CN113535823B - Abnormal access behavior detection method and device and electronic equipment - Google Patents

Info

Publication number: CN113535823B
Authority: CN (China)
Application number: CN202110842412.XA
Other languages: Chinese (zh)
Other versions: CN113535823A
Legal status: Active (as listed by Google Patents; not a legal conclusion)
Inventors: 张学亮, 周晓阳, 鲍青波, 吴瑕
Current assignees: Beijing Topsec Technology Co Ltd; Beijing Topsec Network Security Technology Co Ltd; Beijing Topsec Software Co Ltd
Original assignees: Beijing Topsec Technology Co Ltd; Beijing Topsec Network Security Technology Co Ltd; Beijing Topsec Software Co Ltd
Prior art keywords: access, information, behaviors, abnormal, similar

Timeline:
    • Application filed by Beijing Topsec Technology Co Ltd, Beijing Topsec Network Security Technology Co Ltd and Beijing Topsec Software Co Ltd
    • Priority to CN202110842412.XA
    • Publication of CN113535823A
    • Application granted
    • Publication of CN113535823B

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/24 Querying
    • G06F16/245 Query processing
    • G06F16/2458 Special types of queries, e.g. statistical queries, fuzzy queries or distributed queries
    • G06F16/2465 Query processing support for facilitating data mining operations in structured databases
    • G06F16/2462 Approximate or statistical queries
    • G06F16/2474 Sequence data queries, e.g. querying versioned data
    • G06F16/28 Databases characterised by their database models, e.g. relational or object models
    • G06F16/284 Relational databases
    • G06F16/285 Clustering or classification

Abstract

The application discloses a method and a device for detecting abnormal access behaviors and electronic equipment, wherein the method comprises the following steps: extracting time identification and attribute information from the acquired historical access request, and constructing access information capable of uniquely identifying access behaviors based on the time identification and the attribute information; ordering the access information based on the time identification to form a first sequence; intercepting a first segment containing a plurality of access information from a first sequence through a sliding time window; analyzing attribute information of the access information in the first segment to identify similar access behaviors in the access behaviors identified by the access information and determine the number of the similar access behaviors; and under the condition that the number of the similar access behaviors is larger than a first threshold value, determining that the similar access behaviors are abnormal access behaviors. The method can accurately detect the repeated abnormal access behaviors in a certain time range.

Description

Abnormal access behavior detection method and device and electronic equipment
Technical Field
The present application relates to the field of security protection technologies, and in particular, to a method and an apparatus for detecting abnormal access behavior, and an electronic device.
Background
A server or distributed cluster system is generally provided with a security protection system that detects abnormal access behaviors in real time and protects against them. Although such a system can effectively identify some abnormal access behaviors, its real-time detection generally has strict timeliness requirements, correlation analysis over large amounts of access data is difficult, and some abnormal access behaviors are still missed. It is therefore necessary to identify abnormal access behaviors by analyzing historical access data, so as to provide a basis for subsequent security protection.
Disclosure of Invention
In view of the above problems in the prior art, the present application provides a method, an apparatus, and an electronic device for detecting abnormal access behaviors, where the technical solution adopted by the embodiment of the present application is as follows:
an abnormal access behavior detection method, comprising:
extracting time identification and attribute information from the acquired historical access request, and constructing access information capable of uniquely identifying the access behavior corresponding to the historical access request based on the time identification and the attribute information;
sorting the access information based on the time identification to form a first sequence;
intercepting a first segment containing a plurality of access information from the first sequence through a sliding time window;
analyzing attribute information of the access information in the first segment to identify similar access behaviors in the access behaviors identified by the access information and determine the number of the similar access behaviors;
and under the condition that the number of the similar access behaviors is larger than a first threshold value, determining that the similar access behaviors are abnormal access behaviors.
In some embodiments, the attribute information includes at least a source IP address; the analyzing the attribute information of the access information in the first segment to identify the same kind of access behavior in the access behaviors identified by the access information includes:
and analyzing attribute information of the access information in the first fragment to identify similar access behaviors with the same source IP address and determine the number of the similar access behaviors.
In some embodiments, the analyzing the attribute information of the access information in the first segment to identify the same class of access behavior of the source IP address includes:
and identifying the access information with the same source IP address and the attribute information containing the user name and the password, and determining the access behavior identified by the access information as the similar access behavior.
In some embodiments, the analyzing the attribute information of the access information in the first segment to identify homogeneous ones of the access behaviors identified by the access information and determining the number of homogeneous access behaviors includes:
performing cluster analysis on a plurality of access information in the first segment to obtain at least one cluster;
and determining the access behaviors identified by the access information in the same cluster as the similar access behaviors, and determining the quantity of the access information in the cluster.
In some embodiments, said intercepting, from said first sequence, a first fragment containing a plurality of access information by sliding a time window, comprises:
circularly intercepting the first segment from the first sequence according to a preset sliding step length through the sliding time window; wherein the sliding step length is smaller than the window duration of the sliding time window.
In some embodiments, the method further comprises:
and acquiring the access information that identifies the abnormal access behavior as intelligence information.
In some embodiments, the method further comprises:
analyzing the intelligence information;
in the case where a plurality of the access information in the intelligence information has the same source IP address, adding the source IP address to a blacklist.
In some embodiments, the method further comprises:
analyzing the intelligence information;
in the case where a plurality of the access information in the intelligence information has the same target port, adding a security protection module at the target port of the electronic device.
An abnormal access behavior detection apparatus, comprising:
the first acquisition module is used for extracting time identification and attribute information from the acquired historical access request and constructing access information capable of uniquely identifying the access behavior corresponding to the historical access request based on the time identification and the attribute information;
the ordering module is used for ordering the access information based on the time identification so as to form a first sequence;
a selecting module, configured to intercept a first segment including a plurality of access information from the first sequence through a sliding time window;
the first analysis module is used for analyzing attribute information of the access information in the first fragment to identify similar access behaviors in the access behaviors identified by the access information and determine the number of the similar access behaviors;
and the determining module is used for determining that the similar access behaviors are abnormal access behaviors under the condition that the number of the similar access behaviors is larger than a first threshold value.
An electronic device comprising at least a memory having a program stored thereon and a processor which when executing the program on the memory implements a method as described above.
A computer-readable storage medium having stored therein computer-executable instructions that when executed implement a method as described above.
According to the abnormal access behavior detection method, time identification and attribute information are extracted from historical access requests, access information is constructed based on the time identification and the attribute information, the access information is ordered in time sequence to form a first sequence, a sliding time window is used to intercept a first segment from the first sequence, the access behaviors identified by the access information in the first segment are analyzed based on the attribute information, the number of similar access behaviors is determined, and the similar access behaviors are determined to be abnormal access behaviors when that number is larger than a first threshold value. Because the sliding time window moves along the time sequence and the number of similar access behaviors within a specific time span is counted continuously, the method can accurately detect repeated abnormal access behaviors within a certain time range.
Drawings
FIG. 1 is a flowchart of an abnormal access behavior detection method according to an embodiment of the present application;
FIG. 2 is a schematic view of a scenario in step S3 of the method for detecting abnormal access behavior according to an embodiment of the present application;
FIG. 3 is a block diagram of an apparatus for detecting abnormal access behavior according to an embodiment of the present application;
FIG. 4 is a block diagram of an electronic device according to an embodiment of the present application.
Detailed Description
Various aspects and features of the present application are described herein with reference to the accompanying drawings.
It should be understood that various modifications may be made to the embodiments of the application herein. Therefore, the above description should not be taken as limiting, but merely as exemplification of the embodiments. Other modifications within the scope and spirit of the application will occur to persons of ordinary skill in the art.
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments of the application and, together with a general description of the application given above, and the detailed description of the embodiments given below, serve to explain the principles of the application.
These and other characteristics of the application will become apparent from the following description of alternative forms of embodiment given as non-limiting examples, with reference to the accompanying drawings.
It is also to be understood that, although the application has been described with reference to some specific examples, those skilled in the art can certainly realize many other equivalent forms of the application.
The above and other aspects, features and advantages of the present application will become more apparent in light of the following detailed description when taken in conjunction with the accompanying drawings.
Specific embodiments of the present application will be described hereinafter with reference to the accompanying drawings; however, it is to be understood that the disclosed embodiments are merely exemplary of the application, which can be embodied in various forms. Well-known and/or repeated functions and constructions are not described in detail to avoid obscuring the application in unnecessary detail. Therefore, specific structural and functional details disclosed herein are not intended to be limiting, but merely as a basis for the claims and as a representative basis for teaching one skilled in the art to variously employ the present application in virtually any appropriately detailed structure.
The specification may use the word "in one embodiment," "in another embodiment," "in yet another embodiment," or "in other embodiments," which may each refer to one or more of the same or different embodiments in accordance with the application.
The embodiment of the application provides an abnormal access behavior detection method, which comprises the following steps:
extracting time identification and attribute information from the acquired historical access request, and constructing access information capable of uniquely identifying the access behavior corresponding to the historical access request based on the time identification and the attribute information;
sorting the access information based on the time identification to form a first sequence;
intercepting a first segment containing a plurality of access information from the first sequence through a sliding time window;
analyzing attribute information of the access information in the first segment to identify similar access behaviors in the access behaviors identified by the access information and determine the number of the similar access behaviors;
and under the condition that the number of the similar access behaviors is larger than a first threshold value, determining that the similar access behaviors are abnormal access behaviors.
According to the abnormal access behavior detection method, time identification and attribute information are extracted from historical access requests, access information is constructed based on the time identification and the attribute information, the access information is ordered in time sequence to form a first sequence, a sliding time window is used to intercept a first segment from the first sequence, the access behaviors identified by the access information in the first segment are analyzed based on the attribute information, the number of similar access behaviors is determined, and the similar access behaviors are determined to be abnormal access behaviors when that number is larger than a first threshold value. Because the sliding time window moves along the time sequence and the number of similar access behaviors within a specific time span is counted continuously, the method can accurately detect repeated abnormal access behaviors within a certain time range.
The steps and principles of the abnormal access behavior detection method according to the embodiments of the present application will be described in detail with reference to the accompanying drawings and specific embodiments.
Fig. 1 is a flowchart of an abnormal access behavior detection method according to an embodiment of the present application, and referring to fig. 1, the abnormal access behavior detection method according to an embodiment of the present application specifically includes the following steps:
S1, extracting time identification and attribute information from the acquired historical access request, and constructing access information capable of uniquely identifying access behaviors corresponding to the historical access request based on the time identification and the attribute information.
Historical data of the electronic device or the distributed system generally stores historical access requests, each of which generally comprises a time identifier and attribute information, where the attribute information can include a source address, a target interface, request fields and the like. After the historical access requests are acquired, the time identification and the attribute information can be extracted from each of them in turn, and the access information is constructed from the time identification and the attribute information. The historical access requests can be processed in parallel to obtain access information in batches, which improves the efficiency of obtaining the access information.
Specifically, one or more time identification fields (T) may be preconfigured, and the time information is read from the access request according to the preconfigured fields. Because different time identification fields use different formats, and the terminal devices that send the access requests may be in different time zones, the format of the time information may differ between requests; to keep the time information consistent, the acquired time information may be standardized to form the time identification.
Optionally, the acquired time information may be formatted according to a preset standard time unit (i.e. time granularity) to form a time identifier in the form of a digit sequence containing no other characters; for example, when the standard time unit is seconds, a millisecond timestamp is divided by 1000, and when the standard time unit is minutes, it is divided by 1000 and then by 60. For example, the time information acquired from the access request according to the event_time field may be 2017-05-01-10:00:00, and when the preset standard time unit is seconds, the time identifier formed by formatting it may be 20170501100000.
The attribute information is acquired in a similar way: attribute information identification fields such as request_str and source_ip may be preset, and each field in the access request is traversed according to these preset fields to acquire the attribute information {attribute information 1, attribute information 2, attribute information 3 … …, attribute information N}. Once the time identification and the attribute information have been acquired, they may be spliced together to form the access information (K), such as K = {time identification, attribute information 1, attribute information 2, attribute information 3 … …, attribute information N}.
And S2, sorting the access information based on the time identification to form a first sequence.
In the case where the access information has been constructed, the access information may be arranged based on the time identification to form a first sequence of access information arranged in time series. In implementation, an array (RS) of type Map<Long, Map<String, Long>> may be created in advance, and the acquired access information may be stored in it in time order, thereby forming the first sequence.
Since multiple access requests may be received at the same time, several pieces of access information may share the same time identification; in implementation, access information with the same time identification can be combined into one information unit. The first sequence then comprises a plurality of time nodes arranged in time order, each time node holding one information unit, which may contain one or more pieces of access information.
S3, a first fragment containing a plurality of access information is intercepted from the first sequence through a sliding time window.
The sliding time window can slide along the time sequence according to a preset sliding step length and window duration, and data are framed from the time sequence. That is, the data in the time sequence falling into the sliding time window is the data framed by the sliding time window when the sliding time window slides once according to the preset sliding step length.
In a specific embodiment, said intercepting, from said first sequence, a first fragment containing a plurality of access information by sliding a time window, comprises:
and circularly intercepting the first segment from the first sequence through the sliding time window according to a preset sliding step length, wherein the sliding step length is smaller than the window duration of the sliding time window.
The sliding step length is configured to be smaller than the window duration of the sliding time window, so that the intercepted first segments may overlap but every piece of access information in the first sequence is selected at least once. In practical application, the shorter the sliding step length, the higher the data selection density and the lower the possibility of missed detection. For example, when the standard time unit is seconds, the sliding step length may be configured as 1 second and the window duration as 60 seconds, as shown in FIG. 2, so that the access information under at least 60 time nodes is selected on each slide.
S4, analyzing attribute information of the access information in the first segment to identify similar access behaviors in the access behaviors identified by the access information, and determining the number of the similar access behaviors.
Similar access behaviors are access behaviors with similar attribute characteristics, such as access behaviors from the same source, access behaviors aimed at the same target port, access behaviors requesting the same operation, and so on. Since the attribute information generally comprises the source address, target port, request fields and the like, analyzing it identifies the data source, request object and requested operation of each access request; the analysis therefore reveals the similar access behaviors among those identified by the access information, and their number can be counted on that basis. It should be noted that the number of similar access behaviors refers to the number within the access behaviors identified by the access information in the first segment; similar access behaviors in different segments are not accumulated.
And S5, determining the similar access behaviors as abnormal access behaviors under the condition that the number of the similar access behaviors is larger than a first threshold.
The first threshold is the limit on the number of times the same kind of access behavior may occur within a certain time range before it constitutes abnormal access. When the number of similar access behaviors is larger than the first threshold, the same kind of access behavior has recurred within the time range more often than that limit, and the access behaviors are likely to be abnormal access behaviors such as brute-force cracking or illegal data acquisition.
According to the abnormal access behavior detection method, time identification and attribute information are extracted from historical access requests, access information is constructed based on the time identification and the attribute information, the access information is ordered in time sequence to form a first sequence, a sliding time window is used to intercept a first segment from the first sequence, the access behaviors identified by the access information in the first segment are analyzed based on the attribute information, the number of similar access behaviors is determined, and the similar access behaviors are determined to be abnormal access behaviors when that number is larger than a first threshold value. Because the sliding time window moves along the time sequence and the number of similar access behaviors within a specific time span is counted continuously, the method can accurately detect repeated abnormal access behaviors within a certain time range.
In some embodiments, the attribute information includes at least a source IP address; the analyzing the attribute information of the access information in the first segment to identify the same kind of access behavior in the access behaviors identified by the access information includes:
and analyzing attribute information of the access information in the first fragment to identify similar access behaviors with the same source IP address and determine the number of the similar access behaviors.
The source IP address identifies the requesting device that sent the access request, and access requests with the same source IP address were sent by the same requesting device. If the same requesting device repeatedly executes similar access requests within a certain time range, those requests are likely to be cracking actions or other illegal actions by lawbreakers. Thus, once the first segment is acquired, access information with the same source IP address can be identified in it, and the access behaviors identified by that access information are then analyzed based on the attribute information to identify the similar access behaviors among them, for example access behaviors that request the same operation.
In some embodiments, the analyzing the attribute information of the access information in the first segment to identify the same class of access behavior of the source IP address includes:
and identifying the access information with the same source IP address and the attribute information containing the user name and the password, and determining the access behavior identified by the access information as the similar access behavior.
Brute-force cracking, also called an exhaustive attack, is a method of repeatedly attempting personal account login operations by trial and error in order to crack a password or user name, and is one of the most common network attack behaviors. When the same requesting device repeatedly sends login requests within a certain time range, this may be brute-force cracking. The user name (username) and password (password) are necessary for a personal account login, so once the first segment is acquired, access information with the same source IP address can be identified in it, access information whose attribute information contains a username field and a password field can then be identified among that, and the access behaviors identified by this access information are determined to be similar access behaviors, thereby detecting brute-force cracking.
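As an added example (not code from the patent or its assignee), the following Python script implements steps S1 to S5 on a constructed set of historical access requests and applies the same-source-IP login embodiment just described: the event_time layout and the attribute field names dst_port, username and password are assumptions, and similarity is keyed by source IP over access information that carries both a username and a password.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumed formats and field names (the patent names only event_time, source_ip and
# request_str): the event_time layout follows the page's example "2017-05-01-10:00:00"
# and the standard time unit is seconds.
TIME_FMT = "%Y-%m-%d-%H:%M:%S"
TID_FMT = "%Y%m%d%H%M%S"  # digit-only time identifier, e.g. 20170501100000
ATTRIBUTE_FIELDS = ("source_ip", "dst_port", "request_str", "username", "password")


def time_identifier(event_time: str) -> int:
    """S1: standardise the event_time string into a digit sequence at second granularity."""
    return int(datetime.strptime(event_time, TIME_FMT).strftime(TID_FMT))


def tid_to_datetime(tid: int) -> datetime:
    return datetime.strptime(str(tid), TID_FMT)


def build_access_info(request: dict) -> tuple:
    """S1: splice the time identifier with the attribute values: K = (tid, attr1, ..., attrN)."""
    return (time_identifier(request["event_time"]),) + tuple(request.get(f) for f in ATTRIBUTE_FIELDS)


def build_first_sequence(requests: list) -> dict:
    """S2: RS = Map<tid, Map<access info, count>>, ordered by tid. Access information that
    shares a tid is merged into one information unit (the inner map)."""
    rs = defaultdict(Counter)
    for request in requests:
        k = build_access_info(request)
        rs[k[0]][k] += 1
    return dict(sorted(rs.items()))  # fixed-width digit tids sort chronologically


def sliding_segments(rs: dict, window_s: int = 60, step_s: int = 1):
    """S3: slide a window of window_s seconds along the first sequence in steps of step_s
    seconds; step < window, so segments overlap and no access information is skipped."""
    tids = list(rs)
    if not tids:
        return
    start, last = tid_to_datetime(tids[0]), tid_to_datetime(tids[-1])
    while start <= last:
        end = start + timedelta(seconds=window_s)
        yield [(k, n) for tid in tids if start <= tid_to_datetime(tid) < end
               for k, n in rs[tid].items()]
        start += timedelta(seconds=step_s)


def login_from_same_source(k: tuple):
    """Similarity key for the brute-force embodiment: login attempts (attribute information
    containing both a username and a password) grouped by source IP; None otherwise."""
    _tid, source_ip, _port, _req, username, password = k
    return source_ip if username is not None and password is not None else None


def count_similar(segment: list, key_fn) -> Counter:
    """S4: count similar access behaviours within one segment (never across segments)."""
    counts = Counter()
    for k, n in segment:
        key = key_fn(k)
        if key is not None:
            counts[key] += n
    return counts


def detect_abnormal(requests: list, key_fn, threshold: int, window_s: int = 60, step_s: int = 1) -> dict:
    """S1-S5: {similarity key: largest single-window count} for each class whose count in
    some window exceeds the first threshold."""
    flagged = {}
    for segment in sliding_segments(build_first_sequence(requests), window_s, step_s):
        for key, n in count_similar(segment, key_fn).items():
            if n > threshold:
                flagged[key] = max(n, flagged.get(key, 0))
    return flagged


def constructed_requests() -> list:
    """Constructed sample of historical access requests (not real traffic)."""
    reqs = [{"event_time": f"2017-05-01-10:00:{i:02d}", "source_ip": "10.0.0.5", "dst_port": 443,
             "request_str": "POST /login", "username": "alice", "password": f"guess{i}"}
            for i in range(7)]  # seven login attempts from one host within seven seconds
    reqs.append({"event_time": "2017-05-01-10:00:03", "source_ip": "10.0.0.9", "dst_port": 443,
                 "request_str": "POST /login", "username": "bob", "password": "pw"})
    reqs += [{"event_time": f"2017-05-01-10:00:{10 + i}", "source_ip": "10.0.0.9", "dst_port": 443,
              "request_str": "GET /index"} for i in range(3)]  # page views carry no credentials
    reqs.append({"event_time": "2017-05-01-10:02:30", "source_ip": "10.0.0.5", "dst_port": 443,
                 "request_str": "POST /login", "username": "alice", "password": "guess7"})
    return reqs


if __name__ == "__main__":
    print(detect_abnormal(constructed_requests(), login_from_same_source, threshold=5))
```

With a first threshold of 5 the seven attempts from 10.0.0.5 are flagged, while the single attempt at 10:02:30 falls into later windows and is counted on its own, since counts are never accumulated across segments.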
In some embodiments, the analyzing the attribute information of the access information in the first segment to identify homogeneous ones of the access behaviors identified by the access information and determining the number of homogeneous access behaviors includes:
performing cluster analysis on a plurality of access information in the first segment to obtain at least one cluster;
and determining the access behaviors identified by the access information in the same cluster as the similar access behaviors, and determining the quantity of the access information in the cluster.
In practice, many service systems are equipped with an online security protection system, and when the same requesting device repeatedly performs the same kind of operation, such as a login operation, within a short time, it is easily blocked by that system. To avoid being blocked, illegal personnel generally disguise their access requests when performing brute-force cracking or other illegal operations, for example by randomizing the source IP address.
In order to effectively identify abnormal access behavior from the disguised access request, after the first segment is acquired, a cluster analysis may be performed on the plurality of access information in the first segment to acquire at least one cluster. For example, in the case where the access information includes { time identification, attribute information 1, attribute information 2, attribute information 3 … … attribute information N }, the multidimensional feature data of the access information may be subjected to cluster analysis to obtain a plurality of clusters, the access behaviors identified by the access information located in the same cluster may be determined as the same class of access behaviors, and the number of the access behaviors in the cluster may be determined by determining the number of the access information in the cluster. Thus, the disguised abnormal access behavior can be effectively identified.
In order to effectively identify the disguised abnormal access behaviors, the machine learning model may be used to analyze the multiple access information in the first segment to determine the same kind of access information, and determine the access behaviors identified by the same kind of access information as the same kind of access behaviors. For example, access requests sent by malicious programs in a sandbox can be obtained, labels are added to the access requests, a training data set and a verification data set are built, the built machine learning model is trained based on the training data set, the machine learning model is verified through the verification data set, and when the recognition accuracy of similar access behaviors reaches a preset value, the machine learning model is determined to be trained to be complete. The access information may then be analyzed by a trained machine learning model. The machine learning model may be a decision tree, a neural network model, or other various types of machine learning models.
In some embodiments, the method further comprises:
and acquiring the access information identifying the abnormal access behavior as intelligence information.
That is, once abnormal access behavior has been determined to exist, the access information identifying it may be retained as intelligence information, which provides a basis for inferring abnormal network behavior, assessing network risk, building a security protection system, and so on.
In some embodiments, the method further comprises:
analyzing the intelligence information;
in the case where a plurality of the access information in the intelligence information has the same source IP address, the source IP address is added to a blacklist.
The intelligence information comprises the access information identifying abnormal access behaviors. When a plurality of that access information share the same source IP address, the terminal device using that source IP address has repeatedly performed abnormal access behaviors within a short time, and the source IP address can be added to the blacklist of a real-time security protection system, so that the system blocks access requests sent by that terminal device in real time and the protection level of the service system is raised.
In some embodiments, the method further comprises:
analyzing the intelligence information;
in case that a plurality of the access information in the intelligence information has the same target port, a security protection module is added at the target port of the electronic device.
Different ports of a service system generally provide different services, so the data that can be acquired through different ports differ, and the protection parameters of the security protection system are configured differently for each port. If a plurality of the access information in the intelligence information has the same target port, the abnormal access behaviors all point to that port, and a security protection module can be added at that target port of the electronic device to raise the protection level of the port.
Referring to fig. 3, the embodiment of the present application further provides an abnormal access behavior detection apparatus, including:
a first obtaining module 10, configured to extract a time identifier and attribute information from the obtained historical access request, and construct access information capable of uniquely identifying an access behavior corresponding to the historical access request based on the time identifier and the attribute information;
a ranking module 20, configured to rank the access information based on the time identifier, so as to form a first sequence;
a selection module 30, configured to intercept a first segment containing a plurality of access information from the first sequence through a sliding time window;
a first analysis module 40, configured to analyze attribute information of the access information in the first segment to identify similar access behaviors in the access behaviors identified by the access information, and determine the number of similar access behaviors;
a determining module 50, configured to determine that the similar access behaviors are abnormal access behaviors if the number of similar access behaviors is greater than a first threshold.
In some embodiments, the attribute information includes at least a source IP address; the first analysis module 40 is specifically configured to:
and analyzing attribute information of the access information in the first fragment to identify similar access behaviors with the same source IP address and determine the number of the similar access behaviors.
In some embodiments, the first analysis module 40 is specifically configured to:
and identifying the access information with the same source IP address and the attribute information containing the user name and the password, and determining the access behavior identified by the access information as the similar access behavior.
In some embodiments, the first analysis module 40 is specifically configured to:
performing cluster analysis on a plurality of access information in the first segment to obtain at least one cluster;
and determining the access behaviors identified by the access information in the same cluster as the similar access behaviors, and determining the quantity of the access information in the cluster.
In some embodiments, the selecting module 30 is specifically configured to:
circularly intercepting the first segment from the first sequence according to a preset sliding step length through the sliding time window; wherein the sliding step length is smaller than the window duration of the sliding time window.
In some embodiments, the apparatus further comprises:
and a second acquisition module, configured to acquire the access information identifying the abnormal access behavior as intelligence information.
In some embodiments, the apparatus further comprises a second analysis module, the second analysis module being specifically configured to:
analyzing the intelligence information;
in the case where a plurality of the access information in the intelligence information has the same source IP address, the source IP address is added to a blacklist.
In some embodiments, the apparatus further comprises a third analysis module, the third analysis module being specifically configured to:
analyzing the intelligence information;
in case that a plurality of the access information in the intelligence information has the same target port, a security protection module is added at the target port of the electronic device.
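The whole pipeline described in the method embodiments and the apparatus modules above (access information, time-sorted first sequence, overlapping sliding windows, same-class counting against a first threshold, then the blacklist and target-port decisions drawn from the intelligence information), as an added example that is not the patent's own code; the log line format, the two same-class criteria and every sample value are constructed assumptions.

```python
"""Sliding-window detection of same-class access behaviour: an added example
of the method above, not the patent's own code. The log line format and all
sample values are constructed: '<secs> <source ip> <target port> <user|-> <creds 0|1>'
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessInfo:
    ts: int          # time identifier
    src_ip: str      # attribute: source IP address
    dst_port: int    # attribute: target port
    user: str        # attribute: account named in the request ('-' if none)
    has_creds: bool  # attribute: request carries a username and password

def build_sequence(lines):
    """Extract access information and sort it by time (the 'first sequence')."""
    infos = []
    for line in lines:
        ts, ip, port, user, creds = line.split()
        infos.append(AccessInfo(int(ts), ip, int(port), user, creds == "1"))
    return sorted(infos, key=lambda a: a.ts)

def first_segments(seq, duration, step):
    """Cyclically cut 'first segments' out of the sequence with a sliding time
    window. step < duration makes consecutive windows overlap, so a burst
    straddling one window edge is still seen whole by the next window."""
    if step >= duration:
        raise ValueError("sliding step must be smaller than the window duration")
    if not seq:
        return
    start, last = seq[0].ts, seq[-1].ts
    while start <= last:
        yield [a for a in seq if start <= a.ts < start + duration]
        start += step

def by_source(a):   # same class: same source IP with credentials (claim 3)
    return (a.src_ip, a.has_creds)

def by_target(a):   # same class ignoring source IP: catches source-randomised bursts
    return (a.dst_port, a.user, a.has_creds)

def detect(lines, same_class, duration=60, step=30, threshold=5):
    """Return the access information identifying abnormal behaviour (the
    'intelligence information'). Overlapping windows cannot double-count,
    because each AccessInfo uniquely identifies one access behaviour."""
    intel = set()
    for seg in first_segments(build_sequence(lines), duration, step):
        clusters = defaultdict(list)
        for a in seg:
            clusters[same_class(a)].append(a)
        for members in clusters.values():
            if len(members) > threshold:      # first threshold exceeded
                intel.update(members)
    return intel

def derive_actions(intel, min_repeat=2):
    """Analyse the intelligence information: source IPs seen repeatedly go on the
    blacklist, target ports seen repeatedly get an extra protection module."""
    ips = Counter(a.src_ip for a in intel)
    ports = Counter(a.dst_port for a in intel)
    return ({ip for ip, n in ips.items() if n >= min_repeat},
            {p for p, n in ports.items() if n >= min_repeat})

# Constructed sample: background noise, one noisy source, one source-randomised burst.
SAMPLE_LOG = (
    ["10 198.51.100.7 443 - 0", "50 198.51.100.9 80 - 0", "130 198.51.100.7 443 alice 1"]
    + [f"{100 + i} 10.0.0.5 22 root 1" for i in range(8)]
    + [f"{200 + i} 192.0.2.{i} 443 admin 1" for i in range(8)]
    + ["250 198.51.100.9 80 - 0"]
)
```

With `by_source` only the single-IP burst is flagged; with `by_target` the source-randomised burst is flagged too, yet only the repeated source IP ends up on the blacklist, while both targeted ports are marked for extra protection.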
With reference to fig. 4, the embodiment of the present application further provides an electronic device, which at least includes a memory 102 and a processor 101, where a program is stored in the memory 102, and the processor 101 implements the active learning method for malicious document detection according to any one of the embodiments above when executing the program on the memory 102.
The embodiment of the application also provides a computer readable storage medium, wherein the computer readable storage medium stores computer executable instructions, and the active learning method for malicious document detection according to any embodiment is realized when the computer executable instructions in the computer readable storage medium are executed.
It will be appreciated by those skilled in the art that embodiments of the application may be provided as a method, an electronic device, a computer-readable storage medium, or a computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media having computer-usable program code embodied therein. When implemented in software, these functions may be stored on or transmitted over as one or more instructions or code on a computer-readable medium.
The processor may be a general purpose processor, a digital signal processor, an application-specific integrated circuit (ASIC), a programmable logic device (programmable logic device, PLD), or a combination thereof. The PLD may be a complex programmable logic device (complex programmable logic device, CPLD), a field-programmable gate array (field-programmable gate array, FPGA), general-purpose array logic (generic array logic, GAL) or any combination thereof. The general purpose processor may be a microprocessor or any conventional processor or the like.
The memory may include volatile memory in a computer-readable medium, Random Access Memory (RAM) and/or nonvolatile memory, such as Read Only Memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
The readable storage medium may be a magnetic disk, an optical disk, a DVD, a USB, a read-only memory (ROM), a random-access memory (RAM), etc., and the present application is not limited to a specific storage medium format.
The above embodiments are only exemplary embodiments of the present application and are not intended to limit the present application, the scope of which is defined by the claims. Various modifications and equivalent arrangements of this application will occur to those skilled in the art, and are intended to be within the spirit and scope of the application.

Claims (8)

1. An abnormal access behavior detection method, characterized by comprising:
extracting time identification and attribute information from the acquired historical access request, and constructing access information capable of uniquely identifying the access behavior corresponding to the historical access request based on the time identification and the attribute information;
sorting the access information based on the time identification to form a first sequence;
circularly intercepting a first segment containing a plurality of access information from the first sequence according to a preset sliding step length through a sliding time window; wherein the sliding step length is smaller than the window duration of the sliding time window;
analyzing attribute information of the access information in the first segment to identify similar access behaviors in the access behaviors identified by the access information and determine the number of the similar access behaviors;
determining that the same-class access behavior is an abnormal access behavior under the condition that the number of the same-class access behaviors is larger than a first threshold, wherein the abnormal access behavior comprises a brute-force cracking behavior;
wherein the analyzing the attribute information of the access information in the first segment to identify the similar access behaviors in the access behaviors identified by the access information, and determining the number of similar access behaviors includes:
performing cluster analysis on a plurality of access information in the first segment to obtain at least one cluster;
and determining the access behaviors identified by the access information in the same cluster as the similar access behaviors, and determining the quantity of the access information in the cluster.
2. The abnormal access behavior detection method according to claim 1, wherein the attribute information includes at least a source IP address; the analyzing the attribute information of the access information in the first segment to identify the same kind of access behavior in the access behaviors identified by the access information includes:
and analyzing attribute information of the access information in the first fragment to identify similar access behaviors with the same source IP address and determine the number of the similar access behaviors.
3. The method for detecting abnormal access behavior according to claim 2, wherein analyzing the attribute information of the plurality of access information in the first segment to identify the similar access behaviors having the same source IP address includes:
and identifying the access information with the same source IP address and the attribute information containing the user name and the password, and determining the access behavior identified by the access information as the similar access behavior.
4. The abnormal access behavior detection method according to claim 1, characterized in that the method further comprises:
and acquiring the access information identifying the abnormal access behavior as intelligence information.
5. The abnormal access behavior detection method according to claim 4, wherein the method further comprises:
analyzing the intelligence information;
in the case where a plurality of the access information in the intelligence information has the same source IP address, the source IP address is added to a blacklist.
6. The abnormal access behavior detection method according to claim 4, wherein the method further comprises:
analyzing the intelligence information;
in case that a plurality of the access information in the intelligence information has the same target port, a security protection module is added at the target port of the electronic device.
7. An abnormal access behavior detection apparatus, comprising:
the first acquisition module is used for extracting time identification and attribute information from the acquired historical access request and constructing access information capable of uniquely identifying the access behavior corresponding to the historical access request based on the time identification and the attribute information;
the ordering module is used for ordering the access information based on the time identification so as to form a first sequence;
the selecting module is used for circularly intercepting a first segment containing a plurality of access information from the first sequence according to a preset sliding step length through a sliding time window; wherein the sliding step length is smaller than the window duration of the sliding time window;
the first analysis module is used for analyzing attribute information of the access information in the first fragment to identify similar access behaviors in the access behaviors identified by the access information and determine the number of the similar access behaviors;
the determining module is used for determining the similar access behaviors as abnormal access behaviors under the condition that the number of the similar access behaviors is larger than a first threshold, wherein the abnormal access behaviors comprise brute-force cracking behaviors;
the first analysis module is specifically configured to:
performing cluster analysis on a plurality of access information in the first segment to obtain at least one cluster;
and determining the access behaviors identified by the access information in the same cluster as the similar access behaviors, and determining the quantity of the access information in the cluster.
8. An electronic device comprising at least a memory and a processor, the memory having a program stored thereon, characterized in that the processor, when executing the program on the memory, implements the method of any of claims 1-6.
CN202110842412.XA 2021-07-26 2021-07-26 Abnormal access behavior detection method and device and electronic equipment Active CN113535823B (en)
Publications (2)

Publication Number Publication Date
CN113535823A CN113535823A (en) 2021-10-22
CN113535823B true CN113535823B (en) 2023-11-10