A method and apparatus for detecting unauthorized access

By clustering and feature matrix analysis of account historical access behavior, a set of resource addresses is constructed, solving the problem of unauthorized access detection in existing technologies and realizing automated and accurate unauthorized access detection, which is suitable for complex web applications.

CN116846644BActive Publication Date: 2026-06-09CHINA TELECOM CORP LTD TECHNOLOGY INNOVATION CENTER +1

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Patents(China)
Current Assignee / Owner
CHINA TELECOM CORP LTD TECHNOLOGY INNOVATION CENTER
Filing Date
2023-07-06
Publication Date
2026-06-09

AI Technical Summary

Technical Problem

Existing technologies are insufficient to effectively detect and prevent unauthorized access, especially in complex web applications where manually setting business logic and permission rules is difficult to apply.

Method used

By clustering historical access behaviors of accounts, a set of resource addresses corresponding to each account category is constructed. The clustering algorithm is used to generate an access behavior feature matrix and construct a relationship grid to determine the account category and then determine whether the access request is an unauthorized access.

Benefits of technology

It achieves automated and accurate unauthorized access detection, reduces reliance on prior knowledge of technical personnel, and is suitable for complex web applications.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN116846644B_ABST
    Figure CN116846644B_ABST
Patent Text Reader

Abstract

The application discloses a method and device for detecting unauthorized access, which is used for detecting account unauthorized access behavior through analyzing account historical access records. The method comprises the following steps: receiving an access request of a first account to a target resource address of a server; the first account is any one of a plurality of accounts of the server; obtaining a pre-stored resource address set corresponding to each account category, and determining a resource address set corresponding to an account category to which the first account belongs; the resource address set corresponding to any account category is created according to historical access records of any account category; each account category is obtained by clustering a plurality of accounts according to historical access behaviors of the plurality of accounts; and judging whether the access request is unauthorized access according to whether the target resource address is included in the determined resource address set.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This application relates to the field of network information security technology, and in particular to a method and apparatus for detecting unauthorized access. Background Technology

[0002] With the rapid development of the internet, the variety of applications is increasing, and the user base is expanding. At the same time, cybersecurity issues are becoming more frequent, with unauthorized access attacks caused by logical vulnerabilities being the most prevalent. Typically, the workflow of a web application includes login, request submission, permission verification, database query, and result return. However, web applications may assume that login authentication is sufficient to verify a user's identity, thus failing to perform further verification when the user queries the database. This allows users to access the databases of other users with the same or higher privileges, resulting in unauthorized access.

[0003] To prevent unauthorized access, related technologies have proposed detecting unauthorized access through manually configured business logic and permissions. However, with the development of web applications, application processes have become increasingly complex and numerous, making it difficult to rely on manually configured business logic and permissions. Summary of the Invention

[0004] This application provides a method and apparatus for detecting unauthorized access, which can detect unauthorized access behavior of an account by analyzing the account's historical access records.

[0005] Firstly, this application proposes a method for detecting unauthorized access, including:

[0006] Receive an access request from a first account for a target resource address on the server; the first account is any one of multiple accounts on the server.

[0007] Obtain a pre-stored set of resource addresses corresponding to each account category, and determine the set of resource addresses corresponding to the account category to which the first account belongs; wherein the set of resource addresses corresponding to any account category is created based on the historical access records of any account category; and each account category is obtained by clustering the multiple accounts based on their historical access behavior.

[0008] Whether the access request is an unauthorized access is determined by whether the target resource address is included in the determined set of resource addresses.

[0009] In some embodiments, the resource address set corresponding to any of the account categories is created in the following manner:

[0010] Obtain the resource addresses accessed by each account within a historically defined time period, including any account category;

[0011] Delete resource addresses that have been accessed less than the access threshold from the obtained resource addresses, and create a set of resource addresses corresponding to any of the account categories based on the remaining resource addresses.

[0012] In some embodiments, clustering the plurality of accounts to obtain account categories includes:

[0013] Obtain access requests from the aforementioned multiple accounts within a historically defined time period;

[0014] An access behavior feature matrix for each account is created based on the obtained access requests; the access behavior feature matrix for any account includes the number of resource addresses accessed by the account within the set historical time period, the access duration of each resource address accessed by the account, the frequency of each resource address accessed by the account, and the time interval between the accesses of the resource addresses by the account.

