CN101321171A - Method and apparatus for detecting distributed refusal service attack - Google Patents

Info

Publication number
CN101321171A
Authority
CN
China
Prior art keywords
network
distributed denial
data
service attack
service
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CNA2008101161965A
Other languages
Chinese (zh)
Inventor
安丙春
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Ruian Technology Co Ltd
Original Assignee
Beijing Ruian Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Ruian Technology Co Ltd filed Critical Beijing Ruian Technology Co Ltd
Priority to CNA2008101161965A priority Critical patent/CN101321171A/en
Publication of CN101321171A publication Critical patent/CN101321171A/en
Pending legal-status Critical Current

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention provides a method and device for detecting distributed denial of service attacks. The device is deployed at the entrance of an inter-provincial Internet backbone, where it captures packets on the backbone in bypass mode and parses them. The parsed data is compared with the characteristics of control protocol packets of known distributed denial of service attack networks to obtain the control protocol packets of existing distributed denial of service attack networks. The control protocol packets are analyzed to find the communication packets that control the distributed denial of service attack network, and information about that network is extracted from the communication packets. Active defense against the distributed denial of service attack is then performed according to the information obtained. The invention can effectively trace the real initiator of a DDOS attack, directly stop a DDOS attack that is being launched, uninstall the DDOS attack program installed on puppet computers, and completely remove the hidden danger posed by DDOS attacks.

Description

A method and apparatus for detecting distributed denial of service attacks
Technical field
The invention belongs to the field of computer security and specifically concerns a method and apparatus for detecting DDOS (distributed denial of service) attacks.
Background technology
Denial of service (DOS) attacks have a long history as a means of attack on the Internet. They mainly exploit defects in the TCP/IP protocol to exhaust the resources of the network that provides a service, so that normal service can no longer be provided, and they are a malicious attack that does great harm to networks. Some denial of service attacks consume bandwidth, some consume the CPU and memory of network equipment, and some cause the system to crash. Representative attack techniques include SYN flood, ICMP flood and UDP flood.
At first, attacks were generally launched against a target from a single computer; this is the DOS attack we commonly speak of (see Fig. 1). As technology has developed, attack techniques have moved from the DOS model to the DDOS model: multiple computers under unified control use distributed computing techniques to launch a denial of service attack against the target at the same time, which is called a distributed denial of service attack (see Fig. 2).
So far there is no good technique that can thoroughly detect and defend against denial of service attacks. The main detection approach at present is to place a DDOS detection device in front of the protected server in order to protect it (see Fig. 3). Detection and defense devices mainly use the following techniques:
1. Guarding against DOS attacks by rate limiting, that is, limiting the data traffic sent up to the device per unit time in order to protect the device.
Although this technique can effectively mitigate the impact of a DOS attack on network equipment, the upper threshold is set manually by maintenance staff based on experience, so it has many limitations:
(1) Once an attack occurs and traffic reaches the threshold, the network device drops normal data traffic along with the attack traffic.
(2) The device cannot tell whether it is facing a DDOS attack or a surge of normal access that, for some reason, has sharply increased network traffic. In either case, once traffic reaches the threshold, the excess traffic is treated as DDOS attack traffic and dropped.
(3) During an attack, the network device is protected only by dropping packets; the source of the attack cannot be found, that is, the attack cannot be traced.
(4) An attack can be discovered only after it has taken place; it cannot be prevented in advance.
2. Sampling device traffic by deploying NETSTREAM (network traffic sampling) equipment and analyzing the sampled data to trace DOS attacks and so guard against them. Although this method protects better, it still has shortcomings:
(1) Once a network device starts NETSTREAM sampling, device performance is significantly affected. In addition, a physical port of the device must be used to connect the server, which wastes network resources.
(2) An attack can be discovered, and measures taken, only after it has been launched.
(3) The timeliness and accuracy of the data analysis are not high.
(4) Although tracing is possible in theory, in practice the source addresses of attack packets are all forged, and in a DDOS attack the computers that send the attack packets are not the controller that actually initiated the attack, so real tracing is difficult to achieve by analyzing attack packets.
Summary of the invention
The invention provides a method and apparatus that can detect the real initiator of a DDOS attack and actively defend against DDOS attacks.
The technical scheme of the invention is summarized as follows:
1. A method for detecting distributed denial of service attacks, comprising the steps of:
1) detecting packets on the inter-provincial network backbone and parsing the packets;
2) comparing the parsed data with the features of control protocol packets of known distributed denial of service attack networks, to obtain the control protocol packets of existing distributed denial of service attack networks;
3) parsing the control protocol packets to find the communication packets that control the distributed denial of service attack network;
4) extracting information about the distributed denial of service attack network from the packets obtained in step 3).
In step 1), packets on the inter-provincial network backbone are detected in bypass mode and parsed according to the TCP/IP protocol layers, and the application-layer data is extracted.
The content parsed in step 3) includes: the location of the computer that sends the control command, the location of the computer that receives the control command, and the content of the control command, which is interpreted.
In step 3), encrypted packets are decrypted.
In step 4), an alarm is sent and a log is written according to the information obtained.
5) After a distributed denial of service attack is detected, active defense measures can be taken, including:
locating the physical position of the attacking computer from the location information of the computer that sends the control command;
locating the physical position of the controlled computers from the location information of the computer that receives the control command;
actively constructing control packets, based on the information obtained from the control packets, to control the distributed denial of service attack network.
Further, the control of the distributed denial of service attack network includes:
obtaining information on all controlled computers, to learn the scale of the target distributed denial of service attack network;
sending an instruction to stop the ongoing distributed denial of service attack;
removing the service end of the control program from all controlled computers.
2. A device for detecting distributed denial of service attacks, comprising a data access module, a protocol analysis module, a network communication protocol data analysis module and an active defense module, wherein:
the data access module taps the data on the inter-provincial trunk optical fiber into the device in bypass mode;
the protocol analysis module performs protocol analysis on the incoming data stream and finds the data of the distributed denial of service network communication protocol;
the network communication protocol data analysis module further analyzes the intercepted distributed denial of service attack network communication protocol data and obtains detailed information about the distributed denial of service network.
The device further comprises: an active defense module, which, based on the information obtained about the distributed denial of service network, actively sends forged control packets to the distributed denial of service network to achieve active defense; a security early-warning module, which gives advance warning of security threats that may arise; and a security log generation module, which writes the status of the other modules during operation, and the information obtained, to a log file.
The device is deployed in bypass mode at the interface of the inter-provincial network backbone; one or more devices are deployed depending on the backbone traffic.
Compared with the traditional network communication pattern, the invention has characteristics and advantages of its own:
1) A wider scope of protection against DDOS attacks. A traditional DDOS detection device is generally installed in front of the server being defended, and the object of detection is limited to that server (see Fig. 3). With the device of the invention, as long as the control-end computer of the DDOS network and the controlled puppet computers are located in different inter-provincial networks (a very common situation), the attack can be effectively detected and protected against wherever the final target of the DDOS attack is.
2) Effective protection can be provided before a DDOS attack is launched and before any loss has been caused. A traditional DDOS detection device takes measures only after detecting DDOS attack packets, so it can defend only after the attack has taken place. The device of the invention can discover a potential attack before the DDOS attack is launched, by analyzing the control protocol data in the DDOS network, and mount an effective defense.
3) Active defense capability. The device can directly stop a DDOS attack being launched by puppet machines and can further uninstall the DDOS attack program installed on the puppet machines, thoroughly removing the hidden danger of DDOS attack.
4) The real initiator of a DDOS attack can be effectively traced.
5) Because the device sits on the network in bypass mode, it does not affect network performance.
Description of drawings
Fig. 1 is a schematic diagram of a DOS attack;
Fig. 2 is a schematic diagram of a DDOS attack;
Fig. 3 is a topology diagram of a traditional DDOS detection device;
Fig. 4 is a topology diagram of the DDOS detection device of the invention;
Fig. 5 is a structural diagram of the detection device of the invention;
Fig. 6 is an operational flow diagram of the detection device of the invention.
Embodiment
The invention is described in further detail below with reference to the drawings and specific embodiments:
A traditional DDOS detection device examines the mass of packets used directly to carry out the DOS attack, and identifies and blocks the attack by analyzing those attack packets (see Fig. 3). The invention changes this traditional approach to DDOS detection: it does not examine attack packets but identifies and handles the control packets that control each puppet computer, achieving early detection of, and early defense against, DDOS attacks (see Fig. 4).
1. Device deployment position.
Previous DDOS detection devices are generally deployed in front of the protected server (see Fig. 3) and directly examine the data streams entering and leaving the protected server.
The device of the invention can be deployed at the entrance of an inter-provincial Internet backbone and performs bypass detection on all data streams passing through the backbone (see Fig. 4). The advantage is that the scope of protection is larger and a more comprehensive response to DDOS attacks is possible.
The device is deployed in bypass mode at the interface of the inter-provincial network backbone; one or more devices can be deployed depending on the backbone traffic. The outbound and inbound data streams can be handled on one device or fed to separate devices and handled separately, depending mainly on the volume of data traffic on the network.
As shown in Fig. 5, the device consists of the following modules:
(1) Data access module.
Taps the data on the inter-provincial trunk optical fiber into the device in bypass mode.
(2) Protocol analysis module.
Performs protocol analysis on the incoming data stream, parsing the data layer by layer in the order physical layer, data link layer, network layer, transport layer, application layer, and so finds the DDOS network communication protocol data within it.
(3) DDOS network communication protocol data analysis module.
Further analyzes the intercepted DDOS network communication protocol data to obtain detailed information about the DDOS network.
(4) Active defense module.
Based on the information obtained about the DDOS network, actively sends forged control packets to the DDOS network to achieve active defense.
(5) Security early-warning module.
Gives advance warning of security threats that may arise in the future.
(6) Security log generation module.
Writes the status of the other modules during operation, and the information obtained, to a log file.
2. Processing flow of the device (see Fig. 6)
(1) After the device receives bypass data from the inter-provincial backbone, it passes the data to the protocol analysis module. The protocol analysis module parses the network packets layer by layer: the bypassed packets are parsed according to the TCP/IP protocol layers and the application-layer data is extracted. Finally, the communication packets of the specific protocol used in the DDOS network are found among the many packets.
(2) The device hands the communication packets of the specific DDOS network protocol that it has found to the DDOS protocol data analysis module, which processes them further. This includes further parsing of the DDOS communication packets; the parsed content includes the location of the computer that sends the control command, the location of the computer that receives the control command, and the content of the control command, which is interpreted. If the data is encrypted, it is also decrypted. Finally, the relevant information is extracted from the packets.
(3) Based on the information obtained about the DDOS network, the security log generation module is invoked according to certain rules to write the log.
(4) Based on the information obtained about the DDOS network, the urgency of the situation is judged, and the alarm module is invoked according to the urgency to raise an alarm.
(5) It is determined whether enough information about this DDOS network has been obtained. If so, the active defense module is invoked to carry out active defense by forging control packets.
The specific active defense includes:
A. Actively constructing and sending a packet that halts the attack, stopping the ongoing DDOS attack.
B. Actively constructing and sending a packet that retrieves information on all controlled computers, to obtain all controlled puppet computers.
C. Actively constructing and sending a packet that deletes the DDOS attack program on the controlled puppet computers, thoroughly eliminating the attack threat of this network.
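The detection half of this flow, steps (1) to (4), as an added example that is not code from the patent: it parses captured frames layer by layer, matches the application payload against control-protocol signatures, and produces the log record and alarm decision. The signature table, command codes, function names and sample frames are all constructed for illustration, and the control channel is assumed to be unencrypted.

```python
import ipaddress
import struct
from typing import NamedTuple, Optional


class Signature(NamedTuple):
    name: str     # label written to the log
    proto: int    # IP protocol number: 6 = TCP, 17 = UDP
    dport: int    # destination port of the control channel
    magic: bytes  # bytes that open the application-layer payload


# Constructed signatures for a fictional control protocol (not from any real tool).
SIGNATURES = [Signature("EXAMPLE-CTRL-TCP", 6, 6000, b"XCTL1"),
              Signature("EXAMPLE-CTRL-UDP", 17, 6001, b"\x7fXCT")]
# Constructed command codes -> (meaning, urgency that drives the alarm decision).
COMMANDS = {0x01: ("status-query", "low"), 0x02: ("attack-start", "high"),
            0x03: ("attack-stop", "medium")}


def parse_frame(frame: bytes) -> Optional[dict]:
    """Step (1): walk Ethernet -> IPv4 -> TCP/UDP and return the application payload."""
    if len(frame) < 14:
        return None
    ethertype, off = struct.unpack("!H", frame[12:14])[0], 14
    if ethertype == 0x8100 and len(frame) >= 18:  # skip one 802.1Q VLAN tag
        ethertype, off = struct.unpack("!H", frame[16:18])[0], 18
    if ethertype != 0x0800:                       # IPv4 only in this example
        return None
    ip = frame[off:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        return None
    ihl = (ip[0] & 0x0F) * 4
    total_len, _ident, frag = struct.unpack("!HHH", ip[2:8])
    if ihl < 20 or total_len < ihl or total_len > len(ip):
        return None                               # malformed or truncated capture
    if frag & 0x1FFF:
        return None                               # later fragment: no transport header
    proto, seg = ip[9], ip[ihl:total_len]         # total_len also trims Ethernet padding
    if proto == 6 and len(seg) >= 20:
        hdr_len = (seg[12] >> 4) * 4              # TCP data offset
    elif proto == 17 and len(seg) >= 8:
        hdr_len = 8
    else:
        return None
    if (proto == 6 and hdr_len < 20) or hdr_len > len(seg):
        return None
    sport, dport = struct.unpack("!HH", seg[:4])
    return {"src": str(ipaddress.IPv4Address(ip[12:16])),
            "dst": str(ipaddress.IPv4Address(ip[16:20])),
            "proto": proto, "sport": sport, "dport": dport, "payload": seg[hdr_len:]}


def inspect_frame(frame: bytes) -> Optional[dict]:
    """Steps (2)-(4): match a signature, extract sender, receiver and command, rate urgency."""
    pkt = parse_frame(frame)
    if pkt is None:
        return None
    for sig in SIGNATURES:
        if (pkt["proto"], pkt["dport"]) != (sig.proto, sig.dport):
            continue
        if not pkt["payload"].startswith(sig.magic):
            continue
        body = pkt["payload"][len(sig.magic):]
        meaning, urgency = COMMANDS.get(body[0], ("unknown", "medium")) if body else ("empty", "low")
        # This record is what would be written to the log; "alarm" drives the alert.
        return {"signature": sig.name, "sender": pkt["src"], "receiver": pkt["dst"],
                "command": meaning, "urgency": urgency, "alarm": urgency == "high"}
    return None


def sample_frame(src: str, dst: str, dport: int, payload: bytes, proto: int = 6) -> bytes:
    """Constructed test input: minimal Ethernet/IPv4 frame carrying TCP or UDP."""
    if proto == 6:
        l4 = struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    else:
        l4 = struct.pack("!HHHH", 40000, dport, 8 + len(payload), 0)
    l4 += payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return b"\x02" * 12 + struct.pack("!H", 0x0800) + ip + l4


if __name__ == "__main__":
    frames = [sample_frame("192.0.2.10", "198.51.100.20", 6000, b"XCTL1\x02"),
              sample_frame("192.0.2.10", "198.51.100.20", 80, b"GET / HTTP/1.1\r\n")]
    for f in frames:
        print(inspect_frame(f))
```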

Claims (10)

1. A method for detecting distributed denial of service attacks, comprising the steps of:
1) detecting packets on the inter-provincial network backbone and parsing the packets;
2) comparing the parsed data with the features of control protocol packets of known distributed denial of service attack networks, to obtain the control protocol packets of existing distributed denial of service attack networks;
3) parsing the control protocol packets to find the communication packets that control the distributed denial of service attack network;
4) extracting information about the distributed denial of service attack network from the packets obtained in step 3).
2. The method of claim 1, characterized in that, in step 1), packets on the inter-provincial network backbone are detected in bypass mode and parsed according to the TCP/IP protocol layers, and the application-layer data is extracted.
3. The method of claim 1, characterized in that the content parsed in step 3) includes: the location of the computer that sends the control command, the location of the computer that receives the control command, and the content of the control command, which is interpreted.
4. The method of claim 1, characterized in that, in step 3), encrypted packets are decrypted.
5. The method of claim 1, characterized in that, in step 4), an alarm is sent and a log is written according to the information obtained.
6. The method of claim 1, characterized in that, after a distributed denial of service attack is detected, active defense measures are taken, comprising:
locating the physical position of the attacking computer from the location information of the computer that sends the control command;
locating the physical position of the controlled computers from the location information of the computer that receives the control command;
actively constructing control packets, based on the information obtained from the control packets, to control the distributed denial of service attack network.
7. The method of claim 6, characterized in that the control of the distributed denial of service attack network comprises:
obtaining information on all controlled computers, to learn the scale of the target distributed denial of service attack network;
sending an instruction to stop the ongoing distributed denial of service attack;
removing the service end of the control program from all controlled computers.
8. A device for detecting distributed denial of service attacks, characterized in that it comprises a data access module, a protocol analysis module and a network communication protocol data analysis module, wherein:
the data access module taps the data on the inter-provincial trunk optical fiber into the device in bypass mode;
the protocol analysis module performs protocol analysis on the incoming data stream and finds the data of the distributed denial of service network communication protocol;
the network communication protocol data analysis module further analyzes the intercepted distributed denial of service attack network communication protocol data and obtains detailed information about the distributed denial of service network.
9. The device of claim 8, characterized in that it further comprises: an active defense module, which, based on the information obtained about the distributed denial of service network, actively sends forged control packets to the distributed denial of service network to achieve active defense; a security early-warning module, which gives advance warning of security threats that may arise; and a security log generation module, which writes the status of the other modules during operation, and the information obtained, to a log file.
10. The device of claim 8, characterized in that it is deployed in bypass mode at the interface of the inter-provincial network backbone, and one or more devices are deployed depending on the backbone traffic.
CNA2008101161965A 2008-07-04 2008-07-04 Method and apparatus for detecting distributed refusal service attack Pending CN101321171A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNA2008101161965A CN101321171A (en) 2008-07-04 2008-07-04 Method and apparatus for detecting distributed refusal service attack

Publications (1)

Publication Number Publication Date
CN101321171A true CN101321171A (en) 2008-12-10

Family

ID=40180990

Country Status (1)

Country Link
CN (1) CN101321171A (en)

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C12 Rejection of a patent application after its publication
RJ01 Rejection of invention patent application after publication

Application publication date: 20081210