KR101122413B1 - A method for determining validity of command and a system thereof - Google Patents

Abstract

The present invention relates to a method of determining the validity of a command input from a user's terminal. More specifically, the validity of the command can be determined by using a request format of the command or log information generated in association with the command. It is about how to judge the validity of a command.

In accordance with an aspect of the present invention, a method of determining validity of a command may include maintaining a blocked network database including blocked network address information, receiving a command from a user terminal, extracting network address information included in the command, and Determining whether the network address information is blocked network address information by referring to a blocked network address database, and generating log information associated with the command if the network address information is not the blocked network address information (the log; The information includes at least one of network address information included in the command, input time information on the input time of the command, and request content information), recording the log information in a log database, and the log information. Using And a step of determining the validity of the instruction.

Command, Command, Validity, Criteria, Blocked Network Address Information, Log Information.

Description

Command Validation Method and Its System {A METHOD FOR DETERMINING VALIDITY OF COMMAND AND A SYSTEM THEREOF}

1 is a diagram illustrating a network connection of a determination system for performing a method for determining validity of an instruction according to the present invention.

2 is a flowchart illustrating a method of determining validity of an instruction according to an embodiment of the present invention.

3 is a diagram illustrating an example of log information recorded in a log database according to one embodiment of the present invention.

4 is a flowchart illustrating a case of determining validity of an instruction by using an encryption / decryption method according to an embodiment of the present invention.

5 is a block diagram showing an internal configuration of a determination system according to another embodiment of the present invention.

6 is an internal block diagram of a general purpose computer device that may be employed to perform a method for determining the validity of an instruction in accordance with the present invention.

<Explanation of symbols for the main parts of the drawings>

500: Judgment System

501: blocking IP address database 502: command input unit                 

503: log information generating unit 504: log database

505: log database management unit 506: validity determination unit

The present invention relates to a method of determining the validity of a command input from a user's terminal. More specifically, the validity of the command can be determined by using a request format of the command or log information generated in association with the command. It is about how to judge the validity of a command.

In the server / client model, a client connects to a server through a communication network, inputs a predetermined request, and the server responds to the user terminal in response to the request.

However, the user may input the request for other purposes than for obtaining the response.

For example, a search server providing a search service may be used to statistically analyze a user's search request and generate a search result list to provide a list of search results according to the user's preference. Since a search result that a user who is provided with a predetermined list of search results selects frequently is considered to be highly related to the search request and the user's preference is high, the search server gives priority to the search result, For a search request, the search result may be preferentially provided to the user.

In this case, the user's "selection of search results" was used on the one hand as a "request to be provided with information related to the search results or to access a web page associated with the search results". User, who is aware of this fact, may repeatedly select the same search result from the list of search results provided in response to a given search query, thereby giving priority to the search result of his choice. Of course, when the user repeatedly selects a search result with malicious intention and the priority is given to the search result, the original purpose of providing the search result which is highly related to the search result and preferred by the user is priority. It cannot be achieved.

Therefore, when the user inputs a request for selecting a search result, the search server needs to determine whether the request has been entered with malicious intention. As a result of the determination, when the request is entered with a malicious intention, information related to the search result is provided according to the request, but it is preferable not to use the request as a criterion for generating a search result list. As such, it may be necessary to determine whether a " request " of a user input into a given system is caused by the malicious intention of another user than the system is intended.

Hereinafter, the term "command" as used herein refers to a "request" of a user to perform a predetermined operation on a given server system, a "conversation" of a user to provide predetermined information to the server system, or Used as a generic concept including the "information" itself, the "command" can be delivered to the server system by transmitting a "command" from the user's terminal to the server system.

Korean Patent Application No. 10-2002-7010554 ("Name of the Invention: System and Method for Determining the Validity of Conversation on a Network" (hereinafter referred to as "Application Invention") is a method of determining the validity of a user's command. The above-mentioned Korean patent application refers to a conversation entered by the user with malicious intention in the application specification as an "illegal conversation".

The present invention discloses 1) collecting data from a user conversation on a network, including "aggregate mode data" and "unique characteristic data" about an estimated user, 2) storing data in a database, and 3) communicating with a network. Constructing a predictive model in a collective fashion and intrinsic feature data to identify illegal conversations, and 4) identifying illegal conversations in a database using the prediction model.

The invention is referred to as "collective mode data" as "number of unique user IDs per search list click / unit hour", "number of unique user IDs per entry source / unit hour", "advertiser / unit accepting any billable clicks". Number of unique user IDs per hour 'and so forth.

In addition, the present invention discloses "the date of the click which generated an income", the "time stamp of the click which generated an income", etc. as "unique characteristic data."

However, the present invention determines whether the dialogue is valid by using the prediction model whenever one dialogue is input. That is, "For one conversation," "Acceptable but rare class (ABUC) values", "Classic behavior (NBC) values", and "Unacceptable class (UC) values", respectively. It is determined that the conversation belongs to the class having the largest value.