[0015] The multiple accounts are clustered based on the similarity between the access behavior feature matrices of every two accounts to determine the account category to which each account belongs.

[0016] In some embodiments, creating an access behavior feature matrix for each account based on the acquired access requests includes:

[0017] The access request belonging to the first account is determined based on the account name included in the obtained access request;

[0018] Based on the access time and accessed resource address included in each access request belonging to the first account, determine the number of resource addresses accessed by the first account, the access duration of the first account accessing each resource address, the frequency of the first account accessing each resource address, and the time interval of the first account accessing resource addresses.

[0019] A feature matrix of the first account's access behavior is generated based on the number of resource addresses accessed by the first account, the access duration of the first account to each resource address, the frequency of the first account's access to each resource address, and the time interval between the first account's access to resource addresses.

[0020] In some embodiments, clustering the multiple accounts based on the similarity between the access behavior feature matrices of every two accounts to determine the account category to which each account belongs includes:

[0021] Calculate the distance between the access behavior feature matrices of every two accounts;

[0022] A relational grid is constructed using the calculated distances; each point in the relational grid represents an account, and the distance between any two points is the distance between the access behavior feature matrices of the two accounts corresponding to those two points.

[0023] The relationship grid is divided using a pre-defined clustering algorithm to determine the account category to which each account belongs.

[0024] Secondly, this application proposes an unauthorized access detection device, the device comprising:

[0025] A communication unit is used to receive an access request from a first account for a target resource address on the server; the first account is any one of a plurality of accounts on the server.

[0026] The processing unit is configured to acquire a pre-stored set of resource addresses corresponding to each account category, and to determine the set of resource addresses corresponding to the account category to which the first account belongs; wherein the set of resource addresses corresponding to any account category is created based on the historical access records of the account category; and each account category is obtained by clustering the multiple accounts based on their historical access behavior.

[0027] The processing unit is further configured to determine whether the access request is an unauthorized access based on whether the target resource address is included in the determined set of resource addresses.

[0028] In some embodiments, the processing unit is further configured to create a set of resource addresses corresponding to any of the account categories as follows:

[0029] Obtain the resource addresses accessed by each account within a historically defined time period, including any account category;

[0030] Delete resource addresses that have been accessed less than the access threshold from the obtained resource addresses, and create a set of resource addresses corresponding to any of the account categories based on the remaining resource addresses.

[0031] In some embodiments, the processing unit is further configured to cluster the plurality of accounts to obtain account categories:

[0032] Obtain access requests from the aforementioned multiple accounts within a historically defined time period;

[0033] An access behavior feature matrix for each account is created based on the obtained access requests; the access behavior feature matrix for any account includes the number of resource addresses accessed by the account within the set historical time period, the access duration of each resource address accessed by the account, the frequency of each resource address accessed by the account, and the time interval between the accesses of the resource addresses by the account.

[0034] The multiple accounts are clustered based on the similarity between the access behavior feature matrices of every two accounts to determine the account category to which each account belongs.

[0035] In some embodiments, the processing unit is specifically used for:

[0036] The access request belonging to the first account is determined based on the account name included in the obtained access request;

[0037] Based on the access time and accessed resource address included in each access request belonging to the first account, determine the number of resource addresses accessed by the first account, the access duration of the first account accessing each resource address, the frequency of the first account accessing each resource address, and the time interval of the first account accessing resource addresses.

[0038] A feature matrix of the first account's access behavior is generated based on the number of resource addresses accessed by the first account, the access duration of the first account to each resource address, the frequency of the first account's access to each resource address, and the time interval between the first account's access to resource addresses.

[0039] In some embodiments, the processing unit is specifically used for:

[0040] Calculate the distance between the access behavior feature matrices of every two accounts;

[0041] A relational grid is constructed using the calculated distances; each point in the relational grid represents an account, and the distance between any two points is the distance between the access behavior feature matrices of the two accounts corresponding to those two points.

[0042] The relationship grid is divided using a pre-defined clustering algorithm to determine the account category to which each account belongs.

