CN105939320A - Message processing method and device - Google Patents
Message processing method and device
- Publication number: CN105939320A
- Application number: CN201510874597.7A
- Authority: CN (China)
- Prior art keywords: message, message characteristic, suspicious, characteristic, blacklist
- Legal status: Pending
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/1458—Denial of Service
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/02—Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
Abstract
The invention provides a message processing method and device. The method comprises: parsing a received Hypertext Transfer Protocol (HTTP) request message to obtain message features; looking up a pre-stored blacklist according to the message features and, if the message features are found in the blacklist, determining that the HTTP request message is an attack message and blocking it, otherwise letting the HTTP request message pass, wherein the blacklist is a blacklist updated based on suspicious message features; and, if the message features are not found in the blacklist, collecting statistics according to the message features and deriving the suspicious message features from the statistical result. With the method and device of the embodiments, attack messages can be identified effectively and DDoS (Distributed Denial of Service) attacks can be prevented.
Description
Technical field
The application relates to the field of network communication technology, and in particular to a method and device for processing messages.
Background
DDoS (Distributed Denial of Service) refers to using client/server technology to join multiple computers together as an attack platform and launch attacks against one or more targets, thereby increasing the power of the denial-of-service attack exponentially. A DDoS attack occupies a large amount of network resources by sending a large number of messages, with the aim of paralyzing the network. The most common attack patterns are the following four: overloading the network to disturb or even block normal network communication; overloading the server by submitting a large number of requests to it; blocking a particular user from accessing the server; and blocking communication between a particular service and a particular system or individual. In the prior art, defenses against DDoS attacks use the transmission rate of messages as the basis for identifying attack behavior. Once a message is identified as an attack message, such messages are blocked, which achieves the purpose of defending against the DDoS attack.
However, when the transmission rate of the messages is low, or is similar to the transmission rate of normal messages, this scheme usually cannot identify the attack messages and therefore cannot defend against the DDoS attack.
Summary of the invention
In view of this, the application provides a method and device for processing messages, to solve the problem that DDoS attacks are difficult to defend against when the transmission rate of the messages is low or is similar to the transmission rate of normal messages.
Specifically, the application is achieved through the following technical solutions.
According to a first aspect of the embodiments of the application, a method for processing messages is provided. The method is applied on an attack identification device and includes:
Parsing a received HTTP request message to obtain a message feature;
Looking up a pre-stored blacklist according to the message feature; if the message feature is found in the blacklist, determining that the HTTP request message is an attack message and blocking the HTTP request message; otherwise, letting the HTTP request message pass, wherein the blacklist is a blacklist updated based on suspicious message features;
If the message feature is not found in the blacklist, collecting statistics according to the message feature and deriving suspicious message features from the statistical result.
According to a second aspect of the embodiments of the application, a device for processing messages is provided. The device is applied on an attack identification device and includes:
A parsing unit, for parsing a received HTTP request message to obtain a message feature;
A lookup unit, for looking up a pre-stored blacklist according to the message feature, the blacklist being a blacklist updated based on suspicious message features;
A blocking unit, for determining, when the message feature is found in the blacklist, that the HTTP request message is an attack message, and blocking the HTTP request message;
A pass-through unit, for letting the HTTP request message pass when the message feature is not found in the blacklist;
A statistics unit, for collecting statistics according to the message feature when the message feature is not found in the blacklist, and deriving suspicious message features from the statistical result.
With the above embodiments, the number of accesses by messages can be counted according to the message feature, and attack messages can be identified from that access count. Attack messages are therefore identified effectively even when the transmission rate of the messages is low or is similar to the transmission rate of normal messages, and DDoS attacks are defended against.
Brief description of the drawings
Fig. 1 is a schematic diagram of an application scenario in which an embodiment of the application implements the method for processing messages.
Fig. 2 is a flow chart of an embodiment of the method for processing messages of the application.
Fig. 3 is a hardware structure diagram of the equipment on which the device for processing messages of the application resides.
Fig. 4 is a block diagram of an embodiment of the device for processing messages of the application.
Detailed description
Exemplary embodiments are described in detail here, and examples of them are shown in the accompanying drawings. Where the following description refers to the drawings, the same numbers in different drawings denote the same or similar elements unless otherwise indicated. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the application. On the contrary, they are merely examples of devices and methods consistent with some aspects of the application as detailed in the appended claims.
The terms used in the application are for the purpose of describing specific embodiments only and are not intended to limit the application. The singular forms "a", "said" and "the" used in the application and the appended claims are also intended to include the plural forms, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" used herein refers to and includes any and all possible combinations of one or more of the associated listed items.
It should be understood that although the terms first, second, third and so on may be used in the application to describe various pieces of information, the information should not be limited by these terms. These terms are only used to distinguish information of the same type from each other. For example, without departing from the scope of the application, first information may also be called second information, and similarly second information may also be called first information. Depending on the context, the word "if" as used here may be interpreted as "at the time of", "when", or "in response to determining".
In the prior art, an attacker can attack a server by means of a DDoS attack. To defend against the attack, the transmission rate of messages is usually taken as the basis for identifying attack messages: when the transmission rate is high, such messages are identified as attack messages and blocked, thereby defending against the DDoS attack. However, when the transmission rate of the messages is low, or is similar to the transmission rate of normal messages, this method usually cannot identify the attack messages and therefore cannot defend against the DDoS attack.
Refer to Fig. 1, a schematic diagram of an application scenario in which an embodiment of the application implements the method for processing messages. A control end controls multiple attack terminals, such as attack terminal 1 to attack terminal n shown in Fig. 1 (n is a natural number greater than 1), and the attack terminals send a large number of HTTP (Hypertext Transfer Protocol) request messages to the server. The HTTP request messages sent by attack terminals and by normal terminals are all transmitted to the attack identification device first. The attack identification device parses the received messages, identifies the attack messages and blocks them, and lets normal messages pass to the server, thereby defending against the DDoS attack.
It can be understood that the attack terminals and normal terminals in this embodiment are illustrated as computers only by way of example. In practice, attack terminals and normal terminals may be mobile phones, tablet computers, or other terminals capable of accessing network resources.
Refer to Fig. 2, a flow chart of an embodiment of the method for processing messages of the application. The method is applied on the attack identification device and comprises the following steps.
Step S201: parse the received HTTP request message to obtain a message feature.
As shown in Fig. 1, normal terminals and attack terminals all access the same server. When an attack identification device is deployed in the network, the HTTP request messages that normal terminals and attack terminals send to the server are all transmitted to the attack identification device, and the attack identification device can parse these HTTP request messages to judge whether they are safe.
By parsing a received HTTP request message, the attack identification device can obtain the source IP (Internet Protocol) address and the URI (Uniform Resource Identifier) address of the HTTP request message as the message feature. The URI address uniquely identifies a resource on the server.
Step S202: look up the pre-stored blacklist according to the message feature, the blacklist being a blacklist updated based on suspicious message features. If the message feature is found, perform step S203; if the message feature is not found, perform step S204 and step S205 respectively.
In an optional implementation, the blacklist can be set in advance. The blacklist initially includes the message features of attack messages that have already been identified. After suspicious message features are obtained from the result of the subsequent flow, the blacklist can be further updated based on those suspicious message features, so that the blacklist is maintained dynamically.
When the message feature obtained in step S201 is the source IP address of the HTTP request message, the blacklist is a list of IP addresses, and this step can look up the blacklist according to that source IP address. If the source IP address is found, perform step S203; if the source IP address is not found, perform step S204 and step S205 respectively.
Step S203: determine that the HTTP request message is an attack message and block the HTTP request message; end the flow.
As described in step S202, the blacklist includes the IP addresses of attack terminals that have been identified. The blacklist is looked up according to the source IP address of the HTTP request message. If the source IP address is found, it can be determined that the HTTP request message is an attack message sent by an attack terminal, and the HTTP request message is blocked, thereby defending against the DDoS attack.
Step S204: let the HTTP request message pass; end the flow.
Step S205: collect statistics according to the message feature and derive suspicious message features from the statistical result.
When step S202 looks up the pre-stored blacklist according to the message feature and does not find the message feature, it cannot be concluded that the HTTP request message is not an attack message. To defend against DDoS attacks more effectively, statistics can be collected on the HTTP request messages whose message features were not found.
In general, when a normal terminal accesses the server, the URI addresses in the HTTP request messages it sends to the server differ from one another. For example, when accessing a Web page, a normal terminal sends the server multiple HTTP request messages containing different URI addresses, in order to obtain the Web page's HTML (Hyper Text Markup Language) file, CSS (Cascading Style Sheets) file, JS (JavaScript) file, pictures, and the rest of a series of associated files. By contrast, the HTTP request messages sent by an attack terminal when it accesses the server usually contain only the same URI address. Therefore, over a period of time, for example 1 hour, 5 hours, or even 24 hours, the number of accesses by HTTP request messages can be counted according to the source IP address and URI address of the HTTP request messages.
In an optional implementation, a statistics list can be set in advance. The statistics list can include the correspondence between message features and statistical values, where a message feature can include an IP address and a URI address, and its corresponding statistical value represents the number of times an HTTP request message including that message feature has been received.
Table 1 below shows an example of the statistics list:
Table 1
When step S202 looks up the pre-stored blacklist according to the message feature and does not find the message feature, the statistics list shown in Table 1 can be looked up according to the message feature. If the message feature is found, this is not the first time the attack identification device has received an HTTP request message including this message feature, and the statistical value corresponding to the message feature can be increased by 1. Otherwise, the attack identification device has received an HTTP request message including this message feature for the first time; the message feature can be added to the statistics list and its corresponding statistical value set to 1, so that subsequent statistics can count the number of times HTTP request messages including this message feature are received. In this way, the number of times HTTP request messages including a given message feature are received within a period of time can be counted according to the message feature, and suspicious message features can be derived from this count.
In an optional implementation, a threshold can be set in advance to represent the number of times, within a period of time, that the attack identification device is allowed to receive HTTP request messages including the same message feature. It can then be judged whether a statistical value in the statistics list has reached the threshold. If so, the message feature corresponding to that statistical value is a suspicious message feature, and an HTTP request message including this message feature is probably an attack message.
Further, after a message feature has been found to be a suspicious message feature, it can be marked as a suspicious message feature in a preset manner.
In an optional implementation, the statistics list can also include the correspondence between message features and suspicious flags, where the suspicious flag indicates whether the message feature is a suspicious message feature. Table 2 below shows another example of the statistics list:
Table 2
In Table 2 above, it is assumed that a suspicious flag of "0" indicates that the corresponding message feature is not a suspicious message feature, and a suspicious flag of "1" indicates that the corresponding message feature is a suspicious message feature.
After a message feature has been found to be a suspicious message feature, if the suspicious flag corresponding to that message feature is not "1", the suspicious flag can be set to "1", thereby marking the message feature as a suspicious message feature.
In another optional implementation, a suspicious list can be set in advance. After a message feature has been found to be a suspicious message feature, the correspondence between this message feature and its statistical value can be added to the suspicious list.
Further, the suspicious message features can serve as the basis for updating the blacklist: the attack identification device can add selected suspicious message features to the blacklist.
In an optional implementation, the suspicious message features can be displayed on a web interface in real time. The web interface can include a select/cancel field, through which the network administrator can select, or cancel the selection of, suspicious message features in the web interface. If a suspicious message feature is selected, the attack identification device can add the selected suspicious message feature to the blacklist.
In another optional implementation, the suspicious message features can be sorted according to their statistical values. Specifically, the statistical values can be sorted in descending order, which orders the suspicious message features. The attack identification device can also be set to perform this sorting once at regular intervals (such as every five minutes or every 10 minutes). Afterwards, according to the sorting result, the suspicious message features ranked in the top N (N is a natural number greater than or equal to 1) can be displayed on the web interface. The web interface can include a select/cancel field, through which the network administrator can select, or cancel the selection of, suspicious message features in the web interface, and the attack identification device can add the selected suspicious message features to the blacklist.
With the above embodiment, the number of accesses by messages can be counted according to the message feature, and attack messages can be identified from that access count. Attack messages are therefore identified effectively even when the transmission rate of the messages is low or is similar to the transmission rate of normal messages, and DDoS attacks are defended against.
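The flow of steps S201 to S205, together with the threshold, top-N ranking and operator selection described above, sketched in Python as an added example (it is not code from the patent). Assumptions: the blacklist holds source IPs, as in the IP-address variant described under step S202; the statistics period is a fixed window; malformed request lines are rejected; all class and function names and the sample traffic (documentation IP ranges) are constructed for illustration.

```python
"""Added example: blacklist lookup plus per-feature counting (steps S201-S205)."""
from collections import Counter

BLOCK, PASS = "block", "pass"


def parse_feature(src_ip, raw_request):
    """S201: build the (source IP, URI) feature from a raw HTTP request."""
    lines = raw_request.splitlines()
    parts = lines[0].split(" ") if lines else []
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError("malformed HTTP request line")  # assumed handling
    return (src_ip, parts[1])


class AttackIdentifier:
    """Hypothetical name; models the attack identification device."""

    def __init__(self, threshold, window_seconds, blacklist=()):
        self.threshold = threshold            # hits allowed per feature per window
        self.window_seconds = window_seconds  # statistics period, e.g. 3600
        self.blacklist = set(blacklist)       # source IPs of identified attackers
        self.stats = Counter()                # statistics list: feature -> count
        self.suspicious = {}                  # flagged feature -> highest count seen
        self.window_start = None

    def handle(self, src_ip, raw_request, now):
        """Process one request; returns BLOCK or PASS."""
        feature = parse_feature(src_ip, raw_request)  # S201
        if src_ip in self.blacklist:                  # S202: blacklist lookup
            return BLOCK                              # S203
        self._count(feature, now)                     # S205
        return PASS                                   # S204

    def _count(self, feature, now):
        # Assumption: counts restart when a window expires, while flagged
        # features are kept until an operator has reviewed them.
        expired = (self.window_start is None
                   or now - self.window_start >= self.window_seconds)
        if expired:
            self.stats.clear()
            self.window_start = now
        self.stats[feature] += 1  # an unseen feature starts at 0, so first hit -> 1
        count = self.stats[feature]
        if count >= self.threshold:
            self.suspicious[feature] = max(count, self.suspicious.get(feature, 0))

    def top_suspicious(self, n):
        """Suspicious features sorted by count, descending; first n entries."""
        ranked = sorted(self.suspicious.items(), key=lambda kv: (-kv[1], kv[0]))
        return ranked[:n]

    def confirm(self, feature):
        """Operator selected a suspicious feature: blacklist its source IP."""
        if feature not in self.suspicious:
            raise KeyError(feature)
        self.blacklist.add(feature[0])
        del self.suspicious[feature]


def demo():
    """Run constructed traffic through the device and return what happened."""
    ids = AttackIdentifier(threshold=5, window_seconds=3600)

    def req(uri):
        return f"GET {uri} HTTP/1.1\r\nHost: shop.example\r\n\r\n"

    verdicts = []
    # Constructed: a browser fetching a page and its associated files.
    browser_uris = ["/", "/site.css", "/app.js", "/logo.png", "/", "/cart"]
    for t, uri in enumerate(browser_uris):
        verdicts.append(ids.handle("198.51.100.7", req(uri), now=t))
    # Constructed: a low-rate client requesting the same URI once a minute.
    for i in range(6):
        verdicts.append(ids.handle("203.0.113.9", req("/search?q=a"), now=10 + 60 * i))
    top = ids.top_suspicious(3)
    ids.confirm(top[0][0])  # operator selects the top entry
    after = ids.handle("203.0.113.9", req("/search?q=a"), now=400)
    return verdicts, top, after


if __name__ == "__main__":
    print(demo())
```

Because this blacklist is keyed on source IP, confirming one feature blocks every client that shares that address, which is something to check at the operator review step.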
Corresponding to the foregoing embodiment of the method for processing messages, the application also provides an embodiment of a device for processing messages.
The embodiment of the device for processing messages of the application can be applied on the attack identification device. The device embodiment can be implemented in software, or in hardware, or in a combination of software and hardware. Taking a software implementation as an example, the device in the logical sense is formed when the processor of the attack identification device on which it resides reads the corresponding computer program instructions from non-volatile memory into internal memory and runs them. At the hardware level, Fig. 3 shows a hardware structure diagram of the equipment on which the device for processing messages of the application resides. In addition to the processor, internal memory, network interface and non-volatile memory shown in Fig. 3, the attack identification device on which the device of the embodiment resides may also include other hardware according to the actual functions of the attack identification device, which is not described further here.
Refer to Fig. 4, a block diagram of an embodiment of the device for processing messages of the application. The device is applied on the attack identification device and includes: parsing unit 410, lookup unit 420, blocking unit 430, pass-through unit 440, and statistics unit 450.
The parsing unit 410 is for parsing a received HTTP request message to obtain a message feature;
The lookup unit 420 is for looking up a pre-stored blacklist according to the message feature, the blacklist being a blacklist updated based on suspicious message features;
The blocking unit 430 is for determining, when the message feature is found in the blacklist, that the HTTP request message is an attack message, and blocking the HTTP request message;
The pass-through unit 440 is for letting the HTTP request message pass when the message feature is not found in the blacklist;
The statistics unit 450 is for collecting statistics according to the message feature when the message feature is not found in the blacklist, and deriving suspicious message features from the statistical result.
In an optional implementation, the statistics unit 450 includes (not shown in Fig. 4): a lookup subunit, an increment subunit, and an adding subunit.
The lookup subunit is for looking up a pre-stored statistics list according to the message feature, the statistics list including the correspondence between message features and statistical values;
The increment subunit is for increasing the statistical value corresponding to the message feature by 1 when the message feature is found in the statistics list;
The adding subunit is for adding the message feature to the statistics list, and setting the statistical value corresponding to the message feature to 1, when the message feature is not found in the statistics list.
In another optional implementation, the statistics unit 450 also includes (not shown in Fig. 4): a judgment subunit and a marking subunit.
The judgment subunit is for judging whether a value in the statistics list reaches the preset threshold;
The marking subunit is for marking the message feature corresponding to a statistical value as a suspicious message feature when the judgment shows that the statistical value in the statistics list reaches the preset threshold.
In another optional implementation, the device also includes (not shown in Fig. 4): a display unit and an adding unit.
The display unit is for displaying the suspicious message features on a web interface;
The adding unit is for adding the suspicious message features selected in the web interface to the blacklist.
In another optional implementation, the display unit includes (not shown in Fig. 4): a sorting subunit and a display subunit.
The sorting subunit is for sorting the suspicious message features in descending order of their corresponding statistical values;
The display subunit is for displaying on the web interface the suspicious message features ranked in the top N, where N is a natural number greater than 1.
For the implementation of the functions and effects of each unit in the above device, refer to the implementation of the corresponding steps in the above method; it is not repeated here.
Since the device embodiment essentially corresponds to the method embodiment, refer to the description of the method embodiment for the relevant parts. The device embodiment described above is only schematic. The units described as separate components may or may not be physically separate, and the components displayed as units may or may not be physical units; that is, they may be located in one place or distributed over multiple network elements. Some or all of the modules can be selected according to actual needs to achieve the purpose of the solution of the application. A person of ordinary skill in the art can understand and implement it without creative effort.
The foregoing is only the preferred embodiment of the application and is not intended to limit the application. Any modification, equivalent substitution, improvement and the like made within the spirit and principles of the application shall fall within the scope of protection of the application.
Claims (10)
1. A method for processing messages, characterized in that the method is applied on an attack identification device, the method including:
Parsing a received HTTP request message to obtain a message feature;
Looking up a pre-stored blacklist according to the message feature; if the message feature is found in the blacklist, determining that the HTTP request message is an attack message and blocking the HTTP request message; otherwise, letting the HTTP request message pass, wherein the blacklist is a blacklist updated based on suspicious message features;
If the message feature is not found in the blacklist, collecting statistics according to the message feature and deriving suspicious message features from the statistical result.
2. The method according to claim 1, characterized in that collecting statistics according to the message feature includes:
Looking up a pre-stored statistics list according to the message feature, the statistics list including the correspondence between message features and statistical values;
If the message feature is found in the statistics list, increasing the statistical value corresponding to the message feature by 1;
If the message feature is not found in the statistics list, adding the message feature to the statistics list and setting the statistical value corresponding to the message feature to 1.
3. The method according to claim 2, characterized in that deriving suspicious message features from the statistical result includes:
Judging whether a statistical value in the statistics list reaches a preset threshold and, if so, marking the message feature corresponding to the statistical value as a suspicious message feature.
4. The method according to claim 3, characterized in that the method also includes:
Displaying the suspicious message features on a web interface;
Adding the suspicious message features selected in the web interface to the blacklist.
5. The method according to claim 4, characterized in that displaying the suspicious message features on the web interface includes:
Sorting the suspicious message features in descending order of their corresponding statistical values;
Displaying on the web interface the suspicious message features ranked in the top N, where N is a natural number greater than 1.
6. the device processing message, it is characterised in that described device is applied on attack recognition equipment,
Described device includes:
Resolution unit, for resolving the HTTP request message received, it is thus achieved that message characteristic;
Search unit, for searching the blacklist pre-saved, described blacklist according to described message characteristic
For the blacklist being updated based on suspicious message characteristic;
Blocking unit, for when finding described message characteristic from described blacklist, determines described
HTTP request message is attack message, blocks described HTTP request message;
Clearance unit, for when not finding described message characteristic from described blacklist, lets pass described
HTTP request message;
Statistic unit, for when not finding described message characteristic, according to described from described blacklist
Message characteristic carries out adding up and drawing suspicious message characteristic according to statistical result.
Device the most according to claim 6, it is characterised in that described statistic unit includes:
Search subelement, for searching the statistics list pre-saved, described system according to described message characteristic
Meter list includes the corresponding relation of message characteristic and statistic;
Increase subelement, for when finding described message characteristic from described statistics list, by described
The statistic that message characteristic is corresponding adds 1;
Add subelement, for when not finding described message characteristic from described statistics list, by institute
State message characteristic to add in described statistics list, and statistic corresponding for described message characteristic is set to
1。
8. The device according to claim 7, characterized in that the statistics unit further comprises:
a judging subunit, configured to judge whether a statistic in the statistics list has reached a preset threshold;
a marking subunit, configured to, when the judgment shows that a statistic in the statistics list has reached the preset threshold, mark the message characteristic corresponding to that statistic as a suspicious message characteristic.
9. The device according to claim 8, characterized in that the device further comprises:
a display unit, configured to display the suspicious message characteristics on a web interface;
an adding unit, configured to add the suspicious message characteristic selected on the web interface to the blacklist.
10. The device according to claim 9, characterized in that the display unit comprises:
a sorting subunit, configured to sort the suspicious message characteristics by their corresponding statistics in descending order;
a display subunit, configured to display the top N suspicious message characteristics on the web interface, where N is a natural number greater than 1.
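The device described in the claims above, sketched as an added Python example (not code from the patent). The choice of message characteristic (method, path without query string, User-Agent), the class and function names, and the sample requests are assumptions made for illustration; the operator's selection on the web interface is modelled as a call to `confirm`.

```python
from collections import Counter

# Parsing unit. Assumption: the message characteristic is the tuple
# (method, path without query string, User-Agent); the claims do not fix it.
def parse_feature(raw):
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    parts = request_line.split(" ")
    if len(parts) != 3:
        raise ValueError("malformed request line")
    headers = {n.strip().lower(): v.strip()
               for n, _, v in (line.partition(":") for line in header_lines)}
    return (parts[0], parts[1].split("?", 1)[0], headers.get("user-agent", ""))

class AttackRecognizer:  # hypothetical name
    def __init__(self, threshold, top_n):
        self.blacklist = set()    # confirmed attack characteristics
        self.stats = Counter()    # statistics list: characteristic -> statistic
        self.suspicious = set()   # characteristics whose statistic hit the threshold
        self.threshold, self.top_n = threshold, top_n

    def handle(self, raw):
        feature = parse_feature(raw)
        if feature in self.blacklist:         # search unit + blocking unit
            return "block"
        self.stats[feature] += 1              # adding (set to 1) or increment subunit
        if self.stats[feature] >= self.threshold:
            self.suspicious.add(feature)      # judging + marking subunits
        return "pass"                         # release unit

    def top_suspicious(self):                 # sorting + display subunits
        ranked = sorted(self.suspicious, key=lambda f: (-self.stats[f], f))
        return [(f, self.stats[f]) for f in ranked[: self.top_n]]

    def confirm(self, feature):               # adding unit (operator's selection)
        if feature in self.suspicious:
            self.suspicious.discard(feature)  # design choice, not in the claims
            self.blacklist.add(feature)

def make_request(method, target, agent):      # constructed sample traffic
    return (f"{method} {target} HTTP/1.1\r\nHost: shop.example\r\n"
            f"User-Agent: {agent}\r\n\r\n").encode()

def demo():
    r = AttackRecognizer(threshold=3, top_n=2)
    for method, target, agent, count in [("GET", "/search?q={}", "bot/1.0", 5),
            ("POST", "/login", "bot/1.0", 4), ("GET", "/", "Mozilla/5.0", 3)]:
        for i in range(count):
            r.handle(make_request(method, target.format(i), agent))
    top = r.top_suspicious()
    r.confirm(top[0][0])
    return top, r.handle(make_request("GET", "/search?q=99", "bot/1.0"))
```

In this sketch the statistics list gains an entry for every distinct characteristic it sees, so a deployment would have to bound or age it; the claims do not address that.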
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510874597.7A CN105939320A (en) | 2015-12-02 | 2015-12-02 | Message processing method and device |
Publications (1)
Publication Number | Publication Date |
---|---|
CN105939320A true CN105939320A (en) | 2016-09-14 |
Family
ID=57152791
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201510874597.7A Pending CN105939320A (en) | 2015-12-02 | 2015-12-02 | Message processing method and device |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN105939320A (en) |
- 2015-12-02 CN CN201510874597.7A patent/CN105939320A/en active Pending
Patent Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2014040292A1 (en) * | 2012-09-17 | 2014-03-20 | 华为技术有限公司 | Protection method and device against attacks |
CN104333529A (en) * | 2013-07-22 | 2015-02-04 | 中国电信股份有限公司 | Detection method and system of HTTP DOS (Denial of Service) attack under cloud computing environment |
CN104348816A (en) * | 2013-08-07 | 2015-02-11 | 华为数字技术(苏州)有限公司 | Method for protecting Cookie information and front gateway of Web server |
CN103442018A (en) * | 2013-09-17 | 2013-12-11 | 网宿科技股份有限公司 | Dynamic defense method and system for CC (Challenge Collapsar) attack |
CN104580216A (en) * | 2015-01-09 | 2015-04-29 | 北京京东尚科信息技术有限公司 | System and method for limiting access requests |
Cited By (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107332839A (en) * | 2017-06-28 | 2017-11-07 | 杭州迪普科技股份有限公司 | A kind of message transmitting method and device |
CN107864156A (en) * | 2017-12-18 | 2018-03-30 | 东软集团股份有限公司 | SYN attack defence method and device, storage medium |
CN107864156B (en) * | 2017-12-18 | 2020-06-23 | 东软集团股份有限公司 | SYN attack defense method and device and storage medium |
CN109547427A (en) * | 2018-11-14 | 2019-03-29 | 平安普惠企业管理有限公司 | Black list user's recognition methods, device, computer equipment and storage medium |
CN109413091A (en) * | 2018-11-20 | 2019-03-01 | 中国联合网络通信集团有限公司 | A kind of network security monitoring method and apparatus based on internet-of-things terminal |
CN114928476A (en) * | 2022-04-27 | 2022-08-19 | 北京天融信网络安全技术有限公司 | Target file security detection method and detection device |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US10922377B2 (en) | Internet-based proxy service to limit internet visitor connection speed | |
US9654494B2 (en) | Detecting and marking client devices | |
US8707429B2 (en) | DNS resolution, policies, and views for large volume systems | |
US9038181B2 (en) | Prioritizing malicious website detection | |
US8443452B2 (en) | URL filtering based on user browser history | |
US10148681B2 (en) | Automated identification of phishing, phony and malicious web sites | |
US8533581B2 (en) | Optimizing security seals on web pages | |
US9817969B2 (en) | Device for detecting cyber attack based on event analysis and method thereof | |
US20140331319A1 (en) | Method and Apparatus for Detecting Malicious Websites | |
EP2755157B1 (en) | Detecting undesirable content | |
EP2053555A1 (en) | Method and apparatus for detecting click fraud | |
US20130007882A1 (en) | Methods of detecting and removing bidirectional network traffic malware | |
US20130007870A1 (en) | Systems for bi-directional network traffic malware detection and removal | |
CN105939320A (en) | Message processing method and device | |
US20150135253A1 (en) | Source request monitoring | |
CN105939361A (en) | Method and device for defensing CC (Challenge Collapsar) attack | |
US10097511B2 (en) | Methods and systems for identification of a domain of a command and control server of a botnet | |
CN105635064A (en) | CSRF attack detection method and device | |
CN110392032B (en) | Method, device and storage medium for detecting abnormal URL | |
Leita et al. | HARMUR: Storing and analyzing historic data on malicious domains | |
KR100655492B1 (en) | Web server vulnerability detection system and method of using search engine | |
US20230269226A1 (en) | Method and apparatus for providing ip address filtering | |
CN111385248B (en) | Attack defense method and attack defense device | |
Yaacob et al. | Moving towards positive security model for web application firewall | |
JP6278934B2 (en) | Server apparatus, server apparatus control method, and program |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| C06 | Publication | |
| PB01 | Publication | |
| C10 | Entry into substantive examination | |
| SE01 | Entry into force of request for substantive examination | |
| CB02 | Change of applicant information | Address after: Binjiang District and Hangzhou city in Zhejiang Province Road 310051 No. 68 in the 6 storey building; Applicant after: Hangzhou Dipu Polytron Technologies Inc; Address before: Binjiang District and Hangzhou city in Zhejiang Province Road 310051 No. 68 in the 6 storey building; Applicant before: Hangzhou Dipu Technology Co., Ltd. |
| RJ01 | Rejection of invention patent application after publication | Application publication date: 20160914 |