CN101631026A - Method and device for defending against denial-of-service attacks - Google Patents
- Publication number: CN101631026A
- Application number: CN200810116857A
- Authority: CN (China)
- Prior art keywords: flow, dos attack, source, information, service attacks
- Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
- Classification: Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention discloses a method for defending against denial-of-service attacks in TCP/IP networks. The method comprises: randomly sampling TCP, UDP and ICMP flows; counting them and calculating the rate of each flow; detecting flow-proportion characteristics and flow-distribution characteristics; verifying the credibility of the corresponding source hosts; self-learning black/white lists and DoS-attack feature tables from the detection results and the source-host identity authentication results; and using those black/white lists and DoS-attack feature tables to filter traffic, pass normal traffic and block denial-of-service attacks. With the invention, denial-of-service attacks can be detected and blocked, guaranteeing network availability, preventing network denial of service and providing network users with a secure network environment.
Description
Technical field
The present invention relates to the field of network and information security technology, and specifically to a method and device for defending against denial-of-service attacks in TCP/IP networks.
Background technology
At present, with the rapid development of the Internet and network applications, people can conduct e-commerce, share resources and play games over the network; the network is gradually becoming an indispensable part of work, life and study, and at the same time the demand for strong information security in the network keeps growing. The market demand for network security products is also growing. Currently, firewall, intrusion detection and anti-virus products remain the main products on the network and information security market.
The method and device for defending against denial-of-service attacks of the present invention mainly involve the following techniques: random sampling, source-host credibility verification, self-learning black/white lists, traffic statistics, threshold detection, flow-proportion feature detection, flow-distribution feature detection and DoS-attack feature detection.
Defence against denial-of-service attacks has developed along three general directions: first, traffic statistics and threshold detection; second, source-host credibility verification; third, distribution and feature detection. The advantage of these three directions is that the techniques are relatively mature, simple to implement and fairly effective at detecting and blocking denial-of-service attacks; their defect is that the techniques are not integrated effectively, so they cannot completely detect and block abnormal traffic and attacks, including distributed denial-of-service attacks. The present invention integrates the techniques of these three directions and adopts self-learning black/white lists and a DoS-attack feature table to filter network traffic, overcoming the shortcomings of the three approaches above, and can defend against denial-of-service and distributed denial-of-service attacks.
Summary of the invention
The object of the invention is to overcome the shortcomings of the prior art by providing a method and device for defending against denial-of-service attacks in TCP/IP networks, so that denial-of-service attacks can be detected and blocked effectively, guaranteeing the security of network applications and giving network users a safe network application environment.
The object of the invention is achieved through the following technical solution:
A method of defending against denial-of-service attacks comprises the following steps:
A. Pre-processing, comprising capturing and parsing network packets;
B. Filtering by the black/white lists and the DoS-attack feature table;
C. Threshold and flow-proportion feature detection;
D. Source-host authentication;
E. Flow-distribution feature detection.
Step A comprises:
A1. Capturing network packets;
A2. Parsing network packets.
The information obtained by parsing comprises: the SYN, ACK and FIN flag bits of TCP packets; UDP packets; the type and code fields of ICMP packets, including Echo, Reply and Unreach; and the corresponding source and destination IP addresses and source and destination ports.
Preferably, step B comprises:
Filtering according to the information in the black/white lists and the DoS-attack feature table: trusted source hosts in the white list are passed, and malicious source hosts in the black list and the DoS-attack feature table are blocked.
The information in the black/white lists comprises: the IP addresses of trusted and malicious source hosts, and DoS-attack features.
Preferably, step C comprises:
C1. Calculating the flow rate;
C2. Comparing the flow rate with the rate threshold;
C3. Calculating the flow-proportion features;
C4. Making the combined judgement of threshold detection and flow-proportion feature detection.
The threshold and flow-proportion feature detection information comprises: the threshold size of the flow rate; the flow and rate of TCP SYN, SYN-ACK, ACK and FIN-ACK packets; the flow and rate of UDP packets; and the flow and rate of ICMP Echo, Reply and Unreach packets.
Preferably, step D comprises:
Authenticating the identity of the source host of a flow according to the source-host authentication state machine; trusted source hosts are saved in the white list, and malicious source hosts are saved in the black list and the DoS-attack feature table.
The network traffic control information comprises: the IP address of the source host, and DoS-attack features.
Optionally, step E comprises:
Detecting the distribution characteristics of the attack: first counting the distribution of source and destination IP addresses and destination ports together with their packet counts, then calculating the ratio of the number of distinct values to the packet count.
The network traffic dynamic detection information comprises: the distribution information of source and destination IP addresses and destination ports, and the packet count of each flow.
A device for defending against denial-of-service attacks comprises:
an initialization unit, which initializes the buffers for threshold and flow-proportion feature detection, for flow-distribution feature detection, for the black/white lists and for the DoS-attack features;
a pre-processing unit, which captures network packets and performs protocol parsing;
a detection unit, which performs threshold and flow-proportion feature detection, authenticates the identity of source hosts, detects flow-distribution characteristics, and extracts DoS-attack features into the DoS-attack feature table;
a filter, which filters according to the black list, according to the white list and according to the DoS-attack features;
an alarm unit, which sends denial-of-service attack information to the display module of the control end.
In this device, the initialization unit first initializes the buffers that store flow information; the pre-processing unit then captures and parses network packets; the detection unit performs threshold and flow-proportion feature detection, source-host authentication and flow-distribution feature detection and extracts DoS-attack features; finally, the filter filters according to the black/white lists and the DoS-attack feature table, and the alarm unit notifies the user of the attack information.
As can be seen from the technical solution above, the present invention overcomes the shortcomings of the prior art by providing a device for defending against denial-of-service attacks in TCP/IP networks, so that denial-of-service attacks can be detected and blocked effectively, guaranteeing the security of network applications and giving network users a safe network application environment.
Description of drawings
Fig. 1 is a schematic diagram of the network deployment of the denial-of-service defence device in a TCP/IP network;
Fig. 2 is a schematic diagram of the device structure of the method of the invention;
Fig. 3 is the main flow chart of the method of the invention;
Fig. 4 is a schematic diagram of the source-host state transitions in the invention;
Fig. 5 is a schematic diagram of the black/white list filtering flow in the invention;
Fig. 6 is a schematic flow diagram of threshold and flow-proportion feature detection in the invention;
Fig. 7 is a schematic flow diagram of flow-distribution feature detection in the invention;
Fig. 8 is a schematic diagram of the source-host authentication flow in the invention.
Embodiment
The core of the method of the invention is to overcome the shortcomings of the prior art by providing a device for defending against denial-of-service attacks in TCP/IP networks, so that denial-of-service attacks can be detected and blocked effectively, guaranteeing the security of network applications and giving network users a safe network application environment.
The general workflow of defending against denial-of-service attacks is:
Initialization phase: initialize the buffers for threshold and flow-proportion feature detection, for flow-distribution feature detection, for the black/white lists and for the DoS-attack feature table;
Pre-processing phase: capture network packets and perform protocol parsing;
Detection phase: perform threshold and flow-proportion feature detection, authenticate the identity of source hosts, detect flow-distribution characteristics, and extract DoS-attack features into the DoS-attack feature table;
Filtering phase: filter according to the black list, and filter according to the white list and the DoS-attack feature table;
Alarm phase: send denial-of-service attack information to the display module of the control end.
The network deployment of the denial-of-service defence device in a TCP/IP network is shown in Fig. 1, in which:
the local area network (LAN) comprises the network users and network services inside the LAN;
the denial-of-service defence device captures and parses network packets, counts and inspects network traffic, and blocks denial-of-service attacks;
the Internet comprises routers, which forward and route network traffic.
The device structure of the method of the invention is described in detail with reference to Fig. 2:
the initialization unit initializes the buffers for threshold and flow-proportion feature detection, for flow-distribution feature detection, for the black/white lists and for the DoS-attack feature table;
the pre-processing unit captures network packets and performs protocol parsing;
the detection unit performs threshold and flow-proportion feature detection, authenticates the identity of source hosts, detects flow-distribution characteristics, and extracts DoS-attack features into the DoS-attack feature table;
the filter filters according to the black list, according to the white list and according to the DoS-attack feature table;
the alarm unit sends denial-of-service attack information to the display module of the control end.
To help those skilled in the art understand the invention better, it is described in further detail below with reference to the flow chart in Fig. 3. It comprises the following steps:
Step 301: initialize the buffers for flow information, in preparation for defending against denial-of-service attacks;
Step 302: capture network packets with the packet grabber and parse the header information, comprising the source and destination IP addresses, the source and destination ports, the ACK, SYN and FIN flag bits of TCP packets, UDP packets, and the type and code fields of ICMP packets, including Echo, Reply and Unreach;
Step 303: filter according to the black/white lists and the DoS-attack feature table: if the source IP address is in the white list, confirm the host as trusted and pass it; if the source IP address is in the black list, or the packet's features are in the DoS-attack feature table, confirm the host as malicious, block it and raise an alarm;
Step 304: calculate the time point for collecting traffic, in preparation for random sampling of the network traffic;
Step 305: if this is a sampling point, sample and count the size of the corresponding flow; otherwise pass;
Step 306: check the detection time; if the detection time has arrived, perform flow-proportion feature detection; otherwise pass;
Step 307: if a threshold or flow-proportion anomaly appears, perform threshold and flow-proportion feature detection;
Step 308: if a denial-of-service or scanning attack is indicated, perform source-host authentication; if the source host exists, treat it as a DDoS attack or scanning attack, otherwise treat it as a DoS attack;
Step 309: for a DDoS attack or scanning attack, perform flow-distribution feature detection; if it is verified as a DDoS attack or scanning attack, put the host into the black list, block it and raise an alarm; otherwise put it into the white list and pass it;
Step 310: for a DoS attack, obtain the constant attack features in the network packets and put them into the DoS-attack feature table.
The flow of Fig. 3 above is further described below with an application example.
For example, suppose the relevant information of a new packet captured by the packet grabber is:
Source IP address: 192.168.6.100; destination IP address: 218.25.41.110
Source port: 1691; destination port: 80
SYN flag bit: 1; all other flag bits 0
Suppose the source IP addresses in the white list are:
192.168.6.10 192.168.6.20 192.168.6.30
Suppose the source IP addresses in the black list are:
192.168.6.40 192.168.6.50 192.168.6.60
First, the above information is parsed from the packet. The black/white lists are then searched for the source host: 192.168.6.100 is neither in the black/white lists nor in the DoS-attack feature table. The sampling point is then calculated, and the check shows that this is a sampling time, so the flow is taken as sampled data and the packet is added to the packet-count statistic of the corresponding flow. The detection time is checked and found to have arrived, so flow-proportion feature detection is performed; the threshold and the proportion are abnormal, so threshold and flow-proportion feature detection is performed and the result is a denial-of-service or scanning attack. Flow-distribution feature detection is then performed, followed by source-host authentication: the source host exists but this is not a distributed denial-of-service attack, so it is judged whether it is a scanning attack, and the result is a horizontal scanning attack. Finally, the host is put into the black list, blocked, and an alarm is raised.
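The header parsing of step 302 (step A2 of the method), as an added Python example that is not part of the patent and not the applicant's code. It parses a raw IPv4 packet (no link-layer header) and extracts exactly the fields the page lists: source and destination IP addresses and ports, the TCP SYN/ACK/FIN (and RST) flag bits, UDP ports, and the ICMP type and code mapped to the page's Echo, Reply and Unreach categories. The `build_*` helpers construct sample packets for the demonstration; the packet they build by default is the one from the application example above (192.168.6.100:1691 to 218.25.41.110:80 with only SYN set). Checksums are left zero in the constructed packets, which does not affect parsing.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional

IPPROTO_ICMP, IPPROTO_TCP, IPPROTO_UDP = 1, 6, 17
# ICMP types named on the page: Echo (request, type 8), Reply (type 0) and Unreach (type 3)
ICMP_KINDS = {8: "Echo", 0: "Reply", 3: "Unreach"}
TCP_FIN, TCP_SYN, TCP_RST, TCP_ACK = 0x01, 0x02, 0x04, 0x10


@dataclass
class ParsedPacket:
    src_ip: str
    dst_ip: str
    proto: str                        # "TCP", "UDP", "ICMP" or "OTHER"
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    syn: bool = False
    ack: bool = False
    fin: bool = False
    rst: bool = False
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None
    icmp_kind: Optional[str] = None   # "Echo", "Reply", "Unreach" or "Other"


def parse_ipv4_packet(data: bytes) -> ParsedPacket:
    """Parse one IPv4 packet into the fields step 302 needs; raises on truncated input."""
    if len(data) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, _total_len, _ident, _frag, _ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", data[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4                    # header length in bytes, options included
    if ihl < 20 or len(data) < ihl:
        raise ValueError("bad IPv4 header length")
    payload = data[ihl:]
    pkt = ParsedPacket(str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst)), "OTHER")

    if proto == IPPROTO_TCP:
        if len(payload) < 20:
            raise ValueError("truncated TCP header")
        pkt.src_port, pkt.dst_port, _seq, _ackn, off_flags = struct.unpack("!HHIIH", payload[:14])
        flags = off_flags & 0x01FF                # low 9 bits of the offset/flags word
        pkt.proto = "TCP"
        pkt.fin, pkt.syn = bool(flags & TCP_FIN), bool(flags & TCP_SYN)
        pkt.rst, pkt.ack = bool(flags & TCP_RST), bool(flags & TCP_ACK)
    elif proto == IPPROTO_UDP:
        if len(payload) < 8:
            raise ValueError("truncated UDP header")
        pkt.src_port, pkt.dst_port, _ulen, _ucsum = struct.unpack("!HHHH", payload[:8])
        pkt.proto = "UDP"
    elif proto == IPPROTO_ICMP:
        if len(payload) < 4:
            raise ValueError("truncated ICMP header")
        pkt.icmp_type, pkt.icmp_code = struct.unpack("!BB", payload[:2])
        pkt.proto = "ICMP"
        pkt.icmp_kind = ICMP_KINDS.get(pkt.icmp_type, "Other")
    return pkt


# Helpers that build constructed sample packets for the demonstration (checksums left zero).
def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return header + payload


def build_tcp(src_port: int, dst_port: int, flags: int) -> bytes:
    # data offset 5 (20-byte header), window 65535, zero checksum and urgent pointer
    return struct.pack("!HHIIHHHH", src_port, dst_port, 0, 0, (5 << 12) | flags, 65535, 0, 0)


def build_udp(src_port: int, dst_port: int) -> bytes:
    return struct.pack("!HHHH", src_port, dst_port, 8, 0)


def build_icmp(icmp_type: int, icmp_code: int) -> bytes:
    return struct.pack("!BBHHH", icmp_type, icmp_code, 0, 0, 0)


def example_packet() -> bytes:
    """The packet from the page's application example: 192.168.6.100:1691 -> 218.25.41.110:80, SYN only."""
    return build_ipv4("192.168.6.100", "218.25.41.110", IPPROTO_TCP, build_tcp(1691, 80, TCP_SYN))


if __name__ == "__main__":
    print(parse_ipv4_packet(example_packet()))
    print(parse_ipv4_packet(build_ipv4("10.0.0.1", "10.0.0.2", IPPROTO_ICMP, build_icmp(3, 3))))
```

The parser honours the IHL field, so packets carrying IP options are still parsed correctly, and it refuses truncated headers rather than reading past the buffer; both are conditions a capture-driven filter sees in practice.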
The source-host state machine of the invention is described in detail with reference to Fig. 4:
A source host can be in the suspicious state, the trusted state or the malicious state. When network traffic is received, the source host of that traffic is in the suspicious state. If the source host exists and is not DDoS or scanning, it enters the trusted state: the source host is a trusted host and its IP address is put into the white list; on timeout, the state of the source host changes back to suspicious. If the source host does not exist, or exists and is DDoS or scanning, it enters the malicious state: the source host is a malicious host and its IP address is put into the black list; on timeout, the state of the source host changes back to suspicious.
The flow of Fig. 4 above is further described below with an application example.
A SYN packet is received from IP address 192.168.6.100, so its source host is in the suspicious state. Authentication shows that the source host exists and a horizontal scanning attack is present, so it enters the malicious state: the source host is considered a malicious host, its IP address is put into the black list, and the timeout window of its state is set.
The flow of Fig. 5 in the invention is described in detail:
Step 501: calculate the hash value of the source host IP address;
Step 502: search the black/white lists using this hash value as the index. If the source host is in the black list and has not timed out, mark it as a malicious host; if it has timed out, mark it as a suspicious host. If the source host is in the white list and has not timed out, mark it as a trusted host; if it has timed out, mark it as a suspicious host. If the source host is in neither the black list nor the white list, mark it as a suspicious host.
The flow of Fig. 5 above is further described below with an application example.
A SYN packet is received from IP address 192.168.6.100, so its source host is in the suspicious state. The calculated hash value of 192.168.6.100 is 41783; the lookup shows that it is in the black list and has not timed out, so it is marked as a malicious host.
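The hash-indexed black/white lists of Fig. 5 together with the timeout transitions of the Fig. 4 state machine, as an added Python example that is not part of the patent and not the applicant's code. The hash function (CRC32 modulo the table size), the table size of 65536 and the time-to-live are assumptions; the page fixes none of them, so the hash of 192.168.6.100 computed here will not be the 41783 of the application example. Each entry stores the IP address alongside the index so that two addresses hashing to the same bucket cannot be confused, which is the collision check a hash-indexed list needs.

```python
import time
import zlib
from dataclasses import dataclass
from typing import Dict, Optional

TABLE_SIZE = 65536  # assumed size of the indexed black/white list buffers
SUSPICIOUS, TRUSTED, MALICIOUS = "suspicious", "trusted", "malicious"


def ip_hash(ip: str, table_size: int = TABLE_SIZE) -> int:
    """Step 501: hash the source IP address to an index into the list buffer (CRC32 is assumed)."""
    return zlib.crc32(ip.encode("ascii")) % table_size


@dataclass
class ListEntry:
    ip: str             # kept so that a hash collision is never mistaken for a hit
    expires_at: float   # monotonic time at which the entry times out


class HostLists:
    """Black/white lists indexed by hash, with the timeouts of the Fig. 4 state machine."""

    def __init__(self, ttl_seconds: float, table_size: int = TABLE_SIZE) -> None:
        self.ttl = ttl_seconds
        self.table_size = table_size
        self.whitelist: Dict[int, ListEntry] = {}
        self.blacklist: Dict[int, ListEntry] = {}

    def _lookup(self, table: Dict[int, ListEntry], ip: str, now: float) -> Optional[ListEntry]:
        idx = ip_hash(ip, self.table_size)
        entry = table.get(idx)
        if entry is None or entry.ip != ip:
            return None                        # empty bucket or a different address (collision)
        if now >= entry.expires_at:            # timed out: the host reverts to suspicious
            del table[idx]
            return None
        return entry

    @staticmethod
    def _remove(table: Dict[int, ListEntry], idx: int, ip: str) -> None:
        entry = table.get(idx)
        if entry is not None and entry.ip == ip:
            del table[idx]

    def classify(self, ip: str, now: Optional[float] = None) -> str:
        """Step 502: black list hit -> malicious, white list hit -> trusted, otherwise suspicious."""
        now = time.monotonic() if now is None else now
        if self._lookup(self.blacklist, ip, now) is not None:
            return MALICIOUS
        if self._lookup(self.whitelist, ip, now) is not None:
            return TRUSTED
        return SUSPICIOUS

    def on_authentication(self, ip: str, host_exists: bool, ddos_or_scan: bool,
                          now: Optional[float] = None) -> str:
        """Fig. 4 transition out of the suspicious state, driven by the authentication result."""
        now = time.monotonic() if now is None else now
        idx = ip_hash(ip, self.table_size)
        entry = ListEntry(ip, now + self.ttl)
        if host_exists and not ddos_or_scan:
            self._remove(self.blacklist, idx, ip)   # a host lives in at most one list
            self.whitelist[idx] = entry
            return TRUSTED
        self._remove(self.whitelist, idx, ip)
        self.blacklist[idx] = entry
        return MALICIOUS


if __name__ == "__main__":
    lists = HostLists(ttl_seconds=60.0)
    print(lists.classify("192.168.6.100", now=0.0))                    # suspicious
    print(lists.on_authentication("192.168.6.100", True, True, now=0.0))  # malicious (scan seen)
    print(lists.classify("192.168.6.100", now=30.0))                   # malicious
    print(lists.classify("192.168.6.100", now=61.0))                   # suspicious again (timed out)
```

Passing `now` explicitly keeps the timeout logic testable without waiting; in the device the monotonic clock is used when `now` is omitted.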
The flow of Fig. 6 in the invention is described in detail:
Each time the detection time arrives, the 1000 flows in the buffer are inspected. The detection steps are as follows:
Step 601: calculate the pps (packets per second) of SYN and SYN-ACK packets and the ratio of SYN-ACK to SYN packets; then judge whether the pps of SYN packets is greater than the threshold and whether the ratio of SYN-ACK to SYN packets is much smaller than 1; if so, mark a SYN flood attack;
Step 602: if not, calculate the pps of RST packets and the ratio of RST to SYN packets; then judge whether the pps of RST packets is greater than the threshold and whether the ratio of RST to SYN packets is much larger than 0; if so, mark a vertical scan;
Step 603: if not, calculate the pps of FIN packets and the ratio of FIN to SYN-ACK packets; then judge whether the pps of FIN packets is greater than the threshold and whether the ratio of FIN to SYN-ACK packets is close to 1; if so, mark a half-open or connection attack;
Step 604: if not, calculate the pps of ICMP-Reply and ICMP-Echo packets and the ratio of ICMP-Reply to ICMP-Echo packets; then judge whether the pps of ICMP-Echo packets is greater than the threshold and whether the ratio of ICMP-Reply to ICMP-Echo packets is much smaller than 1; if so, mark an ICMP attack;
Step 605: if not, calculate the pps of ICMP-Unreach and UDP packets and the ratio of ICMP-Unreach to UDP packets; then judge whether the pps of ICMP-Unreach packets is greater than the threshold and whether the ratio of ICMP-Unreach to UDP packets is much smaller than 1; if so, mark a UDP attack; if not, mark normal traffic.
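The five-rule decision chain of steps 601 to 605 over the per-window counters, as an added Python example that is not part of the patent and not the applicant's code. The page states the tests qualitatively ("much smaller than 1", "much larger than 0", "close to 1") and does not give the rate threshold; the numeric values in `Thresholds` are therefore assumptions to be tuned per deployment. The rules are evaluated in the page's order, so the first one that fires decides the label, and zero denominators (for example no SYN seen in a window of pure RSTs) are handled rather than dividing by zero.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class WindowCounts:
    """Packet counts of one detection window (the Fig. 6 inputs)."""
    syn: int = 0
    syn_ack: int = 0
    rst: int = 0
    fin: int = 0
    icmp_echo: int = 0
    icmp_reply: int = 0
    icmp_unreach: int = 0
    udp: int = 0


@dataclass(frozen=True)
class Thresholds:
    """Assumed numeric meanings of the page's qualitative tests; the page fixes none of them."""
    pps: float = 1000.0                 # rate threshold applied to each packet type
    much_smaller_than_1: float = 0.1    # ratio r counts as "much smaller than 1" when r < this
    much_larger_than_0: float = 0.5     # ratio r counts as "much larger than 0" when r > this
    near_1: float = 0.2                 # ratio r counts as "close to 1" when |r - 1| < this


def ratio(numerator: int, denominator: int) -> float:
    """Packet ratio that tolerates an empty denominator (no SYNs, no Echoes, no UDP in the window)."""
    if denominator == 0:
        return float("inf") if numerator else 0.0
    return numerator / denominator


def classify_window(c: WindowCounts, window_seconds: float, t: Thresholds = Thresholds()) -> str:
    """Steps 601-605 in the page's order; the first matching rule wins, otherwise 'normal'."""
    def pps(count: int) -> float:
        return count / window_seconds

    # Step 601: SYN rate above threshold and very few SYN-ACKs per SYN -> SYN flood
    if pps(c.syn) > t.pps and ratio(c.syn_ack, c.syn) < t.much_smaller_than_1:
        return "SYN flood"
    # Step 602: RST rate above threshold and RST/SYN well above 0 -> vertical scan
    if pps(c.rst) > t.pps and ratio(c.rst, c.syn) > t.much_larger_than_0:
        return "vertical scan"
    # Step 603: FIN rate above threshold and FIN/SYN-ACK close to 1 -> half-open or connection attack
    if pps(c.fin) > t.pps and abs(ratio(c.fin, c.syn_ack) - 1.0) < t.near_1:
        return "half-open/connection attack"
    # Step 604: Echo rate above threshold and very few Replies per Echo -> ICMP attack
    if pps(c.icmp_echo) > t.pps and ratio(c.icmp_reply, c.icmp_echo) < t.much_smaller_than_1:
        return "ICMP attack"
    # Step 605: Unreach rate above threshold and Unreach/UDP much smaller than 1 -> UDP attack
    if pps(c.icmp_unreach) > t.pps and ratio(c.icmp_unreach, c.udp) < t.much_smaller_than_1:
        return "UDP attack"
    return "normal"


if __name__ == "__main__":
    # Constructed one-second windows
    print(classify_window(WindowCounts(syn=5000, syn_ack=100), 1.0))                 # SYN flood
    print(classify_window(WindowCounts(syn=2000, syn_ack=1900, rst=1500), 1.0))      # vertical scan
    print(classify_window(WindowCounts(syn=100, syn_ack=95, fin=90, udp=300), 1.0))  # normal
```

Note that the same counts spread over a longer window fall below the rate threshold: the detector is a rate test, so the window length is part of the tuning, not only the threshold.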
The flow of Fig. 7 in the invention is described in detail:
Step 701: calculate the hash value of the source IP address, so that the information of the source hosts can be managed in a buffer with fewer than 63356 entries;
Step 702: using the calculated hash value as the index, set the corresponding position in the source IP distribution feature table to 1;
Step 703: count the values in the distribution feature table and count the number of source IP packets;
Step 704: calculate the ratio of the source IP distribution feature count to the source IP packet count and judge whether this ratio is close to 1; if so, mark it as dispersed, otherwise mark it as concentrated;
Step 705: calculate the hash value of the destination IP address;
Step 706: set the corresponding position in the destination IP distribution feature table to 1;
Step 707: count the values in the distribution feature table and count the number of destination IP packets;
Step 708: calculate the ratio of the destination IP distribution feature count to the destination IP packet count; if it is close to 1, mark it as dispersed, otherwise mark it as concentrated;
Step 709: set the corresponding position in the destination port distribution feature table to 1;
Step 710: count the values in the distribution feature table and count the number of destination port packets;
Step 711: calculate the ratio of the destination port distribution feature count to the destination port packet count; if it is close to 1, mark it as dispersed, otherwise mark it as concentrated. Then judge whether it is a DoS attack; if so, mark a DoS attack; if not, judge whether it is a horizontal scan; if so, mark a horizontal scan; if not, judge whether it is a vertical scan; if so, mark a vertical scan.
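The three bit tables and dispersion ratios of steps 701 to 711, as an added Python example that is not part of the patent and not the applicant's code. It hashes each source IP, destination IP and destination port into a fixed-size bit table, counts the set bits against the packet count, and labels each dimension dispersed or concentrated. The page names the final verdicts (DoS, horizontal scan, vertical scan, and in step 309 DDoS) but not which combination of labels yields each; the mapping in `detect_distribution` is therefore an assumption, chosen from the usual meaning of the terms (many sources: distributed; one port across many hosts: horizontal; many ports on one host: vertical). The table size of 65536, the hash function and the "close to 1" cut-off are assumptions as well.

```python
import zlib
from typing import Dict, Iterable, Tuple

TABLE_SIZE = 65536  # assumed; the page only says the index stays below a fixed bound


class DistributionTable:
    """One bit per hashed value (steps 702/706/709) plus the packet count (steps 703/707/710)."""

    def __init__(self, size: int = TABLE_SIZE) -> None:
        self.size = size
        self.bits = bytearray(size)
        self.packets = 0

    def add(self, value) -> None:
        self.bits[zlib.crc32(str(value).encode()) % self.size] = 1
        self.packets += 1

    def distinct(self) -> int:
        return sum(self.bits)               # number of positions set to 1

    def ratio(self) -> float:
        return self.distinct() / self.packets if self.packets else 0.0

    def label(self, near_one: float) -> str:
        return "dispersed" if self.ratio() >= near_one else "concentrated"


def detect_distribution(packets: Iterable[Tuple[str, str, int]],
                        near_one: float = 0.8) -> Tuple[str, Dict[str, str]]:
    """Steps 701-711 over (src_ip, dst_ip, dst_port) tuples of one detection window."""
    src, dst, port = DistributionTable(), DistributionTable(), DistributionTable()
    for s, d, p in packets:
        src.add(s)
        dst.add(d)
        port.add(p)
    labels = {"src_ip": src.label(near_one),
              "dst_ip": dst.label(near_one),
              "dst_port": port.label(near_one)}
    # Step 711 combined judgement. This mapping is an assumption: the page names the
    # verdicts but not which label combination produces each of them.
    if labels["src_ip"] == "dispersed":
        verdict = "DDoS"                 # many sources: distributed attack
    elif labels["dst_ip"] == "dispersed" and labels["dst_port"] == "concentrated":
        verdict = "horizontal scan"      # one port probed across many hosts
    elif labels["dst_ip"] == "concentrated" and labels["dst_port"] == "dispersed":
        verdict = "vertical scan"        # many ports probed on one host
    else:
        verdict = "DoS"                  # one source, one target, one service
    return verdict, labels


def horizontal_scan_sample() -> list:
    """Constructed window: the page's example host probing port 80 on 50 addresses."""
    return [("192.168.6.100", f"218.25.41.{i}", 80) for i in range(1, 51)]


if __name__ == "__main__":
    print(detect_distribution(horizontal_scan_sample()))
    print(detect_distribution([("192.168.6.100", "218.25.41.110", 80)] * 100))
```

Because the tables are bit maps rather than exact sets, two values hashing to the same bucket are counted once; with 65536 buckets and windows of hundreds of packets the undercount is small and only pushes a ratio slightly further from 1, which is why the cut-off is kept below 1 rather than at it.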
The flow of Fig. 8 in the invention is described in detail:
Step 801: read the secret used to calculate the cookie;
Step 802: calculate the cookie value;
Step 803: send a SYN-ACK packet to the source host of the SYN packet and judge whether it times out; if so, mark the host as non-existent;
Step 804: receive the corresponding ACK packet;
Step 805: analyse the returned cookie value and judge whether it contains the cookie value carried in the SYN-ACK packet; if so, mark the host as existing, otherwise mark the host as non-existent.
The flow of Fig. 8 above is further described below with an application example.
Suppose the cookie secrets are 542332, 984332 and 135726 and the cookie value is 874351. The 6-second timeout is exceeded, so it is concluded that the host does not exist.
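The cookie-based source-host authentication of steps 801 to 805, as an added Python example that is not part of the patent and not the applicant's code. The page does not say how the cookie is derived from the secret; the HMAC-SHA256 of the connection 4-tuple and the client's initial sequence number, truncated to 32 bits, is an assumed construction that binds the cookie to the flow so a replayed ACK from another connection fails. The check in step 805 is implemented the way TCP itself acknowledges a SYN-ACK, as an ACK number equal to the cookie plus one; that too is an assumption. The three secrets and the 6-second timeout come from the application example above; keeping several secrets lets an ACK still verify after the secret has rotated.

```python
import hashlib
import hmac
from typing import Dict, List, Tuple

FourTuple = Tuple[str, int, str, int]   # (src_ip, src_port, dst_ip, dst_port)


def compute_cookie(secret: bytes, src_ip: str, src_port: int, dst_ip: str, dst_port: int,
                   client_isn: int) -> int:
    """Step 802: 32-bit cookie bound to the 4-tuple and the client ISN (assumed construction)."""
    msg = f"{src_ip}|{src_port}|{dst_ip}|{dst_port}|{client_isn}".encode()
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:4], "big")


class SourceHostAuthenticator:
    """Fig. 8 flow: cookie sent in the SYN-ACK, the ACK must echo it back within the timeout."""

    def __init__(self, secrets: List[int], timeout_seconds: float = 6.0) -> None:
        # secrets[0] is the current secret; older ones are kept for verification only
        self.secrets = [str(s).encode() for s in secrets]
        self.timeout = timeout_seconds
        self.pending: Dict[FourTuple, float] = {}   # 4-tuple -> time the SYN-ACK was sent

    def on_syn(self, src_ip: str, src_port: int, dst_ip: str, dst_port: int,
               client_isn: int, now: float) -> int:
        """Steps 801-803: read the current secret, compute the cookie, use it as the SYN-ACK seq."""
        cookie = compute_cookie(self.secrets[0], src_ip, src_port, dst_ip, dst_port, client_isn)
        self.pending[(src_ip, src_port, dst_ip, dst_port)] = now
        return cookie

    def on_ack(self, src_ip: str, src_port: int, dst_ip: str, dst_port: int,
               seq: int, ack: int, now: float) -> str:
        """Steps 804-805: verify the returned cookie; 'exists', 'not exists' or 'unknown'."""
        key = (src_ip, src_port, dst_ip, dst_port)
        sent_at = self.pending.pop(key, None)
        if sent_at is None:
            return "unknown"                          # no SYN-ACK outstanding for this flow
        if now - sent_at > self.timeout:
            return "not exists"                       # step 803 timeout
        client_isn = (seq - 1) & 0xFFFFFFFF           # the ACK's seq is the client ISN + 1
        for secret in self.secrets:                   # accept cookies under any known secret
            cookie = compute_cookie(secret, src_ip, src_port, dst_ip, dst_port, client_isn)
            if ack == (cookie + 1) & 0xFFFFFFFF:
                return "exists"
        return "not exists"

    def expire(self, now: float) -> List[FourTuple]:
        """Step 803: handshakes with no ACK inside the timeout are marked non-existent."""
        dead = [k for k, sent_at in self.pending.items() if now - sent_at > self.timeout]
        for k in dead:
            del self.pending[k]
        return dead


if __name__ == "__main__":
    auth = SourceHostAuthenticator([542332, 984332, 135726], timeout_seconds=6.0)
    flow = ("192.168.6.100", 1691, "218.25.41.110", 80)
    cookie = auth.on_syn(*flow, client_isn=1000, now=0.0)
    print(auth.on_ack(*flow, seq=1001, ack=(cookie + 1) & 0xFFFFFFFF, now=1.0))   # exists
    auth.on_syn(*flow, client_isn=2000, now=10.0)
    print(auth.expire(now=16.5))                                                   # [flow]
```

Because the cookie is recomputed from the ACK rather than stored, the device keeps only a timestamp per outstanding SYN-ACK; a flood of SYNs therefore costs it no per-connection secret state, which is the property that makes this check usable under the very attack it is meant to detect.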
Although the invention has been described by way of embodiments, those of ordinary skill in the art will recognise that the invention admits many variations and modifications without departing from its spirit; it is intended that the appended claims cover those variations and modifications that do not depart from the spirit of the invention.
Claims (7)
1. A method of defending against denial-of-service attacks, characterized in that it comprises the following steps:
A. pre-processing, comprising capturing and parsing network packets;
B. filtering by the black/white lists and the DoS-attack feature table;
C. threshold and flow-proportion feature detection;
D. source-host authentication;
E. flow-distribution feature detection.
2. The method of defending against denial-of-service attacks according to claim 1, characterized in that step A comprises:
A1. capturing network packets;
A2. parsing network packets;
wherein the information obtained by parsing comprises: the SYN, ACK and FIN flag bits of TCP packets; UDP packets; the type and code fields of ICMP packets, including Echo, Reply and Unreach; and the corresponding source and destination IP addresses and source and destination ports.
3. The method of defending against denial-of-service attacks according to claim 1, characterized in that step B comprises:
filtering according to the information in the black/white lists and the DoS-attack feature table, wherein trusted source hosts in the white list are passed, and malicious source hosts in the black list and the DoS-attack feature table are blocked;
wherein the information in the black/white lists and the DoS-attack feature table comprises: the IP addresses of trusted and malicious source hosts, and DoS-attack features.
4. The method of defending against denial-of-service attacks according to claim 1, characterized in that step C comprises:
C1. calculating the flow rate;
C2. comparing the flow rate with the rate threshold;
C3. calculating the flow-proportion features;
C4. making the combined judgement of threshold detection and flow-proportion feature detection;
wherein the threshold and flow-proportion feature detection information comprises: the threshold size of the flow rate; the flow and rate of TCP SYN, SYN-ACK, ACK and FIN-ACK packets; the flow and rate of UDP packets; and the flow and rate of ICMP Echo, Reply and Unreach packets.
5. The method of defending against denial-of-service attacks according to claim 1, characterized in that step D comprises:
authenticating the identity of the source host of a flow according to the source-host authentication state machine, saving trusted source hosts in the white list, and saving malicious source hosts in the black list and the DoS-attack feature table;
wherein the network traffic control information comprises: the IP address of the source host, and DoS-attack features.
6. The method of defending against denial-of-service attacks according to claim 1, characterized in that step E comprises:
detecting the distribution characteristics of the attack, by first counting the distribution of source and destination IP addresses and destination ports together with their packet counts, and then calculating the ratio of the number of distinct values to the packet count;
wherein the network traffic dynamic detection information comprises: the distribution information of source and destination IP addresses and destination ports, and the packet count of each flow.
7. A device for defending against denial-of-service attacks, characterized in that it comprises:
an initialization unit, which initializes the buffers for threshold and flow-proportion feature detection, for flow-distribution feature detection, for the black/white lists and for the DoS-attack feature table;
a pre-processing unit, which captures network packets and performs protocol parsing;
a detection unit, which performs threshold and flow-proportion feature detection, authenticates the identity of source hosts, detects flow-distribution characteristics, and extracts DoS-attack features into the DoS-attack feature table;
a filter, which filters according to the black list, according to the white list and according to the DoS-attack feature table;
an alarm unit, which sends denial-of-service attack information to the display module of the control end;
wherein the initialization unit initializes the buffers that store flow information in the device; the pre-processing unit then captures and parses network packets; the detection unit performs threshold and flow-proportion feature detection, source-host authentication and flow-distribution feature detection; and finally the filter filters according to the black/white lists and the DoS-attack feature table, and the alarm unit notifies the user of the attack information.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN200810116857A CN101631026A (en) | 2008-07-18 | 2008-07-18 | Method and device for defending against denial-of-service attacks |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN200810116857A CN101631026A (en) | 2008-07-18 | 2008-07-18 | Method and device for defending against denial-of-service attacks |
Publications (1)
Publication Number | Publication Date |
---|---|
CN101631026A true CN101631026A (en) | 2010-01-20 |
Family
ID=41575987
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN200810116857A Pending CN101631026A (en) | 2008-07-18 | 2008-07-18 | Method and device for defending against denial-of-service attacks |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN101631026A (en) |
Cited By (36)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101873329A (en) * | 2010-06-29 | 2010-10-27 | 迈普通信技术股份有限公司 | Portal compulsory authentication method and access equipment |
CN101902461A (en) * | 2010-04-07 | 2010-12-01 | 北京星网锐捷网络技术有限公司 | Method and device for filtering data stream contents |
CN102291441A (en) * | 2011-08-02 | 2011-12-21 | 杭州迪普科技有限公司 | Method and security agent device for protecting against attack of synchronize (SYN) Flood |
CN102761500A (en) * | 2011-04-26 | 2012-10-31 | 国基电子(上海)有限公司 | Gateway and method for phishing defense |
CN103095723A (en) * | 2013-02-04 | 2013-05-08 | 中国科学院信息工程研究所 | Network security monitoring method and system |
CN103139246A (en) * | 2011-11-25 | 2013-06-05 | 百度在线网络技术(北京)有限公司 | Load balancing device and load balancing and defending method |
CN103561048A (en) * | 2013-09-02 | 2014-02-05 | 北京东土科技股份有限公司 | Method for determining TCP port scanning and device thereof |
CN103618730A (en) * | 2013-12-04 | 2014-03-05 | 天津大学 | Website DDOS attack defense system and method based on integral strategy |
CN103701793A (en) * | 2013-12-20 | 2014-04-02 | 北京奇虎科技有限公司 | Method and device for identifying server broiler chicken |
CN103840971A (en) * | 2014-02-18 | 2014-06-04 | 汉柏科技有限公司 | Method and system for processing cloud cluster abnormities caused by private cloud viruses |
CN104361283A (en) * | 2014-12-05 | 2015-02-18 | 网宿科技股份有限公司 | Web attack protection method |
CN104468631A (en) * | 2014-12-31 | 2015-03-25 | 国家电网公司 | Network intrusion identification method based on anomaly flow and black-white list library of IP terminal |
CN104506559A (en) * | 2015-01-09 | 2015-04-08 | 重庆蓝岸通讯技术有限公司 | DDoS defense system and method based on Android system |
CN104660459A (en) * | 2015-01-15 | 2015-05-27 | 北京奥普维尔科技有限公司 | FPGA-based system and FPGA-based method for realizing online business scanning of 10 gigabit Ethernet |
CN105554016A (en) * | 2015-12-31 | 2016-05-04 | 山石网科通信技术有限公司 | Network attack processing method and device |
CN106131090A (en) * | 2016-08-31 | 2016-11-16 | 北京力鼎创软科技有限公司 | A kind of method and system of the customer access network under web authentication |
CN106453421A (en) * | 2016-12-08 | 2017-02-22 | 北京交通大学 | Smart identifier network service tampered DoS (denial of service) attack cooperative defense method integrating LTE (long term evolution) |
CN106453242A (en) * | 2016-08-29 | 2017-02-22 | 四川超腾达物联科技有限公司 | Network safety protection system |
CN106888196A (en) * | 2015-12-16 | 2017-06-23 | 国家电网公司 | A kind of coordinated defense system of unknown threat detection |
CN107465690A (en) * | 2017-09-12 | 2017-12-12 | 国网湖南省电力公司 | A kind of passive type abnormal real-time detection method and system based on flow analysis |
CN108933731A (en) * | 2017-05-22 | 2018-12-04 | 南京骏腾信息技术有限公司 | Intelligent gateway based on big data analysis |
CN110113336A (en) * | 2019-05-06 | 2019-08-09 | 四川英得赛克科技有限公司 | A kind of exception of network traffic analysis and recognition methods for substation network environment |
WO2019178966A1 (en) * | 2018-03-22 | 2019-09-26 | 平安科技(深圳)有限公司 | Network attack defense method and apparatus, and computer device and storage medium |
CN110352426A (en) * | 2017-02-28 | 2019-10-18 | 松下知识产权经营株式会社 | Control device, premises equipment and program |
CN110493230A (en) * | 2019-08-21 | 2019-11-22 | 北京云端智度科技有限公司 | One kind being based on network flow application layer ddos attack detection method |
CN110830494A (en) * | 2019-11-14 | 2020-02-21 | 深信服科技股份有限公司 | IOT attack defense method and device, electronic equipment and storage medium |
CN110858831A (en) * | 2018-08-22 | 2020-03-03 | 阿里巴巴集团控股有限公司 | Safety protection method and device and safety protection equipment |
CN111107069A (en) * | 2019-12-09 | 2020-05-05 | 烽火通信科技股份有限公司 | DoS attack protection method and device |
CN111241543A (en) * | 2020-01-07 | 2020-06-05 | 中国搜索信息科技股份有限公司 | Method and system for intelligently resisting DDoS attack by application layer |
WO2020143119A1 (en) * | 2019-01-08 | 2020-07-16 | 深圳大学 | Method, device and system for defending internet of things against ddos attack, and storage medium |
CN112152895A (en) * | 2020-09-02 | 2020-12-29 | 珠海格力电器股份有限公司 | Intelligent household equipment control method, device, equipment and computer readable medium |
CN112260885A (en) * | 2020-09-22 | 2021-01-22 | 武汉思普崚技术有限公司 | Industrial control protocol automatic test method, system, device and readable storage medium |
CN113179247A (en) * | 2021-03-23 | 2021-07-27 | 杭州安恒信息技术股份有限公司 | Denial-of-service attack protection method, electronic device and storage medium |
CN113259366A (en) * | 2021-05-27 | 2021-08-13 | 国网电力科学研究院有限公司 | Information and physics collaborative analysis and defense system for malicious attack |
CN113839912A (en) * | 2020-06-24 | 2021-12-24 | 极客信安(北京)科技有限公司 | Method, apparatus, medium, and device for performing abnormal host analysis by active and passive combination |
CN114006771A (en) * | 2021-12-30 | 2022-02-01 | 北京微步在线科技有限公司 | Flow detection method and device |
Application events
- 2008-07-18: CN CN200810116857A patent/CN101631026A/en, active, Pending
Cited By (49)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101902461A (en) * | 2010-04-07 | 2010-12-01 | 北京星网锐捷网络技术有限公司 | Method and device for filtering data stream contents |
CN101902461B (en) * | 2010-04-07 | 2013-01-30 | 北京星网锐捷网络技术有限公司 | Method and device for filtering data stream contents |
CN101873329A (en) * | 2010-06-29 | 2010-10-27 | 迈普通信技术股份有限公司 | Portal compulsory authentication method and access equipment |
CN102761500A (en) * | 2011-04-26 | 2012-10-31 | 国基电子(上海)有限公司 | Gateway and method for phishing defense |
CN102761500B (en) * | 2011-04-26 | 2015-07-29 | 国基电子(上海)有限公司 | The gateway of protection against phishing and method |
CN102291441A (en) * | 2011-08-02 | 2011-12-21 | 杭州迪普科技有限公司 | Method and security agent device for protecting against attack of synchronize (SYN) Flood |
CN102291441B (en) * | 2011-08-02 | 2015-01-28 | 杭州迪普科技有限公司 | Method and security agent device for protecting against attack of synchronize (SYN) Flood |
CN103139246A (en) * | 2011-11-25 | 2013-06-05 | 百度在线网络技术(北京)有限公司 | Load balancing device and load balancing and defending method |
CN103139246B (en) * | 2011-11-25 | 2016-06-15 | 百度在线网络技术(北京)有限公司 | Load balancing equipment and load balancing and defence method |
CN103095723A (en) * | 2013-02-04 | 2013-05-08 | 中国科学院信息工程研究所 | Network security monitoring method and system |
CN103561048A (en) * | 2013-09-02 | 2014-02-05 | 北京东土科技股份有限公司 | Method for determining TCP port scanning and device thereof |
CN103561048B (en) * | 2013-09-02 | 2016-08-31 | 北京东土科技股份有限公司 | A kind of method and device determining that tcp port scans |
CN103618730A (en) * | 2013-12-04 | 2014-03-05 | 天津大学 | Website DDOS attack defense system and method based on integral strategy |
CN103701793A (en) * | 2013-12-20 | 2014-04-02 | 北京奇虎科技有限公司 | Method and device for identifying server broiler chicken |
CN103840971A (en) * | 2014-02-18 | 2014-06-04 | 汉柏科技有限公司 | Method and system for processing cloud cluster abnormities caused by private cloud viruses |
CN104361283B (en) * | 2014-12-05 | 2018-05-18 | 网宿科技股份有限公司 | The method for protecting Web attacks |
CN104361283A (en) * | 2014-12-05 | 2015-02-18 | 网宿科技股份有限公司 | Web attack protection method |
CN104468631A (en) * | 2014-12-31 | 2015-03-25 | 国家电网公司 | Network intrusion identification method based on anomaly flow and black-white list library of IP terminal |
CN104506559A (en) * | 2015-01-09 | 2015-04-08 | 重庆蓝岸通讯技术有限公司 | DDoS defense system and method based on Android system |
CN104506559B (en) * | 2015-01-09 | 2018-01-23 | 重庆蓝岸通讯技术有限公司 | DDoS defense system and method based on Android system |
CN104660459A (en) * | 2015-01-15 | 2015-05-27 | 北京奥普维尔科技有限公司 | FPGA-based system and FPGA-based method for realizing online business scanning of 10 gigabit Ethernet |
CN106888196A (en) * | 2015-12-16 | 2017-06-23 | 国家电网公司 | A kind of coordinated defense system of unknown threat detection |
CN105554016A (en) * | 2015-12-31 | 2016-05-04 | 山石网科通信技术有限公司 | Network attack processing method and device |
CN106453242A (en) * | 2016-08-29 | 2017-02-22 | 四川超腾达物联科技有限公司 | Network safety protection system |
CN106131090A (en) * | 2016-08-31 | 2016-11-16 | 北京力鼎创软科技有限公司 | A kind of method and system of the customer access network under web authentication |
CN106453421A (en) * | 2016-12-08 | 2017-02-22 | 北京交通大学 | Smart identifier network service tampered DoS (denial of service) attack cooperative defense method integrating LTE (long term evolution) |
CN106453421B (en) * | 2016-12-08 | 2019-08-16 | 北京交通大学 | The wisdom mark network of fusion LTE distorts the composite defense method of DoS attack to service |
CN110352426A (en) * | 2017-02-28 | 2019-10-18 | 松下知识产权经营株式会社 | Control device, premises equipment and program |
CN108933731A (en) * | 2017-05-22 | 2018-12-04 | 南京骏腾信息技术有限公司 | Intelligent gateway based on big data analysis |
CN108933731B (en) * | 2017-05-22 | 2022-04-12 | 南京骏腾信息技术有限公司 | Intelligent gateway based on big data analysis |
CN107465690A (en) * | 2017-09-12 | 2017-12-12 | 国网湖南省电力公司 | A kind of passive type abnormal real-time detection method and system based on flow analysis |
WO2019178966A1 (en) * | 2018-03-22 | 2019-09-26 | 平安科技(深圳)有限公司 | Network attack defense method and apparatus, and computer device and storage medium |
CN110858831A (en) * | 2018-08-22 | 2020-03-03 | 阿里巴巴集团控股有限公司 | Safety protection method and device and safety protection equipment |
WO2020143119A1 (en) * | 2019-01-08 | 2020-07-16 | 深圳大学 | Method, device and system for defending internet of things against ddos attack, and storage medium |
CN110113336A (en) * | 2019-05-06 | 2019-08-09 | 四川英得赛克科技有限公司 | A kind of exception of network traffic analysis and recognition methods for substation network environment |
CN110493230A (en) * | 2019-08-21 | 2019-11-22 | 北京云端智度科技有限公司 | One kind being based on network flow application layer ddos attack detection method |
CN110830494A (en) * | 2019-11-14 | 2020-02-21 | 深信服科技股份有限公司 | IOT attack defense method and device, electronic equipment and storage medium |
CN111107069A (en) * | 2019-12-09 | 2020-05-05 | 烽火通信科技股份有限公司 | DoS attack protection method and device |
CN111241543A (en) * | 2020-01-07 | 2020-06-05 | 中国搜索信息科技股份有限公司 | Method and system for intelligently resisting DDoS attack by application layer |
CN113839912A (en) * | 2020-06-24 | 2021-12-24 | 极客信安(北京)科技有限公司 | Method, apparatus, medium, and device for performing abnormal host analysis by active and passive combination |
CN113839912B (en) * | 2020-06-24 | 2023-08-22 | 极客信安(北京)科技有限公司 | Method, device, medium and equipment for analyzing abnormal host by active and passive combination |
CN112152895A (en) * | 2020-09-02 | 2020-12-29 | 珠海格力电器股份有限公司 | Intelligent household equipment control method, device, equipment and computer readable medium |
CN112260885A (en) * | 2020-09-22 | 2021-01-22 | 武汉思普崚技术有限公司 | Industrial control protocol automatic test method, system, device and readable storage medium |
CN112260885B (en) * | 2020-09-22 | 2022-06-24 | 武汉思普崚技术有限公司 | Industrial control protocol automatic test method, system, device and readable storage medium |
CN113179247A (en) * | 2021-03-23 | 2021-07-27 | 杭州安恒信息技术股份有限公司 | Denial-of-service attack protection method, electronic device and storage medium |
CN113259366A (en) * | 2021-05-27 | 2021-08-13 | 国网电力科学研究院有限公司 | Information and physics collaborative analysis and defense system for malicious attack |
CN113259366B (en) * | 2021-05-27 | 2024-04-26 | 国网电力科学研究院有限公司 | Information and physical collaborative analysis and defense system for malicious attack |
CN114006771A (en) * | 2021-12-30 | 2022-02-01 | 北京微步在线科技有限公司 | Flow detection method and device |
CN114006771B (en) * | 2021-12-30 | 2022-03-29 | 北京微步在线科技有限公司 | Flow detection method and device |
Similar Documents
Publication | Title |
---|---|
CN101631026A (en) | Method and device for defending against denial-of-service attacks |
US7478429B2 (en) | Network overload detection and mitigation system and method |
CN103795709B (en) | Network security detection method and system |
Srivastava et al. | A recent survey on DDoS attacks and defense mechanisms |
CN101136922B (en) | Service stream recognizing method, device and distributed refusal service attack defending method, system |
US7284272B2 (en) | Secret hashing for TCP SYN/FIN correspondence |
US7930740B2 (en) | System and method for detection and mitigation of distributed denial of service attacks |
Hofstede et al. | SSH compromise detection using NetFlow/IPFIX |
US8634717B2 (en) | DDoS attack detection and defense apparatus and method using packet data |
Haris et al. | Detecting TCP SYN flood attack based on anomaly detection |
CN101888329B (en) | Address resolution protocol (ARP) message processing method, device and access equipment |
Trabelsi et al. | Malicious sniffing systems detection platform |
Sikora et al. | On detection and mitigation of slow rate denial of service attacks |
KR102501372B1 (en) | AI-based mysterious symptom intrusion detection and system |
JP2004140524A (en) | Method and apparatus for detecting dos attack, and program |
Haris et al. | TCP SYN flood detection based on payload analysis |
Etemad et al. | Real-time botnet command and control characterization at the host level |
Salim et al. | Preventing ARP spoofing attacks through gratuitous decision packet |
WO2005026872A2 (en) | Internal lan perimeter security appliance composed of a pci card and complementary software |
Stanciu | Technologies, methodologies and challenges in network intrusion detection and prevention systems. |
Hooper | An intelligent detection and response strategy to false positives and network attacks |
Zeng | Intrusion detection system of ipv6 based on protocol analysis |
KR100862321B1 (en) | Method and apparatus for detecting and blocking network attack without attack signature |
Park et al. | An effective defense mechanism against DoS/DDoS attacks in flow-based routers |
Yang et al. | Design of Win Pcap Based ARP Spoofing Defense System |
Legal Events
Code | Title |
---|---|
C06 | Publication |
PB01 | Publication |
C10 | Entry into substantive examination |
SE01 | Entry into force of request for substantive examination |
C12 | Rejection of a patent application after its publication |
RJ01 | Rejection of invention patent application after publication |

Application publication date: 20100120