阅读说明：本技术 基于中间件流量分析技术的web业务行为逻辑检测方法 (Web service behavior logic detection method based on middleware flow analysis technology ) 是由 严彬元 魏力鹏 陈卿 袁捷 吕嵘晶 王皓然 龙玉江 刘俊荣 周泽元 班秋成 周琳 于 2021-06-08 设计创作，主要内容包括：本发明公开了一种基于中间件流量分析技术的web业务行为逻辑检测方法,该方法通过获取当前web应用生成的第一流量数据,将所述第一流量数据进行归一化处理,获得包含有用户身份信息的第一数据流；根据用户身份信息提取终端设备当前web应用的历史业务安全行为记录,建立用户访问web应用的正常行为模型；将含有用户身份信息的第一数据流输入所述的正常行为模型,确定当前用户访问web应用系统的行为与正常行为的行为偏离度,能够解决现有的根据安全配置规则对数据库访问记录进行分析,将数据库访问记录以报警/非报警分类的方法无法满足对违规业务行为的有效检测的问题。(The invention discloses a web service behavior logic detection method based on a middleware flow analysis technology, which comprises the steps of acquiring first flow data generated by current web application, carrying out normalization processing on the first flow data, and acquiring a first data flow containing user identity information; extracting historical service safety behavior records of the current web application of the terminal equipment according to the user identity information, and establishing a normal behavior model of the user accessing the web application; the first data stream containing the user identity information is input into the normal behavior model, the behavior deviation degree of the current behavior of the user accessing the web application system and the normal behavior is determined, and the problem that the existing method for analyzing the database access records according to the security configuration rule and classifying the database access records by alarm/non-alarm can not meet the requirement of effectively detecting the illegal business behaviors can be solved.)

1. A web service behavior logic detection method based on middleware flow analysis technology is characterized by comprising the following steps: the detection method comprises the following steps:

acquiring first flow data generated by a current web application, and carrying out normalization processing on the first flow data to obtain a first data flow containing user identity information;

extracting historical service safety behavior records of the current web application of the terminal equipment according to the user identity information, and establishing a normal behavior model of the user accessing the web application; and inputting the first data stream containing the user identity information into the normal behavior model, and determining the behavior deviation degree of the current behavior of the user accessing the web application system and the normal behavior.

2. The method for detecting web service behavior logic based on middleware traffic analysis technology according to claim 1, wherein the step of acquiring the first traffic data generated by the current web application specifically includes:

the method comprises the steps of collecting first traffic data accessed by a user at the current web application within a preset time period, wherein the collection of the first traffic data accessed by the user at the current web application is carried out in a proxy and/or instrumentation mode.

3. The method for detecting web service behavior logic based on the middleware traffic analysis technology as claimed in claim 2, wherein the step of normalizing the first traffic data specifically comprises:

storing the first flow data according to a vFlow format, wherein the vFlow format comprises header data and data part data; the first flow data stored according to the vFlow format includes user identity information.

4. The method for detecting web service behavior logic based on middleware traffic analysis technology according to any one of claims 1 to 3, wherein the step of extracting the historical service security behavior record of the current web application of the terminal device according to the user identity information specifically comprises:

extracting a unique identifier of the user identity information;

and calling a historical service safety behavior record corresponding to the user identity information from a historical service safety behavior record library of the current web application based on the identifier, wherein the historical service safety behavior record is behavior record data in a target starting and stopping time period.

5. The method for detecting the web service behavior logic based on the middleware traffic analysis technology as claimed in claim 4, wherein the step of establishing the normal behavior model of the user accessing the web application specifically comprises:

determining a behavior object and a corresponding behavior object type thereof;

selecting starting and stopping time of a self-learning stage of a preset behavior model;

training historical business safety behavior records within set starting and stopping time, counting business behavior information of a behavior object according to the behavior object and the type of the behavior object, and establishing a normal behavior model.

6. The middleware traffic analysis technology based web service behavior logic detection method according to claim 3, characterized in that the step of determining the behavior deviation degree of the behavior of the current user accessing the web application system from the normal behavior is preceded;

the detection method further comprises the following steps:

carrying out marking processing and identity replacement processing on the first streaming data to obtain second streaming data;

accessing the terminal equipment by using the second streaming data, and acquiring a second data stream formed in the accessing process;

a data stream match between the first data stream and the second data stream is determined.