Therefore, even if it is easy to determine that the conversation is invalid according to the pattern of the conversation, the same system resources are used to calculate and compare the ABUC value, the NBC value, and the UC value, respectively. There is a problem that a lot of unnecessary consumption.

In addition, there is still a need to consider whether there is a more appropriate criterion for determining whether a given conversation is valid in addition to the criterion selected by the present invention to build a predictive model.

Therefore, there is a need for a method that can solve various problems of the prior art and provide various new criteria for accurately determining whether a user's command is valid.

An object of the present invention is to provide a method and system for determining validity of a command that can quickly determine whether a command input from a terminal having a predetermined network address is invalid by setting blocking network address information.

In addition, when it is difficult to determine whether a command input from a terminal having a predetermined network address is invalid, the present invention sets network address information for the network address as invalid suspicious network address information, and subsequently inputs from the network address. The validity of the command to more accurately determine the validity of the command by using the two or more steps of setting, such as determining whether to set the network address information to block the network address information using further collected commands or information collected later. Another object of the present invention is to provide a determination method and a system thereof.

In addition, the present invention proposes a new criterion for determining whether a command is valid, and in particular, determining the validity of the command to accurately determine whether the command is valid in consideration of both the request format of the command and the request content of the command. It is another object to provide a method and system thereof.

In order to achieve the above object and to solve the above-mentioned problems of the prior art, the method of determining validity of the command according to the present invention, the method of determining validity of the command according to the present invention, the blocked network database including the blocked network address information Maintaining the command line, receiving a command from a user terminal, extracting network address information included in the command, and determining whether the network address information is blocked network address information by referring to the blocked network address database. If the network address information is not the blocked network address information, generating log information associated with the command (the log information may include network address information included in the command and input time information of an input time of the command. And the request contents And recording the log information in a log database, and determining the validity of the command by using the log information.

Further, according to one aspect of the present invention, the step of determining the validity of the command using the log information, the step of retrieving log information including the network address information from the log information recorded in the log database, Extracting input point information included in the retrieved log information, and determining that the command is invalid when all or part of the extracted input point information has an association according to a predetermined rule.

Further, according to another aspect of the present invention, the method for determining the validity of the command, if it is determined that the command is invalid as a result of determining the network address information as the block network address information, and the network address information The method further includes writing to a blocking network address database.

Hereinafter, the present invention will be described in detail with reference to the accompanying drawings.

1 is a diagram illustrating a network connection of a determination system for performing a method for determining validity of an instruction according to the present invention. The determination system 100 may include a determination server 101 and a log database 102, and may be connected to a user terminal 110 or the like through a wired or wireless communication network. The determination server 101 may process a command input from the user and provide the user with a response according to the processing result.

Hereinafter, when a user inputs a command related to a search to a search server that provides a search service, the determination system 100 that determines the validity of the command will be described as an example. However, this is merely an example, and the server 120 may include a server that provides various services according to a client / server model such as a search service, a game service, and a reservation service.

In addition, the determination server 101 for determining the validity of the user's command (or command) may be implemented with the same device as the search server 120 or interworked with the search server 120.

In addition, hereinafter, an example in which an IP address is used as an example of a network address has been described as an example, which is merely exemplary, and all information used to identify a location on a network of a terminal is included in the network address.

2 is a flowchart illustrating a method of determining validity of an instruction according to an embodiment of the present invention.

In step 201, a blocking IP database 103 including blocking IP address information is maintained. &Quot; Blocking IP address information " is information selected according to a predetermined criterion and is information on an IP address of a terminal that is likely to enter a malicious, that is, invalid command. A process of determining the blocking IP address information will be described later.

In operation 202, the search server 120 receives a command from the user terminal 110. As described above, "command" is information used for inputting a "command" of the user, and the term "command" is used as a concept including a request of a user, a conversation, and the like.

The determination server 101 extracts the IP address information included in the command in step 203 and refers to the blocking IP address database 103 in step 204 to determine whether the extracted IP address information is blocking IP address information. Determine whether or not. The extracted IP address information is information on an IP address of the terminal 110 that inputs the command.

If the extracted IP address information is blocking IP address information, the determination server 101 does not generate log information associated with the command. Therefore, the process of determining whether the command is valid using the log information associated with the command is not performed, and the command is automatically invalidated. That is, when it is determined that the command is invalid by using the blocking IP address information, the determination server 101 may not perform the process following step 205.

The blocking IP address information may be information about an IP address of a terminal that regularly inputs an invalid command as a result of performing a method of determining validity of a command as described below, and is also input by an administrator of the determination system 100. It may also be IP address information.

For example, in an embodiment of determining an advertisement cost charged to an advertiser based on a number of times a predetermined search result is selected by a user, the competitor's competitor repeatedly inputs a command for selecting the search result with malicious intention. It is likely that they want to raise advertising costs. Therefore, the administrator can prevent this by recording the IP address information on the IP address of the terminal connected to the network of the known competitor in the blocking IP address database 103 as the blocking IP address information.