[0043] Thirdly, an electronic device is provided, comprising a controller and a memory. The memory stores computer-executable instructions, and the controller executes the computer-executable instructions in the memory to perform operational steps of any possible implementation of the method of the first aspect using hardware resources in the controller.

[0044] Fourthly, a computer-readable storage medium is provided, which stores instructions that, when executed on a computer, cause the computer to perform the methods described above.

[0045] This application proposes clustering accounts based on their historical access behavior to determine multiple account categories. Then, based on the historical access records of each account category, a resource address set corresponding to each account category is constructed. This allows the resource address set corresponding to any account category to represent the regular access characteristics of that account category. Furthermore, when an access request for a specific resource address is received from any account within that account category, the system can determine whether the access request conforms to the account's regular access characteristics based on whether the resource address set includes that resource address. If it does not conform, the access request can be determined to be unauthorized access. Attached Figure Description

[0046] The accompanying drawings, which are included to provide a further understanding of this application and form part of this application, illustrate exemplary embodiments and are used to explain this application, but do not constitute an undue limitation of this application. In the drawings:

[0047] Figure 1 A schematic flowchart of an unauthorized access detection method provided in an embodiment of this application;

[0048] Figure 2 A schematic flowchart of another unauthorized access detection method provided in an embodiment of this application;

[0049] Figure 3 A schematic diagram of the structure of an unauthorized access detection device provided in an embodiment of this application;

[0050] Figure 4 This is a schematic diagram of the structure of an electronic device provided in an embodiment of this application. Detailed Implementation

[0051] To make the objectives, technical solutions, and advantages of the embodiments of this application clearer, the technical solutions of this application will be clearly and completely described below with reference to the accompanying drawings of the embodiments of this application. Obviously, the described embodiments are only some embodiments of the technical solutions of this application, and not all embodiments. Based on the embodiments recorded in this application, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of the technical solutions of this application.

[0052] The terms "first," "second," etc., used in the specification, claims, and accompanying drawings of this invention are used to distinguish similar objects and are not necessarily used to describe a specific order or sequence. It should be understood that such data can be interchanged where appropriate so that embodiments of the invention described herein can be implemented in sequences other than those illustrated or described herein. Furthermore, the term "and / or" herein is merely a description of the relationship between related objects, indicating that three relationships can exist. For example, A and / or B can represent: A alone, A and B simultaneously, and B alone. Additionally, the character " / " herein, unless otherwise specified, generally indicates that the preceding and following related objects have an "or" relationship.

[0053] Broken Access Control (BAC) is a common logical security vulnerability, prevalent in web applications. It can be understood as the web application's server overly trusting data manipulation requests from clients. An account should typically only be allowed to perform CRUD operations on its own information. However, due to negligence by backend developers, user authentication is not performed during these CRUD operations, allowing attackers to access other accounts' data. BAC is categorized into horizontal and vertical privilege escalation. Horizontal privilege escalation refers to accounts with the same level of permissions being able to access each other's data, while vertical privilege escalation refers to accounts with different levels of permissions being able to access each other's data. For example, horizontal privilege escalation means that users A and B have the same permission level; they can access and process their own private data. However, if the server only verifies the role of the user accessing the data without further data segmentation or validation, allowing user A to access user B's data is considered horizontal privilege escalation. Vertical privilege escalation refers to situations where ordinary users can access administrator accounts' data, or administrators can access ordinary users' data. This is because the backend lacks access control or only sets permissions on the data directory without setting permissions on the resource address, allowing attacking accounts to guess the resource address and thus access data or pages that administrators can access.

[0054] Regarding the aforementioned unauthorized access, related technologies have proposed methods to detect unauthorized access to each account by setting business logic or business permission rules. For example, business permissions for each account can be set based on their access behavior over a period of time. This method requires technical personnel to have strong prior knowledge to set the permissions correctly, and also requires verification of the accuracy of the set information. Therefore, existing methods for setting business permissions are not suitable for complex web applications. In view of this, this application proposes an unauthorized access detection method. By learning from the historical access behavior of each account, the category to which each account belongs is determined, and then the historical access data of each category of accounts can be used to determine whether users of that category have engaged in unauthorized behavior during actual access.