7. The middleware traffic analysis technology-based web service behavior logic detection method according to claim 6, characterized in that the detection method further comprises; determining a business behavior health index, wherein the step of determining the business behavior health index specifically comprises:

and determining the business behavior health index through a weighting calculation formula according to the behavior deviation degree and the data flow matching degree.

8. The middleware traffic analysis technology-based web service behavior logic detection method according to claim 7, wherein the weighting calculation formula is:

C＝a*M+(1-a)*D；

in the above formula: a is a weight coefficient, the value range of a is [0, 1], C is a behavior health index, M is a matching degree, and D is a deviation degree.

9. The middleware traffic analysis technology-based web business behavior logic detection method according to claim 7 or 8, wherein after the step of determining the business behavior health index through a weighted calculation formula, the detection method further comprises: and sending alarm information to the terminal equipment when the health index is abnormal.

10. The middleware traffic analysis technology based web service behavior logic detection method according to claim 9, wherein after the step of sending alarm information to the terminal device, the detection method further comprises:

and the terminal equipment performs exception control based on the alarm information.

Technical Field

The embodiment of the invention belongs to the technical field of network information security, and particularly relates to a web service behavior logic detection method based on a middleware flow analysis technology.

Background

With the development of network technology, the progress of network information technology has a great influence on the development of people and society, and various aspects of people and society life, especially web application, are deeply changed. A web application is application software written in a Language supported by a browser, such as JavaScript (an interpreted scripting Language), HTML (hypertext Markup Language), CSS (Cascading Style Sheets), etc., which runs in a browser environment and is used to support web services.

The web application program using the web browser as the client can be conveniently deployed to various platforms, such as desktop platforms (Windows operating system) and the like and mobile platforms (Android (an operating system mainly used for mobile equipment) and the like. Because the web application is simple and convenient to use and rich in functions, the applications of e-mails, e-commerce, online dictionaries and the like are basically completed based on the web application, so that the web application becomes a very important part in daily life of people.

With the development of information technology, a database server is taken as a core, and an internet-oriented service system is increasingly widely applied, such as web applications of an online banking system, an electronic ticket booking system and the like. The key data of the business system are stored in the database server and are closely related to the whole business process, so that the information security of the database server is guaranteed. Once a violating access activity is discovered (e.g., unauthenticated access, unauthorized access), the violating activity needs to be blocked. In the prior art, some solutions analyze the database access records according to the security configuration rules, and classify the database access records by alarm/non-alarm. The scheme can detect the abnormity of partial business behaviors, but the complete set of safety configuration rules established by the manager are too complicated, and once the attack behaviors which are not contained in the rules occur, the attack behaviors are not reported; some attack behaviors cannot be found from database access behavior records once or several times, so that the existing method for analyzing the database access records according to the security configuration rule and classifying the database access records by alarm/non-alarm cannot meet the effective detection of illegal service behaviors.

Disclosure of Invention

The invention aims to provide a web service behavior logic detection method based on a middleware flow analysis technology, and aims to solve the problem that the existing method for analyzing database access records according to security configuration rules and classifying the database access records by alarm/non-alarm cannot meet the requirement of effectively detecting illegal service behaviors.

The purpose of the invention is realized by the following technical scheme:

a web service behavior logic detection method based on middleware flow analysis technology comprises the following steps:

acquiring first flow data generated by a current web application, and carrying out normalization processing on the first flow data to obtain a first data flow containing user identity information;

extracting historical service safety behavior records of the current web application of the terminal equipment according to the user identity information, and establishing a normal behavior model of the user accessing the web application; and inputting the first data stream containing the user identity information into the normal behavior model, and determining the behavior deviation degree of the current behavior of the user accessing the web application system and the normal behavior.

In a preferred embodiment provided by the present invention, the step of acquiring the first traffic data generated by the current web application specifically includes:

the method comprises the steps of collecting first traffic data accessed by a user at the current web application within a preset time period, wherein the collection of the first traffic data accessed by the user at the current web application is carried out in a proxy and/or instrumentation mode.