Further, according to another embodiment of the present invention, the determination system 100 further includes a database of allowed IP addresses (not shown). For example, the allowed IP address information is information about an IP address of the terminal of the advertiser or an IP address of the terminal of the administrator. The decision server 101 may treat the IP address information in the same manner as the blocking IP address information, and the terminal of the administrator or the advertiser's terminal, which often inputs a command that is not intended as malicious intention but not recognized as valid. The IP address information may be determined as allowed IP address information and may be managed separately from the blocked IP address information. The manager is likely to enter a command to confirm whether the advertisement is being performed normally for management purposes.

The determination server 101 determines that the command is invalid when the IP address information is allowed IP address information. However, unlike the case of the blocking IP address information, the determination server 101 may generate and record log information about the command.

The decision server 101 interprets the request format of the command in step 205 and determines the validity of the command based on the request format in step 206.

According to another embodiment of the present invention, if it is determined that the command is invalid based on the request format, the determination process of step 207 or less may not be performed on the command.

In step 208 the decision server 101 generates log information associated with the command. The log information may include the extracted IP address information, input time point information on a time point when the command is input to the search server 120, request content information included in the command, and the like.

The request content information included in the command may be, for example, information for the user to select a search result. That is, when a user inputs a predetermined search query to the search server 120 to request a search, the search server 120 generates a list of search results corresponding to the search query and provides the search result to the user. A search result may be selected from a list of search results, and the command may include request content information for selecting a search result.

At step 209 the decision server 101 writes the log information to the log database 102. 3 is a diagram illustrating an example of log information recorded in the log database 102. As shown in FIG. 3, according to another embodiment of the present invention, the log information may be sorted according to an input time of a command or systematically recorded in association with the IP address information. In addition, in addition to log information corresponding to a command input from a user, the log database 102 includes log information 301, a search server 120, or a determination server related to the connection when the user accesses the search server 120. Log information associated with the information 101 provided to the user (eg, log information 302 associated with a list of search results provided to the user) may also be recorded.

In step 210, the determination server 101 determines the validity of the command using the log information. The determination server 101 may use only log information generated in association with the command, or may further determine the validity of the command by using one or more log information recorded in the log database 102.

Hereinafter, the process of determining the validity of the command based on the request format (step 206) and the process of determining the validity of the command using the log information (step 209) will be described in detail. .

1. The process of determining the validity of the command based on the request format of the command

(1) When the validity of the command is determined based on the HTTP version of the command

According to the present embodiment, the request format is a version of Hyper Text Transfer Protocol (HTTP) used to write the command.

In order to enter commands into the search server 120 with malicious intentions, a user may use a program that causes certain commands to be generated "automatically" without manually generating the commands.

In general, a command is written on the Internet according to HTTP, and since the content is simple and widely known as the version of HTTP is lower, the program is often written using a version lower than the latest version. As such, when the command is created by a version of HTTP which is not generally used, the command is likely to be invalid.

For example, when the HTTP / 1.1 version is generally used, the judging server 101 selects the HTTP / 1.1 version as a valid version and identifies the HTTP version of the command so that the command is a valid version (ie, HTTP). /1.1), such as HTTP / 1.0 or HTTP / 1.1 or later, it may be determined in step 203 that the command is likely to be invalid. The valid version, which is a criterion for determining the validity of an instruction, may change over time.

(2) When the validity of the command is determined based on the additional information included in the command

According to the present embodiment, the request format is the presence or absence of additional information included in the command. For example, the additional information is browser information of a web browser installed in the terminal or URL information of a web page directly connected to the terminal.

In general, when a web browser connects to a server such as a search server 120 and transmits a command, the web browser often includes web browser information about the type or version of the web browser in the command according to HTTP. In addition, a web browser often includes URL information of a web page directly accessed by the web browser in the command according to HTTP and transmits the URL information.

Therefore, it is highly likely that an instruction not including the additional information is automatically generated by the instruction automatic generation program. Therefore, the determination server 101 may reflect whether the additional information is included in the command in determining the validity of the command.

(3) When the validity of the command is determined based on the identification information included in the command

The determination server 101 allows the command to include identification information for each request content information and IP address information of the terminal. Therefore, when the number of times of inputting the command including the identification information is calculated, it may be determined how many times the command including the content of the same request is input from the terminal having the same IP address information.

It is common for a user to enter a command for making a specific request, for example, a command for selecting a search result once. Accordingly, the determination server 101 may determine that a command including the identification information is invalid when a command having the same identification information is input more than a predetermined value, for example, two or more times.

(3) When a command is input within a certain time after a predetermined event occurs

The determination server 101 may determine that the command is invalid when a predetermined event occurs and a command generated according to the event is input within too short time after the occurrence of the event.

For example, the event is that the search server 120 provides the user with a predetermined list of search results according to the user's search request. The user who is provided with the search result list may input a command for selecting a specific search result included in the search result list.

In this case, a "person" needs to go through a series of processes such as "recognizing the search result list, grasping and selecting an appropriate search result" in order to input the command, and a certain time is required to perform the process. .

