A website intrusion detection method based on big data log analysis

Intrusion detection and big data technology applied in the field of network security. It addresses problems such as attacks that cannot be intercepted and the impact of blocking on normal users, and aims to detect website intrusions more accurately and comprehensively, reduce missed or false detections, and reduce performance overhead.

Active Publication Date: 2020-07-10
重庆天蓬网络有限公司

AI Technical Summary

Problems solved by technology

[0003] The biggest problem with this method is that every identification is judged based on rules. However, with the development of computer networks and communication technologies, network security threats and risks continue to increase and attack methods are diversifying, so many rules can be bypassed. As a result, a WAF cannot intercept attacks accurately and in a timely manner. At the same time, a large number of legitimate requests from normal users may also contain these characteristic strings, so normal users' access is blocked, which affects their use of the site to a certain extent.
[0004] Mainstream WAF products cannot identify unauthorized-access vulnerabilities, sensitive information leakage, crawler attacks, or CC (Challenge Collapsar) attacks.
[0005] A WAF (website application-level intrusion prevention system) needs to be deployed at the upper layer of the application, which incurs a certain performance overhead.

Embodiment Construction

[0031] Embodiments of the technical solutions of the present invention will be described in detail below in conjunction with the accompanying drawings. The following examples are only used to illustrate the technical solutions of the present invention more clearly, and therefore are only examples, rather than limiting the protection scope of the present invention.

[0032] It should be noted that, unless otherwise specified, the technical terms or scientific terms used in this application shall have the usual meanings understood by those skilled in the art to which the present invention belongs.

[0033] As shown in Figure 1, an embodiment according to the technical solution of the present invention comprises the following steps:

[0034] S100, collecting web logs within a preset time period, and aggregating the collected web logs according to the visitor IP;

[0035] S200, matching the visitor's IP with the IP whitelist, and filtering out the IPs to be detected...

Abstract

The invention relates to a website intrusion detection method based on big data log analysis. The method comprises the following steps: collecting web logs within a preset time period and aggregating them by visitor IP; matching each visitor IP against an IP whitelist and screening out the to-be-detected IPs that are not in the whitelist; analyzing the web log corresponding to each to-be-detected IP, calculating risk values for the various request parameters with a user-defined risk model, and comprehensively judging the danger level of the to-be-detected IP from the calculated risk values; and, when the danger level of the to-be-detected IP reaches a specified level, judging the to-be-detected IP to be a suspicious IP. Through the risk model, the method combines the visitor's IP with the visitor's access request information and calculates the visitor's intrusion risk values from multiple aspects, so website intrusion detection is more accurate and comprehensive than with traditional WAF technology, and missed or false detections can be reduced. Because the analysis is performed on the web logs, no deployment at the upper layer of the application is needed, the performance overhead on the server is reduced, and various intrusion attack methods can be recognized.
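The steps in the abstract (aggregate by visitor IP, whitelist filter, per-dimension risk values, danger level), shown as an added example that is not code from the patent. The log lines are constructed, and the tokens, weights, thresholds and the three risk dimensions are assumptions standing in for the patent's unspecified "user-defined risk model".

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample access-log lines (not from the patent).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jul/2020:10:00:01 +0800] "GET /index.html HTTP/1.1" 200 512
192.0.2.44 - - [10/Jul/2020:10:00:06 +0800] "GET /item?id=1%20UNION%20SELECT%201 HTTP/1.1" 500 0
192.0.2.44 - - [10/Jul/2020:10:00:07 +0800] "GET /download?file=../../conf/app.ini HTTP/1.1" 403 0
192.0.2.44 - - [10/Jul/2020:10:00:09 +0800] "GET /search?q=%3Cscript%3E HTTP/1.1" 200 300
198.51.100.10 - - [10/Jul/2020:10:00:10 +0800] "GET /a?f=../x HTTP/1.1" 404 0
"""
LINE_RE = re.compile(r'(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3}) \S+')
WHITELIST = {"198.51.100.10"}  # assumed entry, e.g. an authorised internal scanner
# Assumed risk model; the patent only calls it "user-defined".
TOKENS = ("union select", "../", "<script")
WEIGHTS = {"payload": 0.6, "errors": 0.3, "volume": 0.1}
LEVELS = ("low", "medium", "high")

def aggregate(log_text):
    """S100: group parsed requests by visitor IP."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:  # unparseable lines are skipped
            ip, target, status = m.groups()
            by_ip[ip].append((unquote(target).lower(), int(status)))
    return by_ip

def risk_values(requests):
    """One risk value in [0, 1] per assumed request dimension."""
    n = len(requests)
    return {
        "payload": sum(any(t in tgt for t in TOKENS) for tgt, _ in requests) / n,
        "errors": sum(status >= 400 for _, status in requests) / n,
        "volume": min(n / 100, 1.0),
    }

def danger_level(values):
    # Weighted sum of the risk values, mapped onto three levels.
    score = sum(WEIGHTS[k] * v for k, v in values.items())
    return LEVELS[(score >= 0.2) + (score >= 0.5)]

def detect(log_text, whitelist=WHITELIST, flag_at="high"):
    """S200 + final step: skip whitelisted IPs, flag IPs reaching flag_at."""
    levels = {ip: danger_level(risk_values(r))
              for ip, r in aggregate(log_text).items() if ip not in whitelist}
    return {ip for ip, l in levels.items() if LEVELS.index(l) >= LEVELS.index(flag_at)}
```

Calling `detect(SAMPLE_LOG)` returns the suspicious IPs; passing `whitelist=set()` shows that the whitelisted host would otherwise be flagged as well.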

Description

Technical field

[0001] The invention relates to a website intrusion detection method based on big data log analysis, which belongs to the technical field of network security.

Background technique

[0002] At present, most websites use WAF (web application-level intrusion prevention system) technology to intercept attacks. This technology mainly judges whether the information requested by the user contains certain specific strings, or whether a specific URL address is accessed; requests that match the rules are blocked directly to ensure system security.

[0003] The biggest problem with this method is that every identification is judged based on rules. However, with the development of computer networks and communication technologies, network security threats and risks continue to increase and attack methods are diversifying, so many rules can be bypassed. As a result, a WAF cannot intercept attacks accurately and in a timely manner. At the same time, a large number of normal users' normal requests may ...

Application Information

Patent Type & Authority: Patents (China)
IPC (8): H04L29/06, H04L29/08
Inventor: 陈继安, 文立乾, 李英
Owner: 重庆天蓬网络有限公司