In a preferred embodiment of the present invention, the step of normalizing the first traffic data specifically includes:

storing the first flow data according to a vFlow format, wherein the vFlow format comprises header data and data part data; the first flow data stored according to the vFlow format includes user identity information.

In a preferred embodiment provided by the present invention, the step of extracting the historical service security behavior record of the current web application of the terminal device according to the user identity information specifically includes:

extracting a unique identifier of the user identity information;

and calling a historical service safety behavior record corresponding to the user identity information from a historical service safety behavior record library of the current web application based on the identifier, wherein the historical service safety behavior record is behavior record data in a target starting and stopping time period.

In a preferred embodiment provided by the present invention, the step of establishing a normal behavior model of a user accessing a web application specifically includes:

determining a behavior object and a corresponding behavior object type thereof;

selecting starting and stopping time of a self-learning stage of a preset behavior model;

training historical business safety behavior records within set starting and stopping time, counting business behavior information of a behavior object according to the behavior object and the type of the behavior object, and establishing a normal behavior model.

In a preferred embodiment of the present invention, the step of determining the behavior deviation degree of the behavior of the current user accessing the web application system from the normal behavior is preceded;

the detection method further comprises the following steps:

carrying out marking processing and identity replacement processing on the first streaming data to obtain second streaming data;

accessing the terminal equipment by using the second streaming data, and acquiring a second data stream formed in the accessing process;

a data stream match between the first data stream and the second data stream is determined.

In a preferred embodiment of the present invention, the detection method further comprises; determining a business behavior health index, wherein the step of determining the business behavior health index specifically comprises:

and determining the business behavior health index through a weighting calculation formula according to the behavior deviation degree and the data flow matching degree.

In a preferred embodiment of the present invention, the weighted calculation formula is:

C＝a*M+(1-a)*D；

in the above formula: a is a weight coefficient, the value range of a is [0, 1], C is a behavior health index, M is a matching degree, and D is a deviation degree.

In a preferred embodiment of the present invention, after the step of determining the business behavior health index through the weighted calculation formula, the detection method further includes:

and sending alarm information to the terminal equipment when the health index is abnormal.

In a preferred embodiment provided by the present invention, after the step of sending the warning information to the terminal device, the detection method further includes:

and the terminal equipment performs exception control based on the alarm information.

Compared with the prior art, the invention has the beneficial effects that:

in the invention, a first data stream containing user identity information is obtained by acquiring first traffic data generated by a current web application and carrying out normalization processing on the first traffic data; extracting historical service safety behavior records of the current web application of the terminal equipment according to the user identity information, and establishing a normal behavior model of the user accessing the web application; the first data stream containing the user identity information is input into the normal behavior model, the behavior deviation degree of the current behavior of the user accessing the web application system and the normal behavior is determined, and the problems that the existing method for analyzing the database access records according to the security configuration rule and classifying the database access records by alarm/non-alarm cannot meet the requirement of effectively detecting the illegal business behaviors can be solved

Additional advantages, objects, and features of the invention will be set forth in part in the description which follows and in part will become apparent to those having ordinary skill in the art upon examination of the following or may be learned from practice of the invention. The objectives and other advantages of the present invention will be realized and attained by the structure particularly pointed out in the written description and claims hereof as well as the appended drawings.

Drawings

In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention will be further described in detail with reference to the accompanying drawings, in which:

fig. 1 is a system architecture diagram illustrating a web service behavior logic detection method based on middleware traffic analysis technology according to an embodiment of the present invention;

fig. 2 is a flowchart illustrating an implementation of a web service behavior logic detection method based on a middleware traffic analysis technology according to an embodiment of the present invention;

fig. 3 is a sub-flowchart of a web service behavior logic detection method based on middleware traffic analysis technology according to a second embodiment of the present invention;

fig. 4 shows another sub-flowchart of the web service behavior logic detection method based on the middleware traffic analysis technology according to the third embodiment of the present invention;

fig. 5 is a block diagram of a web service behavior logic detection system based on a middleware traffic analysis technology according to a fourth embodiment of the present invention;

fig. 6 is a block diagram of a computer device according to an embodiment of the present invention.

