CN-122027318-A - Protection method, system, device, equipment, medium and product for abnormal access

Abstract

The invention relates to the technical field of network security and provides a protection method, a system, a device, equipment, a medium and a product for abnormal access. The protection method for abnormal access comprises: acquiring an access log uploaded by an edge node, wherein the access log is collected by the edge node after it has verified an access request for a target service resource initiated by a client; constructing an access feature vector by extracting multiple types of access attributes from the access log, identifying an abnormal access pattern based on the access feature vector, and thereby determining a target abnormal access object; and finally generating a target protection policy for the target abnormal access object and instructing the edge node to execute the target protection policy. The method and the device can effectively improve the identification accuracy and the protection efficiency for complex abnormal access behaviors.

Inventors

  • WEN PAN
  • XIE HAOJIE
  • LI WENYAN
  • WANG WEIHENG
  • ZENG SHAOBIN
  • CHEN JINHAI

Assignees

  • 杭州网易云音乐科技有限公司

Dates

Publication Date
20260512
Application Date
20260305

Claims (10)

  1. A protection method for abnormal access, the method comprising: obtaining an access log uploaded by an edge node, wherein the access log is collected by the edge node after it has verified and passed an access request for a target service resource initiated by a client; extracting multiple types of access attributes from the access log to construct an access feature vector, and identifying an abnormal access pattern based on the access feature vector to determine a target abnormal access object; and generating a target protection policy for the target abnormal access object to instruct the edge node to execute the target protection policy.
  2. The method of claim 1, wherein prior to the step of obtaining the access log uploaded by the edge node, the method further comprises: generating a verification interaction policy and issuing the verification interaction policy to the edge node, wherein the verification interaction policy instructs the edge node to issue a verification script to the client upon receiving the client's access request for the target service resource; and, if the verification information fed back by the client based on the verification script meets a preset validity condition, determining that the access request initiated by the client for the target service resource passes the verification.
  3. The method of claim 2, wherein the verification information comprises a timestamp, a one-time token, browser fingerprint information, and a digital signature generated by the client performing a preset computing task; and the preset validity condition comprises: the consistency check of the digital signature passes, the one-time token has not been reused, the timestamp is within a preset validity time window, and the browser fingerprint information conforms to preset real browser environment characteristics.
  4. The method of claim 1, wherein the multiple types of access attributes include an IP address of the client, a uniform resource locator of the accessed resource, a user agent, and source page information; and constructing the access feature vector includes: standardizing the IP address of the client, the uniform resource locator of the accessed resource, the user agent and the source page information extracted from the access log, and constructing the access feature vector.
  5. The method of claim 4, wherein identifying an abnormal access pattern based on the access feature vector comprises: performing cluster analysis on the access feature vectors using a density-based clustering algorithm; and, if an access cluster meeting a preset aggregation condition is identified, determining that the access cluster is an abnormal access pattern; wherein the preset aggregation condition comprises: the IP addresses of the clients come from a concentrated IP address segment, the uniform resource locator of the accessed resource is a single one, the user agent has non-business features, and the source page information is empty.
  6. A protection system for abnormal access, comprising an edge node and a server communicatively connected to the edge node; the edge node is used for receiving an access request of a client for a target service resource, issuing a verification script to the client, receiving and verifying the verification information fed back by the client, releasing the access request after the verification passes, and collecting an access log during the client's access; the server is configured to execute the protection method for abnormal access according to any one of claims 1 to 5, so as to determine a target abnormal access object from the access log uploaded by the edge node and generate a target protection policy for the target abnormal access object; and the edge node is further configured to receive and execute the target protection policy, so as to intercept or limit the target abnormal access object.
  7. A protection apparatus for abnormal access, the apparatus comprising: an acquisition module, used for acquiring an access log uploaded by an edge node, wherein the access log is collected by the edge node after an access request for a target service resource initiated by a client has been verified; a determining module, used for extracting multiple types of access attributes from the access log to construct an access feature vector, and identifying an abnormal access pattern based on the access feature vector so as to determine a target abnormal access object; and a generating module, used for generating a target protection policy for the target abnormal access object so as to instruct the edge node to execute the target protection policy.
  8. An electronic device, comprising: a memory and a processor communicatively connected to each other, the memory having computer instructions stored therein, and the processor executing the computer instructions to perform the protection method for abnormal access of any one of claims 1 to 5.
  9. A computer-readable storage medium having stored thereon computer instructions for causing a computer to perform the protection method for abnormal access of any one of claims 1 to 5.
  10. A computer program product comprising computer instructions for causing a computer to perform the protection method for abnormal access of any one of claims 1 to 5.
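The standardisation and density-based clustering steps of claims 4 and 5, as an added example that is not taken from the patent. Assumptions: the IP segment is a /24, "source page information" is the Referer value, a user agent not starting with `Mozilla/` counts as non-business, and the thresholds `eps`, `min_pts` and `share` as well as all records are constructed.

```python
import ipaddress
from collections import Counter
from urllib.parse import urlsplit

def normalise(ip, url, ua, referer):
    net = ipaddress.ip_network(ip + "/24", strict=False)  # assumed /24 segment
    path = urlsplit(url).path.rstrip("/").lower() or "/"
    kind = "browser" if ua.startswith("Mozilla/") else "non-business"  # assumed test
    return (str(net), path, kind, "present" if referer.strip() else "empty")

def dbscan(vecs, eps=1, min_pts=4):
    """DBSCAN with distance = number of differing attributes; -1 marks noise."""
    def near(i):
        return [j for j, v in enumerate(vecs)
                if sum(a != b for a, b in zip(vecs[i], v)) <= eps]
    labels, cluster = [None] * len(vecs), -1
    for i in range(len(vecs)):
        if labels[i] is not None:
            continue
        seeds = near(i)
        if len(seeds) < min_pts:
            labels[i] = -1
            continue
        cluster += 1
        while seeds:
            j = seeds.pop()
            if labels[j] in (None, -1):
                expand = labels[j] is None  # old noise becomes a border point only
                labels[j] = cluster
                if expand and len(near(j)) >= min_pts:
                    seeds.extend(near(j))
    return labels

def abnormal_clusters(entries, share=0.8):
    """Clusters meeting the aggregation condition: {label: (segment, path, size)}."""
    vecs = [normalise(*e) for e in entries]
    labels, flagged = dbscan(vecs), {}
    for c in set(labels) - {-1}:
        members = [v for v, l in zip(vecs, labels) if l == c]
        top, cnt = zip(*(Counter(col).most_common(1)[0] for col in zip(*members)))
        if min(cnt) >= share * len(members) and top[2:] == ("non-business", "empty"):
            flagged[c] = (top[0], top[1], len(members))
    return flagged

# Constructed records, not real traffic: 6 scripted hits, 5 browser visits, 1 stray.
BOT, WEB = ("python-requests/2.31", ""), ("Mozilla/5.0 (constructed)", "https://example.test/")
SAMPLE = ([(f"203.0.113.{i}", "https://example.test/api/track/42", *BOT) for i in range(1, 7)]
          + [(f"10.{i}.0.9", "https://example.test/home", *WEB) for i in range(1, 6)]
          + [("192.0.2.7", "https://example.test/playlist/9", *WEB)])
```

The browser visits to `/home` also form a dense cluster, but it fails the aggregation condition because the addresses are spread across segments, so only the scripted cluster is returned.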

Description

Protection method, system, device, equipment, medium and product for abnormal access

Technical Field

The disclosure relates to the technical field of network security, in particular to a protection method, a system, a device, equipment, a medium and a product for abnormal access.

Background

With the development of internet services, malicious access and attack techniques aimed at service resources are becoming increasingly complex. Existing protection techniques typically rely on a single measure, such as IP-address-based access frequency limiting (rate limiting) or a static blacklist mechanism. These passive defenses have obvious shortcomings. On the one hand, they cannot effectively distinguish a request initiated by an automation script from a normal request of a real user, which easily leads to false positives or missed detections. On the other hand, when facing low-frequency, distributed complex attack patterns, the existing protection mechanisms struggle to draw an accurate boundary between attack traffic and normal service traffic, so the protection effect is poor and service resources are heavily consumed. Therefore, a protection method for abnormal access is needed to solve the problems of low accuracy in identifying abnormal access and poor protection effect in the related art.

Disclosure of Invention

The disclosure provides a protection method, a system, a device, equipment, a medium and a product for abnormal access, which are used for solving the problems of low accuracy of abnormal access identification and poor protection effect in the related art.
In a first aspect, the present disclosure provides a protection method for abnormal access, the method comprising: obtaining an access log uploaded by an edge node, wherein the access log is collected by the edge node after verification of an access request for a target service resource initiated by a client; extracting multiple types of access attributes from the access log to construct an access feature vector, and identifying an abnormal access pattern based on the access feature vector to determine a target abnormal access object; and generating a target protection policy for the target abnormal access object to instruct the edge node to execute the target protection policy.

In an alternative embodiment, before the step of obtaining the access log uploaded by the edge node, the method further comprises: generating a verification interaction policy and issuing it to the edge node, wherein the verification interaction policy instructs the edge node to issue a verification script to the client upon receiving the client's access request for the target service resource; and, if the verification information fed back by the client based on the verification script meets the preset validity condition, determining that the access request initiated by the client for the target service resource passes the verification.

In an alternative embodiment, the verification information comprises a timestamp, a one-time token, browser fingerprint information and a digital signature generated by the client executing a preset computing task; the preset validity conditions comprise: the consistency check of the digital signature passes, the one-time token has not been reused, the timestamp is within a preset validity time window, and the browser fingerprint information conforms to the preset real browser environment characteristics.
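How an edge node could evaluate the four validity conditions described above, as an added example that is not taken from the patent. Assumptions: HMAC-SHA256 over the submitted fields stands in for the "digital signature" (the page names no scheme), and the 30-second window, the `webdriver` and `screen` fingerprint fields, the `EdgeVerifier` class and all sample values are hypothetical.

```python
import hashlib
import hmac
import json
import time

WINDOW_SECONDS = 30  # assumed validity window; the page gives no value

class EdgeVerifier:
    """Edge-side check of the four validity conditions (hypothetical helper)."""
    def __init__(self, key, now=time.time):
        self.key, self.now = key, now
        self.issued, self.used = set(), set()

    def sign(self, ts, token, fp):
        # What the verification script is assumed to compute on the client.
        msg = json.dumps([ts, token, fp], sort_keys=True).encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()

    def check(self, info):
        ts, token, fp = info["ts"], info["token"], info["fp"]
        if not hmac.compare_digest(self.sign(ts, token, fp), info["sig"]):
            return "signature"              # fields altered after signing
        if abs(self.now() - ts) > WINDOW_SECONDS:
            return "timestamp"              # outside the validity window
        if token not in self.issued or token in self.used:
            return "token"                  # unknown or replayed token
        self.used.add(token)                # burn the token before any further check
        if fp.get("webdriver") or not fp.get("screen"):
            return "fingerprint"            # assumed non-browser markers
        return "ok"

def demo():
    """Run five constructed submissions against a fixed clock."""
    v = EdgeVerifier(b"constructed-demo-key", now=lambda: 1000.0)
    real = {"webdriver": False, "screen": [1920, 1080]}
    def submit(token, ts, fp=real, tamper=False):
        v.issued.add(token)
        info = {"ts": ts, "token": token, "fp": fp, "sig": v.sign(ts, token, fp)}
        if tamper:
            info["ts"] += 1                 # change a signed field in transit
        return v.check(info)
    return [submit("t1", 1000.0), submit("t1", 1000.0), submit("t2", 900.0),
            submit("t3", 1000.0, tamper=True),
            submit("t4", 1000.0, fp={"webdriver": True, "screen": [800, 600]})]
```

The token is marked as used as soon as it is presented with a valid signature inside the window, so a submission rejected on fingerprint grounds cannot be retried with the same token.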
In an alternative embodiment, the multiple types of access attributes include the IP address of the client, the uniform resource locator of the accessed resource, the user agent, and the source page information; constructing an access feature vector comprises: standardizing the IP address of the client, the uniform resource locator of the accessed resource, the user agent and the source page information extracted from the access log, and constructing an access feature vector.

In an alternative embodiment, identifying an abnormal access pattern based on the access feature vector includes: performing cluster analysis on the access feature vectors using a density-based clustering algorithm; and, if an access cluster meeting the preset aggregation conditions is identified, determining that the access cluster is an abnormal access pattern; the preset aggregation conditions comprise: the IP addresses of the clients come from a concentrated IP address segment, the uniform resource locator of the accessed resource is a single one, the user agent has non-business features, and the source page information is empty.

In an alternative embodiment, before the step of obtaining the access log uploaded by the edge node, the method further comprises: dividing the whole network bandwidth data into a plurality of monitoring grids according to the combined dimen