Therefore, when the time interval from when the search result list is provided until the user inputs a command for selecting a search result is too short (for example, 0.5 seconds), the determination server 101 invalidates the command. Judging by

(4) In case of validity of command by using encryption / decryption method

A case in which validity of an instruction is determined using an encryption / decryption method according to the present embodiment will be described with reference to FIG. 4.

In step 401, a service server such as a search server, when a user inputs a command through a predetermined web page, in step 402, the determination server 101 controls the encrypted information to be included in the command.

For example, information about which channel is input to the command and which information is input in association with the information of the channel may be encrypted and included.

According to an embodiment, the encryption method may be in accordance with an encryption protocol provided by HTTP. In addition, according to another embodiment of the present invention, the determination server 101 may provide a program including the encryption algorithm to the terminal 110 in the form of a plug-in (plug-in), the terminal 110 The program may be installed to encrypt instructions according to the encryption algorithm.

In step 403, the determination server 101 receives and decrypts the encrypted command.

In step 405, the determination server 101 determines that the command is invalid if the command is not encrypted or if the command is not decrypted by the decryption method.

2. Process of determining validity of command using log information

(1) When a command input point has a predetermined regularity, such as when a command including "specific IP address information" is input at regular time intervals.

The determination server 101 retrieves log information including IP address information included in the command among log information recorded in the log database 102. According to another embodiment of the present invention, the determination server 101 may search only the log information recorded within a certain period of the log information including the IP address information.

When the retrieved log information is referred to as first log information, the determination server 101 extracts input point information included in the first log information, and all or part of the extracted input point information is associated with a predetermined rule. If it is determined that the command is invalid.

For example, the time point at which the command is input is "2004/04/02, 09: 00 : 30" and the input time point information included in the first log information is "2004/04/02, 08: 50 : 30", respectively. "," 2004/04/02 08: 40: 30 "," 2004/04/02 08: 30: 30 "," 2004/04/02 08: 20: 30 "... In this case, it can be seen that the command associated with the first log information is input to the search server 120 at 10 minute intervals. The regularity may include all cases where mathematical regularity is found, for example, when the time interval at the input time point at which the command is input is constant, for example, when the time interval is increased by an equal order sequence or an equivalent sequence sequence. Can be.

As described above, when regularity is recognized at the time of inputting a command including specific IP address information, since the command is likely to be a command generated by using a program or the like that automatically generates the command, the determination server 101 The command is determined to be invalid.

According to another embodiment of the present invention, the determination server 101 may determine the command as invalid only when the number of the input time information that follows a predetermined rule among the searched input time information is a predetermined number or more.

In addition, according to another embodiment of the present invention, the determination server 101 may identify log information including the input time point information following the rule, and determine all the commands associated with the identified log information as invalid. . That is, all sets of commands that are found to have regularity at the time of input of the command input from the terminal having a predetermined IP address are invalidated.

In addition, according to another embodiment of the present invention, when it is determined that the command is invalid, the determination server 101 may record the IP address information as the blocking IP address information in the blocking IP address database 103.

(2) When a command input point has a predetermined regularity, such as when a command including "specific request content information" is input at regular time intervals.

The determination server 101 retrieves log information including request content information included in the command from among log information recorded in the log database 102. According to another embodiment of the present invention, the determination server 101 may search only the log information recorded within a certain period of the log information including the IP address information.

When the retrieved log information is referred to as first log information, the determination server 101 extracts input point information included in the first log information, and all or part of the extracted input point information is associated with a predetermined rule. If it is determined that the command is invalid.

For example, the time point at which the command is input is "2004/04/02, 09: 00 : 30" and the input time point information included in the first log information is "2004/04/02, 08: 50 : 30", respectively. "," 2004/04/02 08: 40: 30 "," 2004/04/02 08: 30: 30 "," 2004/04/02 08: 20: 30 "... In this case, it can be seen that the command associated with the first log information is input to the search server 120 at 10 minute intervals. The regularity may include all cases where mathematical regularity is found, for example, when the time interval at the input time point at which the command is input is constant, for example, when the time interval is increased by an equal order sequence or an equivalent sequence sequence. Can be.

As described above, when regularity is recognized at the time of inputting a command including specific request content information, since the command is likely to be a command generated using a program or the like that automatically generates the command, the determination server 101 The command is determined to be invalid.

According to another embodiment of the present invention, the determination server 101 may determine the command as invalid only when the number of the input time information that follows a predetermined rule among the searched input time information information is a predetermined number or more.

In addition, according to another embodiment of the present invention, the determination server 101 may identify log information including the input time point information following the rule, and determine all the commands associated with the identified log information as invalid. . That is, all sets of commands that are found to have regularity at the time of input of the command input from the terminal having a predetermined IP address are invalidated.

In addition, according to another embodiment of the present invention, when it is determined that the command is invalid, the determination server 101 may record the IP address information as the blocking IP address information in the blocking IP address database 103.