Detailed Description

Hereinafter, preferred embodiments of the present invention will be described in detail with reference to the accompanying drawings. It should be understood that the preferred embodiments are illustrative of the invention only and are not limiting upon the scope of the invention.

It will be understood by those skilled in the art that, unless otherwise defined, all terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs. It will be further understood that terms, such as those defined in commonly used dictionaries, should be interpreted as having a meaning that is consistent with their meaning in the context of the prior art and will not be interpreted in an idealized or overly formal sense unless expressly so defined herein.

At present, with the development of information technology, a database server is taken as a core, and an internet-oriented service system is increasingly widely applied. Once a violating access activity is discovered (e.g., unauthenticated access, unauthorized access), the violating activity needs to be blocked.

In the prior art, some solutions analyze the database access records according to the security configuration rules, and classify the database access records by alarm/non-alarm. The scheme can detect the abnormity of partial business behaviors, but the complete set of safety configuration rules established by the manager are too complicated, and once the attack behaviors which are not contained in the rules occur, the attack behaviors are not reported; some attack behaviors cannot be found from database access behavior records once or several times, so that the existing method for analyzing the database access records according to the security configuration rule and classifying the database access records by alarm/non-alarm cannot meet the effective detection of illegal service behaviors.

In order to solve the above problem, an embodiment of the present invention provides a web service behavior logic detection method based on a middleware traffic analysis technology, where the detection method obtains first traffic data generated by a current web application, and performs normalization processing on the first traffic data to obtain a first data stream containing user identity information; extracting historical service safety behavior records of the current web application of the terminal equipment according to the user identity information, and establishing a normal behavior model of the user accessing the web application; the first data stream containing the user identity information is input into the normal behavior model, the behavior deviation degree of the current behavior of the user accessing the web application system and the normal behavior is determined, and the problem that the existing method for analyzing the database access records according to the security configuration rule and classifying the database access records by alarm/non-alarm can not meet the requirement of effectively detecting the illegal business behaviors can be solved.

It should be noted that, in the present disclosure, the embodiments and features of the embodiments may be combined with each other without conflict. The present disclosure will be described in detail below with reference to the accompanying drawings in conjunction with embodiments.

Referring to fig. 1, fig. 1 illustrates an exemplary system architecture 100 to which embodiments of the middleware traffic analysis technology-based web business behavior logic detection method of the present disclosure may be applied.

As shown in fig. 1, system architecture 100 may include terminal device 101, network 102, and server 103. Network 102 may be the medium used to provide a communication link between terminal device 101 and server 103. Network 102 may include various connection types, such as wired, wireless communication links, or fiber optic cables, to name a few.

The terminal device 101 interacts with the server 103 through the network 102 to effect the transfer of data. Various web applications may be installed on the terminal device 101.

The terminal apparatus 101 may be hardware or software. When the terminal device 101 is hardware, it may be various electronic devices having a communication function, including but not limited to a smart phone, a tablet computer, an e-book reader, an MP3 player, an MP4 player, a laptop portable computer, a desktop computer, and the like. When the terminal apparatus 101 is software, it can be installed in the electronic apparatuses listed above. It may be implemented as multiple pieces of software or software modules, or as a single piece of software or software module. And is not particularly limited herein.

The server 103 may be a server providing various services, such as a background server supporting web applications on the terminal device 101. The server 103 may receive an access request transmitted by the terminal apparatus 101. The server 103 may then process the access request data and build a normal behavior model.

It should be noted that the web service behavior logic detection method based on the middleware traffic analysis technology provided in the embodiment of the present disclosure is generally executed by the server 103, and accordingly, the web service behavior logic detection system based on the middleware traffic analysis technology is generally disposed in the server 103.

Optionally, the web service behavior logic detection method based on the middleware traffic analysis technology provided in the embodiment of the present disclosure may also be executed by the terminal device 101.

