WO2016082462A1 - Method and apparatus for identifying user behavior - Google Patents
Method and apparatus for identifying user behavior
- Publication number: WO2016082462A1 (PCT application PCT/CN2015/078019)
- Authority: WO (WIPO, PCT)
- Prior art keywords: access, time, sliding window, behavior, preset
Classifications
- H04L63/1425: Traffic logging, e.g. anomaly detection (H04L63/00 Network architectures or network communication protocols for network security > H04L63/14 detecting or protecting against malicious traffic > H04L63/1408 by monitoring network traffic)
- G06F21/552: Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting (G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms > G06F21/55 Detecting local intrusion or implementing counter-measures)
- H04L43/10: Active monitoring, e.g. heartbeat, ping or trace-route (H04L43/00 Arrangements for monitoring or testing data switching networks)
- H04L63/1458: Denial of Service (H04L63/14 detecting or protecting against malicious traffic > H04L63/1441 Countermeasures against malicious traffic)
- G06F2221/2133: Verifying human interaction, e.g., Captcha (G06F2221/00 Indexing scheme relating to security arrangements > G06F2221/21)
- H04L2463/142: Denial of service attacks against network infrastructure (H04L2463/00 Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00)
- H04L2463/144: Detection or countermeasures against botnets (H04L2463/00)
Definitions
- The present disclosure relates to the field of communications and computer processing, and more particularly to a method and apparatus for identifying user behavior.
- One malicious access pattern is sending requests to a website at high frequency within a short time. This is typical of flash sales ("snap-up" events), where a site is hit with bursts of requests from clients trying to grab discounted goods.
- Such high-frequency access is generally produced by snap-up software (purchase bots); a human operating a browser cannot sustain it.
- The present disclosure provides a method and apparatus for identifying user behavior.
- A method of identifying user behavior, comprising: acquiring the access behavior of a terminal within a preset time sliding window; evaluating the access behavior within the time sliding window according to that access behavior; and determining, according to the evaluation result, whether the access behavior of the terminal is malicious access.
- The technical solution of this embodiment may have the following beneficial effect: the user's access behavior is monitored in real time through a time sliding window and evaluated, so that it can be determined whether the user's access behavior is malicious.
- The time sliding window comprises m equal time slices.
- Evaluating the access behavior within the time sliding window according to that access behavior includes:
- for each time slice, determining whether the number of accesses in the slice exceeds a preset slice-count threshold, thereby obtaining the n time slices whose access count exceeds the threshold; and determining whether the ratio of n to m exceeds a preset first ratio threshold.
- Determining, according to the evaluation result, whether the access behavior of the terminal is malicious access includes: when the ratio of n to m exceeds the preset first ratio threshold, determining that the access behavior of the terminal is malicious access.
- The technical solution of this embodiment may have the following beneficial effect: by monitoring the access count in each time slice, it checks whether the count stays high across the window rather than only in a single burst, so the evaluation result is more accurate.
- Evaluating the access behavior within the time sliding window according to that access behavior includes: for each pair of adjacent access behaviors in the window, obtaining the time interval between them; calculating the time variance of the access behavior from the obtained intervals; and determining whether the time variance is greater than a preset variance threshold.
- Determining, according to the evaluation result, whether the access behavior of the terminal is malicious access includes: when the time variance is greater than the preset variance threshold, determining that the access behavior of the terminal is malicious access.
- The technical solution of this embodiment may have the following beneficial effect: by computing the variance of the inter-access intervals, it determines whether the accesses occur at a fixed frequency; if so, the access behavior is judged to be triggered by software rather than by a user, and malicious behavior can be identified more accurately.
- Evaluating the access behavior within the time sliding window according to that access behavior includes: for each pair of adjacent access behaviors in the window, obtaining the time interval between them; calculating the time variance from the obtained intervals; calculating the ratio of the time variance to the average of the time intervals; and determining whether the ratio is less than a preset second ratio threshold.
- Determining, according to the evaluation result, whether the access behavior of the terminal is malicious access includes: when the ratio is less than the preset second ratio threshold, determining that the access behavior of the terminal is malicious access.
- By comparing the variance with the average interval instead of with a fixed absolute threshold, this embodiment identifies malicious behavior more accurately.
- Evaluating the access behavior within the time sliding window according to that access behavior includes: obtaining the total number of access behaviors within the window; determining whether the total exceeds a preset total threshold; and evaluating the access behavior within the window according to the result of that determination.
- The technical solution of this embodiment may have the following beneficial effect: on top of the foregoing schemes, it further evaluates the access behavior by its total count, which identifies malicious behavior more accurately.
- An apparatus for identifying user behavior, including:
- an acquiring module configured to acquire the access behavior of a terminal within a preset time sliding window;
- an evaluation module configured to evaluate the access behavior within the time sliding window according to that access behavior; and
- a determining module configured to determine, according to the evaluation result, whether the access behavior of the terminal is malicious access.
- The time sliding window comprises m equal time slices.
- The evaluation module includes:
- a time slice sub-module configured to determine, for each time slice, whether the number of accesses in the slice exceeds a preset slice-count threshold, and to obtain the n time slices whose access count exceeds the threshold; and
- a first ratio sub-module configured to determine whether the ratio of n to m exceeds a preset first ratio threshold.
- The determining module determines that the access behavior of the terminal is malicious access when the ratio of n to m exceeds the preset first ratio threshold.
- The evaluation module includes:
- an interval sub-module configured to obtain, for each pair of adjacent access behaviors in the time sliding window, the time interval between them;
- a variance sub-module configured to calculate the time variance of the access behavior from the obtained intervals; and
- a first evaluation sub-module configured to determine whether the time variance is greater than a preset variance threshold.
- The determining module determines that the access behavior of the terminal is malicious access when the time variance is greater than the preset variance threshold.
- The evaluation module comprises:
- an interval sub-module configured to obtain, for each pair of adjacent access behaviors in the time sliding window, the time interval between them;
- a variance sub-module configured to calculate the time variance of the access behavior from the obtained intervals;
- a ratio sub-module configured to calculate the ratio of the time variance to the average of the time intervals; and
- a second ratio sub-module configured to determine whether the ratio is less than a preset second ratio threshold.
- The determining module determines that the access behavior of the terminal is malicious access when the ratio is less than the preset second ratio threshold.
- The evaluation module includes:
- a total number sub-module configured to obtain the total number of access behaviors within the time sliding window;
- a total number determining sub-module configured to determine whether the total exceeds a preset total threshold; and
- a second evaluation sub-module configured to evaluate the access behavior within the time sliding window according to the result of that determination.
- An apparatus for identifying user behavior, including:
- a processor; and
- a memory for storing processor-executable instructions,
- wherein the processor is configured to: acquire the access behavior of a terminal within a preset time sliding window; evaluate the access behavior within the time sliding window according to that access behavior; and determine, according to the evaluation result, whether the access behavior of the terminal is malicious access.
- FIG. 1 is a flow chart showing a method of identifying user behavior, according to an exemplary embodiment.
- FIG. 2 is a flow chart showing a method of identifying user behavior, according to an exemplary embodiment.
- FIG. 3 is a flow chart showing a method of identifying user behavior, according to an exemplary embodiment.
- FIG. 4 is a block diagram of an apparatus for identifying user behavior, according to an exemplary embodiment.
- FIG. 5 is a block diagram of an evaluation module, according to an exemplary embodiment.
- FIG. 6A is a block diagram of an evaluation module, according to an exemplary embodiment.
- FIG. 6B is a block diagram of an evaluation module, according to an exemplary embodiment.
- FIG. 7 is a block diagram of an evaluation module, according to an exemplary embodiment.
- FIG. 8 is a block diagram of an apparatus, according to an exemplary embodiment.
- This embodiment monitors the access behavior of the terminal through a time sliding window and can accurately identify whether the terminal's access behavior is malicious.
- The time sliding window is a dynamic window of fixed length, for example 3600 seconds.
- The end of the window is always the current time, so the window moves forward with time.
- By contrast, the related-art method counts accesses per fixed preset duration. With a preset duration of 1000 seconds, for example, one detection covers 0 to 1000 seconds, the next covers 1001 to 2000 seconds, and so on; a burst of accesses spanning 500 to 1500 seconds is split across two detections and may not be detected at all.
- With the sliding window, detection is performed as the window moves: with a window length of 1000 seconds, detection covers 0 to 1000 seconds, then 1 to 1001 seconds, then 2 to 1002 seconds, and so on. Detection is therefore finer-grained, and malicious behavior can be identified more accurately than with the related-art scheme.
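The following is an added example (not code from the patent) showing the difference the two preceding paragraphs describe: a burst of accesses that straddles a fixed 1000-second bucket boundary stays below a per-bucket threshold, while a 1000-second sliding window that ends at the current time sees the whole burst. The burst, the window length and the threshold of 400 are constructed for the illustration; the function and class names are the example's own.

```python
"""Fixed-duration counting versus a time sliding window (added example)."""
from collections import deque

WINDOW = 1000      # window length in seconds (the page's example value)
THRESHOLD = 400    # hypothetical per-window access-count threshold


def fixed_bucket_counts(timestamps, bucket_len=WINDOW):
    """Related-art scheme: count accesses per fixed, non-overlapping bucket
    [0, bucket_len), [bucket_len, 2*bucket_len), ...  Returns {bucket: count}."""
    counts = {}
    for t in timestamps:
        b = int(t // bucket_len)
        counts[b] = counts.get(b, 0) + 1
    return counts


def sliding_window_peak(timestamps, window=WINDOW):
    """Sliding-window scheme: for every access at time t, count the accesses
    in (t - window, t] and return the largest such count.  Two-pointer scan
    over the sorted timestamps, O(n)."""
    ts = sorted(timestamps)
    peak = 0
    start = 0
    for end, t in enumerate(ts):
        while ts[start] <= t - window:   # evict everything older than the window
            start += 1
        peak = max(peak, end - start + 1)
    return peak


class SlidingWindowCounter:
    """Streaming form: the window's end is always 'now', so old accesses are
    evicted as time moves.  record() returns the count in (now - window, now]."""

    def __init__(self, window=WINDOW):
        self.window = window
        self._times = deque()

    def record(self, now):
        self._times.append(now)
        while self._times[0] <= now - self.window:
            self._times.popleft()
        return len(self._times)


def demo():
    # Constructed burst: 500 accesses, one every 2 s, from t=500 to t=1498.
    # It straddles the boundary between fixed buckets [0,1000) and [1000,2000).
    burst = [500 + 2 * i for i in range(500)]
    buckets = fixed_bucket_counts(burst)        # {0: 250, 1: 250}: both under 400
    peak = sliding_window_peak(burst)           # 500: the whole burst in one window
    return {
        "bucket_counts": buckets,
        "bucket_detects": any(c > THRESHOLD for c in buckets.values()),
        "sliding_peak": peak,
        "sliding_detects": peak > THRESHOLD,
    }


if __name__ == "__main__":
    print(demo())
```

The streaming counter is the form a server would actually run: one deque per monitored terminal, eviction on every access, and an O(1) amortised count. Memory is bounded by the number of accesses that fit in one window per terminal, which is the cost of not using fixed buckets.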
- FIG. 1 is a flowchart of a method for recognizing user behavior according to an exemplary embodiment. As shown in FIG. 1 , the method may be implemented by a server, including the following steps:
- Step 101: acquire the access behavior of the terminal within the preset time sliding window.
- Step 102: evaluate the access behavior within the time sliding window according to that access behavior.
- Step 103: determine, according to the evaluation result, whether the access behavior of the terminal is malicious access.
- Through the time sliding window the terminal's access behavior is monitored in real time while the behavior over the whole window is evaluated together, so the judgement of whether the behavior is malicious is more accurate.
- This embodiment monitors and evaluates a single terminal; the terminal may be identified by user name, IP (Internet Protocol) address or MAC (Media Access Control) address. Note that a server sees a client's MAC address only on its local link, and one IP address may be shared by many users behind NAT or a proxy, so the choice of identifier directly affects the false-positive rate.
- When an access is determined to be malicious, the server may require the terminal to complete a verification code; temporarily block access by the user (or terminal); add the user to a blacklist so that its access is rejected permanently; or send the user a warning message.
- Step 102 can be implemented as step A.
- Step A: the access behavior within the time sliding window is evaluated based on the access behavior within each time slice of the window.
- The time sliding window is subdivided into a plurality of time slices of equal length.
- For example, a window of 3600 seconds contains 10 time slices of 360 seconds each.
- Monitoring the user's access behavior per time slice reduces the monitoring granularity and helps identify malicious behavior more accurately.
- This embodiment evaluates both the access behavior in each time slice and the overall behavior across the window, so the evaluation result is more accurate.
- Step A may comprise steps A1 and A2.
- Step A1: for each time slice, determine whether the number of accesses in the slice exceeds a preset slice-count threshold, and obtain the n time slices whose access count exceeds it.
- Step A2: determine whether the ratio of n to m exceeds a preset first ratio threshold.
- Step 103 can be implemented as step A3.
- Step A3: when the ratio of n to m exceeds the preset first ratio threshold, determine that the access behavior of the terminal is malicious access.
- In other words, the time slices whose access count exceeds the slice-count threshold are identified, the ratio of their number to the total number of time slices is compared with the first ratio threshold, and the access behavior within the window is evaluated from that comparison.
- If the ratio exceeds the first ratio threshold, the access rate is judged too high and malicious access is determined; otherwise, no malicious access is determined.
- For example, the time sliding window T is 3600 seconds long and contains 10 time slices t1 to t10, each 360 seconds long.
- The access behavior is evaluated accordingly, and it is concluded that there is malicious access behavior in the time sliding window T.
- Step 102 can also be implemented as scheme B.
- Step B1: for each pair of adjacent access behaviors within the time sliding window, obtain the time interval between them.
- Step B2: calculate the time variance of the access behavior from the obtained intervals.
- Step B3: evaluate the access behavior within the window according to the time variance, i.e. determine whether the time variance is greater than a preset variance threshold.
- Step 103: when the time variance is greater than the preset variance threshold, determine that the access behavior of the terminal is malicious access.
- The time variance is compared with the preset variance threshold. If the variance is greater than the threshold, the inter-access intervals fluctuate widely, so the accesses can be attributed to a user rather than to snap-up software and no malicious behavior is determined; if the variance is not greater than the threshold, malicious behavior is determined. Note that this paragraph labels the low-variance case as malicious, which is the opposite of the comparison in step B3 and in claim 3 as printed above, where a variance greater than the threshold is labeled malicious; the rationale given throughout the description, that accesses at a fixed frequency indicate software, supports the reading in this paragraph, and an implementer should confirm which direction the tuned threshold encodes.
- Let x1, x2, x3, ..., xn be the time intervals between adjacent access behaviors, and x̄ their average value.
- The variance formula is as follows:
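The formula itself is not reproduced on this page. In the page's own notation, with $x_1, \dots, x_n$ the intervals and $\bar{x}$ their average, the population variance used below is (added here as the standard definition, not a copy of the patent's figure; whether the patent divides by $n$ or by $n-1$ is not visible on this page, and the choice changes the value the thresholds are tuned against):

$$\bar{x} = \frac{1}{n}\sum_{i=1}^{n} x_i, \qquad s^2 = \frac{1}{n}\sum_{i=1}^{n}\left(x_i - \bar{x}\right)^2$$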
- Scheme B can also be combined with steps A1 to A3: for example, a variance is calculated for each time slice, the time slices whose variance exceeds the variance threshold are identified, the ratio of their number to the total number of time slices is computed, and that ratio is compared with the first ratio threshold to determine whether there is malicious access.
- Scheme B can be further refined.
- Step B3 may include steps B31 and B32.
- Step B31: calculate the ratio of the time variance to the average of the time intervals.
- Step B32: determine whether the ratio is less than a preset second ratio threshold.
- The access behavior within the window is evaluated according to that determination.
- Step 103 can be implemented as step B33.
- Step B33: when the ratio is less than the preset second ratio threshold, determine that the access behavior of the terminal is malicious access.
- When the ratio is small, the variance is small relative to the average interval, i.e. the intervals are nearly uniform; the access behavior is then judged to be triggered by snap-up software and malicious access is determined. Otherwise, the access behavior is judged to be user-triggered and no malicious access is determined.
- For example, suppose the average x̄ is 1 and the time variance is 0.5.
- The ratio of the variance to the average is 50%, which is greater than a preset second ratio threshold of 10%, so no malicious access is determined.
- Although the variance of 0.5 is small in absolute terms, relative to an average of 1 it is large, so the intervals are irregular.
- Now suppose the average x̄ is 10 and the time variance is again 0.5.
- The ratio of the variance to the average is 5%, which is less than the second ratio threshold of 10%, so malicious access is determined: relative to an average of 10, a variance of 0.5 is very small, so the intervals are nearly uniform.
- This embodiment evaluates the access behavior more accurately by comparing the variance with the average value, i.e. by measuring the relative dispersion of the intervals rather than their absolute variance.
- Step 102 can be implemented as scheme C.
- Step C1: obtain the total number of access behaviors within the time sliding window.
- Step C2: determine whether the total exceeds a preset total threshold.
- Step C3: evaluate the access behavior within the window according to that determination.
- If the total number of accesses in the window exceeds the total threshold, the access volume is judged too high and malicious access is determined; otherwise, no malicious access is determined.
- Scheme C can be combined with the schemes above: after the determination of step A or scheme B, the determination of scheme C is additionally performed, and malicious access is concluded when it is determined to be present.
- FIG. 2 is a flowchart of a method for identifying user behavior according to an exemplary embodiment. As shown in FIG. 2, the method may be implemented by a server and includes the following steps:
- Step 201: acquire the access behavior of the terminal within the preset time sliding window.
- Step 202: for each time slice in the time sliding window, compare the number of accesses in the slice with the preset slice-count threshold.
- Step 203: determine the time slices whose access count exceeds the preset slice-count threshold.
- Step 204: calculate the ratio of the number of time slices exceeding the slice-count threshold to the total number of time slices.
- Step 205: determine whether the calculated ratio exceeds the preset first ratio threshold.
- When the ratio exceeds the preset first ratio threshold, continue with step 206; otherwise, continue with step 207.
- Step 206: determine that there is malicious access behavior.
- Step 207: determine that there is no malicious access behavior.
- Time slices permit finer-grained monitoring of the access behavior; by monitoring the access count at this smaller granularity, malicious access is identified more accurately.
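The following is an added example (not code from the patent) implementing the time-slice ratio check of steps A1 to A3 / steps 201 to 207 above, together with the total-count check of scheme C and the combination of the two that the scheme C passage describes. The window of 3600 seconds and m = 10 slices are the page's values; the slice-count threshold, first ratio threshold and total threshold are hypothetical, as is the decision to treat the combination as requiring both checks to agree (the page does not say whether the combined conclusion is an AND or an OR). All names are the example's own, and the access timestamps are constructed.

```python
"""Time-slice ratio check (scheme A / FIG. 2) with the total-count check
(scheme C) layered on top, as an added example."""
from dataclasses import dataclass


@dataclass(frozen=True)
class SliceParams:
    window: float = 3600.0              # T, seconds (page example)
    m: int = 10                         # number of equal time slices (page example)
    slice_threshold: int = 20           # hypothetical per-slice access-count threshold
    first_ratio_threshold: float = 0.5  # hypothetical n/m threshold
    total_threshold: int = 150          # hypothetical scheme-C total-count threshold


def slice_counts(timestamps, now, p):
    """Bucket the accesses falling in (now - window, now] into m equal slices;
    slice 0 is the oldest, slice m-1 ends at 'now'."""
    slice_len = p.window / p.m
    counts = [0] * p.m
    for t in timestamps:
        age = now - t
        if 0 <= age < p.window:
            idx = p.m - 1 - int(age // slice_len)
            counts[idx] += 1
    return counts


def evaluate_slices(timestamps, now, p):
    """Steps A1-A3: n = slices whose count exceeds the slice threshold;
    malicious when n/m exceeds the first ratio threshold."""
    counts = slice_counts(timestamps, now, p)
    n = sum(1 for c in counts if c > p.slice_threshold)
    ratio = n / p.m
    return {"counts": counts, "n": n, "ratio": ratio,
            "malicious": ratio > p.first_ratio_threshold}


def evaluate_total(timestamps, now, p):
    """Scheme C: total accesses within the window against the total threshold."""
    total = sum(1 for t in timestamps if 0 <= now - t < p.window)
    return {"total": total, "malicious": total > p.total_threshold}


def evaluate_combined(timestamps, now, p):
    """Combination described for scheme C: run the slice check, then the
    total-count check.  ASSUMPTION: both must flag before 'malicious' is
    concluded (the conservative reading; the page does not specify AND/OR)."""
    a = evaluate_slices(timestamps, now, p)
    c = evaluate_total(timestamps, now, p)
    return {"slices": a, "total": c,
            "malicious": a["malicious"] and c["malicious"]}


def make_accesses(now, p, per_slice):
    """Constructed input: per_slice[i] accesses spread evenly inside slice i."""
    slice_len = p.window / p.m
    ts = []
    for i, k in enumerate(per_slice):
        start = now - p.window + i * slice_len
        ts.extend(start + slice_len * (j + 0.5) / k for j in range(k))
    return ts


if __name__ == "__main__":
    p = SliceParams()
    now = 100000.0
    # Sustained bot traffic: 7 of 10 slices busy -> slice check and total both flag.
    print(evaluate_combined(make_accesses(now, p, [30] * 7 + [5] * 3), now, p))
    # One old burst: total exceeds 150 but only 1 of 10 slices is busy.
    print(evaluate_combined(make_accesses(now, p, [200] + [0] * 9), now, p))
```

The second input is the case the slice ratio is there to handle: a single 200-request burst in the oldest slice trips the plain total-count check, while the per-slice ratio (1/10) says the terminal was not continuously hammering the site, so the combined verdict stays clean.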
- FIG. 3 is a flowchart of a method for identifying user behavior according to an exemplary embodiment. As shown in FIG. 3, the method may be implemented by a server and includes the following steps:
- Step 301: acquire the access behavior of the terminal within the preset time sliding window.
- Step 302: for each pair of adjacent access behaviors within the time sliding window, obtain the time interval between them.
- Step 303: calculate the average of the time intervals from the obtained intervals.
- Step 304: calculate the time variance of the access behavior from the obtained intervals.
- Step 305: calculate the ratio of the time variance to the average of the time intervals.
- Step 306: determine whether the ratio is less than the preset second ratio threshold. When it is less than the second ratio threshold, continue with step 307; otherwise, continue with step 308.
- Step 307: determine that there is malicious access behavior.
- Step 308: determine that there is no malicious access behavior.
- This embodiment uses the variance to determine whether the accesses are uniformly spaced in time; if so, the accesses are judged to be generated by software rather than triggered by a user, and malicious access is determined; otherwise, no malicious access is determined.
- This method can identify malicious access behavior more accurately.
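The following is an added example (not code from the patent) implementing scheme B as explained in the description: the absolute-variance test of steps B1 to B3 and the variance-to-mean ratio of steps B31 to B33 / steps 302 to 308. It reproduces the page's numeric argument with constructed interval sequences: a bot-like stream with mean interval 10 and small jitter, and a human-like stream with mean interval 1 and wide jitter. The variance threshold of 0.5 and the second ratio threshold of 10% (the page's example value) are inputs; the function names and the population-variance choice are the example's own assumptions.

```python
"""Interval-variance checks (scheme B / FIG. 3), as an added example."""
import math


def intervals(timestamps):
    """Steps B1 / 302: intervals x1..xn between adjacent accesses (sorted)."""
    ts = sorted(timestamps)
    return [b - a for a, b in zip(ts, ts[1:])]


def mean(xs):
    return sum(xs) / len(xs)


def variance(xs):
    """Population variance, (1/n) * sum((xi - mean)^2).  ASSUMPTION: the page
    does not show the formula; dividing by n-1 instead would shift the values
    the thresholds are tuned against."""
    mu = mean(xs)
    return sum((x - mu) ** 2 for x in xs) / len(xs)


def evaluate_variance(timestamps, variance_threshold):
    """Steps B1-B3 as the description explains them: near-uniform intervals
    (variance NOT above the threshold) indicate software-driven access.
    The claim text as printed on the page states the opposite comparison."""
    xs = intervals(timestamps)
    if len(xs) < 2:
        return {"variance": None, "malicious": False}  # too few accesses to judge
    v = variance(xs)
    return {"variance": v, "malicious": not (v > variance_threshold)}


def evaluate_ratio(timestamps, second_ratio_threshold=0.10):
    """Steps B31-B33 / 303-308: ratio = variance / mean interval; malicious when
    the ratio is below the second ratio threshold (10% in the page's example)."""
    xs = intervals(timestamps)
    if len(xs) < 2:
        return {"ratio": None, "malicious": False}
    mu, v = mean(xs), variance(xs)
    ratio = v / mu
    # Caveat (not from the page): variance/mean has units of time, so the same
    # traffic stamped in milliseconds instead of seconds yields a ratio 1000x
    # larger.  The coefficient of variation (std/mean) is the dimensionless
    # alternative and is reported alongside for comparison.
    cv = math.sqrt(v) / mu
    return {"mean": mu, "variance": v, "ratio": ratio, "cv": cv,
            "malicious": ratio < second_ratio_threshold}


def timestamps_from_intervals(start, xs):
    """Constructed-input helper: rebuild access times from an interval list."""
    ts = [start]
    for x in xs:
        ts.append(ts[-1] + x)
    return ts


if __name__ == "__main__":
    bot = timestamps_from_intervals(0.0, [9.5, 10.5] * 3)             # mean 10, var 0.25
    human = timestamps_from_intervals(0.0, [0.2, 1.8, 0.5, 1.5, 1.0, 1.0])  # mean 1, var ~0.30
    for name, ts in (("bot", bot), ("human", human)):
        print(name, evaluate_variance(ts, 0.5), evaluate_ratio(ts))
```

With an absolute variance threshold of 0.5 both streams fall below it and both are flagged, which is the false positive the page's "mean 1 versus mean 10" discussion is about; normalising by the mean separates them (ratio 2.5% for the bot, about 30% for the human). The unit caveat in the comment is the reason to prefer the coefficient of variation when timestamps may arrive in different resolutions.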
- FIG. 4 is a schematic diagram of an apparatus for identifying user behavior, according to an exemplary embodiment.
- The apparatus includes an acquiring module 401, an evaluation module 402 and a determining module 403.
- The acquiring module 401 is configured to acquire the access behavior of the terminal within the preset time sliding window.
- The evaluation module 402 is configured to evaluate the access behavior within the time sliding window according to that access behavior.
- The determining module 403 is configured to determine, according to the evaluation result, whether the access behavior of the terminal is malicious access.
- The time sliding window includes m equal time slices; as shown in FIG. 5, the evaluation module 402 includes a time slice sub-module 4021 and a first ratio sub-module 4028.
- The time slice sub-module 4021 is configured to determine, for each time slice, whether the number of accesses in the slice exceeds a preset slice-count threshold, and to obtain the n time slices whose access count exceeds it.
- The first ratio sub-module 4028 is configured to determine whether the ratio of n to m exceeds a preset first ratio threshold.
- The determining module 403 determines that the access behavior of the terminal is malicious access when the ratio of n to m exceeds the preset first ratio threshold.
- As shown in FIG. 6A, the evaluation module 402 includes an interval sub-module 4022, a variance sub-module 4023 and a first evaluation sub-module 4024.
- The interval sub-module 4022 is configured to obtain, for each pair of adjacent access behaviors in the time sliding window, the time interval between them.
- The variance sub-module 4023 is configured to calculate the time variance of the access behavior from the obtained intervals.
- The first evaluation sub-module 4024 is configured to determine whether the time variance is greater than a preset variance threshold.
- The determining module 403 determines that the access behavior of the terminal is malicious access when the time variance is greater than the preset variance threshold.
- The time slice sub-module 4021 may itself include an interval sub-module 4022, a variance sub-module 4023 and a first evaluation sub-module 4024, i.e. the per-slice variance combination described above.
- As shown in FIG. 6B, the evaluation module 402 includes an interval sub-module 4022, a variance sub-module 4023, a ratio sub-module 4029 and a second ratio sub-module 40210.
- The interval sub-module 4022 is configured to obtain, for each pair of adjacent access behaviors in the time sliding window, the time interval between them.
- The variance sub-module 4023 is configured to calculate the time variance of the access behavior from the obtained intervals.
- The ratio sub-module 4029 is configured to calculate the ratio of the time variance to the average of the time intervals.
- The second ratio sub-module 40210 is configured to determine whether the ratio is less than a preset second ratio threshold.
- The determining module 403 determines that the access behavior of the terminal is malicious access when the ratio is less than the preset second ratio threshold.
- As shown in FIG. 7, the evaluation module 402 includes a total number sub-module 4025, a total number determining sub-module 4026 and a second evaluation sub-module 4027.
- The total number sub-module 4025 is configured to obtain the total number of access behaviors within the time sliding window.
- The total number determining sub-module 4026 is configured to determine whether the total exceeds a preset total threshold.
- The second evaluation sub-module 4027 is configured to evaluate the access behavior within the time sliding window according to the result of that determination.
- FIG. 8 is a block diagram of an apparatus 800 for identifying user behavior, according to an exemplary embodiment.
- device 800 can be provided as a computer.
- apparatus 800 includes a processing component 822 that further includes one or more processors, and memory resources represented by memory 832 for storing instructions executable by processing component 822, such as an application.
- The application stored in the memory 832 may include one or more modules, each corresponding to a set of instructions.
- processing component 822 is configured to execute instructions to perform the above method to identify user behavior.
- Device 800 may also include a power supply component 826 configured to perform power management of device 800, a wired or wireless network interface 850 configured to connect device 800 to the network, and an input/output (I/O) interface 858.
- Device 800 can operate based on an operating system stored in memory 832, such as Windows ServerTM, Mac OS XTM, UnixTM, LinuxTM, FreeBSDTM or the like.
- A device for identifying user behavior, comprising: a processor; and a memory for storing processor-executable instructions, wherein the processor is configured to: acquire the access behavior of a terminal within a preset time sliding window; evaluate the access behavior within the time sliding window according to that access behavior; and determine, according to the evaluation result, whether the access behavior of the terminal is malicious access.
- The processor may further be configured such that the time sliding window includes m equal time slices, and evaluating the access behavior includes: for each time slice, determining whether the number of accesses in the slice exceeds a preset slice-count threshold, obtaining the n time slices whose count exceeds it, and determining whether the ratio of n to m exceeds a preset first ratio threshold; determining whether the access behavior is malicious includes: when the ratio of n to m exceeds the first ratio threshold, determining that the access behavior of the terminal is malicious access.
- The processor may further be configured such that evaluating the access behavior includes: obtaining, for each pair of adjacent access behaviors in the window, the time interval between them; calculating the time variance from the obtained intervals; and determining whether the time variance is greater than a preset variance threshold; determining whether the access behavior is malicious includes: when the time variance is greater than the variance threshold, determining that the access behavior of the terminal is malicious access.
- The processor may further be configured such that evaluating the access behavior includes: obtaining the intervals between adjacent access behaviors; calculating the time variance from them; calculating the ratio of the time variance to the average of the intervals; and determining whether the ratio is less than a preset second ratio threshold; determining whether the access behavior is malicious includes: when the ratio is less than the second ratio threshold, determining that the access behavior of the terminal is malicious access.
- The processor may further be configured such that evaluating the access behavior includes: obtaining the total number of access behaviors within the time sliding window; determining whether the total exceeds a preset total threshold; and evaluating the access behavior within the window according to the result of that determination.
- A non-transitory computer-readable storage medium, wherein the instructions in the storage medium, when executed by a processor of a mobile terminal, enable the mobile terminal to perform a method of identifying user behavior, the method comprising: acquiring the access behavior of a terminal within a preset time sliding window; evaluating the access behavior within the time sliding window according to that access behavior; and determining, according to the evaluation result, whether the access behavior of the terminal is malicious access.
- The instructions in the storage medium may further provide that the time sliding window includes m equal time slices, and that evaluating the access behavior includes: for each time slice, determining whether the number of accesses in the slice exceeds a preset slice-count threshold, obtaining the n time slices whose count exceeds it, and determining whether the ratio of n to m exceeds a preset first ratio threshold; determining whether the access behavior is malicious includes: when the ratio of n to m exceeds the first ratio threshold, determining that the access behavior of the terminal is malicious access.
- The instructions in the storage medium may further provide that evaluating the access behavior includes: obtaining, for each pair of adjacent access behaviors in the window, the time interval between them; calculating the time variance from the obtained intervals; and determining whether the time variance is greater than a preset variance threshold; determining whether the access behavior is malicious includes: when the time variance is greater than the variance threshold, determining that the access behavior of the terminal is malicious access.
- The instructions in the storage medium may further provide that evaluating the access behavior includes: obtaining the intervals between adjacent access behaviors; calculating the time variance from them; calculating the ratio of the time variance to the average of the intervals; and determining whether the ratio is less than a preset second ratio threshold; determining whether the access behavior is malicious includes: when the ratio is less than the second ratio threshold, determining that the access behavior of the terminal is malicious access.
- The instructions in the storage medium may further provide that evaluating the access behavior includes: obtaining the total number of access behaviors within the time sliding window; determining whether the total exceeds a preset total threshold; and evaluating the access behavior within the window according to the result of that determination.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computing Systems (AREA)
- Theoretical Computer Science (AREA)
- Software Systems (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Health & Medical Sciences (AREA)
- Cardiology (AREA)
- General Health & Medical Sciences (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
- Storage Device Security (AREA)
- Debugging And Monitoring (AREA)
- Information Transfer Between Computers (AREA)
- Management, Administration, Business Operations System, And Electronic Commerce (AREA)
Claims (11)
- A method for identifying user behavior, characterized in that it comprises: acquiring the access behavior of a terminal within a preset time sliding window; evaluating the access behavior within the time sliding window according to that access behavior; and determining, according to the evaluation result, whether the access behavior of the terminal is malicious access.
- The method for identifying user behavior according to claim 1, characterized in that the time sliding window comprises m equal time slices; the evaluating of the access behavior within the time sliding window according to that access behavior comprises: for each time slice, determining whether the number of accesses within the time slice exceeds a preset slice count threshold, thereby obtaining n time slices whose access count exceeds the preset slice count threshold; and determining whether the ratio of n to m exceeds a preset first ratio threshold; and the determining, according to the evaluation result, whether the access behavior of the terminal is malicious access comprises: determining that the access behavior of the terminal is malicious access when the ratio of n to m exceeds the preset first ratio threshold.
- The method for identifying user behavior according to claim 1, characterized in that the evaluating of the access behavior within the time sliding window according to that access behavior comprises: for each pair of adjacent access behaviors within the time sliding window, obtaining the time interval between the two adjacent access behaviors; calculating the time variance of the access behaviors from the obtained time intervals; and determining whether the time variance is greater than a preset variance threshold; and the determining, according to the evaluation result, whether the access behavior of the terminal is malicious access comprises: determining that the access behavior of the terminal is malicious access when the time variance is greater than the preset variance threshold.
- The method for identifying user behavior according to claim 1, characterized in that the evaluating of the access behavior within the time sliding window according to that access behavior comprises: for each pair of adjacent access behaviors within the time sliding window, obtaining the time interval between the two adjacent access behaviors; calculating the time variance of the access behaviors from the obtained time intervals; calculating the ratio of the time variance to the mean of the time intervals; and determining whether that ratio is less than a preset second ratio threshold; and the determining, according to the evaluation result, whether the access behavior of the terminal is malicious access comprises: determining that the access behavior of the terminal is malicious access when the ratio is less than the preset second ratio threshold.
- The method for identifying user behavior according to claim 1, characterized in that the evaluating of the access behavior within the time sliding window according to that access behavior comprises: obtaining the total number of access behaviors within the time sliding window; determining whether the total exceeds a preset total count threshold; and evaluating the access behavior within the time sliding window according to the result of that determination.
- A device for identifying user behavior, characterized in that it comprises: an acquisition module, configured to acquire the access behavior of a terminal within a preset time sliding window; an evaluation module, configured to evaluate the access behavior within the time sliding window according to that access behavior; and a determination module, configured to determine, according to the evaluation result, whether the access behavior of the terminal is malicious access.
- The device for identifying user behavior according to claim 6, characterized in that the time sliding window comprises m equal time slices; the evaluation module comprises: a time slice sub-module, configured to determine, for each time slice, whether the number of accesses within the time slice exceeds a preset slice count threshold, thereby obtaining n time slices whose access count exceeds the preset slice count threshold; and a first ratio sub-module, configured to determine whether the ratio of n to m exceeds a preset first ratio threshold; and the determination module determines that the access behavior of the terminal is malicious access when the ratio of n to m exceeds the preset first ratio threshold.
- The device for identifying user behavior according to claim 6, characterized in that the evaluation module comprises: an interval sub-module, configured to obtain, for each pair of adjacent access behaviors within the time sliding window, the time interval between the two adjacent access behaviors; a variance sub-module, configured to calculate the time variance of the access behaviors from the obtained time intervals; and a first evaluation sub-module, configured to determine whether the time variance is greater than a preset variance threshold; and the determination module determines that the access behavior of the terminal is malicious access when the time variance is greater than the preset variance threshold.
- The device for identifying user behavior according to claim 6, characterized in that the evaluation module comprises: an interval sub-module, configured to obtain, for each pair of adjacent access behaviors within the time sliding window, the time interval between the two adjacent access behaviors; a variance sub-module, configured to calculate the time variance of the access behaviors from the obtained time intervals; a ratio sub-module, configured to calculate the ratio of the time variance to the mean of the time intervals; and a second ratio sub-module, configured to determine whether that ratio is less than a preset second ratio threshold; and the determination module determines that the access behavior of the terminal is malicious access when the ratio is less than the preset second ratio threshold.
- The device for identifying user behavior according to claim 6, characterized in that the evaluation module comprises: a total count sub-module, configured to obtain the total number of access behaviors within the time sliding window; a total count determination sub-module, configured to determine whether the total exceeds a preset total count threshold; and a second evaluation sub-module, configured to evaluate the access behavior within the time sliding window according to the result of that determination.
- A device for identifying user behavior, characterized in that it comprises: a processor; and a memory for storing instructions executable by the processor; wherein the processor is configured to: acquire the access behavior of a terminal within a preset time sliding window; evaluate the access behavior within the time sliding window according to that access behavior; and determine, according to the evaluation result, whether the access behavior of the terminal is malicious access.
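The four evaluation criteria in claims 2 to 5 (per-slice count ratio n/m, interval variance, variance-to-mean ratio, and total count over the window) are simple enough to show end to end. The following is an added example and not code from the patent or from Xiaomi: it implements each criterion as a separate function, runs them over one sliding window, and handles the two undefined cases the claims do not spell out (fewer than two accesses, so no interval exists; and a mean interval of zero, which would make the claim 4 ratio a division by zero). The window length, slice count, thresholds and the two timestamp sequences are constructed, hypothetical values.

```python
"""Sliding-window checks from claims 2 to 5 of WO2016082462A1.

Added example, not Xiaomi's code. Timestamps are seconds relative to an
arbitrary origin; the window, slice count and all thresholds are
hypothetical values chosen for illustration.
"""
from dataclasses import dataclass
from statistics import mean, pvariance
from typing import Dict, List, Optional, Sequence


@dataclass(frozen=True)
class Thresholds:
    m: int                         # number of equal time slices in the window (claim 2)
    slice_threshold: int           # per-slice access count a slice must exceed (claim 2)
    first_ratio_threshold: float   # n/m above this is malicious (claim 2)
    variance_threshold: float      # interval variance above this is malicious (claim 3, as written)
    second_ratio_threshold: float  # variance/mean below this is malicious (claim 4)
    total_threshold: int           # total accesses in the window above this is malicious (claim 5)


def accesses_in_window(times: Sequence[float], start: float, length: float) -> List[float]:
    """Sorted accesses falling in the half-open window [start, start + length)."""
    return sorted(t for t in times if start <= t < start + length)


def slice_ratio(times: Sequence[float], start: float, length: float,
                m: int, slice_threshold: int) -> float:
    """Claim 2: split the window into m equal slices, count accesses per slice and
    return n/m, where n is the number of slices whose count exceeds slice_threshold."""
    if m <= 0 or length <= 0:
        raise ValueError("window length and slice count must be positive")
    width = length / m
    counts = [0] * m
    for t in accesses_in_window(times, start, length):
        idx = min(int((t - start) // width), m - 1)  # clamp guards float rounding at the last edge
        counts[idx] += 1
    n = sum(1 for c in counts if c > slice_threshold)
    return n / m


def intervals(times: Sequence[float]) -> List[float]:
    """Gaps between each pair of adjacent accesses (claims 3 and 4)."""
    ts = sorted(times)
    return [b - a for a, b in zip(ts, ts[1:])]


def interval_variance(times: Sequence[float]) -> Optional[float]:
    """Claim 3: population variance of the gaps. None when fewer than two accesses
    exist, because then there is no interval and the variance is undefined."""
    gaps = intervals(times)
    return pvariance(gaps) if gaps else None


def dispersion_ratio(times: Sequence[float]) -> Optional[float]:
    """Claim 4: variance of the gaps divided by their mean. None when undefined:
    fewer than two accesses, or every access at the same instant (mean gap 0)."""
    gaps = intervals(times)
    if not gaps:
        return None
    mu = mean(gaps)
    if mu == 0:
        return None
    return pvariance(gaps) / mu


def evaluate(times: Sequence[float], start: float, length: float, cfg: Thresholds) -> Dict[str, bool]:
    """Apply the four claimed criteria to one window. True means that criterion,
    taken alone, classifies the terminal's access behavior as malicious."""
    inside = accesses_in_window(times, start, length)
    var = interval_variance(inside)
    ratio = dispersion_ratio(inside)
    return {
        "total": len(inside) > cfg.total_threshold,
        "slice_ratio": slice_ratio(inside, start, length, cfg.m, cfg.slice_threshold)
        > cfg.first_ratio_threshold,
        "variance": var is not None and var > cfg.variance_threshold,
        "dispersion": ratio is not None and ratio < cfg.second_ratio_threshold,
    }


# Constructed sample data (not measurements): a 60 s window starting at t = 0.
BOT_TIMES = [i * 0.5 for i in range(120)]  # one request every 0.5 s, metronome-regular
HUMAN_TIMES = [1.0, 3.5, 4.2, 9.8, 15.0, 22.3, 23.1, 31.7, 40.2, 55.9]  # irregular clicks
CFG = Thresholds(m=6, slice_threshold=5, first_ratio_threshold=0.5,
                 variance_threshold=1.0, second_ratio_threshold=0.5, total_threshold=50)

if __name__ == "__main__":
    for label, ts in (("bot", BOT_TIMES), ("human", HUMAN_TIMES)):
        print(label, evaluate(ts, 0.0, 60.0, CFG))
```

With these constructed inputs the regular bot trips the total, slice-ratio and dispersion criteria, while the irregular human trips only the claim 3 variance criterion. That split is worth noticing: claim 3 as written flags a variance that is greater than its threshold, whereas claim 4 flags a variance-to-mean ratio that is less than its threshold, so the two criteria point at different kinds of traffic and their thresholds have to be tuned separately. The claim 4 ratio is normalised by the mean interval, which lets one second ratio threshold serve endpoints with very different request rates; the raw variance of claim 3 is not, so its threshold is tied to the typical interval of the endpoint it protects.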
Priority Applications (6)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
BR112015018912A BR112015018912A2 (pt) | 2014-11-27 | 2015-04-30 | Method and device for identifying user behavior |
MX2015009131A MX350670B (es) | 2014-11-27 | 2015-04-30 | Method and device for identifying user behavior |
KR1020157016876A KR101677217B1 (ko) | 2014-11-27 | 2015-04-30 | User behavior identification method and user behavior identification device, program and storage medium |
JP2016561070A JP2017503293A (ja) | 2014-11-27 | 2015-04-30 | User behavior identification method and user behavior identification device, program, and recording medium |
RU2015128769A RU2628127C2 (ru) | 2014-11-27 | 2015-04-30 | Method and device for identifying user behavior |
US14/933,197 US20160156653A1 (en) | 2014-11-27 | 2015-11-05 | Method and Device for Identifying User Behavior |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201410708281.6 | 2014-11-27 | ||
CN201410708281.6A CN104486298B (zh) | 2014-11-27 | 2014-11-27 | Method and device for identifying user behavior |
Related Child Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US14/933,197 Continuation US20160156653A1 (en) | 2014-11-27 | 2015-11-05 | Method and Device for Identifying User Behavior |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2016082462A1 (zh) | 2016-06-02 |
Family
ID=52760802
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2015/078019 WO2016082462A1 (zh) | 2014-11-27 | 2015-04-30 | Method and device for identifying user behavior |
Country Status (9)
Country | Link |
---|---|
US (1) | US20160156653A1 (zh) |
EP (1) | EP3026864B1 (zh) |
JP (1) | JP2017503293A (zh) |
KR (1) | KR101677217B1 (zh) |
CN (1) | CN104486298B (zh) |
BR (1) | BR112015018912A2 (zh) |
MX (1) | MX350670B (zh) |
RU (1) | RU2628127C2 (zh) |
WO (1) | WO2016082462A1 (zh) |
Families Citing this family (21)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104486298B (zh) * | 2014-11-27 | 2018-03-09 | Xiaomi Technology Co., Ltd. | Method and device for identifying user behavior |
CN104881479B (zh) * | 2015-06-03 | 2018-07-13 | Beijing Jingdong Shangke Information Technology Co., Ltd. | Method and device for limiting a user's minimum operation interval |
CN106327230B (zh) * | 2015-06-30 | 2019-12-24 | Alibaba Group Holding Limited | Abnormal user detection method and device |
CN104967629B (zh) * | 2015-07-16 | 2018-11-27 | Wangsu Science & Technology Co., Ltd. | Network attack detection method and device |
CN105282047B (zh) * | 2015-09-25 | 2020-04-14 | Xiaomi Technology Co., Ltd. | Access request processing method and device |
CN106789831B (zh) * | 2015-11-19 | 2020-10-23 | Alibaba Group Holding Limited | Method and device for identifying network attacks |
CN106789844B (zh) * | 2015-11-23 | 2020-06-16 | Alibaba Group Holding Limited | Malicious user identification method and device |
EP4102437A1 (en) | 2016-03-04 | 2022-12-14 | Axon Vibe AG | Systems and methods for predicting user behavior based on location data |
CN106506451B (zh) * | 2016-09-30 | 2019-08-27 | Baidu Online Network Technology (Beijing) Co., Ltd. | Method and device for handling malicious access |
JP6737189B2 (ja) * | 2017-01-18 | 2020-08-05 | Toyota Motor Corporation | Fraud determination system and fraud determination method |
CN106657410B (zh) * | 2017-02-28 | 2018-04-03 | State Grid Corporation of China | Abnormal behavior detection method based on user access sequences |
CN107046489B (zh) * | 2017-04-07 | 2020-07-28 | Shanghai Xiling Information Technology Co., Ltd. | Frequency-type real-time statistical model system and method |
CN107481090A (zh) * | 2017-07-06 | 2017-12-15 | ZhongAn Information Technology Services Co., Ltd. | User abnormal behavior detection method, device and system |
FR3094518B1 (fr) | 2019-04-01 | 2021-02-26 | Idemia Identity & Security France | Method for detecting bots in a network of users |
KR102034998B1 (ko) * | 2019-07-12 | 2019-10-22 | Gyeongsang National University Industry-Academic Cooperation Foundation | Optical ear tag for detecting pig movement |
KR102295463B1 (ko) * | 2019-07-12 | 2021-08-27 | Gyeongsang National University Industry-Academic Cooperation Foundation | Pig ear tag with an acceleration sensor |
CN111224939B (zh) * | 2019-11-15 | 2022-07-12 | Shanghai Junzheng Network Technology Co., Ltd. | Task request interception method, device, computer equipment and storage medium |
CN110933115B (zh) * | 2019-12-31 | 2022-04-29 | Shanghai Guan'an Information Technology Co., Ltd. | Method and device for detecting behavior anomalies of analysis objects based on dynamic sessions |
CN113114611B (zh) * | 2020-01-13 | 2024-02-06 | Beijing Wodong Tianjun Information Technology Co., Ltd. | Blacklist management method and device |
CN112784288B (zh) * | 2021-01-22 | 2024-05-10 | Shangyu Software (Shenzhen) Co., Ltd. | Access management method, terminal and computer-readable storage medium |
US11991196B2 (en) | 2021-03-04 | 2024-05-21 | Qatar Foundation For Education, Science And Community Development | Anomalous user account detection systems and methods |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101446956A (zh) * | 2008-12-12 | 2009-06-03 | Beijing Institute of Technology | Online incremental insertion and deletion method for prediction models |
WO2011022272A2 (en) * | 2009-08-18 | 2011-02-24 | Behavioral Recognition Systems, Inc. | Scene preset identification using quadtree decomposition analysis |
CN102769549A (zh) * | 2011-05-05 | 2012-11-07 | Tencent Technology (Shenzhen) Co., Ltd. | Network security monitoring method and device |
CN104486298A (zh) * | 2014-11-27 | 2015-04-01 | Xiaomi Technology Co., Ltd. | Method and device for identifying user behavior |
Family Cites Families (22)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2000148276A (ja) * | 1998-11-05 | 2000-05-26 | Fujitsu Ltd | Security monitoring device, security monitoring method, and program recording medium for security monitoring |
KR100479328B1 (ko) * | 2002-12-24 | 2005-03-31 | Electronics and Telecommunications Research Institute | Sliding window cache structure |
JP2005044277A (ja) * | 2003-07-25 | 2005-02-17 | Fuji Xerox Co Ltd | Unauthorized communication detection device |
KR101074597B1 (ko) * | 2004-09-17 | 2011-10-17 | KT Corporation | Virtual web server based intrusion decoy system and method |
JP2006279930A (ja) * | 2005-03-01 | 2006-10-12 | Nec Corp | Unauthorized access detection method and device, and unauthorized access blocking method and device |
AU2008208617A1 (en) * | 2007-01-16 | 2008-07-31 | Absolute Software Corporation | A security module having a secondary agent in coordination with a host agent |
US7885976B2 (en) * | 2007-02-23 | 2011-02-08 | International Business Machines Corporation | Identification, notification, and control of data access quantity and patterns |
EP2009864A1 (en) | 2007-06-28 | 2008-12-31 | Nibelung Security Systems GmbH | Method and apparatus for attack prevention |
JP4948359B2 (ja) * | 2007-10-26 | 2012-06-06 | Mitsubishi Electric Corporation | Unauthorized access detection device, unauthorized access detection method and program |
US20090144545A1 (en) * | 2007-11-29 | 2009-06-04 | International Business Machines Corporation | Computer system security using file system access pattern heuristics |
JP2009217555A (ja) * | 2008-03-11 | 2009-09-24 | Mitsubishi Electric Corporation | Network anomaly determination device |
US8572736B2 (en) * | 2008-11-12 | 2013-10-29 | YeeJang James Lin | System and method for detecting behavior anomaly in information access |
US8326987B2 (en) * | 2008-11-12 | 2012-12-04 | Lin Yeejang James | Method for adaptively building a baseline behavior model |
JP2010146160A (ja) * | 2008-12-17 | 2010-07-01 | Kureo Inc. | Communication management device, communication management method, and program |
WO2010088550A2 (en) * | 2009-01-29 | 2010-08-05 | Breach Security, Inc. | A method and apparatus for excessive access rate detection |
JP5911431B2 (ja) * | 2010-01-21 | 2016-05-11 | Alibaba Group Holding Limited | Blocking malicious access |
WO2013019198A1 (en) * | 2011-07-29 | 2013-02-07 | Hewlett-Packard Development Company, L. P. | Systems and methods for distributed rule-based correlation of events |
JP5791548B2 (ja) * | 2012-03-15 | 2015-10-07 | Mitsubishi Electric Corporation | Address extraction device |
US20130291107A1 (en) * | 2012-04-27 | 2013-10-31 | The Irc Company, Inc. | System and Method for Mitigating Application Layer Distributed Denial of Service Attacks Using Human Behavior Analysis |
US20140304833A1 (en) * | 2013-04-04 | 2014-10-09 | Xerox Corporation | Method and system for providing access to crowdsourcing tasks |
CN104113519B (zh) * | 2013-04-16 | 2017-07-14 | Alibaba Group Holding Limited | Network attack detection method and device |
RU133954U1 (ru) * | 2013-04-29 | 2013-10-27 | Federal State Educational Budgetary Institution of Higher Professional Education "The Bonch-Bruevich Saint Petersburg State University of Telecommunications" (SPbSUT) | Network protection device |
- 2014
  - 2014-11-27 CN CN201410708281.6A patent/CN104486298B/zh active Active
- 2015
  - 2015-04-30 RU RU2015128769A patent/RU2628127C2/ru active
  - 2015-04-30 WO PCT/CN2015/078019 patent/WO2016082462A1/zh active Application Filing
  - 2015-04-30 BR BR112015018912A patent/BR112015018912A2/pt not_active IP Right Cessation
  - 2015-04-30 KR KR1020157016876A patent/KR101677217B1/ko active IP Right Grant
  - 2015-04-30 MX MX2015009131A patent/MX350670B/es active IP Right Grant
  - 2015-04-30 JP JP2016561070A patent/JP2017503293A/ja active Pending
  - 2015-11-05 US US14/933,197 patent/US20160156653A1/en not_active Abandoned
  - 2015-11-24 EP EP15196035.8A patent/EP3026864B1/en active Active
Also Published As
Publication number | Publication date |
---|---|
MX2015009131A (es) | 2016-08-01 |
BR112015018912A2 (pt) | 2017-07-18 |
EP3026864B1 (en) | 2018-09-26 |
MX350670B (es) | 2017-09-12 |
US20160156653A1 (en) | 2016-06-02 |
CN104486298A (zh) | 2015-04-01 |
EP3026864A1 (en) | 2016-06-01 |
RU2015128769A (ru) | 2017-01-20 |
RU2628127C2 (ru) | 2017-08-15 |
JP2017503293A (ja) | 2017-01-26 |
KR20160077009A (ko) | 2016-07-01 |
KR101677217B1 (ko) | 2016-11-17 |
CN104486298B (zh) | 2018-03-09 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
WO2016082462A1 (zh) | Method and device for identifying user behavior | |
WO2019134307A1 (zh) | Malicious user identification method, device and readable storage medium | |
AU2017268608B2 (en) | Method, device, server and storage medium of detecting DoS/DDoS attack | |
CN105282047B (zh) | Access request processing method and device | |
US9565203B2 (en) | Systems and methods for detection of anomalous network behavior | |
US9208323B1 (en) | Classifier-based security for computing devices | |
CN106161345B (zh) | Discovery of targeted attacks | |
CN110417778B (zh) | Method and device for processing access requests | |
US20180268224A1 (en) | Information processing device, determination device, notification system, information transmission method, and program | |
CN105100032B (zh) | Method and device for preventing resource theft | |
US20160330217A1 (en) | Security breach prediction based on emotional analysis | |
JP2017539039A5 (zh) | ||
US11336661B2 (en) | Detecting remote application profiling | |
EP2854362B1 (en) | Software network behavior analysis and identification system | |
US10567398B2 (en) | Method and apparatus for remote malware monitoring | |
US20170061150A1 (en) | User Permission Allocation Method and Device | |
TWI615730B (zh) | Information security management system based on application-layer log analysis, and method thereof | |
US9251367B2 (en) | Device, method and program for preventing information leakage | |
CN107426136B (zh) | Method and device for identifying network attacks | |
US20220311793A1 (en) | Worm Detection Method and Network Device | |
US8910305B1 (en) | Method and apparatus for analyzing mouse cursor path | |
KR20150133370A (ko) | Web service access control system and method | |
KR102574205B1 (ko) | Network attack detection method and device | |
US9130985B1 (en) | Data driven device detection | |
US9961133B2 (en) | Method and apparatus for remote application monitoring |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| ENP | Entry into the national phase | Ref document number: 20157016876; Country of ref document: KR; Kind code of ref document: A |
| ENP | Entry into the national phase | Ref document number: 2016561070; Country of ref document: JP; Kind code of ref document: A |
| ENP | Entry into the national phase | Ref document number: 2015128769; Country of ref document: RU; Kind code of ref document: A |
| WWE | WIPO information: entry into national phase | Ref document number: MX/A/2015/009131; Country of ref document: MX |
| REG | Reference to national code | Ref country code: BR; Ref legal event code: B01A; Ref document number: 112015018912; Country of ref document: BR |
| 121 | EP: the EPO has been informed by WIPO that EP was designated in this application | Ref document number: 15863039; Country of ref document: EP; Kind code of ref document: A1 |
| NENP | Non-entry into the national phase | Ref country code: DE |
| ENP | Entry into the national phase | Ref document number: 112015018912; Country of ref document: BR; Kind code of ref document: A2; Effective date: 20150806 |
| 122 | EP: PCT application non-entry in European phase | Ref document number: 15863039; Country of ref document: EP; Kind code of ref document: A1 |