(3) When an abnormally large number of commands from a terminal having a specific IP address is input for a certain period of time

The determination server 101 calculates the first number of commands input during the first period from each terminal using the log information recorded in the log database 102 during the first period. The network address can be used to identify each terminal. That is, the command input from the terminal having the same network address may be regarded as input from one terminal. However, an exception is provided when the network address is a network address of a proxy server or a router.

The determination server 101 calculates a second number of commands input during the second period from the terminal having the network address included in the command using the log information recorded in the log database 102 for the second period. .

The first period may be the same as the second period, but the first period may be selected to be larger than the second period. In addition, the second period may determine the validity of the command in consideration of a pattern in which the command is input for each specific time period by selecting a specific time period such as morning, afternoon, evening, late night, or dawn. For example, since the number of times a command is input is significantly reduced at about 4 am, the validity may be determined by reflecting this.

The determination server 101 may determine the validity of the command using the first number of terminals and the second number of terminals.

For example, the determination server 101 calculates an average value of the first number of terminals and compares the second number with the average value to determine the validity of the command. The determination server 101 may determine that the command is invalid when the second number exceeds the average value or when the second number exceeds a value obtained by adding a predetermined value to the average value. In addition, the determination server 101 may calculate the ratio of the average value and the second number and determine that the command is invalid when the ratio exceeds a predetermined value.

In addition, the determination server 101 calculates a maximum value of the first number for each terminal or calculates a variance value of the first number for each terminal and compares the maximum value or the variance value with the second number. You can also determine the validity of a command.

In addition, according to another embodiment of the present invention, when it is determined that the command is invalid, the determination server 101 may record the IP address information as the blocking IP address information in the blocking IP address database 103.

In the above description, the case in which the first number for each terminal or an average value thereof is used is described as an example, and this method compares the first number and the second number to each of the second number in each determination process described later. Compared to the case where it is determined whether the first number is abnormally large. In addition, a specific method for comparing the first number and the second number as described above is merely exemplary, and the scope of the present invention is not limited thereto, and the first number having a predetermined meaning and another predetermined meaning are not limited thereto. Compares the second number to all the determination methods for determining the validity of the instruction.

(4) When there is an unusually large number of specific commands entered during a certain period of time

The determination server 101 calculates the first number of commands input during the first period according to the request content information using the log information recorded in the log database 102 during the first period. That is, the number of commands including the same request content information is calculated for each of the command weeks input during the first period.

The determination server 101 calculates a second number of log information including request content information included in the command by using the log information recorded in the log database 102 during the second period. The second number is the number of commands including request content information identical to the command among the commands input during the second period.                     

The determination server 101 may determine the validity of the command by using the first number of the request content information and the second number. That is, the determination server 101 compares the first number for each terminal and the request content information with the second number, and when the second number is determined to be abnormally larger than the first number, invalidates the command. You can judge. Specific examples of the comparison method between the first number and the second number are as described above.

(5) When an abnormally large number of commands for making a specific request from a terminal having a specific IP address is input for a certain time

The determination server 101 calculates, by request content information, the first number of commands input during the first period from each terminal using the log information recorded in the log database 102 during the first period. That is, each of the number of instructions including predetermined request content information input from a predetermined terminal is calculated during the first period. IP addresses can be used to identify each terminal. That is, the command input from the same IP address may be regarded as input from one terminal.

The determination server 101 includes the request content information among the commands input during the second period from the terminal having the IP address included in the command using the log information recorded in the log database 102 for the second period. A second number of instructions to calculate is calculated.

The first period may be the same as the second period, but the first period may be selected to be larger than the second period. In addition, the second period may determine the validity of the command in consideration of a pattern in which the command is input for each specific time period by selecting a specific time period such as morning, afternoon, evening, late night, or dawn. For example, since the number of times a command is input is significantly reduced at about 4 am, the validity may be determined by reflecting this.

The determination server 101 may compare the first number for each terminal and the request content information with the second number, and determine that the command is invalid when it is determined that the second number is abnormally larger than the first number. Can be.

In addition, according to another embodiment of the present invention, when it is determined that the command is invalid, the determination server 101 may record the IP address information as the blocking IP address information in the blocking IP address database 103.

(6) When there is no primary information associated with the secondary instruction

The search server 120 receives a search query from a user, generates a list of search results corresponding to the search query, and provides the search query to the user. The user who has received the search result list selects a search result from the search result list, and the search server 120 provides information corresponding to the selected search result, or the user accesses a web page associated with the search result. Relay to connect. As such, various information is transmitted and received (communicated) between the search server 120 or the determination server 101 and the user's terminal.                     

In the present specification, when the information communicated between the search server 120 or the determination server 101 and the user has a sequential causal relationship, the causative information is generated based on the primary information and the primary information. Information is defined as secondary information. The information also includes instructions.

For example, the search result list may be generated based on the search query, the search query may be defined as a primary command, and the search result list as secondary information. In addition, when a user inputs a command for selecting the search result and the information is provided in response to the selection command, the command may be defined as a primary command and the information as secondary information.