[0055] The proposed solution in this application is described below. (See also...) Figure 1 This is a flowchart of an unauthorized access detection method provided in an embodiment of this application. Optionally, Figure 1 The method flow shown can be executed by the protection engine included in the web application server or by the firewall of the web application. This application does not limit the execution subject of the solution. Figure 1 The method flow shown specifically includes:

[0056] 101. Receive the first account's access request for the target resource address on the server.

[0057] The first account can be any one of the multiple accounts in the web application. The target resource address can be any resource address on the web application server; the resource address can also be called the server's Uniform Resource Locator (URL).

[0058] 102. Obtain the pre-stored set of resource addresses corresponding to each account category.

[0059] The set of resource addresses corresponding to any account category is created based on the historical access records of the accounts included in that account category. The account category is obtained by clustering multiple accounts based on the historical access behavior of multiple accounts in the web application. The historical access behavior of the accounts included in an account category is similar.

[0060] 103. Determine whether the access request from the first account is an unauthorized access based on whether the target resource address is included in the target resource address set corresponding to the account category to which the first account belongs.

[0061] For example, the resource addresses included in the target resource address set can be resource addresses historically accessed by the account category to which the first account belongs.

[0062] Based on the above scheme, this application proposes to cluster accounts to determine multiple account categories according to their historical access behavior, and then construct a resource address set corresponding to each account category based on the historical access records of each account category. This allows the resource address set corresponding to any account category to represent the regular access characteristics of that account category. Furthermore, when receiving an access request for a certain resource address from any account within that account category, the system can determine whether the access request conforms to the account's regular access characteristics based on whether the resource address set includes that resource address. If it does not conform, the access request can be determined to be unauthorized access.

[0063] In some embodiments, when creating the resource address set corresponding to each account category, historical access records for each account category can be obtained for construction. For example, taking account category A among multiple account categories as an example, the process of creating the resource address set corresponding to account category A will be described. It should be noted that account category A is any one of multiple account categories, not specifically one. As an optional approach, the resource addresses accessed by each account included in account category A within a historically defined time period can be obtained. The number of times any resource address accessed within this historically defined time period can be greater than 1, therefore the number of obtained resource addresses is greater than or equal to the number of accounts included in account category A. Further, the number of times the obtained resource addresses were accessed within the historically defined time period can be determined. Further still, resource addresses with access counts less than a threshold can be deleted, and the remaining resource addresses form the resource address set corresponding to account category A.

[0064] Based on the above scheme, the resource address set is constructed according to the historical access records of account categories, so it can represent the regular access characteristics of account categories and thus be used to determine whether subsequent account access is unauthorized.

[0065] Optionally, before constructing the resource address set corresponding to each account category, the account categories can be determined first. As an alternative approach, accounts can be categorized based on the historical access behavior of all accounts in the web application to determine the account category to which each account belongs. See steps one through four below for a detailed explanation of the process of constructing account categories.

[0066] Step 1: Obtain access logs generated by the web application server within a specified historical time period.

[0067] Optionally, the web application's server can generate corresponding access logs for each account's access. These logs may include the accessed resource address (or interface name, URL, etc.), access time, and the username of the accessing account. As an example, a probe can be used to obtain access logs generated by the web application server within a historically defined time period. Furthermore, the obtained access logs can be cleaned to remove abnormal characters and filter out access failure logs.

[0068] For example, after obtaining and cleaning the access logs, the cleaned access logs can be stored in the database.

[0069] Step 2: Create an access behavior feature matrix for each account based on the obtained access logs.

[0070] The access behavior feature matrix for any account can include the number of resource addresses accessed by the user within a historically defined time period, the duration of access to each resource address, the access frequency, and the time interval between accesses to the resource addresses.

[0071] For example, when creating an access behavior feature matrix, the acquired access logs can first be formatted to facilitate the extraction of access time, username, and resource address. For instance, text content such as protocols, IP addresses, and port numbers can be removed from the access logs, and the remaining text can be uniformly encoded, such as by converting it to Lowcase format.

[0072] Furthermore, by using the extracted access time, username, and resource address, we can determine the number of resource addresses accessed by each account, the frequency of access to each resource address, the duration of access to each resource address, and the time interval between accesses. For example, we can use the information for account A as an example. For instance, based on the access logs, we can determine that account A accessed 10 resource addresses within a historically defined time period, the frequency (or number of times) of accessing each of those 10 resource addresses, the average duration of access to each resource address, and the average time interval between accesses. Based on this determined information, we can construct an access behavior feature matrix for account A. It can be seen that the access behavior feature matrix for each account can characterize the account's regular access habits.

[0073] Step 3: Construct a relational grid based on the username and access behavior feature matrix of each account.

[0074] For example, each node in the relational mesh represents an account, and each node corresponds to a username. The length of the line connecting any two nodes can be determined based on the distance between the access behavior feature matrices of the two accounts corresponding to those two nodes.

[0075] In one possible implementation, the access behavior feature matrix of each account obtained in step two can be normalized, and the Euclidean distance between any two matrices can be calculated. This Euclidean distance is then used as the relationship weight between the two accounts. Further, a relationship mesh can be constructed based on the username of each account and the relationship weight between any two accounts. Each node in the relationship mesh corresponds to a username, and the set of nodes can be denoted as: V = {v...} i Let |i = 1, 2, ..., n}, where n is the number of nodes (or accounts). For any two nodes u and v, let the edge between them be (u, v) ∈ E, where E is the set of edges, including the weights of the relationships between any two accounts. The resulting relation mesh is G = {V, E}.

[0076] Step 4: Determine the account category based on the network administrator's relationship.

[0077] Optionally, a predefined clustering algorithm can be used to divide the relationship mesh, grouping nodes that are close together into one category, thus obtaining multiple user categories. For example, community detection algorithms, such as the Label Propagation Algorithm (LPA) or Louvain, can be used. Optionally, the resulting account categories can also be called communities. Further, each account category can be numbered, and an association between the account category and the corresponding set of resource addresses can be established based on the number. Optionally, the steps for creating the set of resource addresses corresponding to the account category can be found in the above embodiments and will not be repeated here.

[0078] For example, the process of constructing account categories and creating a set of resource addresses corresponding to each account category based on historical access records can be updated periodically. For instance, past access records can be retrieved and account categories and resource address sets can be established at regular intervals. Optionally, when detecting unauthorized access based on the created account categories and corresponding resource address sets, the received access requests can first be preprocessed to remove text such as protocols, port numbers, and IP addresses, and the remaining text can be uniformly encoded into lowcase format. This allows for a more accurate determination of the account category to which the accessing account belongs. Furthermore, whether the target resource address requested is included in the determined set of resource addresses corresponding to the account category is used to determine whether the access request constitutes unauthorized access.

[0079] To further understand the solution proposed in this application, specific embodiments are described below. See also Figure 2 The above is a flowchart illustrating an unauthorized access detection method provided in an embodiment of this application, specifically including:

[0080] 201. Retrieve access logs generated by the web application server within a specified historical time period.

[0081] 202. Create an access behavior feature matrix for each account based on the access logs.

[0082] 203. Generate a relational grid based on the behavioral feature matrix of each account.

[0083] 204. A predefined community detection algorithm is used to divide the relationship grid into multiple account categories.

[0084] 205. Generate a set of resource addresses corresponding to each account category based on the access records of the accounts included in each account category within a historical set time period.

[0085] 206. When an access request for a target resource address is received from account A, determine whether the access request is an unauthorized access based on whether the resource address set corresponding to the account category to which account A belongs includes the target resource address.

[0086] Based on the same concept as the above method, referring to bronze drum 3, an unauthorized access detection device 300 is provided in this application embodiment. The device 300 is used to implement the various steps in the above method. To avoid repetition, it will not be described again here. The device 300 includes: a communication unit 301 and a processing unit 302.

[0087] The communication unit 301 is used to receive an access request from a first account for a target resource address on the server; the first account is any one of a plurality of accounts on the server.

[0088] Processing unit 302 is configured to obtain a pre-stored set of resource addresses corresponding to each account category, and to determine the set of resource addresses corresponding to the account category to which the first account belongs; wherein the set of resource addresses corresponding to any account category is created based on the historical access records of the account category; and each account category is obtained by clustering the multiple accounts based on the historical access behavior of the multiple accounts.