The server may be hardware or software. When the server is hardware, it may be implemented as a distributed server cluster formed by multiple servers, or may be implemented as a single server. When the server is software, it may be implemented as a plurality of software or software modules, or may be implemented as a single software or software module. And is not particularly limited herein.

It should be understood that the number of terminal devices 101, networks 102, and servers 103 in fig. 1 is merely illustrative. There may be any number of terminal devices 101, networks 102, and servers 103, as desired for implementation.

The following describes in detail a specific implementation of the web service behavior logic detection method based on the middleware traffic analysis technology according to the embodiment of the present invention with reference to a specific embodiment.

The first embodiment is as follows:

fig. 2 shows a flowchart of an implementation of a web service behavior logic detection method based on middleware traffic analysis technology according to an embodiment of the present invention, and although a logic sequence is shown in the flowchart, in some cases, the steps shown or described may be performed in a different sequence from that here.

The embodiment of the invention is realized as follows, and the web service behavior logic detection method based on the middleware flow analysis technology comprises the following steps of:

step S201: acquiring first flow data generated by a current web application, and carrying out normalization processing on the first flow data to obtain a first data flow containing user identity information;

specifically, in a specific implementation of step S201 provided in the embodiment of the present invention, the first traffic data accessed by the user at the current web application is collected within a preset time period, where the collection of the first traffic data accessed by the user at the current web application is performed in a proxy and/or instrumentation manner. In the step of normalizing the first traffic data, storing the first traffic data in a vFlow format, wherein the vFlow format includes header data and data portion data; the first flow data stored according to the vFlow format includes user identity information.

Step S202: extracting historical service safety behavior records of the current web application of the terminal equipment according to the user identity information, and establishing a normal behavior model of the user accessing the web application;

specifically, in the specific implementation of step S202 provided in the embodiment of the present invention, in order to extract the historical service security behavior record of the current web application of the terminal device according to the user identity information, first, the unique identifier of the user identity information is extracted; and then calling a historical service safety behavior record corresponding to the user identity information from a historical service safety behavior record library of the current web application based on the identifier, wherein the historical service safety behavior record is behavior record data in a target starting and stopping time period.

Further, in the preferred embodiment provided by the present invention, in the step of establishing the normal behavior model of the user accessing the web application, firstly, the behavior object and the corresponding behavior object type are determined; then selecting the starting and ending time of a self-learning stage of a preset behavior model according to the requirement; and training historical business safety behavior records within the set starting and stopping time, counting business behavior information of the behavior object according to the behavior object and the behavior object type, and establishing a normal behavior model.

Further, in the embodiment of the present invention, please continue to refer to fig. 2, the detecting method further includes:

step S203: and inputting the first data stream containing the user identity information into the normal behavior model, and determining the behavior deviation degree of the current behavior of the user accessing the web application system and the normal behavior.

With continued reference to fig. 2, in a preferred embodiment of the present invention, the step of determining the behavior deviation degree of the behavior of the current user accessing the web application system from the normal behavior is preceded;

the detection method further comprises the following steps:

step S204: carrying out marking processing and identity replacement processing on the first streaming data to obtain second streaming data;

step S205: accessing the terminal equipment by using the second streaming data, and acquiring a second data stream formed in the accessing process;

step S206: a data stream match between the first data stream and the second data stream is determined.

Further, with continuing reference to fig. 2, in a preferred embodiment of the present invention, the detecting method further includes;

step S207: determining a business behavior health index;

in a preferred embodiment provided by the present invention, the step of determining the business behavior health index specifically includes:

step S2071: and determining the business behavior health index through a weighting calculation formula according to the behavior deviation degree and the data flow matching degree.

Specifically, in a preferred embodiment provided by the present invention, the weighted calculation formula is:

C＝a*M+(1-a)*D；

in the above formula: a is a weight coefficient, the value range of a is [0, 1], C is a behavior health index, M is a matching degree, and D is a deviation degree.

Further, in a preferred embodiment of the present invention, after the step of determining the business behavior health index through the weighted calculation formula, the detection method further includes: step S208: and sending alarm information to the terminal equipment when the health index is abnormal.