The determination server 101 generates log information corresponding to the information communicating with the terminal of the user and records the log information in the log database 102. The log information includes information on the time point at which the information or the information is transmitted and received.

When the command inputted from the terminal is determined to be a secondary command based on the request content, the determination server 101 refers to the log database 102 and corresponds to the primary information (or primary command) associated with the command. Retrieve log information. The log information corresponding to the primary information associated with the command may be searched by referring to the contents of the query included in the secondary command and the IP address information included in the secondary command.

Since the secondary command is generated based on the primary information, if the log information corresponding to the primary information is not retrieved, it may be said that the command is not an input command according to a normal procedure. The command can be determined to be invalid.

(7) When there is no primary information associated with the secondary instruction-When using the information contained in the instruction itself

Whether a command is input according to a normal procedure, for example, providing a predetermined web page according to a user's request for providing a web page, and receiving an additional request using the information included in the web page from the user. The further request, upon procedure, presupposes the provision of the web page.

Therefore, the determination server 101 may include the above history information in the command itself to determine the validity of the command. Since the history information serves as a criterion for determining the validity of the command, it is preferable to control the history information to be encrypted and included in the command.

The determination server 101 receives a first command from a user's terminal and provides a web page including predetermined information to the user according to the first command.

The user may input a second command based on the information. For example, the first command may be a search request including a predetermined search query, and the second command may be a command for selecting a predetermined search result from a list of search results.

At this time, the determination server 101 allows the history information to be included in the second command. The history information may include URL information of a web page directly accessed by the terminal (such URL information may be provided from a web browser), a first IP address of the terminal, or a terminal of the terminal that has entered the first command. 2 IP address. In a normal case, the second IP address of the terminal and the first IP address of the terminal which input the first command will match.

According to such a configuration, when a predetermined command is input, the determination server 101 may determine whether the command is valid using the history information included in the command.

For example, the determination server 101 may invalidate the command if the command does not include URL information corresponding to the current or previous web page.

Alternatively, when the URL information is included in the command, the determination server 101 determines that the URL is not the URL of a web page which should be normally accessed or previously accessed by the terminal to input the command. The instruction is considered invalid.

In addition, the determination server 101 invalidates the command if the second command, which is generated under the input of the first command, does not include the first IP address information of the terminal that inputs the first command. You can judge.

In addition, the determination server 101 compares the first IP address information and the second IP address information included in the second command and determines that the second command is invalid when it does not match.

(8) An abnormally large number of specific queries in a certain network group for a certain time

The decision server 101 identifies the network group associated with the IP address based on the IP address information.

An example of a network group is a network class according to IPv4. The network class is about a mechanism for partitioning the IP address space. In the IP address system according to IPv4, which is composed of four octets having 8 bits, the network to which the terminal having the IP address is connected can be identified from the IP address information. For example, a class C network has IP addresses from 192.0.0.0 to 223.255.255.0, and three octets from the beginning were used to represent the network number.

The determination server 101 calculates, for each request content information, the first number of commands input from each terminal during the first period using the log information recorded in the log database 102. The determination server 101 may determine that the command input from the terminal having the same IP address is input from one terminal. However, an exception is provided when the network address is an IP address of a proxy server or a router.

The determination server 101 uses the log information recorded in the log database 102 to calculate a second number of instructions including IP address information associated with the network class and including the request content information during the second period.

The determination server 101 may compare the first number and the second number and determine that the command is invalid when the second number is abnormally larger than the first number.                     

Therefore, according to the present exemplary embodiment, when a predetermined command is input with a malicious intention by using a plurality of terminals connected to the same network group such as the same network class, it can be detected.

Meanwhile, although the above embodiment has been described using the IPv4 scheme as an example, it is obvious that the present invention can be applied to the IP address scheme that adopts the scheme of classifying the IP address space into one or more groups.

(9) When the same command with the same identification information included in the command is inputted repeatedly

In the present embodiment, when the determination server 101 receives a command for requesting predetermined information from the user's terminal, the determination server 101 controls the command to include the information or identification information associated with the IP address of the terminal.

In addition, the determination server 101 determines the number of times of inputting the command including the identification information by referring to the identification information included in the command, and when the plurality of commands including the identification information are input as a result of the determination, the command Is considered invalid.

According to the above configuration, the determination server 101 can determine whether the user of the same terminal repeatedly requests the same information, and the command for unnecessarily repeatedly requesting the information once received is input with malicious intention. You can think of it as a command.

In addition, according to another embodiment of the present invention, the determination server 101 may determine that all commands including the same identification information are invalid, and the first command inputted in time among the commands including the identification information is determined. You can also determine that an instruction that you have excluded is invalid.

In the above, the process of determining the validity of the command based on the request format (step 206) and the process of determining the validity of the command using the log information (step 209) have been described in detail. The determination server 101 may adopt one or more determination methods as described above, and determine the validity of the command by comprehensively reviewing the determination result according to each determination method. In addition, the determination server 101 may determine whether the command is valid using the overall determination result calculated by giving weight to each determination result.