[0089] The processing unit 302 is further configured to determine whether the access request is an unauthorized access based on whether the target resource address is included in the determined set of resource addresses.

[0090] In some embodiments, the processing unit 302 is further configured to create a set of resource addresses corresponding to any of the account categories as follows:

[0091] Obtain the resource addresses accessed by each account within a historically defined time period, including any account category;

[0092] Delete resource addresses that have been accessed less than the access threshold from the obtained resource addresses, and create a set of resource addresses corresponding to any of the account categories based on the remaining resource addresses.

[0093] In some embodiments, the processing unit 302 is further configured to cluster the plurality of accounts to obtain account categories:

[0094] Obtain access requests from the aforementioned multiple accounts within a historically defined time period;

[0095] An access behavior feature matrix for each account is created based on the obtained access requests; the access behavior feature matrix for any account includes the number of resource addresses accessed by the account within the set historical time period, the access duration of each resource address accessed by the account, the frequency of each resource address accessed by the account, and the time interval between the accesses of the resource addresses by the account.

[0096] The multiple accounts are clustered based on the similarity between the access behavior feature matrices of every two accounts to determine the account category to which each account belongs.

[0097] In some embodiments, the processing unit 302 is specifically used for:

[0098] The access request belonging to the first account is determined based on the account name included in the obtained access request;

[0099] Based on the access time and accessed resource address included in each access request belonging to the first account, determine the number of resource addresses accessed by the first account, the access duration of the first account accessing each resource address, the frequency of the first account accessing each resource address, and the time interval of the first account accessing resource addresses.

[0100] A feature matrix of the first account's access behavior is generated based on the number of resource addresses accessed by the first account, the access duration of the first account to each resource address, the frequency of the first account's access to each resource address, and the time interval between the first account's access to resource addresses.

[0101] In some embodiments, the processing unit 302 is specifically used for:

[0102] Calculate the distance between the access behavior feature matrices of every two accounts;

[0103] A relational grid is constructed using the calculated distances; each point in the relational grid represents an account, and the distance between any two points is the distance between the access behavior feature matrices of the two accounts corresponding to those two points.

[0104] The relationship grid is divided using a pre-defined clustering algorithm to determine the account category to which each account belongs.

[0105] Figure 4 A schematic diagram of the structure of an electronic device 400 provided in an embodiment of this application is shown. The electronic device 400 in this embodiment may further include a communication interface 403, such as a network port, through which the electronic device can transmit data. For example, the communication interface 403 can be used to implement the above-mentioned... Figure 3 The function of the communication unit 301 in the middle.

[0106] In this embodiment, the memory 402 stores instructions that can be executed by at least one controller 401. By executing the instructions stored in the memory 402, the at least one controller 401 can perform various steps in the above-described method. For example, the controller 401 can implement the above-described... Figure 3 The function of the processing unit 302 in the middle.

[0107] The controller 401 is the control center of the electronic device, capable of connecting various parts of the device via various interfaces and lines. It executes instructions stored in the memory 402 and retrieves data stored in the memory 402. Optionally, the controller 401 may include one or more processing units. The controller 401 may integrate an application controller and a modem controller. The application controller primarily handles the operating system and applications, while the modem controller primarily handles wireless communication. It is understood that the modem controller may not be integrated into the controller 401. In some embodiments, the controller 401 and the memory 402 may be implemented on the same chip; in other embodiments, they may be implemented on separate chips.

[0108] Controller 401 can be a general-purpose controller, such as a central processing unit (CPU), digital signal controller, application-specific integrated circuit, field-programmable gate array or other programmable logic device, discrete gate or transistor logic device, or discrete hardware component, capable of implementing or executing the methods, steps, and logic block diagrams disclosed in the embodiments of this application. The general-purpose controller can be a microcontroller or any conventional controller. The steps performed by the data statistics platform disclosed in the embodiments of this application can be directly executed by the hardware controller, or executed by a combination of hardware and software modules within the controller.

