CN105871834B - Method and apparatus for calculating a malice index - Google Patents

Method and apparatus for calculating a malice index

Info

Publication number: CN105871834B
Authority: CN (China)
Prior art keywords: attack, malice index, period, malice, index
Legal status: Active
Application number: CN201610187740.XA
Other languages: Chinese (zh)
Other versions: CN105871834A (en)
Inventor: 沈明星
Current Assignee: Hangzhou Langhe Technology Co Ltd
Original Assignee: Hangzhou Langhe Technology Co Ltd
Application filed by Hangzhou Langhe Technology Co Ltd
Priority to CN201610187740.XA
Publication of CN105871834A
Application granted
Publication of CN105871834B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Abstract

Embodiments of the present invention provide a method and apparatus for calculating a malice index: when an attack is detected, the Internet Protocol (IP) address corresponding to the attack is determined; the recorded malice index corresponding to the IP address is obtained according to the IP address; and, based on the recorded malice index, the malice index corresponding to the IP address is calculated and updated. The method calculates and updates the malice index iteratively, using only the recorded malice index and the current attack situation (for example, the attack situation in the current period or within a short time). A large volume of logs therefore does not need to be stored, which reduces the storage space occupied. In addition, by counting one or more attacks within a predetermined time as a single attack, the method prevents every malice index from approaching 1, and so improves the accuracy with which the malice indices of individual IPs are distinguished.

Description

Method and apparatus for calculating a malice index
Technical field
Embodiments of the present invention relate to the field of computer technology, and more specifically to a method and apparatus for calculating a malice index.
Background
This section is intended to provide background or context for the embodiments of the present invention set forth in the claims. The description here is not admitted to be prior art merely because it is included in this section.
Existing DDoS (Distributed Denial of Service) defense systems have blacklist IPs (IP: Internet Protocol), whitelist IPs and gray-list IPs. In a DDoS defense system, a blacklist IP may refer to a manually confirmed malicious IP, whose access can be discarded directly; a whitelist IP may refer to a manually confirmed benign IP, whose access can be allowed directly, for example the IP of a business partner; and a gray-list IP may refer to an IP that has attacked before.
Existing gray lists have only one level of IP and cannot accurately distinguish the malice index of each gray-list IP. Here the malice index may refer to the degree of malice of an IP in the gray list; the larger the value, the more times that IP has attacked before. For example, if the gray list is a list of the names of people who have done bad things, the prior art treats everyone who has done a bad thing in the same way.
To distinguish accurately the malice indices of the different IPs in the gray list, the prior art also proposes some methods of calculating a malice index, which are generally based on access logs or on the ratio of abnormal accesses to total accesses.
Summary of the invention
However, the access-log approach needs to store the data of every access, which occupies a large amount of storage space. And because an attack often concentrates a large number of attacks into a short time, the result of the abnormal accesses / total accesses calculation is a number that approaches 1, so the malice index of each IP cannot be accurately distinguished. For example, in anti-spam, each spam message sent is counted as one abnormal behavior and each normal message sent as one normal behavior, and the malice index of an IP is abnormal accesses / total accesses. Even if the time spent on normal access is far longer than the time spent on abnormal access, abnormal access tends to generate a large number of accesses in a short time, so the malice index of every IP that has had such abnormal access tends to 1 and the malice indices of the IPs cannot be accurately distinguished. This is a very troublesome process.
An improved method and apparatus for calculating a malice index are therefore much needed, to reduce the storage space occupied and to distinguish accurately the malice indices of different IPs.
In this context, embodiments of the present invention are intended to provide a method and apparatus for calculating a malice index.
In a first aspect of the embodiments of the present invention, a method for calculating a malice index is provided, comprising:
when the N-th attack is detected, determining the Internet Protocol (IP) address corresponding to the N-th attack, and calculating the first period to which the first time point, at which the N-th attack occurs, currently belongs;
calculating the second period to which the second time point, at which the (N-1)-th attack related to the IP address occurred, belongs, and obtaining the first malice index that resulted when the (N-1)-th attack had been executed, the second time point being before the first time point;
calculating, according to the first malice index, the first period and the second period, the second malice index that results when the N-th attack has been executed.
In one embodiment, in the method according to the above embodiment of the present invention, one or more attacks within a predetermined time are counted as one attack.
In some embodiments, in the method according to any of the above embodiments of the present invention, calculating the first period to which the first time point, at which the N-th attack occurs, currently belongs comprises:
the calculated first period satisfies the following rule:
m1 = (t1 - T0) / T + 1;
where m1 is the first period, t1 is the first time point, T0 is the time point at which attack detection starts, T is a preset value, and / denotes integer division;
calculating the second period to which the second time point, at which the (N-1)-th attack occurred, belongs comprises:
the calculated second period satisfies the following rule:
m2 = (t2 - T0) / T + 1;
where m2 is the second period and t2 is the second time point.
In some embodiments, in the method according to any of the above embodiments of the present invention, if the first period and the second period are different periods, calculating, according to the first malice index, the first period and the second period, the second malice index that results when the N-th attack has been executed comprises:
the calculated second malice index satisfies the following rule:
EI1 = EI2 * (1/2)^(m1 - m2) + 1
where EI1 is the second malice index, EI2 is the first malice index, m1 is the first period and m2 is the second period.
In some embodiments, in the method according to any of the above embodiments of the present invention, if the first period and the second period are the same period, the second malice index is equal to the first malice index plus 1.
In some embodiments, in the method according to any of the above embodiments of the present invention, after the second malice index that results when the N-th attack has been executed is calculated, the method further comprises:
replacing the first malice index recorded in the system with the second malice index, and replacing the second period recorded in the system with the first period.
In a second aspect of the embodiments of the present invention, an apparatus for calculating a malice index is provided, comprising:
a detection unit, configured to detect attacks;
a determination unit, configured to determine the Internet Protocol (IP) address corresponding to the N-th attack;
a calculation unit, configured to calculate, when the detection unit detects the N-th attack, the first period to which the first time point, at which the N-th attack occurs, currently belongs;
the calculation unit being further configured to calculate the second period to which the second time point, at which the (N-1)-th attack related to the IP address occurred, belongs, and to obtain the first malice index that resulted when the (N-1)-th attack had been executed, the second time point being before the first time point;
the calculation unit being further configured to calculate, according to the first malice index, the first period and the second period, the second malice index that results when the N-th attack has been executed.
In one embodiment, in the apparatus according to the above embodiment of the present invention, one or more attacks within a predetermined time are counted as one attack.
In some embodiments, in the apparatus according to any of the above embodiments of the present invention, when the calculation unit calculates the first period to which the first time point, at which the N-th attack occurs, currently belongs, specifically:
the first period calculated by the calculation unit satisfies the following rule:
m1 = (t1 - T0) / T + 1;
where m1 is the first period, t1 is the first time point, T0 is the time point at which attack detection starts, T is a preset value, and / denotes integer division;
when the calculation unit calculates the second period to which the second time point, at which the (N-1)-th attack occurred, belongs, specifically:
the second period calculated by the calculation unit satisfies the following rule:
m2 = (t2 - T0) / T + 1;
where m2 is the second period and t2 is the second time point.
In some embodiments, in the apparatus according to any of the above embodiments of the present invention, if the first period and the second period are different periods, when the calculation unit calculates, according to the first malice index, the first period and the second period, the second malice index that results when the N-th attack has been executed, specifically:
the second malice index calculated by the calculation unit satisfies the following rule:
EI1 = EI2 * (1/2)^(m1 - m2) + 1
where EI1 is the second malice index, EI2 is the first malice index, m1 is the first period and m2 is the second period.
In some embodiments, in the apparatus according to any of the above embodiments of the present invention, if the first period and the second period are the same period, the second malice index is equal to the first malice index plus 1.
In some embodiments, in the apparatus according to any of the above embodiments of the present invention, the apparatus further comprises a replacement unit, configured to replace the first malice index recorded in the system with the second malice index, and to replace the second period recorded in the system with the first period.
In a third aspect of the embodiments of the present invention, a method for calculating a malice index is provided, comprising:
when an attack is detected, determining the Internet Protocol (IP) address corresponding to the attack;
obtaining, according to the IP address, the recorded malice index corresponding to the IP address; and
calculating and updating, based on the recorded malice index, the malice index corresponding to the IP address.
In one embodiment, in the method according to the above embodiment of the present invention, calculating and updating the malice index corresponding to the IP address comprises:
decaying the recorded malice index over time and then adding a constant, to generate a new malice index;
taking the new malice index as the updated malice index.
In some embodiments, in the method according to any of the above embodiments of the present invention, the method further comprises:
calculating the current period m1 corresponding to the time at which the attack is detected;
obtaining the recording period m2 corresponding to the recorded malice index.
In some embodiments, in the method according to any of the above embodiments of the present invention, if the current period and the recording period are the same period, m1 = m2, calculating and updating the malice index corresponding to the IP address comprises:
increasing the recorded malice index by a constant a: EI1 = EI2 + a, where EI1 is the updated malice index corresponding to the IP address and EI2 is the recorded malice index;
if the current period and the recording period are different periods, m1 ≠ m2, calculating and updating the malice index corresponding to the IP address comprises:
decaying the recorded malice index over time and then adding the constant a: EI1 = EI2 * b^(m1 - m2) + a, where b is a positive number less than 1.
In some embodiments, in the method according to any of the above embodiments of the present invention, one or more attacks within a predetermined time are counted as one attack.
In some embodiments, in the method according to any of the above embodiments of the present invention, the method further comprises:
when the system is initialized, setting the malice index corresponding to the IP address to 0.
In a fourth aspect of the embodiments of the present invention, an apparatus for calculating a malice index is provided, comprising:
a detection unit, configured to detect attacks;
a determination unit, configured to determine, when the detection unit detects an attack, the Internet Protocol (IP) address corresponding to the attack;
an acquisition unit, configured to obtain, according to the IP address, the recorded malice index corresponding to the IP address; and
a calculation unit, configured to calculate and update, based on the recorded malice index, the malice index corresponding to the IP address.
In one embodiment, in the apparatus according to the above embodiment of the present invention, the calculation unit is specifically configured to:
decay the recorded malice index over time and then add a constant, to generate a new malice index;
take the new malice index as the updated malice index.
In some embodiments, in the apparatus according to any of the above embodiments of the present invention, the calculation unit is further configured to calculate the current period m1 corresponding to the time at which the attack is detected;
the acquisition unit is further configured to obtain the recording period m2 corresponding to the recorded malice index.
In some embodiments, in the apparatus according to any of the above embodiments of the present invention, if the current period and the recording period are the same period, m1 = m2, when the calculation unit calculates and updates the malice index corresponding to the IP address, specifically:
the recorded malice index is increased by a constant a: EI1 = EI2 + a, where EI1 is the updated malice index corresponding to the IP address and EI2 is the recorded malice index;
if the current period and the recording period are different periods, m1 ≠ m2, when the calculation unit calculates and updates the malice index corresponding to the IP address, specifically:
the recorded malice index is decayed over time and the constant a is then added: EI1 = EI2 * b^(m1 - m2) + a, where b is a positive number less than 1.
In some embodiments, in the apparatus according to any of the above embodiments of the present invention, one or more attacks within a predetermined time are counted as one attack.
In some embodiments, in the apparatus according to any of the above embodiments of the present invention, the apparatus further comprises a malice index setting unit, configured to set the malice index corresponding to the IP address to 0 when the system is initialized.
In a fifth aspect of the embodiments of the present invention, a method for updating a malice index is provided, comprising:
making the malice index decay over time; and
increasing the malice index when an attack is detected.
In one embodiment, in the method according to the above embodiment of the present invention, one or more attacks within a predetermined time are counted as one attack.
In a sixth aspect of the embodiments of the present invention, an apparatus for updating a malice index is provided, comprising:
a malice index decay unit, configured to make the malice index decay over time;
a detection unit, configured to detect attacks;
a malice index increasing unit, configured to increase the malice index when an attack is detected.
In one embodiment, in the apparatus according to the above embodiment of the present invention, one or more attacks within a predetermined time are counted as one attack.
The present invention proposes a method for calculating a malice index: when an attack is detected, the Internet Protocol (IP) address corresponding to the attack is determined; the recorded malice index corresponding to the IP address is obtained according to the IP address; and, based on the recorded malice index, the malice index corresponding to the IP address is calculated and updated. In this scheme the calculation of the malice index is no longer based on recorded attack records; instead, the malice index is calculated and updated iteratively, using only the recorded malice index and the current attack situation (for example, the attack situation in the current period or within a short time). A large volume of logs therefore does not need to be recorded, which reduces the storage space occupied. In addition, by counting one or more attacks within a predetermined time as one attack, the scheme prevents every malice index from approaching 1 and improves the accuracy with which the malice indices of individual IPs are distinguished.
Brief description of the drawings
The above and other objects, features and advantages of exemplary embodiments of the present invention will become easier to understand on reading the following detailed description with reference to the accompanying drawings. In the drawings, several embodiments of the present invention are shown by way of example and not limitation, in which:
Fig. 1 schematically shows a flowchart of a method for calculating a malice index according to an embodiment of the present invention;
Fig. 2 schematically shows another flowchart of a method for calculating a malice index according to an embodiment of the present invention;
Fig. 3 schematically shows a flowchart of a method for updating a malice index according to an embodiment of the present invention;
Fig. 4 schematically shows a schematic diagram of an apparatus for calculating a malice index according to an embodiment of the present invention;
Fig. 5 schematically shows another schematic diagram of an apparatus for calculating a malice index according to an embodiment of the present invention;
Fig. 6 schematically shows a schematic diagram of an apparatus for updating a malice index according to an embodiment of the present invention;
Fig. 7 schematically shows another schematic diagram of an apparatus for calculating or updating a malice index according to an embodiment of the present invention;
Fig. 8 schematically shows another schematic diagram of an apparatus for calculating or updating a malice index according to an embodiment of the present invention;
In the drawings, identical or corresponding reference numerals denote identical or corresponding parts.
Specific embodiments
The principle and spirit of the present invention are described below with reference to several illustrative embodiments. It should be understood that these embodiments are provided only so that those skilled in the art can better understand and then implement the present invention, and not to limit the scope of the present invention in any way. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art.
Those skilled in the art will understand that embodiments of the present invention may be implemented as a system, apparatus, device, method or computer program product. The present disclosure may therefore take the following forms: entirely hardware, entirely software (including firmware, resident software, microcode and so on), or a combination of hardware and software.
According to embodiments of the present invention, a method and apparatus for calculating a malice index are proposed.
Herein, any number of elements in the drawings is given by way of example and not limitation, and any naming is used only to distinguish elements and carries no limiting meaning.
The technical terms used in the present invention are briefly described below.
DDoS: may refer to an attack in which the attacker uses a large number of distributed puppet machines as the attack platform and sends a large number of requests to one or more targets at the same time, so that the attacked target is paralyzed and cannot provide normal service.
HTTP (HyperText Transfer Protocol) Flood: may refer to one of the many types of DDoS attack. It is an attack launched against Web services at the layer-7 protocol, and is characterized by a simple attack method, difficulty of defense and filtering, and a large impact on hosts.
The principle and spirit of the present invention are explained in detail below with reference to several representative embodiments of the invention.
Summary of the invention
The inventors found that the current way of calculating a malice index from abnormal accesses / total accesses not only occupies a large amount of storage space, but also yields malice indices that all tend to 1, so the malice index of each IP cannot be accurately distinguished. A new scheme for calculating a malice index is therefore proposed. In this scheme, when an attack is detected, the Internet Protocol (IP) address corresponding to the attack is determined; the recorded malice index corresponding to the IP address is obtained according to the IP address; and, based on the recorded malice index, the malice index corresponding to the IP address is calculated and updated. With this method the calculation of the malice index is no longer based on recorded attack records; the malice index is calculated and updated iteratively, using only the recorded malice index and the current attack situation (for example, the attack situation in the current period or within a short time). This avoids storing a large number of access records and improves the utilization of storage space. In addition, counting one or more attacks within a predetermined time as one attack prevents every malice index from approaching 1 and improves the accuracy with which the malice indices of individual IPs are distinguished.
Having introduced the basic principle of the present invention, various non-limiting embodiments of the invention are described in detail below.
Application scenario overview
With reference to the above description, for example, when an attack is detected, the IP address corresponding to the attack is determined to be a first IP address, and the recorded malice index corresponding to the first IP address is obtained as a first malice index; the first malice index is then calculated and updated based on the recorded first malice index. This avoids storing a large number of access records and improves the utilization of storage space. In one embodiment, counting one or more attacks within a predetermined time as one attack prevents every malice index from approaching 1 and improves the accuracy with which the malice indices of individual IPs are distinguished.
It should be noted that, in the embodiments of the present invention, the device on which the attack occurs may be a NetEase server, or may be another server or device; no specific limitation is imposed here.
Illustrative methods
With reference to the application scenario described above, the method for calculating a malice index according to illustrative embodiments of the present invention is described below with reference to Fig. 1 and Fig. 2. Further, the method for updating a malice index according to an exemplary embodiment of the present invention may also be described with reference to Fig. 3.
It should be noted that the above application scenario is shown only to facilitate understanding of the spirit and principle of the present invention, and the embodiments of the present invention are not restricted in this respect. Rather, the embodiments of the present invention can be applied to any applicable scenario.
Fig. 1 schematically shows a flowchart of a method 10 for calculating a malice index according to an embodiment of the present invention. As shown in Fig. 1, the method 10 may include steps 100, 110 and 120.
The method 10 starts at step 100: when an attack is detected, the Internet Protocol (IP) address corresponding to the attack is determined.
In the embodiments of the present invention, optionally, one or more attacks within a predetermined time are counted as one attack. For example, if 1 attack occurs within the predetermined time, it is recorded that one attack occurred within that predetermined time. As another example, if 10000 attacks occur within a certain predetermined time, as in a large-scale attack, it is still recorded that one attack occurred within that predetermined time. Counting one or more attacks within the predetermined time as one attack effectively prevents every malice index from approaching 1, and so improves the accuracy with which the malice indices of individual IPs are distinguished. Of course, practical applications are not limited to this approach; the number of attacks within the predetermined time may also be recorded as the number of attacks that actually occurred.
After step 100, step 110 may be performed: the recorded malice index corresponding to the IP address is obtained according to the IP address.
After step 110, step 120 may be performed: based on the recorded malice index, the malice index corresponding to the IP address is calculated and updated.
With this method the calculation of the malice index is no longer based on recorded attack records; the malice index is calculated and updated iteratively, using only the recorded malice index and the current attack situation (for example, the attack situation in the current period or within a short time). In one embodiment, the malice index is updated once each time an attack is added. Attack records then do not need to be kept in large numbers, which improves the utilization of storage space.
In the embodiments of the present invention, when the malice index corresponding to the IP address is calculated and updated, the following approach may optionally be used:
the recorded malice index is decayed over time and a constant is then added, generating a new malice index;
the new malice index is taken as the updated malice index.
In this way, the malice of an attack is greatest when the attack has just occurred, and gradually decreases as it decays over time.
In the embodiments of the present invention, the method further includes the following operations:
calculating the current period m1 corresponding to the time at which the attack is detected;
obtaining the recording period m2 corresponding to the recorded malice index.
For example, the attacks of a given IP that occur within 1 hour are counted as 1 attack, and 1 day is taken as one period, so that at most 24 attacks occur in one period.
If the current period and the recording period are the same period, m1 = m2, then when the malice index corresponding to the IP address is calculated and updated, the following approach may optionally be used:
the recorded malice index is increased by a constant a: EI1 = EI2 + a, where EI1 is the updated malice index corresponding to the IP address and EI2 is the recorded malice index;
if the current period and the recording period are different periods, m1 ≠ m2, then when the malice index corresponding to the IP address is calculated and updated, the following approach may optionally be used:
the recorded malice index is decayed over time and the constant a is then added: EI1 = EI2 * b^(m1 - m2) + a, where b is a positive number less than 1.
That is, if m1 = m2, EI1 is simply EI2 plus a; if m1 ≠ m2, EI1 is the decayed value of EI2 plus the constant a.
In the embodiments of the present invention, the method further includes the following operation:
when the system is initialized, the malice index corresponding to the IP address is set to 0.
The present invention proposes a method for calculating a malice index: when an attack is detected, the Internet Protocol (IP) address corresponding to the attack is determined; the recorded malice index corresponding to the IP address is obtained according to the IP address; and, based on the recorded malice index, the malice index corresponding to the IP address is calculated and updated. In this scheme, for a given IP, the malice index is no longer calculated from recorded attack records; the malice index corresponding to the IP address is updated using only the already recorded malice index and the current attack situation. A large volume of logs therefore does not need to be recorded, which reduces the storage space occupied. In addition, counting one or more attacks within a predetermined time as one attack prevents every malice index from approaching 1 and improves the accuracy with which the malice indices of individual IPs are distinguished.
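The update rule of method 10, combined with the period rule m = (t - T0)/T + 1 and the one-attack-per-window counting described earlier, is worked through below as an added example; it is not code from the patent. The class and function names, times in seconds, the sample IPs and request counts, the clamping of out-of-order events and the `value_at` read helper are assumptions; the 1-hour window, 1-day period, a = 1 and b = 1/2 are the values used as examples in the text.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Record:
    ei: float               # recorded malice index (EI2 in the text)
    period: int             # recording period m2 of that index
    window: Optional[int]   # last counting window already recorded as one attack


class MaliceIndexTable:
    """Keeps three numbers per IP; no access or attack log is stored."""

    def __init__(self, t0=0, period_len=86400, window_len=3600, a=1.0, b=0.5):
        if not 0 < b < 1:
            raise ValueError("b must be a positive number less than 1")
        self.t0, self.period_len, self.window_len = t0, period_len, window_len
        self.a, self.b = a, b
        self.records = {}

    def period_of(self, t):
        # m = (t - T0) / T + 1, where "/" is integer division
        return (t - self.t0) // self.period_len + 1

    def on_attack(self, ip, t):
        """Update and return the malice index of ip for an attack detected at time t."""
        m1 = self.period_of(t)
        window = (t - self.t0) // self.window_len
        rec = self.records.get(ip)
        if rec is None:
            # initialisation: the index starts at 0, so the first attack yields a
            rec = self.records[ip] = Record(ei=0.0, period=m1, window=None)
        if window == rec.window:
            return rec.ei  # further attacks in the same window count as the same attack
        # Assumption: an event that arrives out of order (m1 < m2) is not decayed.
        gap = max(0, m1 - rec.period)
        rec.ei = rec.ei * self.b ** gap + self.a   # gap == 0 gives EI1 = EI2 + a
        rec.period = max(m1, rec.period)
        rec.window = window
        return rec.ei

    def value_at(self, ip, t):
        """Recorded index decayed to the period of t (read helper, an assumption)."""
        rec = self.records.get(ip)
        if rec is None:
            return 0.0
        return rec.ei * self.b ** max(0, self.period_of(t) - rec.period)


def demo():
    """Constructed scenario: one old flood versus a flood on each of the last five days."""
    table = MaliceIndexTable()
    day, hour = 86400, 3600
    old_burst, repeat = "198.51.100.7", "203.0.113.9"  # constructed sample addresses

    def flood(ip, start, n=1000):
        # n attack events, one per second, all inside a single 1-hour window
        ei = 0.0
        for i in range(n):
            ei = table.on_attack(ip, start + i)
        return ei

    flood(old_burst, 0)                                  # day 1 only
    history = [flood(repeat, d * day + 2 * hour) for d in range(26, 31)]
    now = 30 * day + 3 * hour
    normal = 20  # constructed count of normal requests per IP for the ratio method
    return {
        "history": history,
        "old_burst_now": table.value_at(old_burst, now),
        "repeat_now": table.value_at(repeat, now),
        # prior-art ratio: abnormal accesses / total accesses, both close to 1
        "ratio_old": 1000 / (1000 + normal),
        "ratio_repeat": 5000 / (5000 + normal),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Both sample IPs score above 0.98 under the ratio method, while the iterative index separates the stale flood from the recurring one using only the stored index, period and window.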
The present invention also proposes another method for calculating a malice index. Fig. 2 schematically shows a flow diagram of a method 20 for calculating a malice index according to an embodiment of the present invention. As shown in Fig. 2, the method 20 may include steps 200, 210 and 220.
Method 20 starts at step 200: when the Nth attack is detected, determine the Internet Protocol (IP) address corresponding to the Nth attack, and calculate the first period to which the first time point, at which the Nth attack occurs, belongs.
In an embodiment of the present invention, optionally, one or more attacks within a predetermined time period are counted as one attack. For example, if 1 attack occurs between 7:00 and 8:00 on a given day, it is counted as one attack in that time; if 10000 attacks occur between 7:00 and 8:00, they are also counted as one attack in that time; one or more attacks occurring between 9:00 and 10:00 are likewise counted as one attack.
In an embodiment of the present invention, optionally, one or more attacks within a predetermined time are counted as one attack. For example, if 1 attack occurs within a given period, it is counted as one attack in that period. As another example, if 10000 attacks occur within a given period, they are still counted as one attack in that period.
Counting one or more attacks within a time interval or within a predetermined time as one attack effectively prevents every malice index from approaching 1, which improves the accuracy with which the malice indexes of different IPs can be distinguished.
Of course, practical applications are not limited to the above approach; the number of attacks within the period may also be counted as the number of attacks that actually occurred.
In an embodiment of the present invention, the first period to which the first time point, at which the Nth attack occurs, belongs may optionally be calculated as follows:
The calculated first period satisfies the following rule, given as formula one:
m1 = (t1 - T0) / T + 1 (formula one)
where m1 is the first period, t1 is the first time point, T0 is the time point at which attack detection started, T is a preset value, and / denotes integer division.
After step 200, step 210 may be performed: calculate the second period to which the second time point belongs, the second time point being the time at which the (N-1)th attack related to the IP address occurred, and obtain the first malice index that resulted when the (N-1)th attack was completed; the second time point is located before the first time point.
In an embodiment of the present invention, the second period to which the second time point, at which the (N-1)th attack occurs, belongs may optionally be calculated as follows:
The calculated second period satisfies the following rule, given as formula two:
m2 = (t2 - T0) / T + 1 (formula two)
where m2 is the second period and t2 is the second time point.
After step 210, step 220 may be performed: according to the first malice index, the first period and the second period, calculate the second malice index obtained when the Nth attack is completed.
In an embodiment of the present invention, if the first period and the second period are different periods, the second malice index obtained when the Nth attack is completed may optionally be calculated from the first malice index, the first period and the second period as follows:
The calculated second malice index satisfies the following rule, given as formula three:
EI1 = EI2 * (1/2)^(m1 - m2) + 1 (formula three)
where EI1 is the second malice index, EI2 is the first malice index, m1 is the first period and m2 is the second period.
In an embodiment of the present invention, optionally, if the first period and the second period are the same period, the second malice index is equal to the first malice index plus 1.
That is, if the first period and the second period are the same period, the second malice index is simply the first malice index plus 1; if the first period and the second period are different periods, the second malice index is the decayed value of the first malice index plus 1.
In an embodiment of the present invention, further, in order to calculate the malice index for attacks after the Nth attack, after the second malice index obtained when the Nth attack is completed has been calculated, the method also includes the following operation:
The first malice index recorded in the system is replaced with the second malice index, and the second period recorded in the system is replaced with the first period.
In this way, when the third malice index is calculated for an attack after the Nth attack: if the first period, to which the first time point at which the Nth attack occurs belongs, and the third period, to which the third time point at which the attack after the Nth attack occurs belongs, are the same period, the third malice index is simply the second malice index plus 1; if the first period and the third period are not the same period, the third malice index is calculated using formula four, where the third time point is located before the first time point:
EI3 = EI1 * (1/2)^(m3 - m1) + 1 (formula four)
where EI1 is the second malice index, EI3 is the third malice index, m1 is the first period and m3 is the third period.
For example: T = 3600 seconds, and the whole system starts at 2:10:10 on January 20, 2016, so T0 = 1453227010 is recorded. When the first attack from an IP = 1.1.1.1 is detected at 5:20:10 on January 20, 2016, i.e. t = 1453238410, the period to which the current time point belongs is calculated as m1 = (1453238410 - 1453227010) / 3600 + 1 = 4, i.e. the period is 4, and EI1 is calculated using EI1 = EI2 * (1/2)^(m1 - m2) + 1 (formula three); since EI2 is 0, the calculated EI1 = 1. When a second attack from IP = 1.1.1.1 is detected at 12:20:10 on January 20, 2016, i.e. t = 1453263610, the period to which the current time point belongs is calculated as m2 = (1453263610 - 1453227010) / 3600 + 1 = 11, i.e. the 11th period, and EI1 is again calculated using EI1 = EI2 * (1/2)^(m1 - m2) + 1 (formula three); at this point EI2 is 1, m1 = 11 and m2 = 4, so the calculated EI1 = 1 * (1/2)^7 + 1 ≈ 1. Further, the recorded EI1 and period can be updated to 1 and 11 respectively, for use in subsequent malice index calculations.
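The update rule of formulas one to three, run on the worked example above, as an added Python sketch that is not code from the patent. The class and parameter names, the optional `dedup_len` window and the handling of late-arriving events are assumptions made for this illustration; the constants a and b generalise formula three's increment 1 and factor 1/2, as in the a/b variant described earlier on the page.

```python
from dataclasses import dataclass


@dataclass
class Record:
    """The only state kept per IP address: no attack log is stored."""
    index: float = 0.0   # malice index EI, set to 0 at initialisation
    period: int = 0      # period m in which `index` was last updated
    last_slot: int = -1  # last counted de-duplication slot (assumption)


class MaliceIndex:
    """Hypothetical tracker implementing EI1 = EI2 * b^(m1 - m2) + a."""

    def __init__(self, t0, period_len, a=1.0, b=0.5, dedup_len=None):
        if period_len <= 0 or not 0 < b < 1:
            raise ValueError("need period_len > 0 and 0 < b < 1")
        if dedup_len is not None and dedup_len <= 0:
            raise ValueError("dedup_len must be positive")
        self.t0 = t0                  # T0: time at which detection started
        self.period_len = period_len  # T: preset period length in seconds
        self.a = a                    # constant added per counted attack
        self.b = b                    # decay factor per elapsed period
        self.dedup_len = dedup_len    # "predetermined time" counted as one attack
        self.records = {}             # IP address -> Record

    def period_of(self, t):
        """Formula one/two: m = (t - T0) / T + 1, with integer division."""
        if t < self.t0:
            raise ValueError("event predates T0")
        return (t - self.t0) // self.period_len + 1

    def observe(self, ip, t):
        """Update and return the malice index of `ip` for an attack at time t."""
        m1 = self.period_of(t)
        rec = self.records.setdefault(ip, Record())
        if self.dedup_len is not None:
            slot = (t - self.t0) // self.dedup_len
            if slot == rec.last_slot:
                return rec.index      # burst already counted in this slot
            rec.last_slot = slot
        if m1 <= rec.period:
            # Same period: EI1 = EI2 + a. A late-arriving event from an
            # earlier period is treated the same way (assumption), so the
            # exponent never goes negative and inflates the index.
            rec.index += self.a
        else:
            # Different period: decay the recorded index, then add a.
            rec.index = rec.index * self.b ** (m1 - rec.period) + self.a
            rec.period = m1
        return rec.index


def worked_example():
    """The page's example: T = 3600, T0 = 1453227010, IP 1.1.1.1."""
    tracker = MaliceIndex(t0=1453227010, period_len=3600)
    first = tracker.observe("1.1.1.1", 1453238410)
    second = tracker.observe("1.1.1.1", 1453263610)
    return first, second, tracker.records["1.1.1.1"].period


def hourly_dedup_example():
    """Constructed input: 1-hour de-duplication window, 1-day period."""
    tracker = MaliceIndex(t0=0, period_len=86400, dedup_len=3600)
    ip = "192.0.2.7"                  # documentation address, constructed
    for t in (10, 20, 3599):          # burst inside the first hour
        tracker.observe(ip, t)
    after_burst = tracker.records[ip].index
    next_hour = tracker.observe(ip, 3600)        # same day, new hour
    next_day = tracker.observe(ip, 86400 + 5)    # next period: decay, then add
    return after_burst, next_hour, next_day


if __name__ == "__main__":
    print(worked_example())
    print(hourly_dedup_example())
```

The second value returned by `worked_example()` is the exact figure that the page rounds to ≈ 1.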
The present invention proposes a method for calculating a malice index: when the Nth attack is detected, determine the Internet Protocol (IP) address corresponding to the Nth attack and calculate the first period to which the first time point, at which the Nth attack occurs, belongs; calculate the second period to which the second time point, at which the (N-1)th attack related to the IP address occurred, belongs, and obtain the first malice index that resulted when the (N-1)th attack was completed, the second time point being located before the first time point; and, according to the first malice index, the first period and the second period, calculate the second malice index obtained when the Nth attack is completed. In this scheme, for a given IP carrying out the Nth attack, the malice index is no longer calculated from stored attack records; the second malice index obtained when the Nth attack is completed is calculated only from the first period corresponding to the Nth attack of that IP, the second period corresponding to the (N-1)th attack, and the first malice index obtained when the (N-1)th attack was completed. A large volume of logs therefore does not need to be recorded, which reduces the occupancy of storage space. In addition, counting one or more attacks within a period as one attack prevents every malice index from approaching 1, which improves the accuracy with which the malice indexes of different IPs can be distinguished.
Fig. 3 schematically shows a flow diagram of a method 30 for updating a malice index according to an embodiment of the present invention. As shown in Fig. 3, the method 30 may include steps 300 and 310.
Method 30 starts at step 300: make the malice index decay over time;
After step 300, step 310 may be performed: when an attack is detected, increase the malice index.
In one embodiment, while no attack is detected, the malice index decays over time in real time, so that the malice of a given attack decays over time. When an attack is detected, the malice index is increased by a constant, after which it again decays over time in real time.
In an embodiment of the present invention, optionally, one or more attacks within a predetermined time are counted as one attack. For example, if 1 attack occurs within a given predetermined time, it is counted as one attack in that predetermined time. As another example, if 10000 attacks occur within a given predetermined time, they are still counted as one attack in that predetermined time. Counting one or more attacks within the predetermined time as one attack effectively prevents every malice index from approaching 1, which improves the accuracy with which the malice indexes of different IPs can be distinguished. Of course, practical applications are not limited to the above approach; the number of attacks within the predetermined time may also be counted as the number of attacks that actually occurred.
The present invention proposes a method for updating a malice index: the malice index is made to decay over time, and when an attack is detected the malice index is increased. With this method, updating the malice index is no longer based on stored attack records; instead, when an attack is detected, the update is made by increasing the decayed malice index. A large volume of logs therefore does not need to be recorded, which reduces the occupancy of storage space. In addition, counting one or more attacks within the predetermined time as one attack prevents every malice index from approaching 1, which improves the accuracy with which the malice indexes of different IPs can be distinguished.
Exemplary apparatus
Having described the methods of the exemplary embodiments of the present invention, the apparatus for calculating a malice index of the exemplary embodiments is described next with reference to Figs. 4 and 5, and the apparatus for updating a malice index is described with reference to Fig. 6.
Fig. 4 schematically shows a diagram of an apparatus 40 for calculating a malice index according to an embodiment of the present invention. As shown in Fig. 4, the apparatus 40 may include:
A detection unit 400, configured to detect attacks;
A determination unit 410, configured to determine the Internet Protocol (IP) address corresponding to an attack when the detection unit 400 detects the attack;
An acquiring unit 420, configured to obtain the recorded malice index corresponding to the IP address according to the IP address; and
A computing unit 430, configured to calculate and update the malice index corresponding to the IP address based on the recorded malice index.
With this method, the calculation of the malice index is no longer based on stored attack records; instead, the malice index is calculated and updated iteratively from only the recorded malice index and the current attack situation, such as the attacks in the current period or within a short time. In one embodiment, the malice index is updated once for each additional attack. Attack records therefore do not need to be kept in large numbers, which improves the utilisation of storage space.
In an embodiment of the present invention, optionally, one or more attacks within a predetermined time are counted as one attack. For example, if 1 attack occurs within the predetermined time, it is counted as one attack in that predetermined time. As another example, if 10000 attacks occur within a given predetermined time, such as a large-scale attack, they are still counted as one attack in that predetermined time. Counting one or more attacks within the predetermined time as one attack effectively prevents every malice index from approaching 1, which improves the accuracy with which the malice indexes of different IPs can be distinguished. Of course, practical applications are not limited to the above approach; the number of attacks within the predetermined time may also be counted as the number of attacks that actually occurred.
In an embodiment of the present invention, optionally, the computing unit 430 is specifically configured to:
Decay the recorded malice index over time and then add a constant, producing a new malice index;
Use the new malice index as the updated malice index.
In this way, the malice of a given attack is greatest when the attack has just occurred and gradually decreases as it decays over time.
In an embodiment of the present invention, further, the computing unit 430 is also configured to calculate the current period m1 corresponding to the time at which the attack is detected;
The acquiring unit 420 is also configured to obtain the recorded period m2 corresponding to the recorded malice index.
For example, the attacks of a given IP within 1 hour are counted as 1 attack and 1 day is used as one period, so at most 24 attacks occur in one period.
In an embodiment of the present invention, optionally, if the current period and the recorded period are the same period, i.e. m1 = m2, the computing unit 430 calculates and updates the malice index corresponding to the IP address specifically as follows:
The recorded malice index is increased by a constant a: EI1 = EI2 + a, where EI1 is the malice index corresponding to the IP address after the update and EI2 is the previously recorded malice index;
If the current period and the recorded period are different periods, i.e. m1 ≠ m2, the computing unit 430 calculates and updates the malice index corresponding to the IP address specifically as follows:
The recorded malice index is decayed over time and then increased by the constant a: EI1 = EI2 * b^(m1 - m2) + a, where b is a positive number less than 1.
That is, if m1 = m2, EI1 is simply EI2 plus a; if m1 ≠ m2, EI1 is the decayed value of EI2 plus the constant a.
In an embodiment of the present invention, further, the apparatus also includes a malice index setting unit 440, configured to set the malice index corresponding to the IP address to 0 when the system is initialised.
The present invention proposes an apparatus for calculating a malice index: a detection unit, configured to detect attacks; a determination unit, configured to determine the Internet Protocol (IP) address corresponding to an attack when the detection unit detects the attack; an acquiring unit, configured to obtain the recorded malice index corresponding to the IP address according to the IP address; and a computing unit, configured to calculate and update the malice index corresponding to the IP address based on the recorded malice index. In this scheme, the malice index of a given IP is no longer calculated from stored attack records; the malice index corresponding to the IP address is updated only from the already recorded malice index and the current attack situation. A large volume of logs therefore does not need to be recorded, which reduces the occupancy of storage space. In addition, counting one or more attacks within the predetermined time as one attack prevents every malice index from approaching 1, which improves the accuracy with which the malice indexes of different IPs can be distinguished.
The present invention also proposes another apparatus for calculating a malice index. Fig. 5 schematically shows a diagram of an apparatus 50 for calculating a malice index according to an embodiment of the present invention. As shown in Fig. 5, the apparatus 50 may include:
A detection unit 500, configured to detect attacks;
A determination unit 510, configured to determine the Internet Protocol (IP) address corresponding to the Nth attack;
A computing unit 520, configured to calculate, when the detection unit 500 detects the Nth attack, the first period to which the first time point, at which the Nth attack occurs, belongs;
The computing unit 520 is also configured to calculate the second period to which the second time point, at which the (N-1)th attack related to the IP address occurred, belongs, and to obtain the first malice index that resulted when the (N-1)th attack was completed, the second time point being located before the first time point;
The computing unit 520 is also configured to calculate, according to the first malice index, the first period and the second period, the second malice index obtained when the Nth attack is completed.
In an embodiment of the present invention, optionally, one or more attacks within a predetermined time period are counted as one attack. For example, if 1 attack occurs between 7:00 and 8:00 on a given day, it is counted as one attack in that time; if 10000 attacks occur between 7:00 and 8:00, they are also counted as one attack in that time; one or more attacks occurring between 9:00 and 10:00 are likewise counted as one attack.
In an embodiment of the present invention, optionally, one or more attacks within a predetermined time are counted as one attack. For example, if 1 attack occurs within a given period, it is counted as one attack in that period. As another example, if 10000 attacks occur within a given period, they are still counted as one attack in that period.
Counting one or more attacks within a time interval or within a predetermined time as one attack effectively prevents every malice index from approaching 1, which improves the accuracy with which the malice indexes of different IPs can be distinguished.
Of course, practical applications are not limited to the above approach; the number of attacks within the period may also be counted as the number of attacks that actually occurred.
In an embodiment of the present invention, optionally, the computing unit 520 calculates the first period to which the first time point, at which the Nth attack occurs, belongs specifically as follows:
The first period calculated by the computing unit 520 satisfies the following rule, given as formula one:
m1 = (t1 - T0) / T + 1 (formula one)
where m1 is the first period, t1 is the first time point, T0 is the time point at which attack detection started, T is a preset value, and / denotes integer division;
The computing unit 520 calculates the second period to which the second time point, at which the (N-1)th attack occurs, belongs specifically as follows:
The second period calculated by the computing unit 520 satisfies the following rule, given as formula two:
m2 = (t2 - T0) / T + 1 (formula two)
where m2 is the second period and t2 is the second time point.
In an embodiment of the present invention, optionally, if the first period and the second period are different periods, the computing unit 520 calculates the second malice index obtained when the Nth attack is completed, according to the first malice index, the first period and the second period, specifically as follows:
The second malice index calculated by the computing unit 520 satisfies the following rule, given as formula three:
EI1 = EI2 * (1/2)^(m1 - m2) + 1 (formula three)
where EI1 is the second malice index, EI2 is the first malice index, m1 is the first period and m2 is the second period.
In an embodiment of the present invention, optionally, if the first period and the second period are the same period, the second malice index is equal to the first malice index plus 1.
That is, if the first period and the second period are the same period, the second malice index is simply the first malice index plus 1; if the first period and the second period are different periods, the second malice index is the decayed value of the first malice index plus 1.
In an embodiment of the present invention, further, in order to calculate the malice index for attacks after the Nth attack, the apparatus also includes a replacement unit 530, configured to replace the first malice index recorded in the system with the second malice index and to replace the second period recorded in the system with the first period.
In this way, when the computing unit 520 calculates the third malice index for an attack after the Nth attack: if the first period, to which the first time point at which the Nth attack occurs belongs, and the third period, to which the third time point at which the attack after the Nth attack occurs belongs, are the same period, the third malice index is simply the second malice index plus 1; if the first period and the third period are different periods, the third malice index is calculated using formula four, where the third time point is located before the first time point:
EI3 = EI1 * (1/2)^(m3 - m1) + 1 (formula four)
where EI1 is the second malice index, EI3 is the third malice index, m1 is the first period and m3 is the third period.
For example: T = 3600 seconds, and the whole system starts at 2:10:10 on January 20, 2016, so T0 = 1453227010 is recorded. When the first attack from an IP = 1.1.1.1 is detected at 5:20:10 on January 20, 2016, i.e. t = 1453238410, the period to which the current time point belongs is calculated as m1 = (1453238410 - 1453227010) / 3600 + 1 = 4, i.e. the period is 4, and EI1 is calculated using EI1 = EI2 * (1/2)^(m1 - m2) + 1 (formula three); since EI2 is 0, the calculated EI1 = 1. When a second attack from IP = 1.1.1.1 is detected at 12:20:10 on January 20, 2016, i.e. t = 1453263610, the period to which the current time point belongs is calculated as m2 = (1453263610 - 1453227010) / 3600 + 1 = 11, i.e. the 11th period, and EI1 is again calculated using EI1 = EI2 * (1/2)^(m1 - m2) + 1 (formula three); at this point EI2 is 1, m1 = 11 and m2 = 4, so the calculated EI1 = 1 * (1/2)^7 + 1 ≈ 1. Further, the recorded EI1 and period can be updated to 1 and 11 respectively, for use in subsequent malice index calculations.
The present invention proposes an apparatus for calculating a malice index: a detection unit, configured to detect attacks; a determination unit, configured to determine the Internet Protocol (IP) address corresponding to the Nth attack; and a computing unit, configured to calculate, when the detection unit detects the Nth attack, the first period to which the first time point, at which the Nth attack occurs, belongs. The computing unit is also configured to calculate the second period to which the second time point, at which the (N-1)th attack related to the IP address occurred, belongs, and to obtain the first malice index that resulted when the (N-1)th attack was completed, the second time point being located before the first time point. The computing unit is also configured to calculate, according to the first malice index, the first period and the second period, the second malice index obtained when the Nth attack is completed. In this scheme, for a given IP carrying out the Nth attack, the malice index is no longer calculated from stored attack records; the second malice index obtained when the Nth attack is completed is calculated only from the first period corresponding to the Nth attack of that IP, the second period corresponding to the (N-1)th attack, and the first malice index obtained when the (N-1)th attack was completed. A large volume of logs therefore does not need to be recorded, which reduces the occupancy of storage space. In addition, counting one or more attacks within a period as one attack prevents every malice index from approaching 1, which improves the accuracy with which the malice indexes of different IPs can be distinguished.
Fig. 6 schematically shows a diagram of an apparatus 60 for updating a malice index according to an embodiment of the present invention. As shown in Fig. 6, the apparatus 60 may include:
A malice index decay unit 600, configured to make the malice index decay over time;
A detection unit 610, configured to detect attacks;
A malice index increasing unit 620, configured to increase the malice index when an attack is detected.
In one embodiment, while no attack is detected, the malice index decays over time in real time, so that the malice of a given attack decays over time. When an attack is detected, the malice index is increased by a constant, after which it again decays over time in real time.
In an embodiment of the present invention, optionally, one or more attacks within a predetermined time are counted as one attack. For example, if 1 attack occurs within a given predetermined time, it is counted as one attack in that predetermined time. As another example, if 10000 attacks occur within a given predetermined time, they are still counted as one attack in that predetermined time. Counting one or more attacks within the predetermined time as one attack effectively prevents every malice index from approaching 1, which improves the accuracy with which the malice indexes of different IPs can be distinguished. Of course, practical applications are not limited to the above approach; the number of attacks within the predetermined time may also be counted as the number of attacks that actually occurred.
The present invention proposes an apparatus for updating a malice index: a malice index decay unit, configured to make the malice index decay over time; a detection unit, configured to detect attacks; and a malice index increasing unit, configured to increase the malice index when an attack is detected. With this approach, updating the malice index is no longer based on stored attack records; instead, when an attack is detected, the update is made by increasing the decayed malice index. A large volume of logs therefore does not need to be recorded, which reduces the occupancy of storage space. In addition, counting one or more attacks within the predetermined time as one attack prevents every malice index from approaching 1, which improves the accuracy with which the malice indexes of different IPs can be distinguished.
Exemplary device
Having described the methods and apparatus of the exemplary embodiments of the present invention, a device for calculating a malice index or updating a malice index according to another exemplary embodiment of the present invention is introduced next.
A person of ordinary skill in the art will understand that aspects of the present invention may be implemented as a system, a method or a program product. Accordingly, aspects of the present invention may take the following forms: an entirely hardware embodiment, an entirely software embodiment (including firmware, microcode, etc.), or an embodiment combining hardware and software aspects, which may be collectively referred to herein as a "circuit", "module" or "system".
In some possible embodiments, a device for calculating a malice index or updating a malice index according to the present invention may include at least one processing unit and at least one storage unit. The storage unit stores program code which, when executed by the processing unit, causes the processing unit to perform the steps of the methods for calculating a malice index or updating a malice index according to the various exemplary embodiments of the present invention described in the "Exemplary methods" section above of this specification.
For example, the processing unit may perform step 100 as shown in Fig. 1: when an attack is detected, determine the Internet Protocol (IP) address corresponding to the attack; step 110: obtain the recorded malice index corresponding to the IP address according to the IP address; and step 120: based on the recorded malice index, calculate and update the malice index corresponding to the IP address.
As another example, the processing unit may also perform step 200 as shown in Fig. 2: when the Nth attack is detected, determine the Internet Protocol (IP) address corresponding to the Nth attack and calculate the first period to which the first time point, at which the Nth attack occurs, belongs; step 210: calculate the second period to which the second time point, at which the (N-1)th attack related to the IP address occurred, belongs, and obtain the first malice index that resulted when the (N-1)th attack was completed, the second time point being located before the first time point; step 220: according to the first malice index, the first period and the second period, calculate the second malice index obtained when the Nth attack is completed.
As another example, the processing unit may also perform step 300 as shown in Fig. 3: make the malice index decay over time; step 310: when an attack is detected, increase the malice index.
The device 70 for calculating a malice index or updating a malice index according to this embodiment of the present invention is described below with reference to Fig. 7. The device 70 shown in Fig. 7 is only an example and should not impose any limitation on the function or scope of use of embodiments of the present invention.
As shown in Fig. 7, the device 70 for calculating a malice index or updating a malice index takes the form of a general-purpose computing device. The components of the device 70 may include, but are not limited to: the at least one processing unit 716 described above, the at least one storage unit 728 described above, and a bus 718 connecting the different system components (including the storage unit 728 and the processing unit 716).
The bus 718 represents one or more of several types of bus structures, including a memory bus or memory controller, a peripheral bus, an accelerated graphics port, and a processor or local bus using any of a variety of bus structures.
The storage unit 728 may include readable media in the form of volatile memory, such as random access memory (RAM) 730 and/or cache memory 732, and may further include read-only memory (ROM) 734.
The storage unit 728 may also include a program/utility 740 having a set of (at least one) program modules 742. Such program modules 742 include, but are not limited to: an operating system, one or more application programs, other program modules and program data; each of these examples, or some combination of them, may include an implementation of a network environment.
The device 70 for calculating a malice index or updating a malice index may also communicate with one or more external devices 714 (such as a keyboard, a pointing device, a Bluetooth device, etc.), with one or more devices that enable a user to interact with the device 70, and/or with any device (such as a router, a modem, etc.) that enables the device 70 to communicate with one or more other computing devices. Such communication may take place through an input/output (I/O) interface 722. The device 70 may also communicate with one or more networks (such as a local area network (LAN), a wide area network (WAN) and/or a public network such as the Internet) through a network adapter 720. As shown, the network adapter 720 communicates with the other modules of the device 70 through the bus 718. It should be understood that, although not shown in the figure, other hardware and/or software modules may be used in conjunction with the device 70, including but not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives and data backup storage systems.
Exemplary program product
In some possible embodiments, aspects of the invention may also be implemented in the form of a program product that includes program code. When the program product runs on a terminal device, the program code causes the terminal device to perform the steps of the methods for calculating or updating the malice index according to the various exemplary embodiments of the invention described in the "Exemplary methods" section above of this specification.
For example, the processing unit may perform step 100 as shown in Fig. 1: when an attack is detected, determine the Internet Protocol (IP) address corresponding to the attack; step 110: obtain the recorded malice index corresponding to the IP address according to the IP address; and step 120: based on the recorded malice index, calculate and update the malice index corresponding to the IP address.
As another example, the terminal device may also perform step 200 as shown in Fig. 2: when the Nth attack is detected, determine the Internet Protocol (IP) address corresponding to the Nth attack, and calculate the first period to which the first time point, at which the Nth attack occurs, belongs; step 210: calculate the second period to which the second time point belongs, the second time point being the time at which the (N-1)th attack associated with the IP address occurred, and obtain the first malice index obtained when the (N-1)th attack finished executing, the second time point being before the first time point; step 220: according to the first malice index, the first period and the second period, calculate the second malice index obtained when the Nth attack finishes executing.
As another example, the processing unit may also perform step 300 as shown in Fig. 3: make the malice index decay over time; step 310: when an attack is detected, increase the malice index.
The program product may use any combination of one or more readable media. A readable medium may be a readable signal medium or a readable storage medium. A readable storage medium may be, for example, but is not limited to, an electrical, magnetic, optical, electromagnetic, infrared or semiconductor system, apparatus or device, or any combination of the above. More specific examples (a non-exhaustive list) of readable storage media include: an electrical connection having one or more wires, a portable disk, a hard disk, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), optical fiber, portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the above.
As shown in Fig. 8, a program product 80 for calculating or updating the malice index according to an embodiment of the invention is described. It may use a portable compact disc read-only memory (CD-ROM), include program code, and run on a terminal device such as a PC. However, the program product of the invention is not limited to this. In this document, a readable storage medium may be any tangible medium that contains or stores a program, and the program may be used by or in connection with an instruction execution system, apparatus or device.
A readable signal medium may include a data signal propagated in baseband or as part of a carrier wave, carrying readable program code. Such a propagated data signal may take many forms, including, but not limited to, an electromagnetic signal, an optical signal, or any suitable combination of the above. A readable signal medium may also be any readable medium other than a readable storage medium that can send, propagate or transmit a program for use by or in connection with an instruction execution system, apparatus or device.
The program code contained on a readable medium may be transmitted over any suitable medium, including, but not limited to, wireless, wired, optical cable, RF, etc., or any suitable combination of the above.
Program code for performing the operations of the invention may be written in any combination of one or more programming languages, including object-oriented programming languages such as Java and C++, as well as conventional procedural programming languages such as the "C" language or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device, as a stand-alone software package, partly on the user's computing device and partly on a remote computing device, or entirely on a remote computing device or server. Where a remote computing device is involved, it may be connected to the user's computing device through any kind of network, including a local area network (LAN) or a wide area network (WAN), or it may be connected to an external computing device (for example, through the Internet using an Internet service provider).
It should be noted that, although several devices or sub-devices of the equipment for calculating or updating the malice index are mentioned in the detailed description above, this division is not mandatory. In fact, according to embodiments of the invention, the features and functions of two or more of the devices described above may be embodied in one device. Conversely, the features and functions of one device described above may be further divided and embodied by multiple devices.
In addition, although the operations of the method of the invention are described in the drawings in a particular order, this does not require or imply that the operations must be performed in that particular order, or that all of the operations shown must be performed to achieve the desired result. Additionally or alternatively, certain steps may be omitted, multiple steps may be combined into one step, and/or one step may be split into multiple steps.
Although the spirit and principles of the invention have been described with reference to several specific embodiments, it should be understood that the invention is not limited to the specific embodiments disclosed, and the division into aspects does not mean that features in those aspects cannot be combined to advantage; that division is merely for convenience of presentation. The invention is intended to cover the various modifications and equivalent arrangements included within the spirit and scope of the appended claims.

Claims (20)

1. A method for calculating a malice index, comprising:
when an Nth attack is detected, determining the Internet Protocol (IP) address corresponding to the Nth attack, and calculating the first period to which the first time point, at which the Nth attack occurs, belongs;
calculating the second period to which a second time point belongs, the second time point being the time at which the (N-1)th attack associated with the IP address occurred, and the first malice index obtained when the (N-1)th attack finished executing, the second time point being before the first time point;
according to the first malice index, the first period and the second period, calculating the second malice index obtained when the Nth attack finishes executing.
2. The method of claim 1, wherein one or more attacks within a predetermined time are recorded as one attack.
3. The method of claim 1, wherein calculating the first period to which the first time point, at which the Nth attack occurs, belongs comprises:
the calculated first period satisfies the following rule:
m1 = (t1 - T0) / T + 1;
where m1 is the first period, t1 is the first time point, T0 is the time point at which attack detection was started, T is a preset value, and / denotes integer division;
and wherein calculating the second period to which the second time point, at which the (N-1)th attack occurs, belongs comprises:
the calculated second period satisfies the following rule:
m2 = (t2 - T0) / T + 1;
where m2 is the second period and t2 is the second time point.
4. The method of claim 1, wherein, if the first period and the second period are different periods, calculating, according to the first malice index, the first period and the second period, the second malice index obtained when the Nth attack finishes executing comprises:
the calculated second malice index satisfies the following rule:
EI1 = EI2 * (1/2)^(m1 - m2) + 1
where EI1 is the second malice index, EI2 is the first malice index, m1 is the first period, and m2 is the second period.
5. The method of any one of claims 1-4, wherein, if the first period and the second period are the same period, the second malice index equals the first malice index plus 1.
6. The method of claim 1, wherein, after calculating the second malice index obtained when the Nth attack finishes executing, the method further comprises:
replacing the first malice index recorded in the system with the second malice index, and replacing the second period recorded in the system with the first period.
7. A device for calculating a malice index, comprising:
a detection unit, for detecting attacks;
a determination unit, for determining the Internet Protocol (IP) address corresponding to an Nth attack;
a computing unit, for calculating, when the detection unit detects the Nth attack, the first period to which the first time point, at which the Nth attack occurs, belongs;
the computing unit being further used for calculating the second period to which a second time point belongs, the second time point being the time at which the (N-1)th attack associated with the IP address occurred, and the first malice index obtained when the (N-1)th attack finished executing, the second time point being before the first time point;
the computing unit being further used for calculating, according to the first malice index, the first period and the second period, the second malice index obtained when the Nth attack finishes executing.
8. The device of claim 7, wherein one or more attacks within a predetermined time are recorded as one attack.
9. The device of claim 7, wherein, when the computing unit calculates the first period to which the first time point, at which the Nth attack occurs, belongs, specifically:
the first period calculated by the computing unit satisfies the following rule:
m1 = (t1 - T0) / T + 1;
where m1 is the first period, t1 is the first time point, T0 is the time point at which attack detection was started, T is a preset value, and / denotes integer division;
and, when the computing unit calculates the second period to which the second time point, at which the (N-1)th attack occurs, belongs, specifically:
the second period calculated by the computing unit satisfies the following rule:
m2 = (t2 - T0) / T + 1;
where m2 is the second period and t2 is the second time point.
10. The device of claim 7, wherein, if the first period and the second period are different periods, when the computing unit calculates, according to the first malice index, the first period and the second period, the second malice index obtained when the Nth attack finishes executing, specifically:
the second malice index calculated by the computing unit satisfies the following rule:
EI1 = EI2 * (1/2)^(m1 - m2) + 1
where EI1 is the second malice index, EI2 is the first malice index, m1 is the first period, and m2 is the second period.
11. The device of any one of claims 7-10, wherein, if the first period and the second period are the same period, the second malice index equals the first malice index plus 1.
12. The device of claim 7, further comprising a replacement unit, for replacing the first malice index recorded in the system with the second malice index, and replacing the second period recorded in the system with the first period.
13. A method for calculating a malice index, comprising:
when an attack is detected, determining the Internet Protocol (IP) address corresponding to the attack;
obtaining the recorded malice index corresponding to the IP address according to the IP address; and
based on the recorded malice index, calculating and updating the malice index corresponding to the IP address;
the method further comprising:
calculating the current period m1 corresponding to the time at which the attack is detected;
obtaining the recorded period m2 corresponding to the recorded malice index;
wherein, if the current period and the recorded period are the same period, m1 = m2, calculating and updating the malice index corresponding to the IP address comprises: increasing the recorded malice index by a constant a: EI1 = EI2 + a, where EI1 is the updated malice index corresponding to the IP address and EI2 is the previously recorded malice index;
wherein, if the current period and the recorded period are different periods, m1 ≠ m2, calculating and updating the malice index corresponding to the IP address comprises: decaying the recorded malice index over time and then adding a constant a: EI1 = EI2 * b^(m1 - m2) + a, where b is a positive number less than 1.
14. The method of claim 13, wherein calculating and updating the malice index corresponding to the IP address comprises:
decaying the recorded malice index over time and then adding a constant, generating a new malice index;
using the new malice index as the updated malice index.
15. The method of claim 13, wherein one or more attacks within a predetermined time are recorded as one attack.
16. The method of claim 13, further comprising:
when the system is initialized, setting the malice index corresponding to the IP address to 0.
17. A device for calculating a malice index, comprising:
a detection unit, for detecting attacks;
a determination unit, for determining, when the detection unit detects an attack, the Internet Protocol (IP) address corresponding to the attack;
an acquiring unit, for obtaining the recorded malice index corresponding to the IP address according to the IP address; and
a computing unit, for calculating and updating, based on the recorded malice index, the malice index corresponding to the IP address;
the computing unit being further used for calculating the current period m1 corresponding to the time at which the attack is detected;
the acquiring unit being further used for obtaining the recorded period m2 corresponding to the recorded malice index;
wherein, if the current period and the recorded period are the same period, m1 = m2, when the computing unit calculates and updates the malice index corresponding to the IP address, specifically: the recorded malice index is increased by a constant a: EI1 = EI2 + a, where EI1 is the updated malice index corresponding to the IP address and EI2 is the previously recorded malice index;
wherein, if the current period and the recorded period are different periods, m1 ≠ m2, when the computing unit calculates and updates the malice index corresponding to the IP address, specifically: the recorded malice index is decayed over time and a constant a is then added: EI1 = EI2 * b^(m1 - m2) + a, where b is a positive number less than 1.
18. The device of claim 17, wherein the computing unit is specifically used for:
decaying the recorded malice index over time and then adding a constant, generating a new malice index;
using the new malice index as the updated malice index.
19. The device of claim 17, wherein one or more attacks within a predetermined time are recorded as one attack.
20. The device of claim 17, further comprising a malice index setting unit, for setting the malice index corresponding to the IP address to 0 when the system is initialized.
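The update rule recited in claims 3, 4, 13 and 16 can be exercised with the following added example, which is not code from the patent or its applicant: a per-IP tracker that stores only the last index and period and applies the decay lazily on the next attack. The class and method names, the `merge_window` reading of claims 2 and 15, the rejection of out-of-order events and the read-only `decayed_index` helper are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Record:
    index: float = 0.0                    # EI; set to 0 at initialization (claim 16)
    period: int = 0                       # m2: period of the last counted attack
    last_counted: Optional[float] = None  # time of the last counted attack


class MaliceIndexTracker:
    """Hypothetical tracker; a and b default to the values of claim 4 (1 and 1/2)."""

    def __init__(self, t0, period_len, a=1.0, b=0.5, merge_window=0.0):
        if period_len <= 0 or a <= 0 or not 0 < b < 1 or merge_window < 0:
            raise ValueError("need T > 0, a > 0, 0 < b < 1, merge_window >= 0")
        self.t0, self.period_len = t0, period_len
        self.a, self.b, self.merge_window = a, b, merge_window
        self.records: Dict[str, Record] = {}

    def period_of(self, t):
        """m = (t - T0) / T + 1, with '/' meaning integer division (claim 3)."""
        if t < self.t0:
            raise ValueError("event predates detection start T0")
        return int((t - self.t0) // self.period_len) + 1

    def record_attack(self, ip, t):
        """Update and return the malice index for ip after an attack at time t."""
        m1 = self.period_of(t)
        rec = self.records.setdefault(ip, Record(period=m1))
        if rec.last_counted is not None:
            # A late-arriving event could give m1 < m2, and b ** (m1 - m2) > 1
            # would then inflate the score instead of decaying it. Reject it.
            if t < rec.last_counted:
                raise ValueError("out-of-order event")
            # Assumed reading of claims 2/15: events inside the window are
            # counted as part of the previous attack.
            if t - rec.last_counted < self.merge_window:
                return rec.index
        # EI1 = EI2 * b^(m1 - m2) + a; when m1 == m2 this reduces to EI2 + a.
        rec.index = rec.index * self.b ** (m1 - rec.period) + self.a
        rec.period, rec.last_counted = m1, t
        return rec.index

    def decayed_index(self, ip, t):
        """Read-only view (an addition, not in the claims): index decayed to t."""
        rec = self.records.get(ip)
        if rec is None:
            return 0.0
        return rec.index * self.b ** max(self.period_of(t) - rec.period, 0)
```

Because the stored index is only decayed when the next attack arrives, any component that compares it against a blocking threshold between attacks should read it through `decayed_index` rather than from the stored record.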
CN201610187740.XA 2016-03-29 2016-03-29 A kind of method and apparatus calculating malice index Active CN105871834B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610187740.XA CN105871834B (en) 2016-03-29 2016-03-29 A kind of method and apparatus calculating malice index


Publications (2)

Publication Number Publication Date
CN105871834A CN105871834A (en) 2016-08-17
CN105871834B true CN105871834B (en) 2019-08-30

Family

ID=56625186

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610187740.XA Active CN105871834B (en) 2016-03-29 2016-03-29 A kind of method and apparatus calculating malice index

Country Status (1)

Country Link
CN (1) CN105871834B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110061998B (en) * 2019-04-25 2022-03-22 新华三信息安全技术有限公司 Attack defense method and device

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1692347A (en) * 2003-02-26 2005-11-02 智行科技有限公司 Security system and operating method thereof
CN1770700A (en) * 2004-11-01 2006-05-10 中兴通讯股份有限公司 Intimidation estimating method for computer attack
CN102137115A (en) * 2011-04-22 2011-07-27 南京邮电大学 Method for evaluating malicious code attack effect of communication network
CN102185858A (en) * 2011-05-06 2011-09-14 山东中创软件商用中间件股份有限公司 Web intrusion prevention method and system based on application layer
CN102739649A (en) * 2012-05-25 2012-10-17 北京神州绿盟信息安全科技股份有限公司 Method and device for determining network threat level
US9241007B1 (en) * 2013-07-18 2016-01-19 Blue Pillar, Inc. System, method, and computer program for providing a vulnerability assessment of a network of industrial automation devices

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CA2496779C (en) * 2002-08-26 2011-02-15 Guardednet, Inc. Determining threat level associated with network activity



Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant