Abnormal access behavior detection method and system on basis of WEB logs

A detection method based on WEB logs, applied in the field of WEB security, that addresses problems such as false positives, the inability to analyze an attacker's behavior, and the inability of existing detection techniques to find malicious access.

Active Publication Date: 2013-09-11
INST OF INFORMATION ENG CHINESE ACAD OF SCI

AI Technical Summary

Problems solved by technology

However, the above information statistics mainly target normal user access behaviors; malicious user access cannot be found by the above detection techniques.
Therefore, website administrators or security administrators can only check the WEB logs for suspicious attacks manually.
[0004] Generally, the security detection of WEB logs is divided into two aspects. One is to identify typical attack accesses, such as SQL injection, cross-site scripting, buffer overflow, etc., by matching attack feature rules against a single request URL in the log. This is relatively easy to implement, but only known types of attacks can be found, and the attacker's behavior cannot be analyzed globally.
The other is behavior detection for abnormal access traces, including malicious crawling of website information, malicious scanning for website vulnerabilities, application-layer DDoS attacks, etc. These behaviors cannot be detected by feature detection on a single URL.
At present, there is no mature solution for this type of abnormal behavior detection. The general approach is to establish a model of normal user access through data mining, but this requires historical data of normal access. Moreover, once current website access is affected by special circumstances, such as a special event that causes a sudden increase in website visits, the access model obtained from historical data no longer fits current visits, resulting in a large number of false positives or false negatives.


Examples


Embodiment Construction

[0069] The implementation process of the technical solution of the present invention will be described in detail below with reference to the accompanying drawings and specific examples.

[0070] Figure 1 is a schematic flow chart of an embodiment of the method of the present invention for detecting abnormal access behavior based on WEB logs. Its specific steps include:

[0071] 1. Analyze the original WEB log and remove the interference information;

[0072] 2. Compute IP access behavior statistics to obtain the IP access statistics list, which includes, for each IP, the total number of sessions, duration, number of visits, non-page access ratio, error response code ratio, and download access ratio;

[0073] 3. Compute URL access statistics to obtain the URL access statistics list, which includes, for each URL, a visitor information dictionary table and a query string dictionary table;

[0074] 4. According to the IP access statistics list, carry out crawler behavior feature identification, error response code ...


Abstract

The invention relates to an abnormal access behavior detection method based on WEB logs. The method includes the steps of: 1) analyzing the raw WEB logs, removing interference information, and then performing IP (Internet Protocol) access statistics and URL access statistics to obtain an IP access statistics list and a URL access statistics list; 2) according to the IP access statistics list, performing crawler behavior feature recognition, error response code statistics and access frequency deviation detection, while updating the IP abnormal feature list; and 3) sorting the abnormal features in the IP abnormal feature list according to a set order of precedence, and outputting the sorted IP abnormal feature list as the abnormal access results. With this method, the access model is built without depending on historical access data, abnormal access is found by lateral comparison, and abnormal parameters are detected by voting and by reference to query strings.
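A sketch of steps 1) to 3) of the abstract, added here as an illustration and not taken from the patent: it covers only a subset of the per-IP statistics (visits, error response ratio, non-page ratio) and compares each IP against the median of its peers in the same log rather than against history. The log format, the thresholds, the non-page extension list, the flag names and the treatment of unparseable lines as "interference" are all assumptions, and the sample log is constructed.

```python
import re
from collections import defaultdict
from statistics import median

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" (\d{3}) \S+')
NON_PAGE_EXT = (".png", ".jpg", ".gif", ".css", ".js", ".ico")  # assumed definition

def build_sample():
    """Constructed log: five ordinary visitors, one prober, one corrupt line."""
    lines = ["corrupted line without fields"]
    for i in range(1, 6):
        for path in ("/index.html", "/logo.png", "/news.html"):
            lines.append(f'10.0.0.{i} - - [11/Sep/2013:10:00:0{i} +0800] '
                         f'"GET {path} HTTP/1.1" 200 512')
    for n in range(40):
        lines.append(f'10.0.0.99 - - [11/Sep/2013:10:01:{n:02d} +0800] '
                     f'"GET /admin{n}.php HTTP/1.1" 404 0')
    return lines

def ip_statistics(lines):
    """Per-IP visit count, error-response ratio and non-page ratio."""
    raw = defaultdict(lambda: {"visits": 0, "errors": 0, "non_page": 0})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:  # assumed notion of "interference": unparseable lines
            continue
        ip, url, status = m.groups()
        s = raw[ip]
        s["visits"] += 1
        s["errors"] += status[0] in "45"  # 4xx and 5xx responses
        s["non_page"] += url.split("?")[0].lower().endswith(NON_PAGE_EXT)
    return {ip: {"visits": s["visits"],
                 "error_ratio": s["errors"] / s["visits"],
                 "non_page_ratio": s["non_page"] / s["visits"]}
            for ip, s in raw.items()}

def detect(stats, min_visits=10, err_thresh=0.5, freq_factor=5.0):
    """Return {ip: [flags]}; flags follow the order the abstract lists them."""
    typical = median(s["visits"] for s in stats.values())  # lateral baseline
    result = {}
    for ip, s in stats.items():
        busy = s["visits"] >= min_visits
        checks = [("crawler_like", busy and s["non_page_ratio"] == 0),
                  ("error_codes", busy and s["error_ratio"] > err_thresh),
                  ("frequency_deviation", s["visits"] > freq_factor * typical)]
        flags = [name for name, hit in checks if hit]
        if flags:
            result[ip] = flags
    return result
```

Because the baseline is the median over the IPs in the same log, a site-wide traffic surge raises the baseline for everyone instead of flagging every visitor.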

Description

Technical field

[0001] The invention relates to a method and system for detecting abnormal access behaviors based on WEB logs, belonging to the field of WEB security.

Background technique

[0002] With the continuous development of Internet technology and applications, WEB applications have gradually become an indispensable part of modern production and life, and they have also become the main attack target on the Internet.

[0003] WEB logs are audit information about WEB access behaviors recorded by WEB servers. From the WEB logs, you can understand the access behavior of website visitors. Traditional WEB log detection mainly focuses on global website traffic detection, visitor information statistics, and access content information statistics. The quality of service of the website. Currently, mainstream log detection tools include AWStats, Webalizer, etc. However, the above information statistics are mainly for normal user access behaviors, and the above detection...


Application Information

Patent Type & Authority: Applications (China)
IPC: IPC(8): H04L29/06, H04L29/08, H04L12/26
Inventor: 杨婧, 徐震, 马多贺, 宋晨, 吕双双, 黄亮
Owner: INST OF INFORMATION ENG CHINESE ACAD OF SCI