[0109] Memory 402, as a non-volatile computer-readable storage medium, can be used to store non-volatile software programs, non-volatile computer-executable programs, and modules. Memory 402 may include at least one type of storage medium, such as flash memory, hard disk, multimedia card, card-type memory, random access memory (RAM), static random access memory (SRAM), programmable read-only memory (PROM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), magnetic storage, magnetic disk, optical disk, etc. Memory 402 can be any other medium capable of carrying or storing desired program code in the form of instructions or data structures that can be accessed by a computer, but is not limited thereto. In the embodiments of this application, memory 402 can also be a circuit or any other device capable of implementing storage functions for storing program instructions and / or data.

[0110] By designing and programming the controller 401, for example, the code corresponding to the method described in the foregoing embodiment can be embedded into the chip, so that the chip can execute the steps of the foregoing method when running. How to design and program the controller 401 is a well-known technique to those skilled in the art, and will not be described in detail here.

[0111] Those skilled in the art will understand that embodiments of this application can be provided as methods, systems, or computer program products. Therefore, this application can take the form of a completely hardware embodiment, a completely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, this application can take the form of a computer program product embodied on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, etc.) containing computer-usable program code.

[0112] This application is described with reference to flowchart illustrations and / or block diagrams of methods, apparatus (systems), and computer program products according to this application. It should be understood that each block of the flowchart illustrations and / or block diagrams, and combinations of blocks in the flowchart illustrations and / or block diagrams, can be implemented by computer program instructions. These computer program instructions can be provided to a controller of a general-purpose computer, special-purpose computer, embedded processor, or other programmable data processing device to produce a machine, such that the instructions, which execute via the controller of the computer or other programmable data processing device, generate instructions for implementing the flowchart illustrations. Figure 1 One or more processes and / or boxes Figure 1 A device that provides the functions specified in one or more boxes.

[0113] These computer program instructions may also be stored in a computer-readable storage medium that can direct a computer or other programmable data processing device to function in a particular manner, such that the instructions stored in the computer-readable storage medium produce an article of manufacture including instruction means, which are implemented in a process Figure 1 One or more processes and / or boxes Figure 1 The function specified in one or more boxes.

[0114] These computer program instructions may also be loaded onto a computer or other programmable data processing equipment to cause a series of operational steps to be performed on the computer or other programmable equipment to produce a computer-implemented process, thereby providing instructions that execute on the computer or other programmable equipment for implementing the process. Figure 1 One or more processes and / or boxes Figure 1 The steps of the function specified in one or more boxes.

[0115] Although preferred embodiments of this application have been described, those skilled in the art, upon learning the basic inventive concept, can make other changes and modifications to these embodiments. Therefore, the appended claims are intended to be interpreted as including the preferred embodiments as well as all changes and modifications falling within the scope of this application.

[0116] Obviously, those skilled in the art can make various modifications and variations to this application without departing from the spirit and scope of this application. Therefore, if such modifications and variations fall within the scope of the claims of this application and their equivalents, this application also intends to include such modifications and variations.

Claims

1. A method for detecting unauthorized access, characterized in that, The method includes: Receive an access request from a first account for a target resource address on the server; the first account is any one of multiple accounts on the server. Obtain a pre-stored set of resource addresses corresponding to each account category, and determine the set of resource addresses corresponding to the account category to which the first account belongs; wherein the set of resource addresses corresponding to any account category is created based on the historical access records of any account category; and each account category is obtained by clustering the multiple accounts based on their historical access behavior. Whether the access request is an unauthorized access is determined based on whether the target resource address is included in the determined set of resource addresses; Clustering the multiple accounts yields the account categories, including: Obtain access requests from the aforementioned multiple accounts within a historically defined time period; An access behavior feature matrix for each account is created based on the obtained access requests; the access behavior feature matrix for any account includes the number of resource addresses accessed by the account within the set historical time period, the access duration of each resource address accessed by the account, the frequency of each resource address accessed by the account, and the time interval between the accesses of the resource addresses by the account. The multiple accounts are clustered based on the similarity between the access behavior feature matrices of every two accounts to determine the account category to which each account belongs.

2. The method according to claim 1, characterized in that, The resource address set corresponding to any of the account categories is created in the following manner: Obtain the resource addresses accessed by each account within a historically defined time period, including any account category; Delete resource addresses that have been accessed less than the access threshold from the obtained resource addresses, and create a set of resource addresses corresponding to any of the account categories based on the remaining resource addresses.