On the other hand, when the determination server 101 determines the validity of the command using the log information as described above in (2) (1) to (3) and (4), if it is determined that the command is not valid, the command The IP address information included in the information is determined as the blocking IP address information.

According to another embodiment of the present invention, the determination system 100 further maintains the invalid IP address database 104 including not only the blocking IP address database 103 but also the invalid suspect IP address database 104 to obtain a predetermined IP address. It may be determined "step by step" whether the command input from the terminal having the invalidity is invalid.

The determination server 101 refers to the invalid suspicious IP address database 104 or the blocking IP address database 103 to determine whether the IP address information included in the command is blocking IP address information or invalid suspicious IP address information. do.

As a result of the determination, when the IP address information is suspected invalid IP address information, log information is generated in association with the command. In this case, the command is referred to as "first command" and the log information as "first log information".

The determination server 101 searches the log information including the IP address information with reference to the log database 102, and refers to the retrieved log information as "second log information." In addition, according to another embodiment of the present invention, the determination server 101 may search only the second log information associated with the command input for a predetermined period of time using the input time point information included in the log information.

The determination server 101 determines whether the IP address information is blocked IP address information by using the first log information and the second log information. At this time, the determination server 101 determines whether the command is invalid by using the determination method described in 2. (1) to (3), and blocks the IP address information when the command is determined to be invalid. Can be determined by address information.

For example, a command from a terminal with an IP address of 123.25.29.01 was entered at 2 pm on April 17, 2004, and at 4 pm on April 17, 2004, and again from 6 pm on April 17, 2004 at the terminal. If the command is input to the judgment server 101 is likely to be invalid, but the command inputted at 6, but it is difficult to determine accurately, the IP address information for the IP address to the invalid suspect IP address database 104 Record it.                     

Subsequently, when a command is input again from the terminal having the IP address, the determination server 101 determines the input time of the command. When the input time is 8:00 on April 17, 2004, the judging server 101 determines that the command inputted at regular time intervals, that is, two hour intervals, is a command generated by an automatic command generation program, and determines the command. It is invalidated. In addition, the IP address information is deleted from the invalid suspicious IP address database 104 and recorded in the blocking IP address database 103 so that all commands input from the terminal are considered invalid.

In addition, according to another embodiment of the present invention, a plurality of invalid suspicious IP address database may exist, and accordingly, two or more steps of determining may be performed until the predetermined IP address is determined as the blocking IP address.

According to such a configuration, when it is difficult to determine whether the IP address information of the terminal which inputs the command is the blocking IP address information only by log information on the command input so far, the IP address information is determined as the invalid suspicious IP address information. Subsequently, by further observing the command including the IP address information, it is possible to more accurately determine whether a predetermined command is invalid by determining whether to determine the IP address information as the blocking IP address information.

In addition, according to another embodiment of the present invention, the determination server 101 is a case in which a command including the blocking IP address information recorded in the blocking IP address database 103 is input or in the request format of the command as described above. If it is determined that the command is invalid, the log information associated with the command is not generated / recorded. Thus, the decision server 101 can save the system resources needed to process the log information associated with the command.

In addition, when the blocking IP address information is used, the blocking IP address may be used even if a user who has input a command with a malicious intention using the terminal wants to input the command by concealing the malicious intention using another method. All the commands input from the terminal having an invalidity can be invalidated by deciding all the commands input from the terminal for malicious intention.

On the other hand, the determination server 101 may not respond to any command determined to be invalid. In addition, the determination server 101 may cause a predetermined effect to occur even for the command determined to be invalid. For example, if the command is a request to select a search result from a list of search results provided by search server 120, search server 120 may be associated with the selected search result regardless of whether the command is invalid. Information can be transmitted to the terminal. However, when the command is also used as a criterion for charging an advertiser providing an advertisement in association with the search result, or a criterion for determining a preference of a user who selects the search result, the command determined to be invalid It is preferable not to use the above as a reference.

Further, embodiments of the present invention include a computer readable medium having program instructions for performing various computer implemented operations. The program recorded on the computer readable medium may include program instructions, data files, data structures, etc. alone or in combination. The media may be those specially designed and constructed for the purposes of the present invention, or they may be of the kind well-known and available to those having skill in the computer software arts.

Hereinafter, a determination system 100 for determining the validity of an instruction according to another embodiment of the present invention will be described. 5 is a block diagram illustrating an internal configuration of the determination system 100. The determination system 100, 500 includes a blocking IP address database 501, a command input unit 502, a log information generation unit 503, a log database 504, a log database management unit 505, and a validity determination unit 506. It includes.

The blocking IP address database 501 includes blocking IP address information. The blocking IP address information is used to invalidate a command input from a terminal having a predetermined IP address as described below.

The command input unit 502 receives a command from the user terminal 510 through a wired or wireless communication network.

The log information generator 503 generates log information associated with the command. The log information includes IP address information included in the command, input time point information on an input time point of the command, request content information included in the command, and the like.