In addition, in a preferred embodiment provided by the present invention, after the step of sending the warning information to the terminal device, the detection method further includes step S209, and in a specific implementation in step S209, the terminal device performs exception control based on the warning information.

Example two:

fig. 3 is a sub-flowchart of a web service behavior logic detection method based on middleware traffic analysis technology according to a second embodiment of the present invention;

in a preferred embodiment provided by the present invention, the step of acquiring the first traffic data generated by the current web application specifically includes:

step S2011: the method comprises the steps of collecting first traffic data accessed by a user at the current web application within a preset time period, wherein the collection of the first traffic data accessed by the user at the current web application is carried out in a proxy and/or instrumentation mode.

In a preferred embodiment of the present invention, the step of normalizing the first traffic data specifically includes:

step S2012: storing the first flow data according to a vFlow format; the first flow data stored according to the vFlow format includes user identity information.

Specifically, in the embodiment of the present invention, after the flow data is collected, the flow data is normalized into a uniform format, so that the subsequent storage and further analysis of the flow data are facilitated.

Further, in a preferred embodiment of the present invention, the flow data is stored according to a vFlow format, where the vFlow format includes header data and data portion data, where the header data includes a version, a flow record number, a system startup time to date, a system time, a flow sequence number, and the like; and the data part data may include a source IP address, a destination IP address, an IP address of a router, an input interface index, an output interface index, and the like.

Example three:

fig. 4 is a sub-flowchart of a web service behavior logic detection method based on middleware traffic analysis technology according to a third embodiment of the present invention;

in a preferred embodiment provided by the present invention, the step of extracting the historical service security behavior record of the current web application of the terminal device according to the user identity information specifically includes:

step S2021: extracting a unique identifier of the user identity information;

step S2022: and calling a historical service safety behavior record corresponding to the user identity information from a historical service safety behavior record library of the current web application based on the identifier, wherein the historical service safety behavior record is behavior record data in a target starting and stopping time period.

In a preferred embodiment provided by the present invention, the step of establishing a normal behavior model of a user accessing a web application specifically includes:

step S2023: determining a behavior object and a corresponding behavior object type thereof;

step S2024: selecting starting and stopping time of a self-learning stage of a preset behavior model;

step S2025: training historical business safety behavior records within set starting and stopping time, counting business behavior information of a behavior object according to the behavior object and the type of the behavior object, and establishing a normal behavior model.

In summary, in the web service behavior logic detection method provided in the embodiment of the present invention, a first data stream including user identity information is obtained by obtaining first traffic data generated by a current web application and performing normalization processing on the first traffic data; extracting historical service safety behavior records of the current web application of the terminal equipment according to the user identity information, and establishing a normal behavior model of the user accessing the web application; and inputting the first data stream containing the user identity information into the normal behavior model, and determining the behavior deviation degree of the current behavior of the user accessing the web application system and the normal behavior.

Therefore, the detection method provided by the embodiment of the invention can solve the problem that the existing method for analyzing the database access records according to the security configuration rule and classifying the database access records by alarm/non-alarm cannot meet the requirement of effectively detecting the illegal business behaviors.

Example four:

in addition, fig. 5 is a block diagram of a structure of a web service behavior logic detection system based on a middleware traffic analysis technology according to a fourth embodiment of the present invention;

as shown in fig. 5, in the preferred embodiment provided by the present invention, the embodiment of the present invention further provides a web service behavior logic detection system based on the middleware traffic analysis technology;

specifically, in this embodiment, the detection system 300 includes:

a data information obtaining unit 301, configured to obtain first traffic data generated by a current web application, and perform normalization processing on the first traffic data to obtain a first data stream including user identity information;

a behavior model establishing unit 302, configured to extract a historical service security behavior record of a current web application of a terminal device according to user identity information, and establish a normal behavior model of a user accessing the web application;

and the service behavior analysis unit 303 is configured to input the first data stream containing the user identity information into the normal behavior model, and determine a behavior deviation degree between a behavior of the current user accessing the web application system and the normal behavior.