3. The method according to claim 1, characterized in that, The step of creating an access behavior feature matrix for each account based on the acquired access requests includes: The access request belonging to the first account is determined based on the account name included in the obtained access request; Based on the access time and accessed resource address included in each access request belonging to the first account, determine the number of resource addresses accessed by the first account, the access duration of the first account accessing each resource address, the frequency of the first account accessing each resource address, and the time interval of the first account accessing resource addresses. A feature matrix of the first account's access behavior is generated based on the number of resource addresses accessed by the first account, the access duration of the first account to each resource address, the frequency of the first account's access to each resource address, and the time interval between the first account's access to resource addresses.

4. The method according to claim 1, characterized in that, The step of clustering the multiple accounts based on the similarity between the access behavior feature matrices of every two accounts to determine the account category to which each account belongs includes: Calculate the distance between the access behavior feature matrices of every two accounts; A relational grid is constructed using the calculated distances; each point in the relational grid represents an account, and the distance between any two points is the distance between the access behavior feature matrices of the two accounts corresponding to those two points. The relationship grid is divided using a pre-defined clustering algorithm to determine the account category to which each account belongs.

5. A device for detecting unauthorized access, characterized in that, The device includes: A communication unit is used to receive an access request from a first account for a target resource address on the server; the first account is any one of a plurality of accounts on the server. The processing unit is configured to acquire a pre-stored set of resource addresses corresponding to each account category, and to determine the set of resource addresses corresponding to the account category to which the first account belongs; wherein the set of resource addresses corresponding to any account category is created based on the historical access records of the account category; and each account category is obtained by clustering the multiple accounts based on their historical access behavior. The processing unit is further configured to determine whether the access request is an unauthorized access based on whether the target resource address is included in the determined set of resource addresses; The processing unit is further configured to cluster the multiple accounts to obtain account categories: Obtain access requests from the aforementioned multiple accounts within a historically defined time period; An access behavior feature matrix for each account is created based on the obtained access requests; the access behavior feature matrix for any account includes the number of resource addresses accessed by the account within the set historical time period, the access duration of each resource address accessed by the account, the frequency of each resource address accessed by the account, and the time interval between the accesses of the resource addresses by the account. The multiple accounts are clustered based on the similarity between the access behavior feature matrices of every two accounts to determine the account category to which each account belongs.

6. The apparatus according to claim 5, characterized in that, The processing unit is further configured to create a set of resource addresses corresponding to any of the account categories as follows: Obtain the resource addresses accessed by each account within a historically defined time period, including any account category; Delete resource addresses that have been accessed less than the access threshold from the obtained resource addresses, and create a set of resource addresses corresponding to any of the account categories based on the remaining resource addresses.

7. The apparatus according to claim 5, characterized in that, The processing unit is specifically used for: The access request belonging to the first account is determined based on the account name included in the obtained access request; Based on the access time and accessed resource address included in each access request belonging to the first account, determine the number of resource addresses accessed by the first account, the access duration of the first account accessing each resource address, the frequency of the first account accessing each resource address, and the time interval of the first account accessing resource addresses. A feature matrix of the first account's access behavior is generated based on the number of resource addresses accessed by the first account, the access duration of the first account to each resource address, the frequency of the first account's access to each resource address, and the time interval between the first account's access to resource addresses.

8. The apparatus according to claim 5, characterized in that, The processing unit is specifically used for: Calculate the distance between the access behavior feature matrices of every two accounts; A relational grid is constructed using the calculated distances; each point in the relational grid represents an account, and the distance between any two points is the distance between the access behavior feature matrices of the two accounts corresponding to those two points. The relationship grid is divided using a pre-defined clustering algorithm to determine the account category to which each account belongs.

9. An electronic device, characterized in that, include: Memory and controller; Memory, used to store program instructions; A controller is configured to invoke program instructions stored in the memory and execute the method of any one of claims 1-4 according to the obtained program.

10. A computer storage medium storing computer-executable instructions, characterized in that, The computer-executable instructions are used to perform the method as described in any one of claims 1-4.