CN107302547A - Web service anomaly detection method and device
- Publication number: CN107302547A
- Application number: CN201710720367.4A
- Authority: CN (China)
- Prior art keywords: feature vector, abnormal, logs, behavior, web service
- Legal status: Granted
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1425—Traffic logging, e.g. anomaly detection
Abstract
This application discloses a web service anomaly detection method, comprising: extracting multiple feature values of access behavior from HTTP logs and generating a feature vector; computing the anomaly index of the feature vector according to a pre-established anomaly detection algorithm model; determining whether the anomaly index exceeds a preset threshold range; and, if so, determining that the access behavior corresponding to the feature vector is abnormal. By extracting and analyzing feature values of the access records in HTTP logs, the application can detect abnormal behavior without relying on a rule base, and can therefore effectively improve the ability to detect abnormal behavior of unknown types. The application also discloses a web service anomaly detection device with the same beneficial effects.
Description
Technical field
The application relates to the field of information security, and in particular to a web service anomaly detection method and device.
Background
With the continuing development of information technology, web access plays an important role in applications across all industries in modern work and life.
However, unsafe factors in the network can cause various abnormal behaviors in a normally running business system: for example, important local file information is maliciously scanned by a network worm, the system is subjected to a brute-force attack by a malicious program, the system is accessed through a program that bypasses security controls (a backdoor), or security vulnerabilities appear. All of these are likely to cause larger failures and problems for the business system, with severe impact and losses. Anomaly detection is therefore extremely important for web services.
In the prior art, the detection of abnormal behavior in web access is mainly based on matching against rules extracted by security experts. The security experts extract rules from the web access behaviors currently known to have security problems, and the rules are then matched against the traffic packets or access logs of the web server: if an access behavior matches a rule, that access behavior has a security problem and is abnormal.
However, because the prior-art anomaly detection scheme can only extract rules from known abnormal behaviors, it can only detect known abnormal behaviors and cannot detect security problems that are not in the rule base. The detection capability of prior-art web service anomaly detection methods therefore needs improvement.
Summary of the invention
The purpose of the application is to provide a web service anomaly detection method and device that effectively improve the ability to detect abnormal behavior of unknown types in web access.
To solve the above technical problem, the application provides a web service anomaly detection method, comprising:
extracting multiple feature values of access behavior from HTTP logs and generating a feature vector;
computing the anomaly index of the feature vector according to a pre-established anomaly detection algorithm model;
determining whether the anomaly index exceeds a preset threshold range; and, if so, determining that the access behavior corresponding to the feature vector is abnormal.
Optionally, the feature values include any one or any combination of the following:
access time distribution feature values, request count metric feature values, server response byte-stream feature values, and transition probability feature values.
Optionally, extracting multiple feature values of access behavior from the HTTP logs and generating a feature vector comprises:
obtaining the HTTP logs;
grouping the HTTP logs by source IP;
slicing the grouped HTTP logs by a preset duration;
computing and extracting multiple feature values of the access behavior in each time slice, and generating the feature vector corresponding to the access behavior in that time slice.
Optionally, after obtaining the HTTP logs and before grouping the HTTP logs by source IP, the method further comprises:
filtering out log records in the original HTTP logs that are unrelated to access behavior or that interfere with anomaly detection.
Optionally, computing the anomaly index of the feature vector according to the pre-established anomaly detection algorithm model comprises:
computing the anomaly index of the feature vector according to a pre-established multivariate Gaussian distribution anomaly detection algorithm model or Isolation Forest anomaly detection algorithm model.
Optionally, after determining whether the anomaly index exceeds the preset threshold range and, if so, determining that the access behavior corresponding to the feature vector is abnormal, the method further comprises:
determining the anomaly type of the access behavior corresponding to the feature vector according to preset ranges of each feature value for the various kinds of abnormal behavior.
The application also provides a web service anomaly detection device, comprising:
an extraction module, configured to extract multiple feature values of access behavior from HTTP logs and generate a feature vector;
a detection module, configured to compute the anomaly index of the feature vector according to a pre-established anomaly detection algorithm model, determine whether the anomaly index exceeds a preset threshold range, and, if so, determine that the access behavior corresponding to the feature vector is abnormal.
Optionally, the extraction module is specifically configured to:
obtain the HTTP logs; group the HTTP logs by source IP; slice the grouped HTTP logs by a preset duration; and compute and extract multiple feature values of the access behavior in each time slice, generating the feature vector corresponding to the access behavior in that time slice.
Optionally, the extraction module is further configured to:
after obtaining the HTTP logs and before grouping the HTTP logs by source IP, filter out log records in the original HTTP logs that are unrelated to access behavior or that interfere with anomaly detection.
Optionally, the detection module is further configured to:
if the access behavior corresponding to the feature vector is abnormal, determine the anomaly type of the access behavior corresponding to the feature vector according to preset ranges of each feature value for the various kinds of abnormal behavior.
In the web service anomaly detection method provided by the application, multiple feature values of access behavior are extracted from HTTP logs and a feature vector is generated; the anomaly index of the feature vector is computed according to a pre-established anomaly detection algorithm model; and it is determined whether the anomaly index exceeds a preset threshold range. If so, the access behavior corresponding to the feature vector is determined to be abnormal.
Compared with the prior art, the web service anomaly detection method provided by the application detects abnormal behavior by analyzing the feature values of access behavior and computing and evaluating an anomaly index. The method is therefore based on feature analysis rather than rule matching, so it does not need to rely on a known rule base and can comprehensively detect all kinds of security problems, improving detection capability. The web service anomaly detection device provided by the application can implement the above web service anomaly detection method and has the same beneficial effects.
Brief description of the drawings
To explain the technical solutions in the embodiments of the application more clearly, the drawings used in describing the embodiments are briefly introduced below. The drawings described below cover only some embodiments of the application; a person skilled in the art can obtain other drawings from the drawings provided without creative effort, and those other drawings also fall within the protection scope of the application.
Fig. 1 is a flowchart of a web service anomaly detection method provided by an embodiment of the application;
Fig. 2 is a flowchart of another web service anomaly detection method provided by an embodiment of the application;
Fig. 3 is a structural block diagram of a web service anomaly detection device provided by an embodiment of the application;
Fig. 4 is an application architecture diagram of a web service anomaly detection device provided by an embodiment of the application.
Detailed description
To describe the technical solutions in the embodiments of the application more clearly and completely, they are introduced below with reference to the drawings in the embodiments. The described embodiments are only some embodiments of the application, not all of them. All other embodiments obtained by a person of ordinary skill in the art from the embodiments in the application without creative effort also fall within the protection scope of the application.
Referring to Fig. 1, Fig. 1 is a flowchart of a web service anomaly detection method provided by an embodiment of the application, which mainly comprises the following steps:
Step 101: Extract multiple feature values of access behavior from HTTP logs and generate a feature vector.
The web service anomaly detection method provided by the application is mainly based on analysis of the access data recorded in HTTP (Hypertext Transfer Protocol) logs.
HTTP, the Hypertext Transfer Protocol, is one of the most widely used network protocols on the Internet, and all web files comply with this protocol standard. HTTP logs record the session information for each access to the server by each IP user, including each session's source IP and source port, destination IP and destination port, session timestamp, session duration, request packet length, request method, response packet length, returned status code, and so on.
By analyzing and aggregating the session information of each session in the HTTP logs, the feature values of a web user's access behavior can be extracted and computed, and a feature vector can then be generated to represent the access features of that access behavior.
The feature values mentioned here can include any one or any combination of the following types: access time distribution feature values, request count metric feature values, server response byte-stream feature values, and transition probability feature values. The feature vector is the vector generated from these feature values; each value in the feature vector represents one feature of the user's access behavior.
Specifically, access time distribution feature values reflect the frequency and interval characteristics of the user's HTTP accesses; request count metric feature values describe the quantitative characteristics of the user's HTTP requests; server response byte-stream feature values describe the characteristics of the variation in the business content the user requests; and transition probability feature values describe the probability characteristics of page jumps, request method changes and response status code changes. Which feature values to use is left to those skilled in the art to select and set according to the actual situation; the embodiments of the application place no limitation on this.
Note that because access behavior is initiated by a source IP, that is, access behaviors are distinguished by source IP, the above feature values are all computed and analyzed over the access data of a single source IP. When feature values are extracted for the access behavior of multiple source IPs, the HTTP logs can therefore first be grouped by source IP, and the feature values then extracted for each group separately.
In addition, because the above feature values depend on the duration over which they are computed, the feature values of every source IP must describe access behavior over an equal duration in order to establish a unified web service anomaly detection criterion. Otherwise the feature values lose their statistical meaning.
Step 102: Compute the anomaly index of the feature vector according to a pre-established anomaly detection algorithm model.
The anomaly detection algorithm model mentioned here can be a multivariate Gaussian distribution anomaly detection algorithm model, or another anomaly detection algorithm model such as Isolation Forest, and is used to compute the anomaly index of the feature vector generated in step 101. The anomaly index, as the name suggests, is an indicator of whether the access behavior corresponding to the feature vector is abnormal; each algorithm has its own method of computing it. Which algorithm to use to compute the anomaly index is left to those skilled in the art to select and set; the embodiments of the application place no limitation on this.
Step 103: Determine whether the anomaly index exceeds a preset threshold range; if so, determine that the access behavior corresponding to the feature vector is abnormal.
If the anomaly index of a feature vector exceeds the preset threshold range, the access behavior represented by that feature vector is abnormal.
It can be seen that the web service anomaly detection method provided by the embodiments of the application analyzes the access information recorded in HTTP logs, extracts the feature values and feature vector of the user's access behavior, computes the anomaly index of the feature vector with an anomaly detection algorithm model, and determines whether the corresponding access behavior is abnormal by checking whether the anomaly index exceeds a preset threshold range. The web service anomaly detection method provided by the application is therefore based on feature analysis rather than rule matching, so it does not rely on a rule base built from known abnormal behaviors and can detect unknown abnormal behaviors, improving detection capability.
Referring to Fig. 2, which builds on the web service anomaly detection method shown in Fig. 1, Fig. 2 is a flowchart of another web service anomaly detection method provided by an embodiment of the application, which mainly comprises the following steps. For parts that are the same as or similar to Fig. 1, refer to the description of Fig. 1; they are not repeated here.
Step 201: Obtain the HTTP logs, and filter out log records in the HTTP logs that are unrelated to access behavior or that interfere with anomaly detection.
To make the extraction of access behavior feature values more efficient, the original HTTP logs can first be preprocessed. Records unrelated to access behavior can be filtered out, such as access log records whose destination IP does not belong to a web server. Records that interfere with anomaly detection can also be cleaned out, such as records whose field information is incomplete or incorrect, and log records whose accessed file type is an image, CSS, and the like.
Step 202: Group the HTTP logs by source IP.
Because every access behavior is initiated by a source IP, the source IP is an inherent attribute of an access behavior, and this information is very important for managing web security. Before feature values are computed and extracted, the source IP of the access behavior must therefore be established. Specifically, the HTTP logs preprocessed in step 201 can be grouped by source IP for use in the subsequent steps.
Step 203: Slice the grouped HTTP logs by a preset duration.
As noted above, the extracted feature values must describe access features over equal time periods; otherwise the feature values lose their meaning. At the same time, because logs usually contain a large number of records, taking a relatively small unit of time as the period also simplifies the computation to some extent and improves speed. To make it easier to compute feature values within the statistical period, the grouped HTTP logs can therefore be sliced by a preset duration before feature values are extracted. That is, the HTTP logs are cut by the preset duration into the HTTP logs of multiple time slices, so that the feature values in each time slice can be extracted to generate a feature vector. How long the preset duration should be is left to those skilled in the art to select and set; the embodiments of the application place no limitation on this.
Step 204: Compute and extract multiple feature values of the access behavior in each time slice, and generate the feature vector corresponding to the access behavior in that time slice.
The feature values of access behavior were introduced briefly above; each type of feature value is described in detail below by way of example.
(1) Access time distribution feature values.
Feature values of this type reflect the frequency and interval characteristics of the source IP's HTTP accesses, for example:
time_mean: the mean of the interval between adjacent access records of the source IP user within a given period, used to describe the frequency characteristics of the source IP user's access behavior.
time_std: the standard deviation of the interval between adjacent access records of the source IP user within a given period, used to describe the interval characteristics of the source IP user's access behavior.
(2) Request count metric feature values.
Feature values of this type describe the quantitative characteristics of the source IP user's HTTP requests, for example:
req_count: the total number of requests sent by the source IP user within a given period.
page_count: the number of distinct URIs (Uniform Resource Identifiers) accessed by the source IP user within a given period.
get_count: the number of requests the source IP user makes with the GET method within a given period. In the HTTP/1.1 protocol, GET together with POST, OPTIONS, HEAD, PUT, DELETE, TRACE and CONNECT are defined as the eight HTTP request methods, which indicate different ways of operating on resources on the server. Only the count feature value for one of these request methods is listed here; the request counts of one or more of the other request methods can of course also be counted, and those skilled in the art can derive the other specific feature values by analogy.
400_count: the number of response status codes beginning with 4 received within a given period, that is, the number of response status codes in the range 400~417. Status codes beginning with 4 indicate a request error: for example, response status code 403 means the server understood the request but refuses to execute it, 404 means the requested resource was not found on the server, and 405 means the request method specified in the request cannot be used for the requested resource. This feature value is therefore a useful guide for the web service anomaly detection problem the application addresses.
(3) Server response byte-stream feature values.
Feature values of this type describe the characteristics of the variation in the business content the source IP user requests, for example:
bytes_mean: the mean of the response byte counts of the HTTP access log records within a given period.
bytes_std: the standard deviation of the response byte counts of the HTTP access log records within a given period.
method_code_status: a count of the occurrences of each combination of request method and response status code. For example, (GET, 200) represents a request sent with the GET method that was answered successfully, where response status code 200 means the request succeeded and the requested resource is returned with the response status code.
(4) Transition probability feature values.
Feature values of this type describe the probabilities of page jumps, request method changes and response status code changes, for example:
prob_req_seq: the sequence transition probability of the URIs requested by the requests within a given period.
prob_method_seq: the sequence transition probability of the request methods of the requests within a given period.
prob_status_code_seq: the sequence transition probability of the response status codes of the requests within a given period.
Sequence transition probability is a concept from Markov chains: it is the probability of transitioning among n states according to a given state sequence. To compute it, first compute the transition probability between every two adjacent states in the sequence, then take the (n-1)-th root of the product of all the transition probabilities of the sequence; the result is the sequence transition probability.
For example, for prob_req_seq, if the sequence of URI pages accessed in a time slice is [a, b, c, a, b], the transition probability from page a to page b is 0.5, the transition probability from page b to page c is 0.6, and the transition probability from page c to page a is 0.8, then the final transition probability value of the above access sequence is
As another example, for prob_status_code_seq, if the response status codes of the HTTP access behavior in a time slice are, in order, [200, 200, 404, 200, 200], the transition probability from 200 to 200 is 0.8, the transition probability from 200 to 404 is 0.2, and the transition probability from 404 to 200 is 0.3, then the final transition probability value of the above status code sequence is
The transition probability is still a probability feature value, so its range is still between 0 and 1. The larger the transition probability, the more likely the sequence is normal, and vice versa.
Note that only some of the feature values of each type are listed above. The application includes but is not limited to the above; those skilled in the art can derive other feature values by analogy, and the application places no limitation on this. In addition, any feature value can be named arbitrarily; the names above are given only as examples, and the application places no limitation on this.
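Steps 201 to 204 and the feature names above, as an added example (not code from the patent). The log records, the record layout, the 60-second slice and the 404 -> 404 table entry are constructed; taking the root over the number of transitions (sequence length minus one) is an assumption about the (n-1) in the text, and the `floor` for unseen transitions is hypothetical.

```python
import math
import statistics
from collections import defaultdict

# Constructed sample records (not from the patent):
# (epoch_seconds, source_ip, method, uri, status, response_bytes)
SAMPLE_LOG = [
    (0,  "10.0.0.5", "GET",  "/index",     200, 5120),
    (20, "10.0.0.5", "GET",  "/style.css", 200, 900),    # static asset
    (30, "10.0.0.5", "POST", "/login",     200, 310),
    (75, "10.0.0.5", "GET",  "/home",      200, 7400),
    (2,  "10.0.0.9", "GET",  "/missing-1", 404, 180),
    (3,  "10.0.0.9", "GET",  "/missing-2", 404, 180),
    (4,  "10.0.0.9", "GET",  "/missing-3", 404, 180),
    (5,  "10.0.0.9", "GET",  "/index",     200, 5120),
    (6,  "10.0.0.9", None,   "/x",         None, None),  # incomplete record
]

# Status-code transition table: the three values used in the text, plus a
# constructed complement (404 -> 404) so that each row sums to 1.
STATUS_TRANS = {(200, 200): 0.8, (200, 404): 0.2,
                (404, 200): 0.3, (404, 404): 0.7}

STATIC_SUFFIXES = (".css", ".png", ".jpg", ".gif")


def keep(rec):
    """Step 201: drop incomplete records and image/CSS requests."""
    if any(field is None for field in rec):
        return False
    return not rec[3].lower().endswith(STATIC_SUFFIXES)


def slices_by_source(records, window):
    """Steps 202-203: group by source IP, then cut into equal time slices."""
    groups = defaultdict(list)
    for rec in sorted(filter(keep, records)):       # sorted by timestamp
        groups[(rec[1], rec[0] // window)].append(rec)
    return groups


def seq_transition_prob(seq, trans, floor=1e-6):
    """Geometric mean of the pairwise transition probabilities of seq.

    Assumption: the root is taken over the number of transitions. Unseen
    transitions get a small floor so one of them does not zero the product.
    """
    steps = list(zip(seq, seq[1:]))
    if not steps:
        return 1.0                                  # nothing to transition
    logs = [math.log(max(trans.get(s, 0.0), floor)) for s in steps]
    return math.exp(sum(logs) / len(steps))


def feature_vector(recs, status_trans):
    """Step 204: feature values for one source IP in one time slice."""
    times = [r[0] for r in recs]
    gaps = [b - a for a, b in zip(times, times[1:])]
    sizes = [r[5] for r in recs]
    return {
        "time_mean": statistics.fmean(gaps) if gaps else 0.0,
        "time_std": statistics.pstdev(gaps) if gaps else 0.0,
        "req_count": len(recs),
        "page_count": len({r[3] for r in recs}),
        "get_count": sum(r[2] == "GET" for r in recs),
        "400_count": sum(400 <= r[4] <= 417 for r in recs),
        "bytes_mean": statistics.fmean(sizes),
        "bytes_std": statistics.pstdev(sizes),
        "prob_status_code_seq": seq_transition_prob(
            [r[4] for r in recs], status_trans),
    }


def extract(records, window, status_trans):
    """Return {(source_ip, slice_index): feature dict}."""
    return {key: feature_vector(recs, status_trans)
            for key, recs in slices_by_source(records, window).items()}


if __name__ == "__main__":
    for key, vec in sorted(extract(SAMPLE_LOG, 60, STATUS_TRANS).items()):
        print(key, vec)
```

In the constructed log, the slice for 10.0.0.9 stands out on several features at once: one-second gaps, three 4xx responses out of four requests, and a lower status-code transition probability than the slices for 10.0.0.5.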
Step 205: Compute the anomaly index of the feature vector according to a pre-established anomaly detection algorithm model.
Step 206: Determine whether the anomaly index exceeds a preset threshold range; if so, the access behavior corresponding to the feature vector is abnormal.
Step 207: Determine the anomaly type of the access behavior corresponding to the feature vector according to preset ranges of each feature value for the various kinds of abnormal behavior.
When step 206 determines that the access behavior represented by the feature vector is abnormal, further analysis can be carried out to identify the specific type of the abnormal behavior. To identify the type of abnormal behavior accurately, each feature value in the feature vector needs to be analyzed. The threshold ranges that security expert knowledge defines for each feature value of each kind of abnormal behavior can be compared against the set of feature vectors detected as abnormal, thereby confirming the specific anomaly type of the abnormal behavior, such as malicious scanning, brute force, backdoor, vulnerability, and so on. If necessary, the HTTP log records corresponding to the feature vectors detected as abnormal can also be exported in order to learn more relevant information.
It can be seen that, building on the web service anomaly detection method shown in Fig. 1, the web service anomaly detection method provided by this embodiment can also determine the specific type of abnormal behavior according to security expert knowledge after abnormal behavior has been detected. The web service anomaly detection method provided by the application can therefore perform web service anomaly detection more quickly and effectively and identify the anomaly type clearly, greatly improving the user experience.
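Steps 205 to 207 as an added example (not code from the patent): a multivariate Gaussian is fitted to baseline feature vectors, and the squared Mahalanobis distance, which grows as the Gaussian density falls, is used as the anomaly index; the text does not fix the formula, so that choice is an assumption. The three-feature selection, baseline vectors, threshold and expert ranges are all constructed.

```python
import math

FEATURES = ["req_count", "page_count", "400_count"]

# Constructed baseline: feature vectors from time slices assumed normal.
BASELINE = [[12, 6, 0], [15, 7, 1], [9, 5, 0], [20, 9, 1],
            [14, 6, 0], [11, 6, 1], [17, 8, 0], [13, 7, 1]]
THRESHOLD = 16.0   # constructed preset threshold on the anomaly index

# Hypothetical expert-defined (low, high) ranges per anomaly type (step 207).
EXPERT_RANGES = {
    "malicious scan": {"page_count": (50, math.inf),
                       "400_count": (50, math.inf)},
    "brute force": {"req_count": (200, math.inf), "page_count": (0, 2)},
}


def fit_gaussian(vectors, ridge=1e-6):
    """Estimate the mean vector and full covariance matrix of the baseline."""
    n, d = len(vectors), len(vectors[0])
    mean = [sum(v[j] for v in vectors) / n for j in range(d)]
    cov = [[sum((v[i] - mean[i]) * (v[j] - mean[j]) for v in vectors) / n
            for j in range(d)] for i in range(d)]
    for i in range(d):
        cov[i][i] += ridge      # keeps the matrix invertible
    return mean, cov


def solve(a, b):
    """Solve a*x = b by Gaussian elimination with partial pivoting."""
    d = len(b)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for col in range(d):
        piv = max(range(col, d), key=lambda r: abs(m[r][col]))
        m[col], m[piv] = m[piv], m[col]
        for r in range(col + 1, d):
            f = m[r][col] / m[col][col]
            for c in range(col, d + 1):
                m[r][c] -= f * m[col][c]
    x = [0.0] * d
    for r in reversed(range(d)):
        tail = sum(m[r][c] * x[c] for c in range(r + 1, d))
        x[r] = (m[r][d] - tail) / m[r][r]
    return x


def anomaly_index(vec, mean, cov):
    """Squared Mahalanobis distance of vec from the fitted Gaussian."""
    diff = [x - mu for x, mu in zip(vec, mean)]
    return sum(di * yi for di, yi in zip(diff, solve(cov, diff)))


def detect(vec, model, threshold, ranges):
    """Steps 205-207: return (anomaly index, None | type label | 'unknown')."""
    score = anomaly_index(vec, *model)
    if score <= threshold:
        return score, None                      # within the threshold range
    named = dict(zip(FEATURES, vec))
    for label, bounds in ranges.items():
        if all(lo <= named[f] <= hi for f, (lo, hi) in bounds.items()):
            return score, label
    return score, "unknown"                     # abnormal, but no range fits


if __name__ == "__main__":
    model = fit_gaussian(BASELINE)
    for vec in ([14, 7, 0], [240, 230, 190], [400, 1, 3], [40, 6, 30]):
        print(vec, detect(vec, model, THRESHOLD, EXPERT_RANGES))
```

The last vector is flagged by the model although no expert range describes it, which is the case a rule base alone would miss.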
The web service exception detection means provided below the embodiment of the present application is introduced.Web industry described below
Being engaged in abnormal detector can be mutually to should refer to above-described web service exceptions detection method.
Referring to Fig. 3, Fig. 3 is a kind of structured flowchart of web service exceptions detection means provided herein;Including carrying
Modulus block 301 and detection module 302.
Extraction module 301 is mainly used in extracting the characteristic value that behavior is accessed in HTTP daily records, generates characteristic vector.
Specifically, extraction module 301 can be used for obtaining HTTP daily records;And filed HTTP daily records according to source IP;
Then slicing treatment is carried out according to preset duration to the HTTP daily records after filing;Calculate and extract and row is accessed in each time slicing
For multiple characteristic values, generation time slicing in the corresponding characteristic vector of access behavior.
Wherein, the characteristic value can include following any type characteristic value or any combination:Access time distribution characteristics
Value, request number of times metrology features value, server response word throttling characteristic value, transition probability characteristic value.And characteristic vector be then by
Each numerical value in the vector of foregoing characteristic value generation, this feature vector represents one of the user access activity
Feature.
The reflection of access time distribution characteristics value is that user accesses HTTP frequency and the feature at interval;Request number of times is measured
Described by characteristic value is the quantative attribute that user asks HTTP, and server response word throttling characteristic value describes user's request
Business change feature, transition probability characteristic value describe page jump, requesting method conversion and responsive state code change
The probability changed.For which characteristic value specifically used, those skilled in the art can voluntarily select according to actual use situation
And set, the embodiment of the present application is not defined to this.
In addition, extraction module 301 can be also used for after HTTP daily records are obtained, be returned HTTP daily records according to source IP
Before shelves, unrelated with access behavior in original HTTP daily records or interference abnormality detection log recording is filtered out, to a certain extent
The efficiency and accuracy of abnormality detection can be improved.
Detection module 302 is mainly used in, according to the Outlier Detection Algorithm model pre-established, calculating the characteristic vector
Abnormal index;And judge whether the abnormal index exceeds preset threshold range;If so, then judging corresponding to the characteristic vector
Access abnormal behavior.
Wherein, described Outlier Detection Algorithm model can be multivariate Gaussian abnormal distribution detection algorithm model, certainly
It can voluntarily be selected according to actual conditions for the Outlier Detection Algorithm models such as Isolation Forest, those skilled in the art
Select and set, the embodiment of the present application is not defined to this.
In addition, the detection module 302 may also be used, after the access behavior corresponding to the feature vector has been judged abnormal, to judge the anomaly type of that access behavior according to the preset ranges of each feature value for the various types of abnormal behavior.
Please refer to Fig. 4, which is an application architecture diagram of a web service anomaly detection device provided by the present application.
As shown in Fig. 4, the extraction module 301 performs feature value extraction on the HTTP access logs and generates multiple feature vectors (n in the figure). The detection module 302 then processes the feature vectors according to the anomaly detection algorithm model; if the calculated anomaly index exceeds the preset threshold range, an anomaly has been detected. The anomaly type is then further judged according to multiple items of security expert knowledge (n items in the figure), giving the anomaly type result.
It can be seen that the web service anomaly detection device provided by the present application extracts access behavior feature values from the records in the HTTP logs, calculates an anomaly index with the anomaly detection algorithm model, and thereby judges whether the access behavior is abnormal. Because the device does not need a rule base built from known abnormal behavior, it can detect unknown abnormal behavior, which raises the level of security detection. In addition, the device can use security expert knowledge to further judge the anomaly type of access behavior that has been detected as abnormal, which is convenient for the user.
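The detection module's flow, as an added example that is not code from the patent: a multivariate Gaussian is fitted to baseline feature vectors, the squared Mahalanobis distance serves as the anomaly index (the Gaussian density falls as it grows), and vectors over the threshold are typed against expert-defined feature ranges. The three features, the threshold of 16.0, the type names and their ranges are assumptions; the baseline vectors are constructed.

```python
import math

FEATURES = ("requests", "mean_interval_s", "status_change_rate")

# Constructed baseline: one feature vector per (source IP, time slice)
# of normal traffic.
BASELINE = [
    [30, 2.0, 0.10], [25, 2.4, 0.08], [35, 1.7, 0.12], [28, 2.1, 0.05],
    [32, 1.9, 0.15], [27, 2.2, 0.09], [31, 2.0, 0.11], [29, 2.1, 0.07],
]
THRESHOLD = 16.0  # assumed preset threshold on the anomaly index

# Hypothetical expert knowledge: feature value ranges for each anomaly type.
EXPERT_RANGES = {
    "automated scanning": {"requests": (200, math.inf),
                           "status_change_rate": (0.5, 1.0)},
    "bulk crawling": {"requests": (200, math.inf),
                      "status_change_rate": (0.0, 0.5)},
}


def invert(matrix):
    """Gauss-Jordan inverse with partial pivoting for a small square matrix."""
    d = len(matrix)
    aug = [row[:] + [float(i == j) for j in range(d)]
           for i, row in enumerate(matrix)]
    for col in range(d):
        pivot = max(range(col, d), key=lambda r: abs(aug[r][col]))
        aug[col], aug[pivot] = aug[pivot], aug[col]
        scale = aug[col][col]
        aug[col] = [v / scale for v in aug[col]]
        for r in range(d):
            if r != col:
                factor = aug[r][col]
                aug[r] = [v - factor * p for v, p in zip(aug[r], aug[col])]
    return [row[d:] for row in aug]


def fit(vectors, ridge=1e-6):
    """Estimate the mean and inverse covariance of the baseline vectors."""
    n, d = len(vectors), len(vectors[0])
    mean = [sum(v[j] for v in vectors) / n for j in range(d)]
    cov = [[sum((v[i] - mean[i]) * (v[j] - mean[j]) for v in vectors) / (n - 1)
            for j in range(d)] for i in range(d)]
    for i in range(d):
        cov[i][i] += ridge  # keeps the matrix invertible if features are collinear
    return mean, invert(cov)


def anomaly_index(x, model):
    """Squared Mahalanobis distance of x from the fitted Gaussian."""
    mean, inv_cov = model
    diff = [a - b for a, b in zip(x, mean)]
    return sum(diff[i] * inv_cov[i][j] * diff[j]
               for i in range(len(diff)) for j in range(len(diff)))


def anomaly_type(x):
    """First expert-defined type whose ranges all contain x's feature values."""
    values = dict(zip(FEATURES, x))
    for name, ranges in EXPERT_RANGES.items():
        if all(lo <= values[f] <= hi for f, (lo, hi) in ranges.items()):
            return name
    return "unclassified"


def detect(x, model, threshold=THRESHOLD):
    """Return (anomaly_index, is_abnormal, anomaly_type or None)."""
    index = anomaly_index(x, model)
    if index <= threshold:
        return index, False, None
    return index, True, anomaly_type(x)
```

Because the covariance captures how request count and interval move together in normal traffic, a vector can be flagged for breaking that relationship even when each value alone looks ordinary.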
The embodiments in this application are described in a progressive manner; each embodiment focuses on its differences from the others, and for the parts the embodiments have in common, they can be referred to one another. Because the device disclosed in the embodiments corresponds to the method disclosed in the embodiments, its description is relatively brief; for the relevant details, refer to the description of the method.
Professionals will further appreciate that the method steps described in connection with the embodiments disclosed herein can be implemented in electronic hardware, computer software, or a combination of the two. To illustrate the interchangeability of hardware and software clearly, the composition and steps of each example have been described above generally in terms of function. Whether these functions are performed in hardware or software depends on the specific application and design constraints of the technical solution. Skilled professionals may implement the described functions in different ways for each specific application, but such implementations should not be considered beyond the scope of this application.
The steps of the method or algorithm described in connection with the embodiments disclosed herein may be implemented directly in hardware, in a software module executed by a processor, or in a combination of the two. The software module may reside in random access memory (RAM), main memory, read-only memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, a hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the technical field.
The technical solution provided by this application has been described in detail above. Specific examples are used herein to explain the principle and embodiments of the application, and the description of the above embodiments is only intended to help in understanding the method of the application and its core idea. It should be pointed out that those of ordinary skill in the art can make improvements and modifications to this application without departing from its principle, and these improvements and modifications also fall within the scope of protection of the claims of this application.
Claims (10)
1. A web service anomaly detection method, characterized by comprising:
extracting multiple feature values of access behavior from HTTP logs and generating a feature vector;
calculating the anomaly index of the feature vector according to a pre-established anomaly detection algorithm model;
judging whether the anomaly index exceeds a preset threshold range; if so, judging that the access behavior corresponding to the feature vector is abnormal.
2. The web service anomaly detection method according to claim 1, characterized in that the feature values comprise any one or any combination of the following classes:
access time distribution feature values, request count metric feature values, server response byte stream feature values, transition probability feature values.
3. The web service anomaly detection method according to claim 1, characterized in that the extracting multiple feature values of access behavior from HTTP logs and generating a feature vector comprises:
obtaining the HTTP logs;
archiving the HTTP logs by source IP;
slicing the archived HTTP logs according to a preset duration;
calculating and extracting multiple feature values of the access behavior in each time slice, and generating the feature vector corresponding to the access behavior in the time slice.
4. The web service anomaly detection method according to claim 3, characterized in that, after the obtaining the HTTP logs and before the archiving the HTTP logs by source IP, the method further comprises:
filtering out log records in the original HTTP logs that are unrelated to access behavior or that interfere with anomaly detection.
5. The web service anomaly detection method according to any one of claims 1 to 4, characterized in that the calculating the anomaly index of the feature vector according to a pre-established anomaly detection algorithm model comprises:
calculating the anomaly index of the feature vector according to a pre-established multivariate Gaussian distribution anomaly detection algorithm model or Isolation Forest anomaly detection algorithm model.
6. The web service anomaly detection method according to claim 5, characterized in that, after the judging whether the anomaly index exceeds the preset threshold range and, if so, judging that the access behavior corresponding to the feature vector is abnormal, the method further comprises:
judging the anomaly type of the access behavior corresponding to the feature vector according to the preset ranges of each feature value for the various types of abnormal behavior.
7. A web service anomaly detection device, characterized by comprising:
an extraction module, used to extract multiple feature values of access behavior from HTTP logs and generate a feature vector;
a detection module, used to calculate the anomaly index of the feature vector according to a pre-established anomaly detection algorithm model, and to judge whether the anomaly index exceeds a preset threshold range; if so, to judge that the access behavior corresponding to the feature vector is abnormal.
8. The web service anomaly detection device according to claim 7, characterized in that the extraction module is specifically used to:
obtain the HTTP logs; archive the HTTP logs by source IP; slice the archived HTTP logs according to a preset duration; calculate and extract multiple feature values of the access behavior in each time slice, and generate the feature vector corresponding to the access behavior in the time slice.
9. The web service anomaly detection device according to claim 8, characterized in that the extraction module is further used to:
after the obtaining the HTTP logs and before the archiving the HTTP logs by source IP, filter out log records in the original HTTP logs that are unrelated to access behavior or that interfere with anomaly detection.
10. The web service anomaly detection device according to any one of claims 7 to 9, characterized in that the detection module is further used to:
if the access behavior corresponding to the feature vector is abnormal, judge the anomaly type of the access behavior corresponding to the feature vector according to the preset ranges of each feature value for the various types of abnormal behavior.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710720367.4A CN107302547B (en) | 2017-08-21 | 2017-08-21 | Web service anomaly detection method and device |
Publications (2)
Publication Number | Publication Date |
---|---|
CN107302547A | 2017-10-27 |
CN107302547B | 2021-07-02 |
Family
ID=60131997
Family Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710720367.4A Active CN107302547B (en) | 2017-08-21 | 2017-08-21 | Web service anomaly detection method and device |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN107302547B (en) |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
CB03 | Change of inventor or designer information | ||
Inventor after: Chen Ruiqin Inventor after: Liang Yu Inventor after: Wang Dawei Inventor after: Gu Liang Inventor before: Lu Yi |
|
GR01 | Patent grant | ||