Example five:

fig. 6 is a schematic structural diagram of a computer device according to a fifth embodiment of the present invention. The computer device 400 provided in the embodiment of the present invention may execute the processing flow provided in the web service behavior logic detection method embodiment based on the middleware traffic analysis technology, as shown in fig. 6, the computer device 400 includes a memory 401, a processor 402, and a computer program; wherein a computer program is stored in the memory 401 and configured to execute a web service behavior logic detection method based on middleware traffic analysis techniques by the processor 403.

In the embodiment of the present invention, the web service behavior logic detection method based on the middleware traffic analysis technology and configured to be executed by the processor 402 includes the following steps:

step S201: acquiring first flow data generated by a current web application, and carrying out normalization processing on the first flow data to obtain a first data flow containing user identity information;

step S202: extracting historical service safety behavior records of the current web application of the terminal equipment according to the user identity information, and establishing a normal behavior model of the user accessing the web application;

step S203: and inputting the first data stream containing the user identity information into the normal behavior model, and determining the behavior deviation degree of the current behavior of the user accessing the web application system and the normal behavior.

Furthermore, the computer device 400 may also have a communication interface 403 for receiving control instructions.

Fig. 6 shows a technical solution that can be used by the computer device of this embodiment to execute the above method embodiments, and the implementation principle and technical effect are similar and will not be described here again.

In addition, the present embodiment also provides a computer readable storage medium, which may be a non-transitory computer readable storage medium, on which a computer program is stored, where the computer program is executed by a processor to implement a web service behavior logic detection method based on a middleware traffic analysis technology.

The web service behavior logic detection method based on the middleware traffic analysis technology executed by the processor comprises the following steps:

step S201: acquiring first flow data generated by a current web application, and carrying out normalization processing on the first flow data to obtain a first data flow containing user identity information;

step S202: extracting historical service safety behavior records of the current web application of the terminal equipment according to the user identity information, and establishing a normal behavior model of the user accessing the web application;

step S203: and inputting the first data stream containing the user identity information into the normal behavior model, and determining the behavior deviation degree of the current behavior of the user accessing the web application system and the normal behavior.

In the embodiments provided in the present invention, it should be understood that the disclosed apparatus and method may be implemented in other ways. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the units is only one logical division, and other divisions may be realized in practice, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.

The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.

In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, or in a form of hardware plus a software functional unit.

In a typical configuration of an embodiment of the present invention, the terminal, the device serving the network, and the computing device include one or more processors (CPUs), input/output interfaces, network interfaces, and memories.

The memory may include forms of volatile memory in a computer readable medium, Random Access Memory (RAM) and/or non-volatile memory, such as Read Only Memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.

Computer-readable media, including both non-transitory and non-transitory, removable and non-removable media, may implement information storage by any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data.

Examples of computer storage media include, but are not limited to, phase change memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), Digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information that can be accessed by a computing device. As defined herein, computer readable media does not include non-transitory computer readable media (transient media), such as modulated data signals and carrier waves.

It is obvious to those skilled in the art that, for convenience and simplicity of description, the foregoing division of the functional modules is merely used as an example, and in practical applications, the above function distribution may be performed by different functional modules according to needs, that is, the internal structure of the device is divided into different functional modules to perform all or part of the above described functions. For the specific working process of the device described above, reference may be made to the corresponding process in the foregoing method embodiment, which is not described herein again.

The above embodiments are only used to illustrate the technical solution of the present invention, and not to limit the same; while the invention has been described in detail and with reference to the foregoing embodiments, it will be understood by those skilled in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some or all of the technical features may be equivalently replaced; and the modifications or the substitutions do not make the essence of the corresponding technical solutions depart from the scope of the technical solutions of the embodiments of the present invention.

Other embodiments of the disclosure will be apparent to those skilled in the art from consideration of the specification and practice of the disclosure disclosed herein. The embodiments of the disclosure are intended to cover any variations, uses, or adaptations of the disclosure following, in general, the principles of the disclosure and including such departures from the present disclosure as come within known or customary practice within the art to which the disclosure pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the disclosure being indicated by the following claims.

It will be understood that the present disclosure is not limited to the precise arrangements described above and shown in the drawings and that various modifications and changes may be made without departing from the scope thereof. The scope of the present disclosure is limited only by the appended claims.