CN107786542A - Malicious IP scoring method and device based on big-data intelligent analysis
Publication number: CN107786542A (application CN201710886569.6A)
Authority: CN (China)
Legal status: Pending (as listed by Google Patents; the listed status is an assumption, not a legal conclusion)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1425—Traffic logging, e.g. anomaly detection
- H04L63/1416—Event detection, e.g. attack signature detection
Abstract
The embodiments of the present invention provide a malicious IP scoring method and device based on big-data intelligent analysis, belonging to the field of data mining. The method obtains multiple target attack logs within a preset time period, analyses those logs to obtain the number of attack targets, the number of attack methods and the number of attack days of an IP within that period, and finally derives the malice degree of the IP from those three quantities. The malice degree so obtained can be used to dynamically update the malice degree of attacking IPs in a cloud protection product, quickly gives cloud protection a basis for deciding how long an attacking IP's access should be restricted, enables sharing of malicious IP intelligence, and can discover IPs that carry out potential continuing malicious attacks.
Description
Technical field
The present invention relates to the field of data mining, and in particular to a malicious IP scoring method and device based on big-data intelligent analysis.
Background
A cloud protection product accumulates massive access logs and attack logs every day. Although log analysis can tell which IPs are attacking IPs and which are normally accessing IPs, there is at present no good technical scheme for defining the degree of malice of an IP: the logs are analysed by senior security engineers, who finally rate each IP's malice degree qualitatively as high-risk, medium-risk or low-risk. This approach wastes manpower, is inefficient and responds slowly. Some IPs moreover carry out potential continuing attacks, so the prior art faces the problem of how to dig out such IPs and block them.
Summary of the invention
The malicious IP scoring method and device based on big-data intelligent analysis provided by the invention are intended to improve on the above technical problems.

A malicious IP scoring method based on big-data intelligent analysis provided by the invention includes: obtaining multiple target attack logs within a preset time period; obtaining, based on the multiple target attack logs, the number of attack targets, the number of attack methods and the number of attack days of the IP; and obtaining the malice degree corresponding to the IP based on the number of attack targets, the number of attack methods and the number of attack days.

Preferably, obtaining the malice degree corresponding to the IP based on the number of attack targets, the number of attack methods and the number of attack days includes: obtaining a first malice degree corresponding to the number of attack targets, a second malice degree corresponding to the number of attack methods and a third malice degree corresponding to the number of attack days; obtaining an overall score from the first, second and third malice degrees; and obtaining the malice degree corresponding to the overall score.

Preferably, the overall score satisfies $C = \lambda_{\text{domains}} C_{\text{domains}} + \lambda_{\text{ruleIds}} C_{\text{ruleIds}} + \lambda_{\text{days}} C_{\text{days}}$, where $C$ is the overall score, $\lambda_{\text{domains}}$ is the first weight, $\lambda_{\text{ruleIds}}$ is the second weight and $\lambda_{\text{days}}$ is the third weight, the three weights summing to 1; $C_{\text{domains}}$ is the first malice degree of the IP on the number of attack targets, $C_{\text{ruleIds}}$ is the second malice degree of the IP on the number of attack methods and $C_{\text{days}}$ is the third malice degree of the IP on the number of attack days; and $C_{\text{domains}}$, $C_{\text{ruleIds}}$ and $C_{\text{days}}$ are each greater than or equal to zero and less than or equal to 1.

Preferably, obtaining multiple target attack logs within a preset time period includes: collecting multiple attack logs of accesses by the IP corresponding to a user within the preset time period; filtering crawler attack records out of each attack log; and taking the filtered attack logs as the multiple target attack logs.

Preferably, before obtaining the number of attack targets, the number of attack methods and the number of attack days of the IP based on the multiple target attack logs, the method further includes pre-processing the target attack logs.
A malicious IP scoring device based on big-data intelligent analysis provided by the invention includes: a data acquisition unit for obtaining multiple target attack logs within a preset time period; a data processing unit for obtaining, based on the multiple target attack logs, the number of attack targets, the number of attack methods and the number of attack days of the IP; and a scoring unit for obtaining the malice degree corresponding to the IP based on the number of attack targets, the number of attack methods and the number of attack days.

Preferably, the scoring unit is specifically used to: obtain a first malice degree corresponding to the number of attack targets, a second malice degree corresponding to the number of attack methods and a third malice degree corresponding to the number of attack days; obtain an overall score from the first, second and third malice degrees; and obtain the malice degree corresponding to the overall score.

Preferably, the overall score satisfies $C = \lambda_{\text{domains}} C_{\text{domains}} + \lambda_{\text{ruleIds}} C_{\text{ruleIds}} + \lambda_{\text{days}} C_{\text{days}}$, where $C$ is the overall score, $\lambda_{\text{domains}}$ is the first weight, $\lambda_{\text{ruleIds}}$ is the second weight and $\lambda_{\text{days}}$ is the third weight, the three weights summing to 1; $C_{\text{domains}}$ is the first malice degree of the IP on the number of attack targets, $C_{\text{ruleIds}}$ is the second malice degree of the IP on the number of attack methods and $C_{\text{days}}$ is the third malice degree of the IP on the number of attack days; and $C_{\text{domains}}$, $C_{\text{ruleIds}}$ and $C_{\text{days}}$ are each greater than or equal to zero and less than or equal to 1.

Preferably, the data acquisition unit is specifically used to: collect multiple attack logs of accesses by the IP corresponding to a user within the preset time period; filter crawler attack records out of each attack log; and take the filtered attack logs as the multiple target attack logs.

Preferably, the device further includes, before the data processing unit, a data pre-processing unit for pre-processing the target attack logs.
The malicious IP scoring method and device based on big-data intelligent analysis provided by the invention obtain multiple target attack logs within a preset time period, analyse those logs to obtain the number of attack targets, the number of attack methods and the number of attack days of the IP within the period, and finally derive the malice degree corresponding to the IP from those three quantities. The malice degree so obtained can be used to dynamically update the malice degree of attacking IPs in cloud protection, quickly gives cloud protection a basis for deciding how long an attacking IP's access should be restricted, enables sharing of malicious IP intelligence, and can discover IPs that carry out potential continuing malicious attacks.
Brief description of the drawings
To illustrate the technical solutions of the embodiments of the present invention more clearly, the drawings needed for the embodiments are briefly described below. It should be understood that the following drawings show only certain embodiments of the present invention and are therefore not to be regarded as limiting its scope; those of ordinary skill in the art can obtain other related drawings from them without creative effort.
Fig. 1 is a structural block diagram of an electronic device provided in an embodiment of the present invention;
Fig. 2 is a flow chart of the malicious IP scoring method based on big-data intelligent analysis provided by the first embodiment of the invention;
Fig. 3 is a flow chart of the malicious IP scoring method based on big-data intelligent analysis provided by the second embodiment of the invention;
Fig. 4 is a functional block diagram of the malicious IP scoring device based on big-data intelligent analysis provided by the third embodiment of the invention;
Fig. 5 is a functional block diagram of the malicious IP scoring device based on big-data intelligent analysis provided by the fourth embodiment of the invention.
Embodiments
To make the purpose, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the accompanying drawings. The described embodiments are obviously only some of the embodiments of the present invention, not all of them. Accordingly, the following detailed description of the embodiments provided in the drawings is not intended to limit the scope of the claimed invention but merely represents selected embodiments of it. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort fall within the scope of protection of the invention.
Fig. 1 shows a structural block diagram of an electronic device provided in an embodiment of the present invention. The electronic device 300 includes the malicious IP scoring device based on big-data intelligent analysis, a memory 302, a storage controller 303, a processor 304 and a peripheral interface 305.

The memory 302, storage controller 303, processor 304 and peripheral interface 305 are electrically connected to one another, directly or indirectly, so as to transmit or exchange data; for example, they may be connected through one or more communication buses or signal lines. The scoring device includes at least one software function module that is stored in the memory 302, or solidified in the operating system (OS) of the electronic device 300, in the form of software or firmware. The processor 304 executes the executable modules stored in the memory 302, such as the software function modules or computer programs that the scoring device comprises.

The memory 302 may be, but is not limited to, random access memory (RAM), read-only memory (ROM), programmable read-only memory (PROM), erasable programmable read-only memory (EPROM) or electrically erasable programmable read-only memory (EEPROM). The memory 302 stores the program, and the processor 304 executes it after receiving an execution instruction; the method performed by the server 100 as defined by the stream processing disclosed in any of the foregoing embodiments may be applied in, or implemented by, the processor 304.

The processor 304 may be an integrated circuit chip with signal processing capability. It may be a general-purpose processor, including a central processing unit (CPU) or a network processor (NP); it may also be a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or another programmable logic device, discrete gate or transistor logic, or a discrete hardware component, capable of implementing or executing the methods, steps and logic block diagrams disclosed in the embodiments of the present invention. A general-purpose processor may be a microprocessor or any conventional processor.

The peripheral interface 305 couples various input/output devices to the processor 304 and the memory 302. In some embodiments the peripheral interface 305, processor 304 and storage controller 303 may be implemented in a single chip; in other examples they may be implemented as separate chips.
Referring to Fig. 2, a flow chart of the malicious IP scoring method based on big-data intelligent analysis provided by the first embodiment of the invention. The specific flow shown in Fig. 2 is described in detail below.

Step S101: obtain multiple target attack logs within a preset time period.

The preset time period may be one week or one month; the specific period may be chosen according to the situation and is not particularly limited here.

A target attack log is the attack log recorded for a user's accesses after they have passed through the cloud protection platform and been cleaned by its access policy.

As one embodiment, multiple attack logs of accesses by the IP corresponding to a user within the preset time period are collected; crawler attack records are filtered out of each attack log; and the filtered attack logs are taken as the multiple target attack logs. Filtering crawler attack records means first identifying the crawler records in the attack logs, for example by obtaining the specific attack records that crawlers produce and treating records that match them as crawler records, so that the crawler attack records in the attack logs can be filtered out.

In this embodiment, the multiple target attack logs are preferably stored after collection, for example in Elasticsearch.
Step S102: based on the multiple target attack logs, obtain the number of attack targets, the number of attack methods and the number of attack days of the IP.

The number of attack targets is the total number of all attack targets within the preset time period. The number of attack methods is the total number of all attack methods within the preset time period. The number of attack days is the total number of days on which attacks occurred within the preset time period.

Step S103: based on the number of attack targets, the number of attack methods and the number of attack days, obtain the malice degree corresponding to the IP.

The malice degree is the degree of malice of the attacks carried out by the IP.

As one embodiment, a first malice degree corresponding to the number of attack targets, a second malice degree corresponding to the number of attack methods and a third malice degree corresponding to the number of attack days are obtained; an overall score of the first, second and third malice degrees is obtained; and the malice degree corresponding to the overall score is obtained.

The overall score satisfies $C = \lambda_{\text{domains}} C_{\text{domains}} + \lambda_{\text{ruleIds}} C_{\text{ruleIds}} + \lambda_{\text{days}} C_{\text{days}}$, where $C$ is the overall score, $\lambda_{\text{domains}}$ is the first weight, $\lambda_{\text{ruleIds}}$ is the second weight and $\lambda_{\text{days}}$ is the third weight, the three weights summing to 1; $C_{\text{domains}}$ is the first malice degree of the IP on the number of attack targets, $C_{\text{ruleIds}}$ is the second malice degree of the IP on the number of attack methods and $C_{\text{days}}$ is the third malice degree of the IP on the number of attack days; and $C_{\text{domains}}$, $C_{\text{ruleIds}}$ and $C_{\text{days}}$ are each greater than or equal to zero and less than or equal to 1. That is, $C_{\text{domains}}$, $C_{\text{ruleIds}}$ and $C_{\text{days}}$ satisfy $\{C_x \mid C_x \in [0, 1]\}$, where the subscript $x$ denotes each dimension.
As one embodiment, $C_{\text{domains}}$ may be obtained by regression fitting on pre-collected samples with the data structure $(x, C_{1i})$ to obtain a function $f_1(x)$, with $C_{\text{domains}} = f_1(x)$, where $C_{1i}$ is greater than or equal to zero and less than or equal to 1.

$C_{\text{days}}$ may likewise be obtained by regression fitting on pre-collected samples with the data structure $(x, C_{2i})$ to obtain a function $f_2(x)$, i.e. $C_{\text{days}} = f_2(x)$, where $C_{2i}$ is greater than or equal to zero and less than or equal to 1.

In this embodiment, $C_{\text{ruleIds}}$ may be obtained from a mapping function $f(r)$ learned from pre-collected samples, i.e. $C_{\text{ruleIds}} = f(r)$, where $r$ is the tuple of attack methods, with a structure such as $(0001, 0011, \ldots)$.

In this embodiment, the length of $r$ may be 10, 15 or 20; preferably the length of $r$ is 15.

Because different attack methods differ in severity, this factor is taken into account when calculating $C_{\text{ruleIds}}$: the attack methods are given different weight mappings, and $f(r)$ is then used to obtain the final value.

As another embodiment, $C_{\text{domains}}$ can be obtained without function fitting: the attack targets are read directly from the target attack logs and summed to obtain the number of attack targets within the preset time period, which is then divided by a preset value, for example $C_{\text{domains}} = \text{domains}/b$, where domains is the number of attack targets and $b$ is a preset value chosen according to the situation, for example 100 or 200, and not particularly limited here.

$C_{\text{days}}$ can likewise be obtained without function fitting, for example $C_{\text{days}} = \text{days}/n$, where days is the number of days of continuing attack and $n$ is the preset time period.

In this embodiment, as one implementation, $\lambda_{\text{domains}}$, $\lambda_{\text{ruleIds}}$ and $\lambda_{\text{days}}$ may be obtained by training a model with the linear regression algorithm of machine learning on pre-collected samples with the data structure $(C_{\text{domains}}, C_{\text{days}}, C_{\text{ruleIds}}, C_i)$.

As another implementation, $\lambda_{\text{domains}}$, $\lambda_{\text{ruleIds}}$ and $\lambda_{\text{days}}$ may be preset to fixed values, for example $\lambda_{\text{domains}} : \lambda_{\text{ruleIds}} : \lambda_{\text{days}} = 4:2:4$, or $\lambda_{\text{domains}} : \lambda_{\text{ruleIds}} : \lambda_{\text{days}} = 4:3:3$; this is not particularly limited here.

In this embodiment, besides calculating the malice degree of the attacks of a user's IP from $C_{\text{ruleIds}}$, $C_{\text{domains}}$ and $C_{\text{days}}$, other dimensions such as geographical location (country or region) may also be added; this is not particularly limited here.
Referring to Fig. 3, a flow chart of the malicious IP scoring method based on big-data intelligent analysis provided by the second embodiment of the invention. The specific flow shown in Fig. 3 is described in detail below.

Step S201: obtain multiple target attack logs within a preset time period.

For the implementation of step S201 refer to the corresponding step of the first embodiment; it is not repeated here.

Step S202: pre-process the target attack logs.

As one embodiment, within the preset time period and with the day as the unit, the number of times each user IP triggers the website attack rules is counted, producing multiple records in a target data structure that subsequent steps can use to speed up computation. The target data structure is (IP, day, ruleId, domain, count), where ruleId is the triggered rule and count is the number of times that ruleId was triggered on that day.

In this embodiment, IP denotes an IP address (Internet Protocol address).

In this embodiment, pre-processing the target attack logs in this way effectively speeds up the computation.

Step S203: based on the multiple target attack logs, obtain the number of attack targets, the number of attack methods and the number of attack days of the IP.

Step S204: based on the number of attack targets, the number of attack methods and the number of attack days, obtain the malice degree corresponding to the IP.

For the implementation of steps S203 and S204 refer to the corresponding steps of the first embodiment; they are not repeated here.
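The first and second embodiments above, worked through end to end as an added Python example (this is not the patent's own code): crawler filtering, aggregation into the (IP, day, ruleId, domain, count) structure, the 15-position rule vector r, C_domains = domains/b, C_days = days/n and the fixed 4:2:4 weights. The log line format, the crawler user-agent markers, the per-rule severity weights behind f(r), the choice b = 100 and the high/medium/low thresholds are assumptions.

```python
"""Added example (not the patent's own code): score the malice degree of each
IP from attack logs following the first and second embodiments above."""
from collections import defaultdict
from datetime import date

# Constructed attack log lines (assumed format): timestamp, client IP,
# attacked domain, triggered rule id, user agent.
SAMPLE_LOGS = [
    "2017-09-01T03:12:44Z 198.51.100.7 shop.example.com 3 Mozilla/5.0",
    "2017-09-01T03:12:45Z 198.51.100.7 shop.example.com 3 Mozilla/5.0",
    "2017-09-01T07:40:01Z 198.51.100.7 api.example.com 11 Mozilla/5.0",
    "2017-09-03T22:01:10Z 198.51.100.7 blog.example.org 7 curl/7.54",
    "2017-09-05T10:00:00Z 198.51.100.7 shop.example.com 3 Mozilla/5.0",
    "2017-09-02T12:00:00Z 203.0.113.9 shop.example.com 3 Googlebot/2.1",
    "2017-09-02T12:00:05Z 203.0.113.9 shop.example.com 7 Googlebot/2.1",
    "2017-09-04T09:30:00Z 203.0.113.9 blog.example.org 3 curl/7.54",
]

# Assumption: crawler attack records are recognised by user-agent substrings.
CRAWLER_MARKERS = ("Googlebot", "bingbot", "Baiduspider")

# r is a fixed-length 0/1 vector over rule ids (the text prefers length 15).
# f(r) weights rules by severity; these weights are assumed, unlisted ids = 1.0.
RULE_VECTOR_LEN = 15
RULE_WEIGHTS = {3: 1.0, 7: 3.0, 11: 5.0}
DEFAULT_WEIGHT = 1.0

# Fixed weights in the 4:2:4 ratio from the text; they sum to 1.
LAMBDA_DOMAINS, LAMBDA_RULEIDS, LAMBDA_DAYS = 0.4, 0.2, 0.4
B_DOMAINS = 100  # preset divisor b for C_domains (the text suggests 100 or 200)


def parse_line(line):
    ts, ip, domain, rule_id, ua = line.split(" ", 4)
    return {"day": date.fromisoformat(ts[:10]), "ip": ip, "domain": domain,
            "rule_id": int(rule_id), "ua": ua}


def is_crawler(record):
    return any(marker in record["ua"] for marker in CRAWLER_MARKERS)


def preprocess(lines):
    """Steps S101/S202: drop crawler records, then aggregate per-day rule
    triggers into the target data structure (IP, day, ruleId, domain, count)."""
    counts = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if is_crawler(rec):
            continue
        counts[(rec["ip"], rec["day"], rec["rule_id"], rec["domain"])] += 1
    return [(ip, day, rid, dom, n) for (ip, day, rid, dom), n in counts.items()]


def rule_vector(rule_ids):
    """Build r as a 0/1 vector indexed by rule id, e.g. (0001, 0011, ...)."""
    r = [0] * RULE_VECTOR_LEN
    for rid in rule_ids:
        if 0 <= rid < RULE_VECTOR_LEN:
            r[rid] = 1
    return r


def c_ruleids(r):
    """f(r): severity-weighted share of the rule space that fired, in [0, 1]."""
    def weight(i):
        return RULE_WEIGHTS.get(i, DEFAULT_WEIGHT)
    total = sum(weight(i) for i in range(RULE_VECTOR_LEN))
    fired = sum(weight(i) for i, bit in enumerate(r) if bit)
    return fired / total


def malice_level(c):
    """Map the overall score C to the high/medium/low labels of the text.
    The thresholds are assumed."""
    if c >= 0.5:
        return "high"
    if c >= 0.25:
        return "medium"
    return "low"


def score_ips(lines, period_days):
    """Steps S102/S103: per-IP C_domains, C_ruleIds, C_days and the total C."""
    per_ip = defaultdict(lambda: {"domains": set(), "rules": set(), "days": set()})
    for ip, day, rid, dom, _count in preprocess(lines):
        per_ip[ip]["domains"].add(dom)
        per_ip[ip]["rules"].add(rid)
        per_ip[ip]["days"].add(day)
    scores = {}
    for ip, d in per_ip.items():
        c_dom = min(1.0, len(d["domains"]) / B_DOMAINS)   # C_domains = domains / b
        c_rul = c_ruleids(rule_vector(d["rules"]))        # C_ruleIds = f(r)
        c_day = min(1.0, len(d["days"]) / period_days)    # C_days = days / n
        c = LAMBDA_DOMAINS * c_dom + LAMBDA_RULEIDS * c_rul + LAMBDA_DAYS * c_day
        scores[ip] = {"C_domains": c_dom, "C_ruleIds": c_rul, "C_days": c_day,
                      "C": round(c, 4), "level": malice_level(c)}
    return scores


if __name__ == "__main__":
    for ip, s in sorted(score_ips(SAMPLE_LOGS, period_days=7).items()):
        print(ip, s)
```

With the weights and thresholds above, the first constructed IP (three targets, three rules, three of seven days) lands at C = 0.2691 ("medium") while the second, whose crawler records are filtered away, scores "low".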
Referring to Fig. 4, a functional block diagram of the malicious IP scoring device based on big-data intelligent analysis provided by the third embodiment of the invention. The scoring device 400 includes a data acquisition unit 410, a data processing unit 420 and a scoring unit 430.

The data acquisition unit 410 is used to obtain multiple target attack logs within a preset time period. Specifically, the data acquisition unit 410 collects multiple attack logs of accesses by the IP corresponding to a user within the preset time period, filters crawler attack records out of each attack log, and takes the filtered attack logs as the multiple target attack logs.

The data processing unit 420 is used to obtain, based on the multiple target attack logs, the number of attack targets, the number of attack methods and the number of attack days of the IP.

The scoring unit 430 is used to obtain the malice degree corresponding to the IP based on the number of attack targets, the number of attack methods and the number of attack days. Specifically, the scoring unit 430 obtains a first malice degree corresponding to the number of attack targets, a second malice degree corresponding to the number of attack methods and a third malice degree corresponding to the number of attack days; obtains an overall score of the first, second and third malice degrees; and obtains the malice degree corresponding to the overall score.

The overall score satisfies $C = \lambda_{\text{domains}} C_{\text{domains}} + \lambda_{\text{ruleIds}} C_{\text{ruleIds}} + \lambda_{\text{days}} C_{\text{days}}$, where $C$ is the overall score, $\lambda_{\text{domains}}$ is the first weight, $\lambda_{\text{ruleIds}}$ is the second weight and $\lambda_{\text{days}}$ is the third weight, the three weights summing to 1; $C_{\text{domains}}$ is the first malice degree of the IP on the number of attack targets, $C_{\text{ruleIds}}$ is the second malice degree of the IP on the number of attack methods and $C_{\text{days}}$ is the third malice degree of the IP on the number of attack days; and $C_{\text{domains}}$, $C_{\text{ruleIds}}$ and $C_{\text{days}}$ are each greater than or equal to zero and less than or equal to 1.
Referring to Fig. 5, a functional block diagram of the malicious IP scoring device based on big-data intelligent analysis provided by the fourth embodiment of the invention. The scoring device 500 includes a data acquisition unit 510, a data pre-processing unit 520, a data processing unit 530 and a scoring unit 540.

The data acquisition unit 510 is used to obtain multiple target attack logs within a preset time period. Specifically, the data acquisition unit 510 collects multiple attack logs of accesses by the IP corresponding to a user within the preset time period, filters crawler attack records out of each attack log, and takes the filtered attack logs as the multiple target attack logs.

The data pre-processing unit 520 is used to pre-process the target attack logs.

The data processing unit 530 is used to obtain, based on the multiple target attack logs, the number of attack targets, the number of attack methods and the number of attack days of the IP.

The scoring unit 540 is used to obtain the malice degree corresponding to the IP based on the number of attack targets, the number of attack methods and the number of attack days. Specifically, the scoring unit 540 obtains a first malice degree corresponding to the number of attack targets, a second malice degree corresponding to the number of attack methods and a third malice degree corresponding to the number of attack days; obtains an overall score of the first, second and third malice degrees; and obtains the malice degree corresponding to the overall score.

The overall score satisfies $C = \lambda_{\text{domains}} C_{\text{domains}} + \lambda_{\text{ruleIds}} C_{\text{ruleIds}} + \lambda_{\text{days}} C_{\text{days}}$, where $C$ is the overall score, $\lambda_{\text{domains}}$ is the first weight, $\lambda_{\text{ruleIds}}$ is the second weight and $\lambda_{\text{days}}$ is the third weight, the three weights summing to 1; $C_{\text{domains}}$ is the first malice degree of the IP on the number of attack targets, $C_{\text{ruleIds}}$ is the second malice degree of the IP on the number of attack methods and $C_{\text{days}}$ is the third malice degree of the IP on the number of attack days; and $C_{\text{domains}}$, $C_{\text{ruleIds}}$ and $C_{\text{days}}$ are each greater than or equal to zero and less than or equal to 1.
In summary, the malicious IP scoring method and device based on big-data intelligent analysis provided by the invention obtain multiple target attack logs within a preset time period, analyse those logs to obtain the number of attack targets, the number of attack methods and the number of attack days of the IP within the period, and finally derive the malice degree corresponding to the IP from those three quantities. The malice degree so obtained can be used to dynamically update the malice degree of attacking IPs in cloud protection, quickly gives cloud protection a basis for deciding how long an attacking IP's access should be restricted, enables sharing of malicious IP intelligence, and can discover IPs that carry out potential continuing malicious attacks.
In the several embodiments provided herein, it should be understood that the disclosed devices and methods may also be implemented in other ways. The device embodiments described above are merely schematic; for example, the flow charts and block diagrams in the drawings show the possible architecture, functions and operation of devices, methods and computer program products according to multiple embodiments of the present invention. Each block in a flow chart or block diagram may represent a module, program segment or part of code that contains one or more executable instructions for implementing the specified logic function. It should also be noted that in some alternative implementations the functions marked in the blocks may occur in an order different from that marked in the drawings; for example, two consecutive blocks may in fact be executed substantially in parallel, or sometimes in the reverse order, depending on the functions involved. It should also be noted that each block of the block diagrams and/or flow charts, and combinations of such blocks, may be implemented by a dedicated hardware-based system that performs the specified functions or actions, or by a combination of dedicated hardware and computer instructions.

In addition, the functional modules in the embodiments of the present invention may be integrated to form an independent part, may exist as separate modules, or two or more modules may be integrated to form an independent part.

If the functions are implemented as software function modules and sold or used as independent products, they may be stored in a computer-readable storage medium. On this understanding, the technical solution of the present invention in essence, or the part of it that contributes to the prior art, or a part of the technical solution, may be embodied as a software product stored in a storage medium and containing instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to perform all or some of the steps of the methods of the embodiments of the present invention. The storage medium includes a USB flash disk, a removable hard disk, read-only memory (ROM), random access memory (RAM), a magnetic disk, an optical disc or any other medium that can store program code. It should be noted that relational terms such as first and second are used herein merely to distinguish one entity or operation from another and do not necessarily require or imply any such actual relationship or order between them. Moreover, the terms "comprising", "including" or any variant thereof are intended to be non-exclusive, so that a process, method, article or device including a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article or device. Without further limitation, an element defined by the phrase "including a ..." does not exclude the presence of other identical elements in the process, method, article or device that includes it.

The foregoing is merely the preferred embodiments of the present invention and is not intended to limit it; for those skilled in the art the present invention may have various modifications and variations. Any modification, equivalent substitution, improvement or the like made within the spirit and principles of the present invention shall be included in the scope of protection. It should be noted that similar reference numerals and letters denote similar items in the following drawings, so once an item is defined in one drawing it need not be further defined or explained in subsequent drawings.
Claims (10)
- 1. A scoring method for malicious IP based on big-data intelligent analysis, characterised in that it comprises: obtaining multiple target attack logs within a preset time period; based on the multiple target attack logs, obtaining the number of attack targets, the number of attack methods and the number of attack days of the IP; and, based on the number of attack targets, the number of attack methods and the number of attack days, obtaining the malice degree corresponding to the IP.
- 2. The method according to claim 1, characterised in that obtaining the malice degree corresponding to the IP based on the number of attack targets, the number of attack methods and the number of attack days comprises: obtaining a first malice degree corresponding to the number of attack targets, a second malice degree corresponding to the number of attack methods and a third malice degree corresponding to the number of attack days; obtaining an overall score from the first malice degree, the second malice degree and the third malice degree; and obtaining the malice degree corresponding to the overall score.
- 3. The method according to claim 2, characterised in that the overall score satisfies: C = λ_domains·C_domains + λ_ruleIds·C_ruleIds + λ_days·C_days, where C denotes the overall score, λ_domains denotes the first weight, λ_ruleIds denotes the second weight, λ_days denotes the third weight, the sum of the first weight, the second weight and the third weight is 1, C_domains denotes the first malice degree of the IP with respect to the number of attack targets, C_ruleIds denotes the second malice degree of the IP with respect to the number of attack methods, C_days denotes the third malice degree of the IP with respect to the number of attack days, and C_domains, C_ruleIds and C_days each take values greater than or equal to zero and less than or equal to 1.
- 4. The method according to claim 1, characterised in that obtaining multiple target attack logs within the preset time period comprises: collecting multiple attack logs of accesses by the IP corresponding to a user within the preset time period; filtering crawler attack records out of each attack log; and using the multiple filtered attack logs as the multiple target attack logs.
- 5. The method according to claim 1, characterised in that, before obtaining the number of attack targets, the number of attack methods and the number of attack days of the IP based on the multiple target attack logs, the method further comprises: pre-processing the target attack logs.
- 6. A scoring apparatus for malicious IP based on big-data intelligent analysis, characterised in that it comprises: a data acquisition unit for obtaining multiple target attack logs within a preset time period; a data processing unit for obtaining, based on the multiple target attack logs, the number of attack targets, the number of attack methods and the number of attack days of the IP; and a scoring unit for obtaining, based on the number of attack targets, the number of attack methods and the number of attack days, the malice degree corresponding to the IP.
- 7. The apparatus according to claim 6, characterised in that the scoring unit is specifically configured to: obtain a first malice degree corresponding to the number of attack targets, a second malice degree corresponding to the number of attack methods and a third malice degree corresponding to the number of attack days; obtain an overall score from the first malice degree, the second malice degree and the third malice degree; and obtain the malice degree corresponding to the overall score.
- 8. The apparatus according to claim 7, characterised in that the overall score satisfies: C = λ_domains·C_domains + λ_ruleIds·C_ruleIds + λ_days·C_days, where C denotes the overall score, λ_domains denotes the first weight, λ_ruleIds denotes the second weight, λ_days denotes the third weight, the sum of the first weight, the second weight and the third weight is 1, C_domains denotes the first malice degree of the IP with respect to the number of attack targets, C_ruleIds denotes the second malice degree of the IP with respect to the number of attack methods, C_days denotes the third malice degree of the IP with respect to the number of attack days, and C_domains, C_ruleIds and C_days each take values greater than or equal to zero and less than or equal to 1.
- 9. The apparatus according to claim 6, characterised in that the data acquisition unit is specifically configured to: collect multiple attack logs of accesses by the IP corresponding to a user within the preset time period; filter crawler attack records out of each attack log; and use the multiple filtered attack logs as the multiple target attack logs.
- 10. The apparatus according to claim 6, characterised in that it further comprises, before the data processing unit: a data pre-processing unit for pre-processing the target attack logs.
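The scoring pipeline of claims 1 to 4 (crawler filtering, per-IP counts of distinct targets, rule ids and days, normalised malice degrees combined with weights summing to 1, and a score-to-level mapping), as an added example that is not code from the patent. The log format, the saturation counts CAPS, the WEIGHTS values and the LEVELS thresholds are assumptions, since the claims fix none of them.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample records (not from the patent), one per blocked request:
# "timestamp source_ip attacked_target matched_rule_id crawler_flag"
SAMPLE_LOGS = [
    "2017-09-20T08:00:00 203.0.113.5 shop.example RULE_SQLI 0",
    "2017-09-20T08:05:00 203.0.113.5 shop.example RULE_XSS 0",
    "2017-09-21T09:10:00 203.0.113.5 mail.example RULE_SQLI 0",
    "2017-09-23T11:30:00 203.0.113.5 api.example RULE_SCAN 0",
    "2017-09-22T12:00:00 198.51.100.7 shop.example RULE_SCAN 1",  # crawler record
    "2017-09-22T12:01:00 198.51.100.7 shop.example RULE_SCAN 0",
]

# Assumed parameters: a raw count saturates to malice degree 1.0 at CAPS,
# the three weights sum to 1 (claim 3), and LEVELS maps the score to a level.
CAPS = {"domains": 5, "ruleIds": 4, "days": 7}
WEIGHTS = {"domains": 0.4, "ruleIds": 0.3, "days": 0.3}
LEVELS = [(0.7, "high"), (0.4, "medium"), (0.0, "low")]

def parse_logs(lines):
    """Claim 4: parse the records and drop crawler attack records."""
    records = []
    for line in lines:
        ts, ip, target, rule_id, crawler = line.split()
        if crawler == "1":
            continue
        records.append((ip, target, rule_id, datetime.fromisoformat(ts).date()))
    return records

def count_features(records):
    """Claim 1: distinct attack targets, attack methods and attack days per IP."""
    feats = defaultdict(lambda: {"domains": set(), "ruleIds": set(), "days": set()})
    for ip, target, rule_id, day in records:
        feats[ip]["domains"].add(target)
        feats[ip]["ruleIds"].add(rule_id)
        feats[ip]["days"].add(day)
    return {ip: {k: len(v) for k, v in f.items()} for ip, f in feats.items()}

def score(counts):
    """Claims 2-3: C = sum(lambda_k * C_k) with each C_k in [0, 1]."""
    assert abs(sum(WEIGHTS.values()) - 1.0) < 1e-9  # weights must sum to 1
    degrees = {k: min(counts[k] / CAPS[k], 1.0) for k in WEIGHTS}
    total = sum(WEIGHTS[k] * degrees[k] for k in WEIGHTS)
    level = next(name for threshold, name in LEVELS if total >= threshold)
    return round(total, 4), level

def score_ips(lines):
    """Full pipeline: returns {ip: (overall score, malice level)}."""
    return {ip: score(c) for ip, c in count_features(parse_logs(lines)).items()}
```

With the sample above, the IP hitting three targets with three rules on three days scores 0.5936 ("medium"), while the second IP keeps only one non-crawler record and scores 0.1979 ("low").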
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710886569.6A CN107786542A (en) | 2017-09-26 | 2017-09-26 | Methods of marking and device based on big data intellectual analysis malice IP |
Publications (1)
Publication Number | Publication Date |
---|---|
CN107786542A true CN107786542A (en) | 2018-03-09 |
Family
ID=61433932
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201710886569.6A Pending CN107786542A (en) | 2017-09-26 | 2017-09-26 | Methods of marking and device based on big data intellectual analysis malice IP |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN107786542A (en) |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104391979A (en) * | 2014-12-05 | 2015-03-04 | 北京国双科技有限公司 | Malicious web crawler recognition method and device |
CN104601591A (en) * | 2015-02-02 | 2015-05-06 | 中国人民解放军国防科学技术大学 | Detection method of network attack source organization |
US20160352763A1 (en) * | 2015-05-27 | 2016-12-01 | Iyuntian Co., Ltd. | Method And System For Detecting Malicious Code |
CN106375331A (en) * | 2016-09-23 | 2017-02-01 | 北京网康科技有限公司 | Mining method and device of attacking organization |
CN106453412A (en) * | 2016-12-01 | 2017-02-22 | 绵阳灵先创科技有限公司 | Malicious domain name determination method based on frequency characteristics |
- 2017-09-26 CN CN201710886569.6A patent/CN107786542A/en active Pending
Cited By (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109413071A (en) * | 2018-10-31 | 2019-03-01 | 新华三信息安全技术有限公司 | A kind of anomalous traffic detection method and device |
CN109413071B (en) * | 2018-10-31 | 2021-08-06 | 新华三信息安全技术有限公司 | Abnormal flow detection method and device |
CN109729069A (en) * | 2018-11-26 | 2019-05-07 | 武汉极意网络科技有限公司 | Detection method, device and the electronic equipment of unusual IP addresses |
CN109729069B (en) * | 2018-11-26 | 2021-12-28 | 武汉极意网络科技有限公司 | Abnormal IP address detection method and device and electronic equipment |
CN113055362A (en) * | 2021-03-01 | 2021-06-29 | 深信服科技股份有限公司 | Method, device, equipment and storage medium for preventing abnormal behaviors |
CN115208647A (en) * | 2022-07-05 | 2022-10-18 | 南京领行科技股份有限公司 | Attack behavior handling method and device |
CN115632827A (en) * | 2022-09-28 | 2023-01-20 | 杭州安恒信息技术股份有限公司 | A network protection method, device, computer equipment and storage medium |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | Application publication date: 20180309 |