According to the present embodiment, before generating log information associated with the command, the log information generation unit 503 refers to the blocking IP address database 501 to determine whether the IP address information included in the command is blocking IP address information. Determine whether or not. As a result of the determination, when the IP address information is the blocking IP address information, the log information generator 503 does not generate log information associated with the command.                     

In addition, the validity determination unit 506 determines that the command is invalid when the IP address information is blocked IP address information.

The log database manager 505 records the log information in the log database 504.

The validity determination unit 506 determines the validity of the command by using log information generated in association with the command or one or more log information recorded in the log database 504.

Since the detailed configuration for determining the validity of the command by using the log information has been described in the above-described embodiment, the detailed description thereof will be omitted in this embodiment.

6 is an internal block diagram of a general purpose computer device that may be employed to perform a method for determining the validity of an instruction in accordance with the present invention.

Computer device 600 includes one or more processors 610 connected to a main memory including random access memory (RAM) 620 and read only memory (ROM) 630. The processor 610 may also be called a central processing unit (CPU). As is well known in the art, the ROM 630 serves to transfer data and instructions to the CPU unidirectionally, and the RAM 620 typically transfers data and instructions bidirectionally. Used to. RAM 620 and ROM 630 may include any suitable form of computer readable media. Mass storage 640 is bidirectionally coupled to processor 610 to provide additional data storage capability, and may be any of the computer readable recording media described above. The mass storage device 640 is used to store programs, data, and the like, and is a secondary memory device such as a hard disk which is generally slower than the main memory device. Certain mass storage devices such as CD ROM 660 may be used. The processor 610 may include one or more input / output interfaces such as a video monitor, trackball, mouse, keyboard, microphone, touchscreen display, card reader, magnetic or paper tape reader, voice or handwriting reader, joystick, or other known computer input / output device. 650 is connected. Finally, the processor 610 may be connected to a wired or wireless communication network through the network interface 670. Through this network connection, the procedure of the method described above can be performed. The apparatus and tools described above are well known to those skilled in the computer hardware and software arts.

The hardware device described above may be configured to operate as one or more software modules to perform the operations of the present invention.

While specific embodiments of the present invention have been described so far, various modifications are possible without departing from the scope of the present invention.

Therefore, the scope of the present invention should not be limited to the described embodiments, but should be defined not only by the claims below, but also by the equivalents of the claims.

As described above, the present invention has been described by way of limited embodiments and drawings, but the present invention is not limited to the above-described embodiments, which can be variously modified and modified by those skilled in the art to which the present invention pertains. Modifications are possible. Accordingly, the spirit of the present invention should be understood only by the claims set forth below, and all equivalent or equivalent modifications thereof will belong to the scope of the present invention.

According to the present invention, there is provided a method and system for determining validity of a command which can quickly determine whether a command input from a terminal having a predetermined network address is invalid by setting blocking network address information.

In addition, according to the present invention, if it is difficult to determine whether a command input from a terminal having a predetermined network address is invalid, the network address information for the network address is set as invalid suspicious network address information, and later from the network address. A method and system for determining validity of a command that can more accurately determine whether a command is valid by using a two or more setting process of determining whether to block the network address information by using an input command. This is provided.

In addition, according to the present invention, a new criterion for determining the validity of the command is proposed, and in particular, in consideration of both the request form of the command and the request content of the command of the command that can accurately determine the validity of the command A validity determination method and system are provided.

Claims (26)

delete delete delete delete delete In the method of determining the validity of the command, Determining a number of times of input of an instruction including identification information; And Determining the validity of the command based on the number of inputs of the command Including, Determining the validity of the command, When the difference between the number of inputs of the command during the first period and the number of inputs of the command during the second period after the first period exceeds a preset reference number, the command is determined as a candidate for the invalid command How to determine the validity of a command. The method of claim 6, The identification information includes IP address information, Determining the validity of the command, And determining the command as a candidate of an invalid command when the number of inputs of the command having the same IP address information exceeds a preset reference number. delete delete delete delete delete delete In the method of determining the validity of the command, Determining a number of times of input of an instruction; And Determining the validity of the command based on the number of inputs of the command Including, Determining the validity of the command, When the difference between the number of inputs of the command during the first period and the number of inputs of the command during the second period after the first period exceeds a preset reference number, the command is determined as a candidate for the invalid command How to determine the validity of a command. The method of claim 14, Determining the number of times the command is input, Method for determining validity of a command, characterized in that for determining the number of input for the command with the same IP address information. The method of claim 14, Determining the number of times the command is input, Method for determining the validity of the command, characterized in that for determining the number of input for the same command request information. delete delete delete delete delete delete delete delete Extracting identification information included in the command; And Determining the validity of the command based on a number of times of inputting the command including the identification information; Including, Determining the validity of the command, When the difference between the number of inputs of the command during the first period and the number of inputs of the command during the second period after the first period exceeds a preset reference number, the command is determined as a candidate for the invalid command How to determine the validity of a command. The method of claim 25, Determining the validity of the command, And determining the command as a candidate of the invalid command when the number of inputs of the command including the same identification information exceeds a preset reference number.

Images