WO2020258672A1 - Network access anomaly detection method and device - Google Patents

Network access anomaly detection method and device

Info

Publication number
WO2020258672A1
Authority
WO
WIPO (PCT)
Prior art keywords
network access
feature set
terminal device
access request
candidate feature
Application number
PCT/CN2019/118437
Other languages
French (fr)
Chinese (zh)
Inventor
黎立桂
Original Assignee
平安科技(深圳)有限公司

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/1441 Countermeasures against malicious traffic

Definitions

  • the present application relates to the technical field of security detection. Specifically, the present application relates to a method and device for detecting abnormality of network access.
  • the current method is to collect data such as click times and mouse drag trajectories during the user verification process and to identify the user type from this behaviour data. This type of method has a high error rate and easily misclassifies a real user as an abnormal user, so its accuracy is low.
  • this application provides an abnormality detection method for network access, which includes the following steps:
  • according to the candidate feature sets, the candidate feature sets are compared level by level in ascending order of their number of features, the support (the frequency with which the features in a candidate feature set appear together) is obtained for each candidate feature set, and every candidate feature set whose support is greater than or equal to the minimum support is set as a frequent feature set
  • before the step of receiving a network access request sent by a terminal device, acquiring multiple non-linear features of relevant parameters of the terminal device according to the network access request, and forming multiple candidate feature sets, the method also includes:
  • forming a corresponding feature list of the characteristics that can be obtained from the network access request sent by the terminal device.
  • the feature type of the feature list includes the necessary information type generated by the terminal device initiating a network access request.
  • the step of receiving a network access request sent by a terminal device, acquiring multiple non-linear features of relevant parameters of the terminal device according to the network access request, and forming multiple candidate feature sets includes:
  • before the step of comparing the candidate feature sets level by level in ascending order of their number of features, obtaining the support for the frequency with which the features in each candidate feature set appear together, and setting candidate feature sets with support greater than or equal to the minimum support as frequent feature sets, the method also includes:
  • the step of obtaining the corresponding inverse confidence degree according to the confidence degree of the frequent feature set includes:
  • the inverse confidence of the best frequent feature set is used as an abnormality threshold.
  • the minimum support degree is the upper quartile of all candidate feature sets formed within a set time period.
  • an abnormality detection device for network access which includes:
  • a forming module configured to receive a network access request sent by a terminal device, obtain multiple non-linear characteristics of relevant parameters of the terminal device according to the network access request, and form multiple candidate feature sets;
  • a setting module configured to compare the candidate feature sets level by level in ascending order of their number of features, obtain the support for the frequency with which the features in each candidate feature set appear together, and set candidate feature sets whose support is greater than or equal to the minimum support as frequent feature sets;
  • an obtaining module configured to obtain the corresponding inverse confidence according to the confidence of the frequent feature set;
  • a judging module configured to judge that the corresponding network access is abnormal when the inverse confidence of the frequent feature set is greater than the abnormal threshold.
  • this application also provides a server, which includes:
  • one or more processors; a memory; and one or more computer-readable instructions stored in the memory and configured to be executed by the one or more processors, the computer-readable instructions being configured to execute the network access abnormality detection method described in the embodiments of the first aspect.
  • the present application also provides a computer-readable storage medium having computer-readable instructions stored on it which, when executed by a processor, implement the network access abnormality detection method described in the embodiments of the first aspect.
  • the method and device for detecting anomaly of network access are based on candidate feature sets formed from several features obtained from the network request; the support and confidence of the candidate feature sets are used as the basis for deciding whether the network access is abnormal, and the result of whether the corresponding network access request is abnormal is finally obtained.
  • the technical solution provided by this application forms multiple candidate feature sets from the features acquired in the network access request and compares their support and confidence values, avoiding re-identification and re-processing of the corresponding features and transformation of the detection object; this simplifies the processing of detection data, improves detection efficiency, and ultimately improves the ability to detect abnormal access by terminal equipment.
  • FIG. 1 is an application environment diagram of the anomaly detection solution for network access in an embodiment of the present application.
  • FIG. 2 is a flowchart of a method for detecting anomaly of network access according to an embodiment of the present application.
  • FIG. 3 is a schematic diagram of an abnormality detection device for network access according to an embodiment of this application.
  • FIG. 4 is a schematic structural diagram of a server according to an embodiment of the application.
  • the terms "terminal" and "terminal equipment" used herein include wireless signal receiver equipment, i.e. equipment that only has a wireless signal receiver and no transmitting capability, as well as equipment with receiving and transmitting hardware.
  • such equipment may include: cellular or other communication equipment with a single-line display or a multi-line display, or cellular or other communication equipment without a multi-line display; a PCS (Personal Communications Service) device, which can combine voice, data processing, fax and/or data communication capabilities; a PDA (Personal Digital Assistant), which can include a radio frequency receiver, pager, Internet/intranet access, web browser, notepad, calendar and/or GPS (Global Positioning System) receiver; and a conventional laptop and/or palmtop computer or other device that has and/or includes a radio frequency receiver.
  • the terminal and terminal equipment used here may be portable, transportable, installed in vehicles (aviation, sea and/or land), or suitable and/or configured to operate locally and/or in a distributed form at any location on the earth and/or in space.
  • the "terminal" and "terminal equipment" used here can also be communication terminals, Internet terminals, or music/video playback terminals such as a PDA, MID (Mobile Internet Device) and/or mobile phone with music/video playback function, and can also be a smart TV, set-top box or other device.
  • the remote network device used here includes but is not limited to a computer, a network host, a single network server, a set of multiple network servers, or a cloud composed of multiple servers.
  • a cloud is based on cloud computing and consists of a large number of computers or network servers.
  • cloud computing is a type of distributed computing, a super virtual computer composed of a group of loosely coupled computer sets.
  • the remote network equipment, terminal equipment and WNS server can communicate through any communication method, including but not limited to mobile communication based on 3GPP, LTE and WIMAX, computer network communication based on the TCP/IP and UDP protocols, and short-range wireless transmission based on Bluetooth and infrared transmission standards.
  • Figure 1 is an application environment diagram of the embodiment of the application; in this embodiment, the technical solution of the application can be implemented on a server.
  • the terminal devices 110 and 120 can access the server through the internet 130.
  • the terminal device 110 and/or 120 sends a network request to the server 130, and the server 130 performs data interaction according to the network request.
  • the server 130 obtains the access data and attribute data of the terminal device 110 and/or 120 according to the request information of the terminal device 110 and/or 120, and performs abnormality detection on the terminal device according to the data.
  • S210 Receive a network access request sent by a terminal device, obtain multiple nonlinear features of relevant parameters of the terminal device according to the network access request, and form multiple candidate feature sets.
  • when the server interacts with the terminal device, it obtains the relevant parameters of the terminal device according to the network request sent by the terminal device. The relevant information can be extracted according to processing needs and analysed to obtain the corresponding features; the multiple nonlinear features are obtained in this way.
  • for example, when the user sends registration and verification requests, the front end uses JavaScript scripts to obtain the relevant features of the terminal device, including device type (iPhone, Mac, Android), system information (OS type, version, resolution), the maximum number of touch points supported in touch screen events, the IP address and other features; these features are in a non-linear relationship with each other.
  • Several features may be extracted or randomly selected as needed to form multiple candidate feature sets to perform abnormality detection on the network access request sent by the terminal device.
  • according to the candidate feature sets, the candidate feature sets are compared level by level in ascending order of their number of features to obtain the support for the frequency with which the features in each candidate feature set appear together, and the candidate feature sets whose support is greater than or equal to the minimum support are set as frequent feature sets.
  • the support of each candidate feature set, that is, the frequency with which its features appear together, is calculated separately.
  • for example, a candidate feature set may include a particular system version of the terminal device together with whether the terminal device supports touch control.
  • the system version feature of the terminal device can be obtained by reading the user_agent of the device through JS and parsing the user_agent.
  • the features of the terminal device supporting touch control can be directly obtained through JS.
  • the support of all candidate feature sets is compared with the minimum support, and the candidate feature set greater than or equal to the minimum support is set as a frequent feature set.
  • the hierarchical comparison is performed in ascending order of the number of features in each candidate feature set, and the specific method of hierarchical comparison is as follows:
  • the only candidate feature set with three features is {1, 2, 3}.
  • the confidence of each frequent feature set is calculated. According to the confidence, the inverse confidence of the corresponding frequent feature set is obtained.
  • the sample to be inspected is the corresponding frequent feature set of a certain network access request initiated by the terminal device obtained according to the above steps S210-S230.
  • when the inverse confidence of the sample to be checked is greater than the abnormal threshold, it is determined that the corresponding network access is an abnormal access.
  • the abnormal threshold may be set for the network access request sent by the terminal device, and the set abnormal threshold may be 70%.
  • the abnormal threshold may also be obtained based on the obtained frequent feature set.
  • the anomaly detection method for network access obtains multiple nonlinear features from a network access request, combines several of them into multiple candidate feature sets, compares the support of each with the minimum support to obtain the corresponding frequent feature sets, and finally, according to the confidence of these frequent feature sets, obtains the detection result of whether the network access request is abnormal by comparison with the abnormal threshold.
  • the technical solution of the present application calculates the support and confidence of the candidate feature sets formed from the features obtained from the network access request initiated by the terminal device, generating a distinguishing feature set more quickly, and uses this as the basis for deciding whether to respond to the request.
  • the feature engineering and machine learning algorithms used in this application independently learn the distinguishing rules in user data. With strong interpretability they can identify diverse abnormal scenarios, and as the sample size grows they can cover more and more complex situations.
  • before step S210, the method further includes:
  • a corresponding characteristic list is formed.
  • corresponding features can be obtained from the network access request initiated by the terminal device according to preset feature items, and the preset feature items are aggregated to form a feature list.
  • a feature item in the feature list may be a specific piece of information about a certain category; for example, the operating system of the terminal device may specifically be iOS or Windows, the model of the terminal device may specifically be a Mac computer or a Windows computer, and for touch screen events of the terminal device different features can be set according to the number of touch points supported by the current mainstream terminal devices and/or operating systems. In this way, after different features are combined, abnormal situations can be found more accurately from the correspondence between features.
  • the feature type of the feature list includes the necessary information type generated by the terminal device initiating a network access request.
  • the necessary information type is the type of feature that must be generated when the terminal device initiates the network access request and that can be obtained without secondary calculation or statistics, such as the model of the terminal device, the operating system version number, IP information or touch screen events.
  • the fundamental feature information generated by the abnormal access can be processed directly and the result of the data processing judged, so that the data is processed as little as possible and the accuracy rate is easily improved.
  • step S210 includes:
  • A1. Receive each network access request sent by the terminal device, and obtain multiple non-linear characteristics according to the corresponding network access request;
  • the characteristics obtained from the terminal device are obtained for each network access request initiated by the terminal device.
  • the acquired features can be collected in correspondence with the feature items in the feature list.
  • some or all of the feature items are extracted from the collected feature items, and a plurality of candidate feature sets are formed correspondingly, so as to provide corresponding data for the network access anomaly detection of the terminal device.
  • before step S220, the method may further include judging whether the operating system feature of the terminal device corresponds to the maximum number of touch points it supports:
  • the maximum number of touch points supported in the touch screen event of a computer running a windows system obtained through JS is 255.
  • computers running mac or windows operating systems generally do not support touch. If the touch screen event information obtained through JS supports touch, it is likely to be an abnormal user.
  • the server then runs the operation of step S220 and calculates the support of each candidate feature set.
  • for example, a candidate feature set includes the operating system feature of the terminal device and the feature of the maximum number of touch points supported by the terminal device.
  • the device model feature of the terminal device may be added to the candidate feature set.
  • the step of obtaining the corresponding inverse confidence based on the confidence of the frequent feature set in step S230 includes:
  • the inverse confidence of the best frequent feature set is used as an abnormality threshold.
  • the confidence of each frequent feature set is calculated and the confidences are compared; according to the comparison result, the frequent feature set with the highest confidence is taken as the best frequent feature set.
  • the inverse confidence degree is calculated for the highest confidence degree, that is, the inverse confidence degree of the best frequent feature set is used as the abnormal threshold.
  • abnormal detection is performed on the corresponding network access request.
  • the support and confidence are updated to obtain the best frequent feature set at that time, and the inverse confidence of this best frequent feature set is used as the judgment basis for abnormality detection.
  • the corresponding parameters can be updated and adjusted at any time according to the obtained data changes regarding the characteristics of the terminal equipment, so as to adjust the judgment standard according to the data changes.
  • if the network request currently initiated by the terminal device is determined to be an abnormal access request, the server directly rejects the request or requires the terminal device to perform access verification again; if it is determined to be a normal access request, the server responds to the request directly.
  • the minimum support degree mentioned in step S220 may be set.
  • the minimum support degree is the upper quartile of all candidate feature sets formed within a set time period.
  • the minimum support can be adjusted according to the acquired features and changes in the candidate feature sets composed of those features, so that the frequent feature sets are obtained more accurately and the accuracy and flexibility of the anomaly detection results are ensured.
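The procedure of steps S210 to S230 and the threshold comparison, together with the operating-system/touch-point consistency check placed before step S220, as an added example that is not code from the patent or the applicant. The record field names, the constructed request window, the definition of a frequent set's confidence (its weakest internal implication) and the definition of a request's inverse confidence are assumptions, since the page does not fix them:

```python
from fractions import Fraction
from itertools import combinations
from statistics import quantiles

# Constructed sample window: one feature record per network access request.
# The field names are hypothetical; a front end would fill them from the user
# agent and navigator.maxTouchPoints ("none" = 0 touch points) as the text describes.
WINDOW = (
    [{"os": "iOS", "device": "iPhone", "touch": "multi"}] * 5
    + [{"os": "iOS", "device": "iPad", "touch": "multi"}]
    + [{"os": "Windows", "device": "PC", "touch": "none"}] * 5
    + [{"os": "macOS", "device": "Mac", "touch": "none"}] * 2
    + [{"os": "Android", "device": "phone", "touch": "multi"}] * 3
)

def items(record):
    """A request's features as a frozenset of 'feature=value' items."""
    return frozenset(f"{k}={v}" for k, v in record.items())

def os_touch_consistent(record):
    """Pre-check before S220: desktop Windows/macOS machines generally do not
    support touch, so a desktop OS that reports touch support is suspicious."""
    return not (record["os"] in ("Windows", "macOS") and record["touch"] != "none")

def candidate_supports(window, max_size=3):
    """S210/S220: support (co-occurrence frequency over the window) of every
    candidate feature set of 1..max_size features that occurs in some request."""
    counts = {}
    for rec in window:
        its = sorted(items(rec))
        for k in range(1, max_size + 1):
            for combo in combinations(its, k):
                counts[frozenset(combo)] = counts.get(frozenset(combo), 0) + 1
    return {fs: Fraction(c, len(window)) for fs, c in counts.items()}

def minimum_support(supports):
    """The page's default: upper quartile of all candidate-set supports."""
    return quantiles(sorted(supports.values()), n=4)[2]

def frequent_sets(supports, min_support):
    """Level-wise comparison in ascending set size; keep support >= minimum."""
    ordered = sorted(supports.items(), key=lambda kv: len(kv[0]))
    return {fs: s for fs, s in ordered if s >= min_support}

def rule_confidence(supports, antecedent, item):
    """confidence(X -> y) = support(X with y) / support(X)."""
    sx = supports.get(antecedent, Fraction(0))
    if sx == 0:
        return Fraction(0)
    return supports.get(antecedent | {item}, Fraction(0)) / sx

def set_confidence(supports, fs):
    """Confidence of a frequent set: its weakest implication of one item by the
    others (assumed definition; the page does not fix one)."""
    return min(rule_confidence(supports, fs - {y}, y) for y in fs)

def anomaly_threshold(supports, frequent):
    """S230: inverse confidence (1 - confidence) of the best, i.e. highest-
    confidence, frequent set with at least two features."""
    multi = [fs for fs in frequent if len(fs) >= 2]
    best = max(multi, key=lambda fs: set_confidence(supports, fs))
    return 1 - set_confidence(supports, best)

def sample_inverse_confidence(record, supports, frequent):
    """Inverse confidence of one request (assumed definition): every feature
    must be implied by some frequent subset of the request's other features,
    and the weakest such implication decides."""
    its = items(record)
    weakest = Fraction(1)
    for y in its:
        others = its - {y}
        confs = [rule_confidence(supports, x, y) for x in frequent if x <= others]
        weakest = min(weakest, max(confs, default=Fraction(0)))
    return 1 - weakest

def is_abnormal(record, supports, frequent, threshold=Fraction(7, 10)):
    """Final decision; the default threshold is the page's fixed 70%, and
    anomaly_threshold() gives the data-derived alternative (0 for WINDOW, since
    its desktop records are perfectly consistent)."""
    if not os_touch_consistent(record):
        return True
    return sample_inverse_confidence(record, supports, frequent) > threshold

if __name__ == "__main__":
    S = candidate_supports(WINDOW)
    F = frequent_sets(S, minimum_support(S))
    print("min support", minimum_support(S), "frequent sets", len(F),
          "derived threshold", anomaly_threshold(S, F))
    for rec in ({"os": "Windows", "device": "PC", "touch": "none"},
                {"os": "Windows", "device": "PC", "touch": "multi"}):
        print(rec, "abnormal" if is_abnormal(rec, S, F) else "normal")
```

With the upper-quartile minimum support only the dominant combinations in the window become frequent, so a request built from rare features (the macOS records here) also scores a high inverse confidence; the window and the minimum support therefore need tuning per deployment, as the text itself notes.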
  • an embodiment of the present application also provides an abnormality detection device for network access, as shown in FIG. 3, including:
  • the forming module 310 is configured to receive a network access request sent by a terminal device, obtain multiple nonlinear characteristics of relevant parameters of the terminal device according to the network access request, and form multiple candidate feature sets;
  • the setting module 320 is configured to compare the candidate feature sets level by level in ascending order of their number of features, obtain the support for the frequency with which the features in each candidate feature set appear together, and set candidate feature sets whose support is greater than or equal to the minimum support as frequent feature sets;
  • the obtaining module 330 is configured to obtain the corresponding inverse confidence according to the confidence of the frequent feature set;
  • the determining module 340 is configured to determine that the corresponding network access is an abnormal access when the inverse confidence of the frequent feature set is greater than the abnormal threshold.
  • FIG. 4 is a schematic diagram of the internal structure of the server in an embodiment.
  • the server includes a processor 410, a storage medium 420, a memory 430, and a network interface 440 connected through a system bus.
  • the storage medium 420 of the server stores an operating system, a database, and computer-readable instructions.
  • the database may store control information sequences.
  • the processor 410 can implement the functions of the feature formation module 310, the setting module 320, the acquisition module 330, and the determination module 340 in a network access abnormality detection device in the embodiment shown in FIG.
  • the processor 410 of the server is used to provide computing and control capabilities to support the operation of the entire server.
  • the memory 430 of the server may store computer-readable instructions, and when the computer-readable instructions are executed by the processor 410, the processor 410 can execute a method for detecting abnormality of network access.
  • the network interface 440 of the server is used to connect and communicate with the terminal.
  • the present application also proposes a storage medium storing computer-readable instructions.
  • the one or more processors perform the following steps: receiving a network access request sent by a terminal device, acquiring multiple nonlinear features of relevant parameters of the terminal device according to the network access request, and forming multiple candidate feature sets; according to the candidate feature sets, comparing them level by level in ascending order of their number of features, obtaining the support for the frequency with which the features in each candidate feature set appear together, and setting candidate feature sets whose support is greater than or equal to the minimum support as frequent feature sets; obtaining the corresponding inverse confidence according to the confidence of the frequent feature set; and, when the inverse confidence of the frequent feature set is greater than the abnormal threshold, determining that the corresponding network access is an abnormal access.
  • the anomaly detection method and device for network access of the present application use candidate feature sets formed by combining features that characterise normal network access verification, and obtain the judgment of whether the network access is an abnormal access from the comparison results of their support and confidence.
  • the technical solution provided in this application can convert feature information into parameter information that is convenient to compare, reducing the difficulty of obtaining information from the terminal device; compared with prior-art methods that determine abnormal access from surface phenomena such as the usage trace when the user initiates a network access request, it also improves detection accuracy.
  • the aforementioned storage medium may be a magnetic disk, an optical disk, a read-only storage memory (Read-Only Memory, ROM) and other storage media.
  • the storage medium may be a non-volatile storage medium, or a random access memory (Random Access Memory, RAM).

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Debugging And Monitoring (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present application relates to the technical field of security checking, and provides a network access anomaly detection method and a device. The method comprises: receiving a network access request sent by a terminal apparatus, acquiring, according to the network access request, multiple non-linear features of parameters related to the terminal apparatus, and forming multiple candidate feature sets; performing, according to the candidate feature sets, hierarchical comparison on the candidate feature sets in ascending order of the number of features therein, obtaining a support level of the feature co-occurrence frequency of each of the candidate feature sets, and setting a candidate feature set having a support level greater than or equal to a minimum support level as a frequent feature set; obtaining a corresponding inverse confidence level according to a confidence level of the frequent feature set; and, if the inverse confidence level of the frequent feature set is greater than an anomaly threshold, determining the corresponding network access to be an anomalous access. The method improves the anomaly detection capability for current network access by terminal apparatuses.

Description

网络访问的异常检测方法和装置 Method and device for detecting abnormality of network access To
本申请要求于2019年06月28日提交中国专利局、申请号为201910580036.4、发明名称为“网络访问的异常检测方法和装置”的中国专利申请的优先权,其全部内容通过引用结合在申请中。This application claims the priority of a Chinese patent application filed with the Chinese Patent Office on June 28, 2019, the application number is 201910580036.4, and the invention title is "Network Access Anomaly Detection Method and Device", the entire content of which is incorporated into the application by reference .
技术领域Technical field
本申请涉及安全检测技术领域,具体而言,本申请涉及一种网络访问的异常检测方法和装置。The present application relates to the technical field of security detection. Specifically, the present application relates to a method and device for detecting abnormality of network access.
背景技术Background technique
随着网络的广泛使用,为了保证正常用户在对应网站的上网体验,除了网站设计外,网站的安全维护也是受到了大家的关注。目前,威胁网站安全的主要手段之一是通过网络爬虫访问网站,导致网站不能做出正确的判断,从而容易造成反应错误。针对该问题,目前的方法是通过采集用户验证过程中的点击时间、鼠标拖动轨迹等数据,针对此行为数据判别用户种类,此类方法错误率较高,容易将真实用户判别为异常用户,准确性低。With the widespread use of the Internet, in order to ensure normal users’ online experience on the corresponding website, in addition to the website design, the safety and maintenance of the website has also attracted everyone’s attention. At present, one of the main means to threaten website security is to visit the website through web crawlers, which causes the website to fail to make correct judgments, which can easily cause incorrect responses. In response to this problem, the current method is to collect data such as click time and mouse drag trajectory during the user verification process to identify the user type based on this behavior data. This type of method has a high error rate and is easy to identify a real user as an abnormal user. The accuracy is low.
发明内容Summary of the invention
为克服以上技术问题,特别是现有技术中通过终端设备登录网络时用户的使用痕迹数据容易将真实用户判别为异常用户的问题,特提出以下技术方案:In order to overcome the above technical problems, especially the problem in the prior art that the user's usage trace data when logging in to the network through a terminal device can easily identify a real user as an abnormal user, the following technical solutions are proposed:
第一方面,本申请提供一种网络访问的异常检测方法,其包括以下步骤: In the first aspect, this application provides an abnormality detection method for network access, which includes the following steps:
接收终端设备发送的网络访问请求,根据所述网络访问请求获取所述终端设备相关参数的多个非线性的特征,并形成多个候选特征集; Receiving a network access request sent by a terminal device, acquiring multiple non-linear characteristics of relevant parameters of the terminal device according to the network access request, and forming multiple candidate feature sets;
根据所述候选特征集,将各所述候选特征集的特征数从小到多的顺序进行层级比较,分别得到各个候选特征集中特征同时出现频率的支持度,并将大于等于最小支持度的候选特征集设定为频繁特征集;According to the candidate feature set, the feature number of each candidate feature set is compared in the order of the smallest to the most, and the support for the simultaneous appearance frequency of the features in each candidate feature set is obtained, and the candidate features that are greater than or equal to the minimum support are obtained The set is set as a frequent feature set;
根据所述频繁特征集的置信度,得到对应的反置信度;Obtain the corresponding inverse confidence degree according to the confidence degree of the frequent feature set;
当所述频繁特征集的反向置信度大于异常阈值时,判定对应的网络访问为异常访问。When the reverse confidence of the frequent feature set is greater than the abnormal threshold, it is determined that the corresponding network access is an abnormal access.
In one embodiment, before the step of receiving the network access request sent by the terminal device, obtaining from the network access request the plurality of non-linear features of parameters related to the terminal device, and forming the plurality of candidate feature sets, the method further comprises:
forming a feature list of the characteristics that can be obtained from a network access request received from a terminal device.
In one embodiment, the feature types in the feature list include the types of information necessarily produced when the terminal device initiates a network access request.
In one embodiment, the step of receiving the network access request sent by the terminal device, obtaining from the network access request the plurality of non-linear features of parameters related to the terminal device, and forming the plurality of candidate feature sets comprises:
for each network access request sent by the terminal device, obtaining the plurality of non-linear features corresponding to that request;
extracting, with reference to the feature list, some or all of the obtained non-linear features to form the plurality of candidate feature sets.
In one embodiment, before the step of comparing the candidate feature sets level by level in ascending order of the number of features each contains, obtaining for each candidate feature set the support with which its features occur together, and designating every candidate feature set whose support is greater than or equal to the minimum support as a frequent feature set, the method further comprises:
determining whether the obtained operating-system feature of the terminal device is consistent with the maximum number of touch points supported by the terminal device.
In one embodiment, the step of obtaining the corresponding inverse confidence from the confidence of the frequent feature set comprises:
comparing the confidences of the individual frequent feature sets and taking the frequent feature set with the highest confidence in the comparison as the best frequent feature set;
using the inverse confidence of the best frequent feature set as the anomaly threshold.
In one embodiment, the minimum support is the upper quartile of all the candidate feature sets formed within a set time period.
In a second aspect, this application further provides a network access anomaly detection device comprising:
a forming module, configured to receive a network access request sent by a terminal device, obtain from the network access request a plurality of non-linear features of parameters related to the terminal device, and form a plurality of candidate feature sets;
a setting module, configured to compare the candidate feature sets level by level in ascending order of the number of features each contains, obtain for each candidate feature set the support with which its features occur together, and designate every candidate feature set whose support is greater than or equal to a minimum support as a frequent feature set;
an obtaining module, configured to obtain, from the confidence of each frequent feature set, the corresponding inverse confidence;
a determining module, configured to determine that the corresponding network access is an abnormal access when the inverse confidence of a frequent feature set is greater than an anomaly threshold.
In a third aspect, this application further provides a server comprising:
one or more processors;
a memory;
one or more computer-readable instructions, wherein the one or more computer-readable instructions are stored in the memory and configured to be executed by the one or more processors, and the one or more computer-readable instructions are configured to perform the network access anomaly detection method described in the embodiments of the first aspect.
In a fourth aspect, this application further provides a computer-readable storage medium on which computer-readable instructions are stored; when the computer-readable instructions are executed by a processor, they implement the network access anomaly detection method described in the embodiments of the first aspect.
The network access anomaly detection method and device provided by this application take candidate feature sets, each formed from several features obtained from the network request, derive from them the support and confidence of each candidate feature set as the basis for judging whether the network access is abnormal, and finally produce a determination of whether the corresponding network access request is abnormal.
The technical solution provided by this application forms multiple candidate feature sets from the features obtained from the network access request and compares their support and confidence values, which avoids identifying and then separately processing each feature. By transforming the object of detection in this way, the processing of detection data is simplified, detection efficiency is improved, and the ability to detect abnormal access by terminal devices is ultimately enhanced.
Additional aspects and advantages of this application will be set out in part in the following description, and will become apparent from that description or be learned through practice of the application.
Description of the drawings
The above and/or additional aspects and advantages of this application will become apparent and easy to understand from the following description of the embodiments in conjunction with the accompanying drawings, in which:
FIG. 1 is a diagram of the application environment in which an embodiment of this application executes the network access anomaly detection solution;
FIG. 2 is a flowchart of the network access anomaly detection method of an embodiment of this application;
FIG. 3 is a schematic diagram of the network access anomaly detection device of an embodiment of this application;
FIG. 4 is a schematic structural diagram of the server of an embodiment of this application.
Detailed description
The embodiments of this application are described in detail below; examples of the embodiments are shown in the accompanying drawings, in which the same or similar reference numerals denote the same or similar elements or elements with the same or similar functions throughout. The embodiments described below with reference to the drawings are exemplary, serve only to explain this application, and are not to be construed as limiting it.
Those skilled in the art will understand that, unless specifically stated otherwise, the singular forms "a", "an", "said" and "the" used herein may also include the plural. It should further be understood that the term "comprising" as used in the specification of this application denotes the presence of the stated features, integers, steps, operations, elements and/or components, but does not exclude the presence or addition of one or more other features, integers, steps, operations, elements, components and/or groups thereof. It should be understood that when an element is referred to as being "connected" or "coupled" to another element, it may be directly connected or coupled to that element, or intervening elements may be present. In addition, "connected" or "coupled" as used herein may include a wireless connection or wireless coupling. The term "and/or" as used herein includes any and all combinations of one or more of the associated listed items.
Those skilled in the art will understand that, unless otherwise defined, all terms used herein (including technical and scientific terms) have the same meaning as is commonly understood by those of ordinary skill in the art to which this application belongs. It should also be understood that terms such as those defined in general dictionaries are to be understood as having a meaning consistent with their meaning in the context of the prior art, and, unless specifically defined as here, are not to be interpreted in an idealized or overly formal sense.
Those skilled in the art will understand that "terminal" and "terminal device" as used herein include both devices with a wireless signal receiver, that is, devices that have only a wireless signal receiver without transmitting capability, and devices with receiving and transmitting hardware, that is, devices capable of two-way communication over a two-way communication link. Such devices may include: cellular or other communication devices, with a single-line display, a multi-line display or no multi-line display; PCS (Personal Communications Service) devices, which may combine voice, data processing, fax and/or data communication capabilities; PDAs (Personal Digital Assistants), which may include a radio frequency receiver, pager, Internet/intranet access, web browser, notepad, calendar and/or GPS (Global Positioning System) receiver; and conventional laptop and/or palmtop computers or other devices that have and/or include a radio frequency receiver. The "terminal" or "terminal device" used here may be portable, transportable, installed in a vehicle (air, sea and/or land), or suitable for and/or configured to operate locally and/or in distributed form at any other location on earth and/or in space. The "terminal" or "terminal device" used here may also be a communication terminal, an Internet access terminal or a music/video playback terminal, for example a PDA, a MID (Mobile Internet Device) and/or a mobile phone with music/video playback capability, or a device such as a smart TV or set-top box.
Those skilled in the art will understand that the remote network device used here includes, but is not limited to, a computer, a network host, a single network server, a set of multiple network servers, or a cloud made up of multiple servers. Here the cloud consists of a large number of computers or network servers based on cloud computing, where cloud computing is a form of distributed computing: a super virtual computer composed of a group of loosely coupled computers. In the embodiments of this application, the remote network device, the terminal device and the WNS server may communicate with one another by any communication means, including but not limited to mobile communication based on 3GPP, LTE or WiMAX, computer network communication based on TCP/IP or UDP, and short-range wireless transmission based on Bluetooth or infrared transmission standards.
Referring to FIG. 1, which is a diagram of the application environment of the embodiment of this application: in this embodiment the technical solution of this application may be implemented on a server. As shown in FIG. 1, terminal devices 110 and 120 can access the server 130 over the Internet; terminal device 110 and/or 120 sends a network request to the server 130, and the server 130 exchanges data according to that request. During the data exchange, the server 130 obtains the access data and attribute data of terminal device 110 and/or 120 from the request information of terminal device 110 and/or 120, and performs anomaly detection on that terminal device based on this data.
S210: Receive a network access request sent by a terminal device, obtain from the network access request a plurality of non-linear features of parameters related to the terminal device, and form a plurality of candidate feature sets.
When the server exchanges data with the terminal device, it obtains the relevant parameters of the terminal device from the network request the terminal device sent. To obtain the features, the relevant information can be extracted according to processing needs and parsed to yield the corresponding features; the features obtained in this way are multiple non-linear features.
In this step, when the user sends a registration or verification request, the front end uses a JavaScript script to obtain the relevant features of the terminal device, including device type (iPhone, Mac, Android), system information (OS type, version, resolution), the maximum number of touch points supported by the device's touch events, the IP address, and so on; these features are in a non-linear relationship with one another. Several features can be extracted as needed, or selected at random, to form multiple candidate feature sets for anomaly detection of the network access request sent by the terminal device.
S220: Compare the candidate feature sets level by level, in ascending order of the number of features each contains, obtain for each candidate feature set the support with which its features occur together, and designate every candidate feature set whose support is greater than or equal to the minimum support as a frequent feature set.
For all the candidate feature sets obtained in step S210, the support of each candidate feature set, that is, the frequency with which the features in that set occur together, is calculated from the feature layout of each set.
In this embodiment, the features may include a particular system version of the terminal device and whether the terminal device supports touch. The system version feature can be obtained by reading the device's user_agent via JS and parsing it; whether the device supports touch can be obtained directly via JS.
The support of every candidate feature set is compared with the minimum support, and each candidate feature set whose support is greater than or equal to the minimum support is designated a frequent feature set.
In this embodiment, to reduce the amount of computation in the support comparison, the comparison is performed level by level in ascending order of the number of features in each candidate feature set. The specific level-by-level comparison method is as follows:
For ease of explanation, the features are denoted by the serial numbers 1, 2, 3, 4 and 5:
Suppose the set of features is I={1,2,3,4,5} and the feature sets T are:
1,2,3
1,2,4
1,3,4
1,2,3,5
1,3,5
2,4,5
1,2,3,4
Set the minimum support to 3/7.
First, generate the candidate feature sets containing a single feature:
{1}, {2}, {3}, {4}, {5}
Generate the candidate feature sets containing two features:
All candidate feature sets containing two features are generated from the single-feature candidate feature sets above, giving the following candidate feature sets:
{1,2}, {1,3}, {1,4}, {1,5}
{2,3}, {2,4}, {2,5}
{3,4}, {3,5}
{4,5}
Calculating their supports shows that only {1,2}, {1,3}, {1,4}, {2,3}, {2,4}, {2,5} meet the requirement, so the candidate feature sets containing two features are:
{1,2}, {1,3}, {1,4}, {2,3}, {2,4}
Generate the candidate feature sets containing three features:
Taking unions of the two-feature candidate feature sets gives {1,2,3}, {1,2,4}, {1,3,4}.
However, since the subset {3,4} of {1,3,4} is not among the 2-frequent feature sets, {1,3,4} must be eliminated.
The supports of {1,2,3} and {1,2,4} are then calculated: the support of {1,2,3} is 3/7 and the support of {1,2,4} is 2/7, so {1,2,4} must be eliminated.
Therefore the only candidate feature set with three features is {1,2,3}.
That is, during the level-by-level comparison, the frequent feature set generation process ends once the support of the candidate feature set is found to be equal to or greater than the minimum support.
In this way, it is not necessary to traverse every candidate feature set and compare it with the minimum support.
S230: Obtain, from the confidence of each frequent feature set, the corresponding inverse confidence.
From the frequent feature sets obtained in step S220, the confidence of each frequent feature set is calculated, and from that confidence the inverse confidence of the corresponding frequent feature set is obtained.
S240: When the inverse confidence of the sample under inspection is greater than the anomaly threshold, determine that the corresponding network access is an abnormal access.
In this step, the sample under inspection is the frequent feature set, obtained through steps S210 to S230, that corresponds to a particular network access request initiated by the terminal device. When the inverse confidence of the sample under inspection is greater than the anomaly threshold, the corresponding network access is determined to be abnormal. The anomaly threshold may be set specifically for the network access requests sent by the terminal device; the threshold so set may be 70%. The anomaly threshold may also be derived from the frequent feature sets obtained above.
The network access anomaly detection method provided by this application takes the multiple non-linear features obtained from a network access request, combines several of them into multiple candidate feature sets, compares the support of each with the minimum support to obtain the corresponding frequent feature sets, and finally, from the confidence of those frequent feature sets, obtains a detection result by comparison with the anomaly threshold as to whether the network access request is abnormal. The technical solution of this application uses the support and confidence computed for the candidate feature sets formed from the features of the network access request initiated by the terminal device to generate a discriminative feature set more quickly, and uses that as the basis for deciding whether to respond to the request. Compared with the prior art, which can only judge abnormal access from the surface appearance of the user's usage trajectory when initiating a network access request, this application uses feature engineering and machine learning algorithms to learn the discriminating rules in user data autonomously; the result is highly interpretable, can recognize diverse abnormal scenarios, and, as the sample size grows, can cover more and more complex cases.
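The level-by-level comparison of step S220 and the confidence-based decision of steps S230 and S240, as an added Python example that is not part of the patent text: it runs an Apriori-style pass over the seven feature sets T of the worked example above with minimum support 3/7, recomputing every support from T rather than copying the intermediate lists, and then derives rule confidences from the result. The page does not define how the confidence and inverse confidence of a feature set are calculated, so this example assumes the standard association-rule confidence supp(X∪Y)/supp(X), takes a set's confidence to be the highest confidence of any rule inside it, and takes the inverse confidence to be 1 minus that value.

```python
"""Added example: Apriori-style frequent feature set mining (step S220) and a
confidence / inverse-confidence anomaly decision (steps S230-S240).

Constructed sample data: the seven feature sets T of the patent's worked
example, with features numbered 1..5 as in the text."""
from fractions import Fraction
from itertools import combinations

SAMPLE_T = [
    {1, 2, 3}, {1, 2, 4}, {1, 3, 4}, {1, 2, 3, 5},
    {1, 3, 5}, {2, 4, 5}, {1, 2, 3, 4},
]


def support(itemset, transactions):
    """Support of a feature set: the fraction of transactions (requests) in
    which all of its features occur together."""
    hits = sum(1 for t in transactions if itemset <= t)
    return Fraction(hits, len(transactions))


def frequent_feature_sets(transactions, min_support):
    """Level-by-level generation of frequent feature sets.

    Level k holds candidate sets with k features; only those whose support is
    >= min_support survive, and the next level is built solely from the
    survivors, so most of the 2**n possible sets are never examined.
    Returns a dict mapping each frequent set (frozenset) to its support."""
    min_support = Fraction(min_support)
    items = sorted({f for t in transactions for f in t})
    level = {frozenset([f]) for f in items}      # 1-feature candidates
    frequent = {}
    k = 1
    while level:
        survivors = {}
        for cand in level:
            s = support(cand, transactions)
            if s >= min_support:
                survivors[cand] = s
        if not survivors:
            break
        frequent.update(survivors)
        # Join pairs of frequent k-sets into (k+1)-sets, then prune any
        # candidate that has a k-subset which is not frequent; this is the
        # step that discards {1,3,4} in the worked example because {3,4}
        # is not a 2-frequent feature set.
        level = set()
        for a, b in combinations(survivors, 2):
            cand = a | b
            if len(cand) != k + 1:
                continue
            if all(frozenset(sub) in survivors for sub in combinations(cand, k)):
                level.add(cand)
        k += 1
    return frequent


def rule_confidence(antecedent, consequent, transactions):
    """Standard association-rule confidence conf(X -> Y) = supp(X u Y) / supp(X)."""
    base = support(antecedent, transactions)
    if base == 0:
        return Fraction(0)
    return support(antecedent | consequent, transactions) / base


def feature_set_confidence(itemset, transactions):
    """ASSUMPTION (not defined on the page): the confidence of a feature set is
    the highest confidence of any rule X -> Y with X a non-empty proper subset
    of the set and Y the remaining features."""
    itemset = frozenset(itemset)
    best = Fraction(0)
    for r in range(1, len(itemset)):
        for x in combinations(sorted(itemset), r):
            x = frozenset(x)
            best = max(best, rule_confidence(x, itemset - x, transactions))
    return best


def inverse_confidence(itemset, transactions):
    """ASSUMPTION: inverse confidence = 1 - confidence, i.e. how unexpected it
    is, given the history, for these features to be reported together."""
    return 1 - feature_set_confidence(itemset, transactions)


def is_anomalous(observed, transactions, threshold):
    """Step S240: flag a request whose observed feature set has an inverse
    confidence above the anomaly threshold (the page mentions 70%)."""
    return inverse_confidence(observed, transactions) > threshold


if __name__ == "__main__":
    fs = frequent_feature_sets(SAMPLE_T, Fraction(3, 7))
    for s in sorted(fs, key=lambda s: (len(s), sorted(s))):
        print(sorted(s), fs[s])
    # A combination seen in the history is not flagged; one never seen
    # together (like a desktop OS reporting touch support) has inverse
    # confidence 1 and is flagged.
    print("{1,2,4} anomalous:", is_anomalous({1, 2, 4}, SAMPLE_T, 0.7))
    print("{3,4,5} anomalous:", is_anomalous({3, 4, 5}, SAMPLE_T, 0.7))
```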
Before step S210, the method further comprises:
forming a feature list of the characteristics that can be obtained from a network access request received from a terminal device.
In this embodiment, the corresponding features can be obtained from the network access request initiated by the terminal device according to preset feature items, and the preset feature items are collected together to form the feature list. A feature item in the feature list may be a specific piece of information within some category: for example, for the operating system of the terminal device it may specifically be iOS or Windows; for the model of the terminal device it may specifically be a Mac computer or a Windows computer; for the touch events of the terminal device, different features can be set according to the specific maximum numbers of touch points supported by the main terminal devices and/or operating systems in current use. In this way, once different features are combined, anomalies can be found more precisely from the correspondence between features.
On this basis, the feature types in the feature list include the types of information necessarily produced when the terminal device initiates a network access request.
The necessary information types are the types to which features that are inevitably produced while the terminal device initiates a network access request belong, and which can be obtained without secondary computation or statistics, such as the model of the terminal device, its operating system version number, its IP information, or its touch events.
In this way, the fundamental feature information produced by an abnormal access can be processed directly and a determination made from the result of that processing, so that as little data as possible is processed and the accuracy rate is easily improved.
Step S210 comprises:
A1. For each network access request sent by the terminal device, obtaining the multiple non-linear features from the corresponding network access request;
A2. Extracting, with reference to the feature list, some or all of the obtained non-linear features to form multiple candidate feature sets.
In this embodiment, the features obtained from the terminal device are obtained for each network access request it initiates. The obtained features can be acquired and collected according to the feature items in the feature list. According to the needs of network access anomaly detection, some or all of the feature items are extracted from the collected feature items and formed into multiple candidate feature sets, providing the data for the anomaly detection of the terminal device's network access.
In this embodiment, before step S220, the method may further comprise:
determining whether the obtained operating-system feature of the terminal device is consistent with the maximum number of touch points supported by the terminal device.
For example, the maximum number of touch points supported in the touch events of a computer running Windows, as obtained via JS, is 255. In general, however, computers running the Mac or Windows operating systems do not support touch, so if the touch event information obtained via JS indicates touch support, the user is very likely abnormal.
Conversely, mobile terminal devices running Android generally do support touch, so if the touch event information obtained via JS indicates no touch support, the user is very likely abnormal.
When such an inconsistency is found, the corresponding server is started to run the operation of step S220 and compute the support of each candidate feature set, in particular of those that include the operating-system feature of the terminal device together with the feature of the maximum number of touch points it supports. To further increase detection accuracy, the device model feature of the terminal device may be added to the candidate feature sets.
In step S230, the step of obtaining the corresponding inverse confidence from the confidence of the frequent feature set comprises:
B1. Comparing the confidences of the individual frequent feature sets and taking the frequent feature set with the highest confidence in the comparison as the best frequent feature set;
B2. Using the inverse confidence of the best frequent feature set as the anomaly threshold.
For the frequent feature sets obtained in step S220, the confidence of each frequent feature set is calculated and the confidences of the frequent feature sets are compared. From the result of the comparison, the frequent feature set with the highest confidence is taken as the best frequent feature set. The inverse confidence is then calculated from that highest confidence, that is, the inverse confidence of the best frequent feature set is used as the anomaly threshold.
Anomaly detection is performed on the corresponding network access request according to this anomaly threshold.
If a new feature set is added from the terminal device's network access requests, the support and confidence are updated to obtain the best frequent feature set for that point in time, and the inverse confidence of that best frequent feature set is used as the basis for the anomaly determination.
In this way, the corresponding parameters can be updated and adjusted at any time according to changes in the data obtained about the terminal device's features, so that the determination criterion is adjusted as the data changes.
If the network request currently initiated by the terminal device is determined to be an abnormal access request, the server rejects the request outright or requires the terminal device to perform access verification again; if the network request currently initiated by the terminal device is determined to be a normal access request, the server responds to it directly.
In addition, the minimum support mentioned in step S220 may be a set value.
In this embodiment, the minimum support is the upper quartile of all the candidate feature sets formed within a set time period.
In this way, the minimum support can be adjusted according to the obtained features and changes in the candidate feature sets composed of those features, ensuring that the frequent feature sets are obtained more accurately and thus guaranteeing the accuracy and flexibility of the anomaly detection results.
Based on the same inventive concept as the network access anomaly detection method above, an embodiment of the present application also provides a network access anomaly detection device, shown in FIG. 3, comprising:
a forming module 310, configured to receive a network access request sent by a terminal device, obtain multiple nonlinear features of parameters related to the terminal device from the network access request, and form multiple candidate feature sets;
a setting module 320, configured to compare the candidate feature sets level by level in increasing order of the number of features they contain, obtain for each candidate feature set its support (the frequency with which its features occur together), and set every candidate feature set whose support is greater than or equal to the minimum support as a frequent feature set;
an obtaining module 330, configured to obtain the corresponding inverse confidence from the confidence of the frequent feature set;
a determining module 340, configured to determine that the corresponding network access is abnormal when the inverse confidence of the frequent feature set is greater than the anomaly threshold.
Refer to FIG. 4, a schematic diagram of the internal structure of the server in one embodiment. As shown in FIG. 4, the server includes a processor 410, a storage medium 420, a memory 430 and a network interface 440 connected through a system bus. The storage medium 420 of the server stores an operating system, a database and computer-readable instructions; the database may store control information sequences. When the computer-readable instructions are executed by the processor 410, they cause the processor 410 to implement a network access anomaly detection method, and the processor 410 can implement the functions of the forming module 310, setting module 320, obtaining module 330 and determining module 340 of the network access anomaly detection device of the embodiment shown in FIG. 3. The processor 410 of the server provides computing and control capabilities and supports the operation of the whole server. The memory 430 of the server may store computer-readable instructions which, when executed by the processor 410, cause the processor 410 to execute a network access anomaly detection method. The network interface 440 of the server is used to connect to and communicate with terminals. Those skilled in the art will understand that the structure shown in FIG. 4 is only a block diagram of the part of the structure related to the solution of the present application and does not limit the server to which the solution is applied; a specific server may include more or fewer components than shown in the figure, combine certain components, or arrange the components differently.
In one embodiment, the present application also proposes a storage medium storing computer-readable instructions which, when executed by one or more processors, cause the one or more processors to perform the following steps: receiving a network access request sent by a terminal device, obtaining multiple nonlinear features of parameters related to the terminal device from the network access request, and forming multiple candidate feature sets; comparing the candidate feature sets level by level in increasing order of the number of features they contain, obtaining for each candidate feature set its support (the frequency with which its features occur together), and setting every candidate feature set whose support is greater than or equal to the minimum support as a frequent feature set; obtaining the corresponding inverse confidence from the confidence of the frequent feature set; and, when the inverse confidence of the frequent feature set is greater than the anomaly threshold, determining that the corresponding network access is abnormal.
Taken together, the embodiments above show that the main beneficial effect of the present application is as follows:
The network access anomaly detection method and device provided by the present application take the candidate feature sets formed from several features obtained from the network request, derive from them the support and confidence of the candidate feature sets, use these as the basis for deciding whether the network access is abnormal, and finally obtain a decision on whether the corresponding network access request is abnormal.
The technical solution forms multiple candidate feature sets from the features obtained from the network access request and compares support and confidence values, which avoids having to recognise and then further process each individual feature. By transforming the object of detection in this way, the processing of detection data is simplified, detection efficiency is improved, and ultimately the ability to detect abnormal access by terminal devices is strengthened.
In summary, the network access anomaly detection method and device of the present application form candidate feature sets from combinations of features that characterise verified, normal network access and, based on the comparison of their support and confidence, decide whether the network access is abnormal. The technical solution converts feature information into parameter values that are easy to compare, lowering the difficulty of obtaining information from the terminal device, and, compared with the prior art, which can only judge abnormal access from the superficial usage trail left when a user initiates a network access request, it also improves detection accuracy.
A person of ordinary skill in the art will understand that all or part of the processes in the methods of the foregoing embodiments can be implemented by computer-readable instructions directing the relevant hardware. The computer-readable instructions can be stored in a computer-readable storage medium and, when executed, may include the processes of the method embodiments above. The storage medium may be a magnetic disk, an optical disc, a read-only memory (ROM) or similar storage medium; it may be a non-volatile storage medium or a random access memory (RAM), among others.
The technical features of the above embodiments can be combined arbitrarily. For brevity, not every possible combination of the technical features of the above embodiments is described; however, as long as a combination of these technical features contains no contradiction, it should be considered within the scope of this specification.
The above embodiments express only several implementations of the present application, and although their descriptions are specific and detailed, they should not be understood as limiting the patent scope of the present application. It should be pointed out that a person of ordinary skill in the art can make several modifications and improvements without departing from the concept of the present application, and these all fall within its scope of protection. Therefore, the scope of protection of the present application shall be governed by the appended claims.

Claims (20)

  1. A network access anomaly detection method, characterized by comprising the following steps:
    receiving a network access request sent by a terminal device, obtaining multiple nonlinear features of parameters related to the terminal device from the network access request, and forming multiple candidate feature sets;
    comparing the candidate feature sets level by level in increasing order of the number of features they contain, obtaining for each candidate feature set its support, namely the frequency with which its features occur together, and setting every candidate feature set whose support is greater than or equal to a minimum support as a frequent feature set;
    obtaining the corresponding inverse confidence from the confidence of the frequent feature set;
    when the inverse confidence of the frequent feature set is greater than an anomaly threshold, determining that the corresponding network access is abnormal.
  2. The method according to claim 1, characterized in that,
    before the step of receiving a network access request sent by a terminal device, obtaining multiple nonlinear features of parameters related to the terminal device from the network access request, and forming multiple candidate feature sets, the method further comprises:
    forming a feature list of the characteristics that can be obtained from a network access request sent by a terminal device.
  3. The method according to claim 2, characterized in that
    the feature types in the feature list include the types of information necessarily produced when the terminal device initiates a network access request.
  4. The method according to claim 2 or 3, characterized in that
    the step of receiving a network access request sent by a terminal device, obtaining multiple nonlinear features of parameters related to the terminal device from the network access request, and forming multiple candidate feature sets comprises:
    for each network access request sent by the terminal device, obtaining the corresponding multiple nonlinear features;
    extracting, according to the feature list, some or all of the obtained nonlinear features to form multiple candidate feature sets.
  5. The method according to claim 4, characterized in that,
    before the step of comparing the candidate feature sets level by level in increasing order of the number of features they contain, obtaining for each candidate feature set its support, and setting every candidate feature set whose support is greater than or equal to the minimum support as a frequent feature set, the method further comprises:
    determining whether the obtained operating system feature of the terminal device is consistent with the maximum number of touch points the terminal device supports.
  6. The method according to claim 1, characterized in that
    the step of obtaining the corresponding inverse confidence from the confidence of the frequent feature set comprises:
    comparing the confidences of the frequent feature sets and taking the frequent feature set with the highest confidence as the best frequent feature set;
    using the inverse confidence of the best frequent feature set as the anomaly threshold.
  7. The method according to claim 1, characterized in that
    the minimum support is the upper quartile of all candidate feature sets formed within a set time period.
  8. A network access anomaly detection device, characterized by comprising:
    a forming module, configured to receive a network access request sent by a terminal device, obtain multiple nonlinear features of the terminal device from the network access request, and form multiple candidate feature sets;
    a setting module, configured to obtain the support of each candidate feature set and set every candidate feature set whose support is greater than or equal to a minimum support as a frequent feature set;
    an obtaining module, configured to obtain the corresponding inverse confidence from the confidence of the frequent feature set;
    a determining module, configured to determine that the corresponding network access is abnormal when the inverse confidence of the frequent feature set is greater than an anomaly threshold.
  9. The anomaly detection device according to claim 8, characterized in that it further comprises:
    a list obtaining module, configured to form a feature list of the characteristics that can be obtained from a network access request sent by a terminal device.
  10. The anomaly detection device according to claim 9, characterized in that the feature types in the feature list include the types of information necessarily produced when the terminal device initiates a network access request.
  11. The anomaly detection device according to claim 8 or 9, characterized in that the forming module comprises:
    a receiving unit, configured to receive each network access request sent by the terminal device and obtain the corresponding multiple nonlinear features;
    an obtaining unit, configured to extract, according to the feature list, some or all of the obtained nonlinear features to form multiple candidate feature sets.
  12. The anomaly detection device according to claim 11, characterized in that it further comprises:
    a judging module, configured to determine whether the obtained operating system feature of the terminal device is consistent with the maximum number of touch points the terminal device supports.
  13. The anomaly detection device according to claim 8, characterized in that the obtaining module is configured to:
    compare the confidences of the frequent feature sets, take the frequent feature set with the highest confidence as the best frequent feature set, and use the inverse confidence of the best frequent feature set as the anomaly threshold.
  14. The anomaly detection device according to claim 8, characterized in that the minimum support is the upper quartile of all candidate feature sets formed within a set time period.
  15. A server, characterized by comprising: one or more processors; a memory;
    one or more computer-readable instructions, wherein the one or more computer-readable instructions are stored in the memory and configured to be executed by the one or more processors, and the one or more computer-readable instructions are configured to perform the following steps:
    receiving a network access request sent by a terminal device, obtaining multiple nonlinear features of parameters related to the terminal device from the network access request, and forming multiple candidate feature sets;
    comparing the candidate feature sets level by level in increasing order of the number of features they contain, obtaining for each candidate feature set its support, namely the frequency with which its features occur together, and setting every candidate feature set whose support is greater than or equal to a minimum support as a frequent feature set;
    obtaining the corresponding inverse confidence from the confidence of the frequent feature set;
    when the inverse confidence of the frequent feature set is greater than an anomaly threshold, determining that the corresponding network access is abnormal.
  16. The server according to claim 15, characterized in that, before the step of receiving a network access request sent by a terminal device, obtaining multiple nonlinear features of parameters related to the terminal device from the network access request, and forming multiple candidate feature sets, the steps further comprise:
    forming a feature list of the characteristics that can be obtained from a network access request sent by a terminal device.
  17. The server according to claim 16, characterized in that the feature types in the feature list include the types of information necessarily produced when the terminal device initiates a network access request.
  18. The server according to claim 16 or 17, characterized in that the step of receiving a network access request sent by a terminal device, obtaining multiple nonlinear features of parameters related to the terminal device from the network access request, and forming multiple candidate feature sets comprises:
    for each network access request sent by the terminal device, obtaining the corresponding multiple nonlinear features;
    extracting, according to the feature list, some or all of the obtained nonlinear features to form multiple candidate feature sets.
  19. The server according to claim 18, characterized in that,
    before the step of comparing the candidate feature sets level by level in increasing order of the number of features they contain, obtaining for each candidate feature set its support, and setting every candidate feature set whose support is greater than or equal to the minimum support as a frequent feature set, the steps further comprise:
    determining whether the obtained operating system feature of the terminal device is consistent with the maximum number of touch points the terminal device supports.
  20. A computer-readable storage medium, characterized in that the computer-readable storage medium stores computer-readable instructions which, when executed by a processor, perform the following steps:
    receiving a network access request sent by a terminal device, obtaining multiple nonlinear features of parameters related to the terminal device from the network access request, and forming multiple candidate feature sets;
    comparing the candidate feature sets level by level in increasing order of the number of features they contain, obtaining for each candidate feature set its support, namely the frequency with which its features occur together, and setting every candidate feature set whose support is greater than or equal to a minimum support as a frequent feature set;
    obtaining the corresponding inverse confidence from the confidence of the frequent feature set;
    when the inverse confidence of the frequent feature set is greater than an anomaly threshold, determining that the corresponding network access is abnormal.
PCT/CN2019/118437 2019-06-28 2019-11-14 Network access anomaly detection method and device WO2020258672A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201910580036.4 2019-06-28
CN201910580036.4A CN110392046B (en) 2019-06-28 2019-06-28 Method and device for detecting abnormity of network access

Publications (1)

Publication Number Publication Date
WO2020258672A1 true WO2020258672A1 (en) 2020-12-30

Family

ID=68286022

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2019/118437 WO2020258672A1 (en) 2019-06-28 2019-11-14 Network access anomaly detection method and device

Country Status (2)

Country Link
CN (1) CN110392046B (en)
WO (1) WO2020258672A1 (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110392046B (en) * 2019-06-28 2021-12-24 平安科技(深圳)有限公司 Method and device for detecting abnormity of network access
CN114666391B (en) * 2020-12-03 2023-09-19 中国移动通信集团广东有限公司 Method, device, equipment and storage medium for determining access track
CN113726814B (en) * 2021-09-09 2022-09-02 中国电信股份有限公司 User abnormal behavior identification method, device, equipment and storage medium

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20020082886A1 (en) * 2000-09-06 2002-06-27 Stefanos Manganaris Method and system for detecting unusual events and application thereof in computer intrusion detection
CN104539484A (en) * 2014-12-31 2015-04-22 深圳先进技术研究院 Method and system for dynamically estimating network connection reliability
CN105512210A (en) * 2015-11-27 2016-04-20 网神信息技术(北京)股份有限公司 Correlated event type detection method and device
CN105681312A (en) * 2016-01-28 2016-06-15 李青山 Mobile internet exceptional user detection method based on frequent itemset mining
CN108255996A (en) * 2017-12-29 2018-07-06 西安交大捷普网络科技有限公司 Safe log analyzing method based on Apriori algorithm
CN108595667A (en) * 2018-04-28 2018-09-28 广东电网有限责任公司 A kind of correlation analysis method of Network Abnormal data
CN110392046A (en) * 2019-06-28 2019-10-29 平安科技(深圳)有限公司 The method for detecting abnormality and device of network access

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10326789B1 (en) * 2015-09-25 2019-06-18 Amazon Technologies, Inc. Web Bot detection and human differentiation
CA3011936A1 (en) * 2017-08-03 2019-02-03 Interset Software, Inc. Systems and methods for discriminating between human and non-human interactions with computing devices on a computer network
CN107704764A (en) * 2017-10-18 2018-02-16 广州华多网络科技有限公司 Build method, apparatus, equipment and the man-machine knowledge method for distinguishing of training set
CN109120634B (en) * 2018-09-05 2021-02-05 广州视源电子科技股份有限公司 Port scanning detection method and device, computer equipment and storage medium
CN109408556B (en) * 2018-09-28 2024-02-02 中国平安人寿保险股份有限公司 Abnormal user identification method and device based on big data, electronic equipment and medium
CN109936561B (en) * 2019-01-08 2022-05-13 平安科技(深圳)有限公司 User request detection method and device, computer equipment and storage medium

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
HONG, SHIJIE: "Non-official translation: Research of Intrusion Detection Based on Sequential Pattern Mining", INFORMATION & TECHNOLOGY, CHINA MASTER’S THESES FULL-TEXT DATABASE, no. 09, 15 September 2009 (2009-09-15), DOI: 20200228121637X *
LI, HANGUANG ET AL.: "Intrusion Detection Technology Research Based on Apriori Algorithm", 2012 INTERNATIONAL CONFERENCE ON APPLIED PHYSICS AND INDUSTRIAL ENGINEERING, 31 December 2012 (2012-12-31), XP028473266, DOI: 20200228122011A *
LI, HELING: "Non-official translation: Study on Application of Data Mining to Network Intrusion Detection", INFORMATION & TECHNOLOGY, CHINA MASTER'S THESES FULL-TEXT DATABASE, no. 09, 15 September 2013 (2013-09-15), DOI: 20200228121753A *

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113850499A (en) * 2021-09-23 2021-12-28 平安银行股份有限公司 Data processing method and device, electronic equipment and storage medium
CN113850499B (en) * 2021-09-23 2024-04-09 平安银行股份有限公司 Data processing method and device, electronic equipment and storage medium

Also Published As

Publication number Publication date
CN110392046A (en) 2019-10-29
CN110392046B (en) 2021-12-24


Legal Events

Code Title Description
121 Ep: the EPO has been informed by WIPO that EP was designated in this application (Ref document number: 19934771; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: PCT application non-entry in European phase (Ref document number: 19934771; Country of ref document: EP; Kind code of ref document: A1)