determining an abnormal time period according to the reference access amount of each time period in the current monitoring period, wherein the abnormal time period is a time period in which the actual access amount is larger than the reference access amount in the current monitoring period;
and analyzing the access data generated in the abnormal time period to obtain an analysis result, wherein the analysis result is used for indicating whether the target website encounters DDOS attack or not.
In one embodiment, analyzing the plurality of access data generated in the abnormal period to obtain an analysis result includes:
clustering the plurality of access data generated in the abnormal time period based on the access address corresponding to each access datum to obtain at least one cluster;
generating an analysis result indicating that the target website has encountered a DDOS attack when a target cluster exists in the at least one cluster, wherein the target cluster is a cluster whose number of elements is greater than a preset threshold;
the method further comprises:
blocking the access address indicated by the target cluster.
In one embodiment, analyzing the plurality of access data generated in the abnormal period to obtain an analysis result includes:
performing a similarity comparison of the plurality of access data generated in the abnormal time period based on the access behavior corresponding to each access datum to obtain a second comparison result;
generating the analysis result indicating that the target website has encountered a DDOS attack when the second comparison result indicates that the access behaviors of the plurality of access data generated in the abnormal period are identical or similar;
the method further comprises:
outputting warning information.
In a second aspect, an embodiment of the present disclosure further provides a website data monitoring apparatus, including:
an acquisition module, configured to acquire text information of a target website, wherein the text information is used for indicating display content of the target website in a monitoring period;
a comparison module, configured to perform a similarity comparison between the text information and preset reference information to obtain a first comparison result, wherein the reference information is used for indicating preset content of the target website;
a generation module, configured to generate warning information when the first comparison result indicates that the target website is at risk of content tampering.
In a third aspect, an embodiment of the present disclosure further provides an electronic device, including a processor, a memory, and a computer program stored on the memory and executable on the processor, where the computer program when executed by the processor implements the steps of the website data monitoring method described above.
In a fourth aspect, the embodiments of the present disclosure further provide a computer readable storage medium having a computer program stored thereon, the computer program implementing the steps of the website data monitoring method described above when executed by a processor.
In the embodiments of the present disclosure, text information of the target website is acquired and compared for similarity with the preset content of the target website, which identifies whether the display content of the target website has been tampered with in the monitoring period. When a content tampering risk is identified, warning information is generated to remind the website operator to counter the malicious attack from the external network, which effectively improves the target website's ability to identify malicious attacks from external networks and reduces the losses the target website incurs while defending against them.
Drawings
Fig. 1 is a flow chart of a website data monitoring method according to an embodiment of the present disclosure;
Fig. 2 is a schematic structural diagram of a website operation system according to an embodiment of the present disclosure;
Fig. 3 is a schematic structural diagram of a website data monitoring device according to an embodiment of the present disclosure;
Fig. 4 is a schematic structural diagram of an electronic device according to an embodiment of the disclosure.
Detailed Description
The following description of the technical solutions in the embodiments of the present disclosure will be made clearly and completely with reference to the accompanying drawings in the embodiments of the present disclosure, and it is apparent that the described embodiments are some embodiments of the present disclosure, but not all embodiments. All other embodiments, which can be made by one of ordinary skill in the art without inventive effort, based on the embodiments in this disclosure are intended to be within the scope of this disclosure.
Referring to Fig. 1, which is a flowchart of a website data monitoring method provided in an embodiment of the present disclosure, the method includes the following steps:
Step 101, acquiring text information of a target website.
The text information is used for indicating the display content of the target website in the monitoring period.
In the present disclosure, a target website may be understood as a niche website, that is, a website for which the maximum number of visits, or the maximum visit frequency, that it can receive in a single day is lower than a first preset threshold; for example, the first preset threshold may be 500, 1000, 2000, etc.
The text information may be the set of display text corresponding to at least some of the page elements of the target website in the monitoring period. Note that in this disclosure the display content or display text is specifically content or text that can be displayed on the target website, for example: category data of the website home page, drop-down box data of a website sub-page (a sub-page can be reached by clicking a preset button on the home page), and the like.
Step 102, performing a similarity comparison between the text information and preset reference information to obtain a first comparison result.
The reference information is used for indicating preset contents of the target website.
In some embodiments, a preset neural network algorithm can be applied to extract features from the text information, and the extracted features are compared with the features corresponding to the reference information to obtain a feature comparison result;
for example, the feature comparison result may be normalized to the range 0 to 1, where 0 indicates that the text information and the reference information are completely different and 1 indicates that they are completely the same;
note that the feature comparison method in this example suits a niche website whose content is updated frequently. A feature threshold may be set in the application: when the feature comparison result is greater than the feature threshold, a first comparison result indicating that the text information and the reference information are the same (i.e. the target website is not at risk of content tampering) is generated; when the feature comparison result is smaller than the feature threshold, a first comparison result indicating that the text information and the reference information are different (i.e. the target website is at risk of content tampering) is generated.
In other embodiments, at least one first keyword included in the text information may be obtained and compared for similarity with a plurality of second keywords corresponding to the reference information to obtain the first comparison result;
for example, when the number of first keywords differs from the number of second keywords, a first comparison result indicating that the text information and the reference information are different is generated;
when the number of first keywords is the same as the number of second keywords but the contents of the first keywords do not match the contents of the second keywords, a first comparison result indicating that the text information and the reference information are different is generated;
when the number of first keywords is the same as the number of second keywords and the contents of the first keywords match the contents of the second keywords, a first comparison result indicating that the text information and the reference information are the same is generated;
for example: when the at least one first keyword includes "web site link 1" and "text display 1", and the plurality of second keywords include "web site link 1" and "text display 1", the contents of the first keywords and the contents of the second keywords can be considered to match;
when the at least one first keyword includes "web site link 1" and "text display 1", and the plurality of second keywords include "web site link 1" and "text display 2", the contents of the first keywords and the contents of the second keywords can be considered not to match.
Note that the keyword comparison method in this example suits a small website whose content is updated infrequently.
Step 103, generating warning information when the first comparison result indicates that the target website is at risk of content tampering.
In the embodiments of the present disclosure, text information of the target website is acquired and compared for similarity with the preset content of the target website, which identifies whether the display content of the target website has been tampered with in the monitoring period. When a content tampering risk is identified, warning information is generated to remind the website operator to counter the malicious attack from the external network, which effectively improves the target website's ability to identify malicious attacks from external networks and reduces the losses the target website incurs while defending against them.
In one embodiment, the method is applied to a first device, the target website is deployed on a second device, and the first device is not connected to the Internet;
the acquiring of the text information of the target website comprises:
receiving, by the first device, the text information transmitted by the second device when the second device is disconnected from the Internet.
In this embodiment, the method of the disclosure is applied to the first device, which is not connected to the Internet, while the target website is deployed on the second device. When the second device is disconnected from the Internet, the first device communicates with the second device and receives the text information it transmits. This physical isolation protects the reference information stored on the first device and further improves the target website's ability to identify malicious attacks from external networks.
For example, the first device and the second device may be placed at the same location. Outside the monitoring period, the second device is connected to the Internet and is not connected to the first device, which sits in an independent local area network. In the monitoring period, a timer program preset in the second device starts; it disconnects the second device from the Internet and then establishes a connection with the first device to support the subsequent transmission of text information.
Compared with deploying the target website and the reference information on the same device, deploying them on different devices and isolating the device that stores the reference information from the Internet effectively prevents the reference information from being polluted by an external attack. This keeps the reference information reliable, and therefore keeps the subsequent similarity comparison reliable.
As shown in Fig. 2 (where N is a positive integer), in one example there may be two or more second devices and multiple target websites. Each second device may deploy at least one target website, and the target websites deployed on different second devices are different. The two or more second devices connect to the first device when they are disconnected from the Internet; that is, the first device is an external core machine for the two or more second devices. While guaranteeing the data security of the reference information of each target website, functions that place higher demands on device performance, such as website data monitoring, can be deployed on the first device side, and the second device side only provides basic functions with lower performance demands, such as website deployment (the higher the performance demands on a device, the higher its cost, and vice versa). This builds a low-cost, high-security website operation system and reduces its deployment cost while guaranteeing the data security of each target website;
for example: second-hand equipment can be used as the second device in the present disclosure, and new, higher-performance equipment can be purchased for use as the first device, which reduces the deployment cost of the website operation system.
In one embodiment, performing the similarity comparison between the text information and the preset reference information to obtain the first comparison result includes:
filtering the text information to obtain target data, wherein the target data is used for indicating the display content of target elements in the monitoring period, and the target elements are the page elements used for human-computer interaction in the target website;
and performing a similarity comparison between the target data and the part of the reference information that corresponds to those page elements to obtain the first comparison result.
In this embodiment, filtering the text information reduces the amount of data to be compared for the target website. This lowers the system overhead, and therefore the energy consumption, of the first device when it performs the similarity comparison for the target website, and improves the efficiency of that comparison.
The text information includes a plurality of key-value pairs, each of which indicates a page element of the target website and the content of that element. After the text information is obtained, the key-value pairs corresponding to target elements are kept and the key-value pairs of non-target elements are filtered out, which completes the filtering of the text information.
Illustratively, the target element includes at least one of: hyperlink elements, page title elements, button elements, drop-down box elements, form elements, image address elements.
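The filtering and comparison described above, together with the count-then-content rule of the keyword method, can be sketched as follows. This is an added example, not code from the patent: the HTML pages, the key naming scheme (`a.href[0]` and so on) and all function names are assumptions made for illustration.

```python
from html.parser import HTMLParser

# Constructed sample pages (not from the patent). REFERENCE_HTML plays the role
# of the preset content held as reference information on the first device.
REFERENCE_HTML = """<html><head><title>Chess Club</title></head><body>
<p>Next meeting: Friday.</p>
<a href="/join">Join us</a>
<form action="/login" method="post"><button>Sign in</button></form>
<img src="/static/logo.png">
</body></html>"""

# Only body copy changed: an ordinary content update outside the target elements.
EDITED_HTML = REFERENCE_HTML.replace("Friday", "Saturday")

# Form target rewritten and an extra link added (placeholder .invalid hosts).
TAMPERED_HTML = (REFERENCE_HTML
                 .replace('action="/login"', 'action="https://other.invalid/login"')
                 .replace("<img", '<a href="https://promo.invalid/">Prize</a>\n<img'))


class TargetElementExtractor(HTMLParser):
    """Turns a page into key-value pairs, keeping only the interactive elements:
    hyperlinks, page title, buttons, drop-down options, forms, image addresses."""

    ATTR_ELEMENTS = {"a": "href", "img": "src", "form": "action"}
    TEXT_ELEMENTS = {"title", "button", "option"}

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.pairs = {}      # key -> element content
        self._seen = {}      # per-kind counter used to build stable keys
        self._open = None    # text element currently being read
        self._buf = []

    def _add(self, kind, value):
        idx = self._seen.get(kind, 0)
        self._seen[kind] = idx + 1
        self.pairs[f"{kind}[{idx}]"] = value

    def handle_starttag(self, tag, attrs):
        if tag in self.ATTR_ELEMENTS:
            name = self.ATTR_ELEMENTS[tag]
            self._add(f"{tag}.{name}", dict(attrs).get(name) or "")
        elif tag in self.TEXT_ELEMENTS:
            self._open, self._buf = tag, []

    def handle_data(self, data):
        if self._open:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == self._open:
            # Collapse whitespace so re-indenting a template is not a change.
            self._add(f"{tag}.text", " ".join("".join(self._buf).split()))
            self._open = None


def extract_target_data(html):
    """Filter step: non-target elements (paragraphs, etc.) are dropped."""
    parser = TargetElementExtractor()
    parser.feed(html)
    parser.close()
    return parser.pairs


def first_comparison(target, reference):
    """A differing element count is a mismatch; otherwise contents must match."""
    changed = sorted(k for k in target.keys() | reference.keys()
                     if target.get(k) != reference.get(k))
    if len(target) != len(reference):
        reason = "element count differs"
    elif changed:
        reason = "element content differs"
    else:
        reason = "match"
    return {"tamper_risk": reason != "match", "reason": reason, "changed": changed}


def monitor(html, reference_html):
    """Returns warning text when a tampering risk is found, else None."""
    result = first_comparison(extract_target_data(html),
                              extract_target_data(reference_html))
    if not result["tamper_risk"]:
        return None
    return (f"WARNING: possible content tampering ({result['reason']}): "
            + ", ".join(result["changed"]))


if __name__ == "__main__":
    for name, page in (("edited", EDITED_HTML), ("tampered", TAMPERED_HTML)):
        print(name, "->", monitor(page, REFERENCE_HTML))
```

Because keys are positional, inserting one element also shifts the keys of later elements of the same kind, so the `changed` list is a starting point for review rather than an exact diff.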
In one embodiment, before the obtaining the text information of the target website, the method further includes:
acquiring historical access data of the target website, wherein the historical access data is used for indicating the access amount of the target website in a historical period;
analyzing the historical access data, and determining a target period, wherein the target period is a period with the minimum corresponding access amount in the historical period;
and updating the monitoring period according to the target period.
In this embodiment, the access amount of the target website in the history period is obtained and analyzed to determine the target period, that is, the period in which access to the target website was at its trough during the history period. The monitoring period is then dynamically updated according to the target period, which adapts to the way the access amount of different target websites changes over time, makes the method applicable in complex scenarios, and reduces the adverse effect of going offline (that is, of the second device disconnecting from the Internet).
Illustratively, when the target website is deployed for the first time, the monitoring period is a preset period, for example: 2 to 3 am every day.
After the target website has gone through a complete history period, the first device can determine the target period from the historical access data obtained from the second device, determine a new monitoring period based on the target period, and transmit the new monitoring period to the second device to overwrite the old monitoring period in the timer program of the second device.
Illustratively, the new monitoring period may be the period in the current period that corresponds to the target period, for example: when the period lasts one day, the historical access data was collected on the 3rd, the current date is the 4th, and the target period indicates 3 to 4 pm, the new monitoring period is 3 to 4 pm.
In one embodiment, after the obtaining the historical access data of the target website, the method further includes:
determining a reference access amount of each period in the current monitoring period according to the historical access data;
determining an abnormal time period according to the reference access amount of each time period in the current monitoring period, wherein the abnormal time period is a time period in which the actual access amount is larger than the reference access amount in the current monitoring period;
and analyzing the access data generated in the abnormal time period to obtain an analysis result, wherein the analysis result is used for indicating whether the target website encounters DDOS attack or not.
In this embodiment, besides using the historical access data to obtain a more accurate monitoring period, the reference access amount of each period of the target website in the current monitoring period can be determined from the historical access data. The reference access amount is used to judge whether abnormal high-frequency access (that is, an actual access amount larger than the reference access amount) has occurred in the corresponding period of the target website. If so, the access data in that period is analyzed and a final analysis result is output, so that DDOS attacks from external networks are handled in time.
For example, the history period may last one week, one month or one quarter, and each period may last 1 hour or half an hour; the reference access amount of a period in the current monitoring period may be obtained by averaging the access amounts of that period over the history period.
For example: when the history period lasts one week, each period lasts 1 hour, and the historical access data indicates that the access amounts from 1 to 2 a.m. were, in order, 1, 0, 2, 1, 2, 0, 1, the average access amount from 1 to 2 a.m. is 1. This value 1 can be used directly as the reference access amount from 1 to 2 a.m. in the current monitoring period, or 1+N can be used instead, where N indicates the fluctuation value of the access amount and is a positive integer.
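The following added example (not part of the patent text) derives the target period, the reference access amounts and the abnormal periods from per-hour visit counts. The 1 a.m. series is the one given above; every other number, the function names and the treatment of periods without history are assumptions.

```python
# Constructed sample: visits per one-hour period over a one-week history period,
# keyed by the hour at which the period starts. Hour 1 is the 1 to 2 a.m. series
# from the description; the other rows are invented for the example.
HISTORY = {
    1:  [1, 0, 2, 1, 2, 0, 1],
    2:  [0, 1, 0, 0, 1, 0, 0],
    3:  [4, 5, 3, 4, 6, 4, 2],
    15: [25, 30, 28, 31, 27, 29, 26],
}

# Constructed actual access amounts for the same periods in the current cycle.
TODAY = {1: 40, 2: 1, 3: 5, 15: 30}


def target_period(history):
    """Period with the smallest access amount over the history period.
    Ties go to the earliest hour (an assumption; the text does not say)."""
    return min(history, key=lambda hour: (sum(history[hour]), hour))


def monitoring_window(history):
    """New monitoring period as (start_hour, end_hour) for the timer program."""
    start = target_period(history)
    return start, (start + 1) % 24


def reference_amounts(history, fluctuation=0):
    """Mean access amount per period, plus the fluctuation value N."""
    return {hour: sum(counts) / len(counts) + fluctuation
            for hour, counts in history.items() if counts}


def abnormal_periods(actual, reference, default=0):
    """Periods whose actual access amount is strictly larger than the reference.
    A period with no history falls back to `default` (assumed behaviour), so
    with the default of 0 any traffic in an unseen period is flagged."""
    return sorted(hour for hour, amount in actual.items()
                  if amount > reference.get(hour, default))


if __name__ == "__main__":
    print("monitoring window:", monitoring_window(HISTORY))
    for n in (0, 2):
        ref = reference_amounts(HISTORY, fluctuation=n)
        print(f"N={n}: abnormal periods", abnormal_periods(TODAY, ref))
```

With N = 0 every period that sits even slightly above its mean is reported, which is why the description allows a fluctuation value on top of the average.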
In one embodiment, analyzing the plurality of access data generated in the abnormal period to obtain an analysis result includes:
clustering the plurality of access data generated in the abnormal time period based on the access address corresponding to each access datum to obtain at least one cluster;
generating an analysis result indicating that the target website has encountered a DDOS attack when a target cluster exists in the at least one cluster, wherein the target cluster is a cluster whose number of elements is greater than a preset threshold;
the method further comprises:
blocking the access address indicated by the target cluster.
In this embodiment, when the target website encounters abnormal high-frequency access, the plurality of access data is clustered by access address and any target cluster is identified among the resulting clusters. This effectively screens for whether the target website has encountered a DDOS attack and further improves the target website's ability to identify malicious attacks from external networks. When a target cluster is identified, blocking the access address it indicates effectively reduces the losses the target website incurs while defending against external network attacks.
For example, the target website may maintain an access blacklist and block access requests from the access addresses on it; blocking the access address indicated by the target cluster can then be understood as adding that access address to the access blacklist.
In one embodiment, analyzing the plurality of access data generated in the abnormal period to obtain an analysis result includes:
performing similar comparison on the plurality of access data generated in the abnormal time period based on the access behaviors corresponding to the access data to obtain a second comparison result;
generating the analysis result for indicating that the target website encounters a DDOS attack in the case that the second comparison result indicates that the access behaviors of the plurality of access data generated in the abnormal period are identical or similar;
the method further comprises the steps of:
and outputting warning information.
In practical applications, some DDOS attacks disguise the access addresses of the high-frequency access they initiate, so such attacks cannot be accurately identified by analyzing only the access addresses of the access data. In view of this, this embodiment performs a consistency check on the access behaviors of the plurality of access data, and generates the analysis result indicating that the target website has encountered a DDOS attack when the check result indicates that the access behaviors of the plurality of access data generated in the abnormal period are identical or similar, so as to further enhance the target website's ability to identify malicious attacks from the external network.
For example: when a normal user accesses the target website, multiple click events and scroll-bar drag events are triggered, and the dwell time on the target website varies from a few seconds to a few hours;
by contrast, access initiated by a DDOS attack triggers only a single kind of event: usually only the request to access the target website is initiated, no event involving interaction with the website content is performed, and the visitor does not stay on the target website but repeatedly initiates access to it;
based on the above, the process of performing the consistency check on the access behaviors of the plurality of access data may be: clustering based on the number of access operations of the plurality of access data to obtain at least one clustering result;
in the case that the at least one clustering result includes a target clustering result whose number of elements is greater than a preset number of elements, outputting a check result indicating that the access behaviors of the plurality of access data generated in the abnormal period are identical or similar;
in the case that no target clustering result exists in the at least one clustering result, outputting a check result indicating that the access behaviors of the plurality of access data generated in the abnormal period are not identical or similar.
It should be noted that, in practical applications, clustering may also be performed based on access times of a plurality of access data.
In this embodiment, when a DDOS attack with disguised access addresses is identified, warning information is output so that the website operator is notified in time and can respond to the attack accordingly, thereby reducing the adverse effects caused by malicious attacks from the external network.
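The three steps described above (per-period reference access amount, clustering by access address, and the behavior consistency check for disguised addresses) can be sketched as follows. This is an added illustration, not code from the patent; the record fields (`hour`, `addr`, `ops`), the threshold values and the sample records are constructed assumptions.

```python
from collections import Counter
from statistics import mean

# Constructed history: hour of day -> visits in that hour on each day of a one-week history period.
HISTORY = {1: [1, 0, 2, 1, 2, 0, 1], 3: [2, 1, 0, 1, 2, 1, 0], 5: [3, 2, 4, 3, 3, 2, 4]}
FLUCTUATION_N = 2       # "N", the allowed fluctuation above the mean (assumed value)
CLUSTER_THRESHOLD = 5   # preset threshold on cluster size (assumed value)


def reference_access(history, n=FLUCTUATION_N):
    """Reference access amount per period: historical mean plus the fluctuation value N."""
    return {hour: round(mean(counts)) + n for hour, counts in history.items()}


def abnormal_periods(records, reference):
    """Periods whose actual access amount is larger than the reference access amount."""
    actual = Counter(r["hour"] for r in records)
    return sorted(h for h, count in actual.items() if h in reference and count > reference[h])


def analyse(records, reference, blacklist):
    """Classify each abnormal period and add blocked addresses to the blacklist."""
    results = {}
    for hour in abnormal_periods(records, reference):
        window = [r for r in records if r["hour"] == hour]

        # First embodiment: cluster by access address; an oversized cluster is a target cluster.
        by_addr = Counter(r["addr"] for r in window)
        targets = sorted(a for a, size in by_addr.items() if size > CLUSTER_THRESHOLD)
        if targets:
            blacklist.update(targets)
            results[hour] = ("ddos-by-address", targets)
            continue

        # Second embodiment: addresses may be disguised, so cluster by the number of
        # access operations (page request, clicks, scrolls) seen for each access.
        by_ops = Counter(r["ops"] for r in window)
        ops, size = by_ops.most_common(1)[0]
        if size > CLUSTER_THRESHOLD:
            results[hour] = ("ddos-by-behaviour", ops)   # warning only, no address to block
        else:
            results[hour] = ("no-attack-pattern", None)  # busy period, but behaviors differ
    return results


def build_sample():
    """Constructed access records; ops == 1 means only the page request was made."""
    recs = [{"hour": 1, "addr": "203.0.113.7", "ops": 1} for _ in range(8)]
    recs += [{"hour": 1, "addr": "192.0.2.10", "ops": 12},
             {"hour": 1, "addr": "192.0.2.11", "ops": 5}]
    recs += [{"hour": 3, "addr": f"198.51.100.{i}", "ops": 1} for i in range(1, 8)]
    recs += [{"hour": 3, "addr": "192.0.2.12", "ops": 14}]
    recs += [{"hour": 5, "addr": f"192.0.2.{20 + i}", "ops": ops}
             for i, ops in enumerate([3, 7, 12, 5, 9, 20])]
    return recs


def run_sample():
    blacklist = set()
    results = analyse(build_sample(), reference_access(HISTORY), blacklist)
    return results, blacklist


if __name__ == "__main__":
    results, blacklist = run_sample()
    for hour, (verdict, detail) in results.items():
        print(f"{hour:02d}:00  {verdict}  {detail}")
    print("blacklist:", sorted(blacklist))
```

The third sample period exceeds its reference access amount but has neither an oversized address cluster nor uniform behavior, so it is reported without a DDOS verdict and nothing is blocked.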
In some embodiments, the foregoing warning information may be generated, and the target website may be restored according to a preset restoration program and the reference information, so as to further reduce adverse effects caused by tampering of website content.
As shown in fig. 3, the embodiment of the present disclosure further provides a website data monitoring apparatus 300, where the apparatus 300 includes:
the acquiring module 301 is configured to acquire text information of a target website, where the text information is used to indicate display content of the target website in a monitoring period;
the comparison module 302 is configured to perform a similar comparison on the text information and preset reference information, so as to obtain a first comparison result, where the reference information is used to indicate preset content of the target website;
a generating module 303, configured to generate a warning message when the first comparison result indicates that the target website has a risk of tampering with content.
In one embodiment, the apparatus is applied to a first device, the target website is deployed on a second device, and the first device is not connected to the internet;
the acquiring module 301 is specifically configured to:
when the second device is disconnected from the Internet, receive, by the first device, the text information transmitted by the second device.
In one embodiment, the comparison module 302 includes:
the filtering unit is used for filtering the text information to obtain target data, wherein the target data are used for indicating the display content of target elements in the monitoring period, and the target elements are page elements for man-machine interaction in the target website;
and the comparison unit is used for carrying out similar comparison on the target data and the data part corresponding to the page element in the reference information to obtain the first comparison result.
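The filtering unit and comparison unit described above can be illustrated as follows: only interactive page elements are extracted from the page and compared with the same part of the reference information. This is an added sketch, not code from the patent; the tag and attribute lists, the similarity threshold and the sample pages are constructed assumptions.

```python
from difflib import SequenceMatcher
from html.parser import HTMLParser

# Assumed definition of "page elements for man-machine interaction".
INTERACTIVE = {"a", "button", "form", "input", "select", "textarea"}
KEPT_ATTRS = ("href", "action", "name", "type", "value")
# Assumed threshold: 1.0 flags any difference. Lower values tolerate drift, but
# on a large page they can hide a single changed element.
SIMILARITY_THRESHOLD = 1.0


class InteractiveElements(HTMLParser):
    """Collects tag, selected attributes and visible text of interactive elements."""

    def __init__(self):
        super().__init__()
        self.items = []
        self._open = []  # stack of interactive tags that are currently open

    def handle_starttag(self, tag, attrs):
        if tag not in INTERACTIVE:
            return
        kept = sorted((k, v or "") for k, v in attrs if k in KEPT_ATTRS)
        self.items.append(f"<{tag} " + " ".join(f"{k}={v}" for k, v in kept) + ">")
        if tag != "input":  # input is a void element and has no text content
            self._open.append(tag)

    def handle_endtag(self, tag):
        if self._open and self._open[-1] == tag:
            self._open.pop()

    def handle_data(self, data):
        if self._open and data.strip():
            self.items.append(data.strip())


def target_data(html):
    """Filtering unit: reduce the page to the content of its interactive elements."""
    parser = InteractiveElements()
    parser.feed(html)
    parser.close()
    return parser.items


def compare(current_html, reference_html, threshold=SIMILARITY_THRESHOLD):
    """Comparison unit: similarity of the target data against the reference part."""
    cur, ref = target_data(current_html), target_data(reference_html)
    ratio = SequenceMatcher(None, ref, cur, autojunk=False).ratio()
    changed = [item for item in cur if item not in ref]
    return {"similarity": ratio, "changed": changed, "tamper_risk": ratio < threshold}


# Constructed sample pages.
REFERENCE = (
    '<html><body><h1>Portal</h1><p>News of the day: A</p>'
    '<form action="/login" method="post"><input type="text" name="user">'
    '<input type="password" name="pw"><button type="submit">Sign in</button></form>'
    '<a href="/help">Help</a></body></html>'
)
BENIGN = REFERENCE.replace("News of the day: A", "News of the day: B")
TAMPERED = REFERENCE.replace('action="/login"', 'action="https://collector.example/login"')

if __name__ == "__main__":
    for name, page in (("benign", BENIGN), ("tampered", TAMPERED)):
        print(name, compare(page, REFERENCE))
```

Routine edits to non-interactive content (the news paragraph) leave the target data unchanged, while a rewritten form target changes it and produces a warning.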
In one embodiment, the apparatus 300 further comprises:
the data acquisition module is used for acquiring historical access data of the target website, wherein the historical access data are used for indicating the access amount of the target website in a historical period;
the data analysis module is used for analyzing the historical access data and determining a target period, wherein the target period is a period with the minimum corresponding access amount in the historical period;
and the time period updating module is used for updating the monitoring time period according to the target time period.
In one embodiment, the apparatus 300 further comprises:
the determining module is used for determining the reference access amount of each period in the current monitoring period according to the historical access data;
the abnormal identification module is used for determining an abnormal period according to the reference access quantity of each period in the current monitoring period, wherein the abnormal period is a period in which the actual access quantity is larger than the reference access quantity in the current monitoring period;
the anomaly analysis module is used for analyzing the plurality of access data generated in the anomaly period to obtain an analysis result, wherein the analysis result is used for indicating whether the target website encounters DDOS attack or not.
In one embodiment, the anomaly analysis module is specifically configured to:
clustering the plurality of access data generated in the abnormal period based on the access addresses corresponding to the access data, to obtain at least one cluster;
generating an analysis result indicating that the target website has encountered a DDOS attack in the case that a target cluster exists in the at least one cluster, wherein the target cluster is a cluster, among the at least one cluster, whose number of elements is greater than a preset threshold;
the apparatus further comprises:
an address blocking module, configured to block the access address indicated by the target cluster.
In one embodiment, the anomaly analysis module is specifically configured to:
performing similar comparison on the plurality of access data generated in the abnormal time period based on the access behaviors corresponding to the access data to obtain a second comparison result;
generating the analysis result for indicating that the target website encounters a DDOS attack in the case that the second comparison result indicates that the access behaviors of the plurality of access data generated in the abnormal period are identical or similar;
the apparatus further comprises:
and the warning module is used for outputting warning information.
The website data monitoring device 300 provided in the embodiments of the present disclosure can implement each process in the embodiments of the method, and achieve the same technical effects, and for avoiding repetition, the description is omitted here.
According to embodiments of the present disclosure, the present disclosure also provides an electronic device, a readable storage medium and a computer program product.
Fig. 4 illustrates a schematic block diagram of an example electronic device 400 that may be used to implement embodiments of the present disclosure. Electronic devices are intended to represent various forms of digital computers, such as laptops, desktops, workstations, personal digital assistants, servers, blade servers, mainframes, and other appropriate computers. The electronic device may also represent various forms of mobile devices, such as personal digital processing, cellular telephones, smartphones, wearable devices, and other similar computing devices. The components shown herein, their connections and relationships, and their functions, are meant to be exemplary only, and are not meant to limit implementations of the disclosure described and/or claimed herein.
As shown in fig. 4, the apparatus 400 includes a computing unit 401 that can perform various suitable actions and processes according to a computer program stored in a Read Only Memory (ROM) 402 or a computer program loaded from a storage unit 408 into a Random Access Memory (RAM) 403. In RAM403, various programs and data required for the operation of device 400 may also be stored. The computing unit 401, ROM402, and RAM403 are connected to each other by a bus 404. An input/output (I/O) interface 405 is also connected to bus 404.
Various components in device 400 are connected to I/O interface 405, including: an input unit 406 such as a keyboard, a mouse, etc.; an output unit 407 such as various types of displays, speakers, and the like; a storage unit 408, such as a magnetic disk, optical disk, etc.; and a communication unit 409 such as a network card, modem, wireless communication transceiver, etc. The communication unit 409 allows the device 400 to exchange information/data with other devices via a computer network, such as the internet, and/or various telecommunication networks.
The computing unit 401 may be a variety of general purpose and/or special purpose processing components having processing and computing capabilities. Some examples of computing unit 401 include, but are not limited to, a Central Processing Unit (CPU), a Graphics Processing Unit (GPU), various specialized Artificial Intelligence (AI) computing chips, various computing units running machine learning model algorithms, a Digital Signal Processor (DSP), and any suitable processor, controller, microcontroller, etc. The computing unit 401 performs the respective methods and processes described above, such as a road patrol method or a data processing method. For example, in some embodiments, the road inspection method or the data processing method may be implemented as a computer software program tangibly embodied on a machine-readable medium, such as the storage unit 408. In some embodiments, part or all of the computer program may be loaded and/or installed onto the device 400 via the ROM402 and/or the communication unit 409. When the computer program is loaded into the RAM403 and executed by the computing unit 401, one or more steps of the road patrol method or the data processing method described above may be performed. Alternatively, in other embodiments, the computing unit 401 may be configured to perform the road patrol method or the data processing method in any other suitable way (e.g. by means of firmware).
Various implementations of the systems and techniques described here above may be implemented in digital electronic circuitry, integrated circuit systems, Field Programmable Gate Arrays (FPGAs), Application Specific Integrated Circuits (ASICs), Application Specific Standard Products (ASSPs), Systems On Chip (SOCs), Complex Programmable Logic Devices (CPLDs), computer hardware, firmware, software, and/or combinations thereof. These various embodiments may include: implemented in one or more computer programs, the one or more computer programs may be executed and/or interpreted on a programmable system including at least one programmable processor, which may be a special purpose or general-purpose programmable processor, that may receive data and instructions from, and transmit data and instructions to, a storage system, at least one input device, and at least one output device.
Program code for carrying out methods of the present disclosure may be written in any combination of one or more programming languages. These program code may be provided to a processor or controller of a general purpose computer, special purpose computer, or other programmable data processing apparatus such that the program code, when executed by the processor or controller, causes the functions/operations specified in the flowchart and/or block diagram to be implemented. The program code may execute entirely on the machine, partly on the machine, as a stand-alone software package, partly on the machine and partly on a remote machine or entirely on the remote machine or server.
In the context of this disclosure, a machine-readable medium may be a tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. The machine-readable medium may be a machine-readable signal medium or a machine-readable storage medium. The machine-readable medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. More specific examples of a machine-readable storage medium would include an electrical connection according to one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
To provide for interaction with a user, the systems and techniques described here can be implemented on a computer having: a display device (e.g., a CRT (cathode ray tube) or LCD (liquid crystal display) monitor) for displaying information to a user; and a keyboard and pointing device (e.g., a mouse or trackball) by which a user can provide input to the computer. Other kinds of devices may also be used to provide for interaction with a user; for example, feedback provided to the user may be any form of sensory feedback (e.g., visual feedback, auditory feedback, or tactile feedback); and input from the user may be received in any form, including acoustic input, speech input, or tactile input.
The systems and techniques described here can be implemented in a computing system that includes a back-end component (e.g., as a data server), or that includes a middleware component (e.g., an application server), or that includes a front-end component (e.g., a user computer having a graphical user interface or a web browser through which a user can interact with an implementation of the systems and techniques described here), or any combination of such back-end, middleware, or front-end components. The components of the system can be interconnected by any form or medium of digital data communication (e.g., a communication network). Examples of communication networks include: Local Area Networks (LANs), Wide Area Networks (WANs), and the Internet.
The computer system may include a client and a server. The client and server are typically remote from each other and typically interact through a communication network. The relationship of client and server arises by virtue of computer programs running on the respective computers and having a client-server relationship to each other. The server may be a cloud server, a server of a distributed system, or a server incorporating a blockchain.
It should be appreciated that various forms of the flows shown above may be used to reorder, add, or delete steps. For example, the steps recited in the present disclosure may be performed in parallel, sequentially, or in a different order, provided that the desired results of the disclosed aspects are achieved, and are not limited herein.
The above detailed description should not be taken as limiting the scope of the present disclosure. It will be apparent to those skilled in the art that various modifications, combinations, sub-combinations and alternatives are possible, depending on design requirements and other factors. Any modifications, equivalent substitutions and improvements made within the spirit and principles of the present disclosure are intended to be included within the scope of the present disclosure.
Claims (10)
1. A method for monitoring website data, the method comprising:
acquiring text information of a target website, wherein the text information is used for indicating display content of the target website in a monitoring period;
performing similar comparison on the text information and preset reference information to obtain a first comparison result, wherein the reference information is used for indicating preset content of the target website;
and generating warning information under the condition that the first comparison result indicates that the target website has content tampering risk.
2. The method of claim 1, wherein the method is applied to a first device, the target website is deployed on a second device, and the first device does not access the internet;
the obtaining the text information of the target website comprises the following steps:
when the second device is disconnected from the Internet, receiving, by the first device, the text information transmitted by the second device.
3. The method of claim 1, wherein performing a similar comparison between the text information and a preset reference information to obtain a first comparison result comprises:
filtering the text information to obtain target data, wherein the target data is used for indicating the display content of target elements in the monitoring period, and the target elements are page elements for man-machine interaction in the target website;
and carrying out similar comparison on the target data and the data part corresponding to the page element in the reference information to obtain the first comparison result.
4. The method of claim 3, wherein prior to the obtaining text information for the target web site, the method further comprises:
acquiring historical access data of the target website, wherein the historical access data is used for indicating the access amount of the target website in a historical period;
analyzing the historical access data, and determining a target period, wherein the target period is a period with the minimum corresponding access amount in the historical period;
and updating the monitoring period according to the target period.
5. The method of claim 4, wherein after the obtaining the historical access data for the target web site, the method further comprises:
determining a reference access amount of each period in the current monitoring period according to the historical access data;
determining an abnormal time period according to the reference access amount of each time period in the current monitoring period, wherein the abnormal time period is a time period in which the actual access amount is larger than the reference access amount in the current monitoring period;
and analyzing the access data generated in the abnormal time period to obtain an analysis result, wherein the analysis result is used for indicating whether the target website encounters DDOS attack or not.
6. The method of claim 5, wherein analyzing the plurality of access data generated during the anomaly time period to obtain an analysis result comprises:
clustering the plurality of access data generated in the abnormal period based on the access addresses corresponding to the access data, to obtain at least one cluster;
generating an analysis result indicating that the target website has encountered a DDOS attack in the case that a target cluster exists in the at least one cluster, wherein the target cluster is a cluster, among the at least one cluster, whose number of elements is greater than a preset threshold;
the method further comprises:
blocking the access address indicated by the target cluster.
7. The method of claim 6, wherein analyzing the plurality of access data generated during the anomaly time period to obtain an analysis result comprises:
performing similar comparison on the plurality of access data generated in the abnormal time period based on the access behaviors corresponding to the access data to obtain a second comparison result;
generating the analysis result for indicating that the target website encounters a DDOS attack in the case that the second comparison result indicates that the access behaviors of the plurality of access data generated in the abnormal period are identical or similar;
the method further comprises the steps of:
and outputting warning information.
8. A website data monitoring device, the device comprising:
an acquisition module, configured to acquire text information of a target website, wherein the text information is used for indicating display content of the target website in a monitoring period;
the comparison module is used for carrying out similar comparison on the text information and preset reference information to obtain a first comparison result, wherein the reference information is used for indicating preset content of the target website;
the generation module is used for generating warning information under the condition that the first comparison result indicates that the target website has content tampering risk.
9. An electronic device comprising a processor, a memory and a computer program stored on the memory and executable on the processor, the computer program implementing the steps of the website data monitoring method of any one of claims 1 to 7 when executed by the processor.
10. A readable storage medium, wherein a computer program is stored on the readable storage medium, which when executed by a processor, implements the steps of the website data monitoring method according to any one of claims 1 to 7.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202310849441.8A CN117421506A (en) | 2023-07-12 | 2023-07-12 | Website data monitoring method and device, electronic equipment and storage medium |
Publications (1)
Publication Number | Publication Date |
---|---|
CN117421506A (en) | 2024-01-19 |
Family
ID=89527252
Family Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202310849441.8A (Pending), published as CN117421506A (en) | 2023-07-12 | 2023-07-12 | Website data monitoring method and device, electronic equipment and storage medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN117421506A (en) |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||