CN105959250A - Network attack black list management method and device - Google Patents

Network attack black list management method and device

Info

Publication number: CN105959250A
Authority: CN (China)
Prior art keywords: attack, source, network, characteristic information, blacklist
Legal status: Pending
Application number: CN201510690099.7A
Other languages: Chinese (zh)
Inventor: 张闻闻
Current Assignee: Hangzhou DPTech Technologies Co Ltd
Original Assignee: Hangzhou DPTech Technologies Co Ltd

Classifications

    • H04L63/1416 Event detection, e.g. attack signature detection (H04L63/14 detecting or protecting against malicious traffic; H04L63/1408 by monitoring network traffic)
    • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL (H04L63/02 separating internal from external traffic, e.g. firewalls; H04L63/0227 filtering policies)
    • H04L63/20 Network architectures or network communication protocols for managing network security; network security policies in general


Abstract

The present invention provides a network attack blacklist management method and device. The method is applied to an intrusion prevention system (IPS) device and comprises: analyzing a network attack log according to a preset rule and determining network attack sources from the network sources of the network attack log, wherein the network attack log includes the characteristic information of the network sources; extracting the characteristic information of the network attack sources from the network attack log and adding it to a network attack blacklist; and performing hierarchical management of the network attack blacklist according to a preset management strategy. According to the embodiments of the invention, the network attack blacklist is managed hierarchically through a preset management strategy, allowing the IPS device to realize a timely, effective and reasonable network attack protection function through the network attack blacklist.

Description

Network attack blacklist management method and device
Technical field
The present application relates to the field of network communication technology, and in particular to a network attack blacklist management method and device.
Background
As network applications penetrate ever more deeply into people's lives, network attacks emerge endlessly, and important network nodes such as large enterprises, government organizations and operators in particular often face various network attack threats. In this situation, higher requirements are placed on the attack protection effect of IPS (Intrusion Prevention System) devices.
In the prior art, maintenance staff periodically analyze the network attack logs produced by the IPS device, screen out possible network attack sources, and add the characteristic information of those attack sources to a network attack blacklist, so that the IPS device blocks the attack sources by means of the blacklist. However, some attack sources in the blacklist may be clients remotely controlled by a hacker, and such attack sources cease after a certain time; manual work alone cannot distinguish the attack sources that have ceased, so the IPS device cannot achieve a reasonable, timely and effective network attack protection function through the blacklist.
Summary of the invention
In view of this, the present application provides a network attack blacklist management method and device, to solve the problem that an IPS device in the prior art cannot achieve a reasonable, timely and effective network attack protection function.
According to a first aspect of the embodiments of the present application, a network attack blacklist management method is provided. The method is applied to an IPS device that communicates with an attack source and with a destination client respectively, and includes:
analyzing a network attack log according to preset rules and determining network attack sources from the network sources of the network attack log, where the network attack log includes the characteristic information of the network sources;
extracting the characteristic information of the network attack sources from the network attack log and adding it to a network attack blacklist;
performing hierarchical management of the network attack blacklist according to a preset management strategy.
According to a second aspect of the embodiments of the present application, a network attack blacklist management device is provided. The device is applied to an IPS device that communicates with an attack source and with a destination client respectively, and includes:
a determining unit, for analyzing a network attack log according to preset rules and determining network attack sources from the network sources of the network attack log, where the network attack log includes the characteristic information of the network sources;
an adding unit, for extracting the characteristic information of the network attack sources from the network attack log and adding it to a network attack blacklist;
a management unit, for performing hierarchical management of the network attack blacklist according to a preset management strategy.
With the embodiments of the present application, when the network attack protection function is enabled on the IPS device, the IPS device automatically analyzes the network attack log according to preset rules, determines network attack sources from the network sources of the log, adds their characteristic information to the network attack blacklist, and performs hierarchical management of the blacklist according to a preset management strategy, so that the IPS device achieves a timely, effective and reasonable network attack protection function through the blacklist.
Brief description of the drawings
Fig. 1 is a schematic diagram of a network attack blacklist management application scenario according to an exemplary embodiment of the present application;
Fig. 2 is a flow chart of an embodiment of a network attack blacklist management method according to an exemplary embodiment of the present application;
Fig. 3 is a hardware structure diagram of the equipment in which a network attack blacklist management device according to an exemplary embodiment of the present application is located;
Fig. 4 is a structure diagram of an embodiment of a network attack blacklist management device according to an exemplary embodiment of the present application.
Detailed description
Exemplary embodiments are described in detail here, and examples of them are shown in the accompanying drawings. When the following description refers to the drawings, the same numerals in different drawings denote the same or similar elements unless otherwise indicated. The implementations described in the following exemplary embodiments do not represent all implementations consistent with the present application; rather, they are merely examples of apparatus and methods consistent with some aspects of the application as detailed in the appended claims.
The terms used in the present application are for the purpose of describing particular embodiments only and are not intended to limit the application. The singular forms "a", "said" and "the" used in the application and the appended claims are also intended to include the plural forms unless the context clearly indicates otherwise. It should also be understood that the term "and/or" used herein refers to and includes any or all possible combinations of one or more of the associated listed items.
It should be understood that although the terms first, second, third, etc. may be used in the application to describe various kinds of information, the information should not be limited by these terms. These terms are only used to distinguish information of the same type from one another. For example, without departing from the scope of the application, first information may also be called second information, and similarly second information may also be called first information. Depending on the context, the word "if" as used herein may be interpreted as "when", "upon" or "in response to determining".
Those skilled in the art will appreciate that an IPS device protecting against network attacks produces a network attack log while blocking attacks, and that the log contains a large amount of data from which the network environment can be reconstructed. In the present application the IPS device updates the network attack blacklist by analyzing the network attack log, and performs hierarchical management of the blacklist according to a preset management strategy, so that the IPS device achieves a timely, effective and reasonable network attack protection function through the blacklist.
Fig. 1 is a schematic diagram of a network attack blacklist management application scenario according to an exemplary embodiment of the present application:
The application scenario shown in Fig. 1 includes a network attack source, an IPS device and a destination client. The IPS device sits between the attack source and the destination client and, by means of the network attack blacklist it maintains, blocks the network attacks sent by the attack source so as to protect the destination client from them. Fig. 1 uses a destination client as the example; in practice the protected party may also be a server, and the destination client may be a PC (Personal Computer), a mobile phone, etc. Specifically, after the network attack protection function is enabled on the IPS device, the IPS device automatically analyzes the network attack log according to preset rules, determines network attack sources from the network sources of the log, adds the characteristic information (for example the IP address) of all attack sources to the network attack blacklist, and performs hierarchical management of the blacklist according to a preset management strategy, so that the IPS device achieves a reasonable, timely and effective network attack protection function through the blacklist.
Fig. 2 is a flow chart of an embodiment of a network attack blacklist management method according to an exemplary embodiment of the present application. The embodiment is applied to an IPS device that communicates with an attack source and with a destination client respectively, and includes the following steps:
Step S201: analyze the network attack log according to preset rules and determine network attack sources from the network sources of the network attack log.
When the network attack protection function is enabled on the IPS device, the IPS device analyzes the network attack log according to preset rules and determines network attack sources from the network sources of the log. In a real network, when a network device sends packets through the IPS device, the attack protection module in the IPS device analyzes the packets in real time according to a pre-configured strategy; if a packet is judged to be abnormal, the packet is blocked and the network source the packet belongs to is added to the network attack log. The network attack log includes the characteristic information of the network source, which may include its IP (Internet Protocol) address.
In one optional implementation, the IPS device can use, as the rule for judging attack sources, whether the attack frequency of a network source, computed from the times and numbers of attacks in the network attack log, exceeds a preset frequency. That is, it first counts the number of attacks launched by each network source per unit time or in a certain period to obtain the attack frequency, and then judges whether that frequency exceeds the preset frequency. For example, suppose the network attack log records network sources with IP addresses IP1, IP2, IP3, IP4 and IP5, which launched 1000, 85, 60, 1500 and 55 attacks respectively in the period from 12:00 to 12:05. Their attack frequencies are f1 = 1000/5 = 200 times/min, f2 = 85/5 = 17 times/min, f3 = 60/5 = 12 times/min, f4 = 1500/5 = 300 times/min and f5 = 55/5 = 11 times/min. If the preset frequency f is 145 times/min, the result shows that f1 and f4 exceed f, so the network sources at the IP addresses corresponding to f1 and f4 are network attack sources.
It should be noted that the above is merely an example and does not limit the scope of protection of the present invention: the value of the preset frequency can be configured according to the actual application conditions and network environment, and the statistics of the attack frequency are not limited to the above result as long as they follow the above statistical principle.
In another optional implementation, the IPS device can use, as the rule for judging attack sources, whether the number of attacks of a preset type suffered by a destination client in a preset time period, counted from the network attack log, exceeds a first preset number; when it does, the network sources that launched that preset type of attack are determined to be network attack sources. Unlike the previous implementation, one or more destination clients are first selected (represented, for example, by the client's IP address), then the number of attacks of the preset type suffered by them is counted, and when it exceeds the first preset number the network sources launching that type of attack are determined to be attack sources. For example, the IP address of a destination client is 218.30.13.36, and the preset types are port scan attacks and address scan attacks; in the preset time period the client suffered 28 port scan attacks and 55 address scan attacks. If the first preset number is 10, the numbers of attacks of both types exceed the first preset number, so all network sources launching these two types of attack are determined to be network attack sources.
It should further be noted that in this optional implementation the destination client can also be selected or restricted by network port, network protocol, etc. For example, the network protocol of the destination client can be restricted: assuming network attack protection is applied to the HTTP (Hypertext Transfer Protocol) traffic of the destination client, only the attacks of the preset type under that protocol are counted, and attacks of the preset type under other protocols, for example SMTP (Simple Mail Transfer Protocol), are not.
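The two judging rules of Step S201, worked through in Python as an added example (not code from the patent or from DPTech): the per-source attack frequency over the 12:00 to 12:05 window with the page's counts and the 145 times/min preset frequency, and the per-client count of preset attack types against 218.30.13.36 with the HTTP-only restriction. The log entry layout, the source IP addresses and the attack type names are constructed for this example.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta


# One network attack log entry. The page says an entry carries the network
# source's characteristic information (its IP address); the destination,
# attack type and protocol fields are assumptions made for this example.
@dataclass(frozen=True)
class AttackLogEntry:
    time: datetime
    src_ip: str
    dst_ip: str
    attack_type: str
    protocol: str


def _in_window(entry, start, end):
    return start <= entry.time < end


def attack_frequencies(log, start, end):
    """Rule 1: attacks per minute launched by each network source in [start, end)."""
    minutes = (end - start).total_seconds() / 60.0
    counts = Counter(e.src_ip for e in log if _in_window(e, start, end))
    return {ip: n / minutes for ip, n in counts.items()}


def sources_by_frequency(log, start, end, preset_frequency):
    """Network sources whose attack frequency exceeds the preset frequency."""
    freqs = attack_frequencies(log, start, end)
    return sorted(ip for ip, f in freqs.items() if f > preset_frequency)


def _targets(log, start, end, target_ip, protocol):
    # Entries aimed at the protected client, optionally limited to one protocol
    # (the page's example protects only HTTP and ignores e.g. SMTP).
    return [e for e in log if _in_window(e, start, end) and e.dst_ip == target_ip
            and (protocol is None or e.protocol == protocol)]


def preset_type_counts(log, start, end, target_ip, preset_types, protocol=None):
    """Rule 2: number of attacks of each preset type suffered by the protected client."""
    counts = Counter(e.attack_type for e in _targets(log, start, end, target_ip, protocol)
                     if e.attack_type in preset_types)
    return {t: counts.get(t, 0) for t in preset_types}


def sources_by_target_attacks(log, start, end, target_ip, preset_types,
                              first_preset_times, protocol=None):
    """All sources launching a preset-type attack whose count against the
    protected client exceeds the first preset number of times."""
    counts = preset_type_counts(log, start, end, target_ip, preset_types, protocol)
    exceeded = {t for t, n in counts.items() if n > first_preset_times}
    return sorted({e.src_ip for e in _targets(log, start, end, target_ip, protocol)
                   if e.attack_type in exceeded})


# Constructed sample log reproducing the page's figures: five sources with
# 1000, 85, 60, 1500 and 55 attacks between 12:00 and 12:05, plus port scan
# and address scan attacks against the protected client 218.30.13.36.
WINDOW_START = datetime(2015, 10, 1, 12, 0)
WINDOW_END = WINDOW_START + timedelta(minutes=5)


def _spread(n, src, dst, attack_type, protocol):
    # n entries spread evenly over the five-minute window
    span = (WINDOW_END - WINDOW_START).total_seconds()
    return [AttackLogEntry(WINDOW_START + timedelta(seconds=span * i / n),
                           src, dst, attack_type, protocol) for i in range(n)]


def build_sample_log():
    log = []
    flood_counts = {"192.0.2.1": 1000, "192.0.2.2": 85, "192.0.2.3": 60,
                    "192.0.2.4": 1500, "192.0.2.5": 55}
    for src, n in flood_counts.items():
        log += _spread(n, src, "203.0.113.10", "syn_flood", "TCP")
    log += _spread(28, "198.51.100.7", "218.30.13.36", "port_scan", "HTTP")
    log += _spread(55, "198.51.100.8", "218.30.13.36", "address_scan", "HTTP")
    # port scans over SMTP: not counted when protection is limited to HTTP
    log += _spread(12, "198.51.100.9", "218.30.13.36", "port_scan", "SMTP")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print(sources_by_frequency(log, WINDOW_START, WINDOW_END, 145))
    print(sources_by_target_attacks(log, WINDOW_START, WINDOW_END, "218.30.13.36",
                                    {"port_scan", "address_scan"}, 10, protocol="HTTP"))
```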
Step S202: extract the characteristic information of the network attack sources from the network attack log and add it to the network attack blacklist.
The characteristic information of a network attack source uniquely identifies it. In the embodiments of the present application the network attack blacklist can be updated with the characteristic information of the attack sources, so the blacklist can include the characteristic information of the determined network attack sources.
Those skilled in the art will appreciate that an IP address is a way of addressing hosts on the Internet and that every host (for example a computer) has a unique IP address, so the IP address can serve as the characteristic information of a network attack source. In an optional implementation, the IP addresses of all network sources determined to be network attack sources are extracted and updated into the network attack blacklist. The IPS device can then identify attack sources by the IP addresses in the blacklist and block them when they launch attacks.
Step S203: perform hierarchical management of the network attack blacklist according to a preset management strategy.
Some network attack sources in the blacklist may be clients remotely controlled by a hacker, which launch network attacks continuously for a certain period but are not malicious attack sources themselves. If such attack sources stay in the blacklist for a long time, legitimate users of those clients cannot use the network normally. A management strategy can therefore be set when adding attack sources, to manage the attack sources in the blacklist. For example, when the characteristic information of an attack source is added to the network attack blacklist, an ageing time is set for the characteristic information of each attack source; the IPS device checks the ageing time of the characteristic information of all attack sources in the blacklist, and when it detects an attack source whose ageing time has expired, it treats that attack source as a lapsed attack source and deletes its characteristic information from the blacklist.
On the other hand, the blacklist may contain some fixed malicious attack sources which frequently attack the destination client and would repeatedly be added to the blacklist. Such attack sources can be added to the blacklist permanently and only be deleted manually by an administrator, which can be achieved by the following management strategy. For example, when the IPS device adds the characteristic information of an attack source to the blacklist, it sets a counter for the number of times that characteristic information has been added, with an initial count of 1, and increments the count by 1 on each further addition. The IPS device then checks, at a configured first time cycle, whether the number of additions of the characteristic information of each attack source in the blacklist exceeds a second preset value; when it detects an attack source exceeding the second preset value, it treats that attack source as a fixed attack source and sets a solidification flag on its characteristic information. Based on this flag the IPS device cannot automatically delete the fixed attack source; only the administrator can delete it manually.
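The two management strategies of Step S203 as an added Python example (not the patent's or DPTech's code): an ageing time per entry, an addition counter starting at 1, a periodic solidification check against the second preset value, and deletion of solidified entries only by the administrator. The time units, the thresholds, the assumption that the addition counter persists after an entry ages out, and the assumption that re-adding a listed source refreshes its ageing time are all constructed for this example.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class BlacklistEntry:
    ip: str                    # characteristic information of the attack source
    expires_at: float          # ageing time: when the entry lapses (seconds)
    solidified: bool = False   # solidification flag: never auto-deleted


class AttackBlacklist:
    """Hierarchical management of the network attack blacklist from Step S203."""

    def __init__(self, ageing_seconds, second_preset_value):
        self.ageing_seconds = ageing_seconds
        self.second_preset_value = second_preset_value
        self.entries: Dict[str, BlacklistEntry] = {}
        # Addition counter per characteristic information. Assumption for the
        # example: the counter survives deletion of the entry by ageing, so a
        # source that keeps coming back accumulates additions.
        self.add_counts: Dict[str, int] = {}

    def add(self, ip, now):
        """Add (or re-add) an attack source; the count starts at 1 and grows by 1 each time."""
        self.add_counts[ip] = self.add_counts.get(ip, 0) + 1
        entry = self.entries.get(ip)
        if entry is None:
            self.entries[ip] = BlacklistEntry(ip, now + self.ageing_seconds)
        else:
            # assumption: re-adding a listed source refreshes its ageing time
            entry.expires_at = now + self.ageing_seconds
        return self.add_counts[ip]

    def is_blocked(self, ip):
        return ip in self.entries

    def detect_solidified(self):
        """Periodic check (the first time cycle): flag sources whose addition
        count exceeds the second preset value as fixed attack sources."""
        newly = []
        for ip, entry in self.entries.items():
            if not entry.solidified and self.add_counts[ip] > self.second_preset_value:
                entry.solidified = True
                newly.append(ip)
        return sorted(newly)

    def expire(self, now):
        """Delete lapsed attack sources whose ageing time has passed; fixed
        (solidified) sources are kept for the administrator."""
        lapsed = sorted(ip for ip, e in self.entries.items()
                        if not e.solidified and e.expires_at <= now)
        for ip in lapsed:
            del self.entries[ip]
        return lapsed

    def manual_delete(self, ip):
        """Only an administrator removes a fixed attack source."""
        return self.entries.pop(ip, None) is not None


def simulate():
    """Constructed scenario: 192.0.2.1 is listed once and ages out after 600 s;
    192.0.2.4 is re-added every 300 s cycle and becomes a fixed attack source
    once its addition count exceeds the second preset value of 3."""
    bl = AttackBlacklist(ageing_seconds=600, second_preset_value=3)
    events: List[tuple] = []
    bl.add("192.0.2.1", now=0)
    for t in (0, 300, 600, 900):
        expired = bl.expire(now=t)
        bl.add("192.0.2.4", now=t)
        events.append((t, expired, bl.detect_solidified()))
    survives_ageing = bl.expire(now=10_000) == [] and bl.is_blocked("192.0.2.4")
    removed_by_admin = bl.manual_delete("192.0.2.4")
    return events, survives_ageing, removed_by_admin


if __name__ == "__main__":
    for event in simulate()[0]:
        print(event)
```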
As described in the above embodiment, when the network attack protection function is enabled on the IPS device, the IPS device automatically analyzes the network attack log according to preset rules, determines network attack sources from the network sources of the log, adds their characteristic information to the network attack blacklist, and performs hierarchical management of the blacklist according to a preset management strategy, so that the IPS device achieves a timely, effective and reasonable network attack protection function through the blacklist.
Corresponding to the embodiments of the network attack blacklist management method described above, the present application also provides embodiments of a network attack blacklist management device.
The embodiments of the network attack blacklist management device of the present application can be applied on an IPS device. The device embodiments can be implemented in software, in hardware, or in a combination of software and hardware. Taking software implementation as an example, the device in the logical sense is formed by the processor of the equipment in which it is located reading the corresponding computer program instructions from non-volatile memory into memory and running them. In terms of hardware, Fig. 3 is a hardware structure diagram of the equipment in which the network attack blacklist management device of the present application is located; besides the processor, memory, network interface and non-volatile memory shown in Fig. 3, the equipment may also include other hardware according to its actual function, which is not described further here.
Fig. 4 is a structure diagram of an embodiment of a network attack blacklist management device according to an exemplary embodiment of the present application. The embodiment is applied to an IPS device that communicates with an attack source and with a destination client respectively. The device includes a determining unit 410, an adding unit 420 and a management unit 430.
The determining unit 410 is used for analyzing a network attack log according to preset rules and determining network attack sources from the network sources of the network attack log, where the network attack log includes the characteristic information of the network sources;
the adding unit 420 is used for extracting the characteristic information of the network attack sources from the network attack log and adding it to a network attack blacklist;
the management unit 430 is used for performing hierarchical management of the network attack blacklist according to a preset management strategy.
In an optional implementation, the determining unit 410 may include (not shown in Fig. 4):
a computation subunit, for computing the attack frequency at which a network source launches attacks, by counting from the network attack log the number of attacks launched by the network source in a preset time period;
a first judgment subunit, for judging whether the attack frequency exceeds a preset frequency;
a first determining subunit, for determining that the network source is a network attack source when the attack frequency exceeds the preset frequency.
In another optional implementation, the determining unit 410 may include (not shown in Fig. 4):
a statistics subunit, for counting from the network attack log the number of attacks of a preset type suffered by a protected client in a preset time period;
a second judgment subunit, for judging whether the number of attacks exceeds a first preset number;
a second determining subunit, for determining that the network sources launching the preset type of attack are network attack sources when the number of attacks exceeds the first preset number.
In another optional implementation, the adding unit 420 may include (not shown in Fig. 4):
an extraction subunit, for extracting the Internet Protocol (IP) addresses of the network sources determined to be network attack sources;
an addition subunit, for adding the IP addresses to the network attack blacklist.
In another optional implementation, the management unit 430 may include (not shown in Fig. 4):
a setting subunit, for setting an ageing time for the characteristic information of the attack sources in the network attack blacklist;
a first detection subunit, for detecting the ageing time of the characteristic information of the attack sources;
a deletion subunit, for treating an attack source as a lapsed attack source when its characteristic information is detected to have expired, and deleting the characteristic information of the lapsed attack source from the network attack blacklist.
In another optional implementation, the management unit 430 may include (not shown in Fig. 4):
a counting subunit, for setting a counter for the number of additions of the characteristic information of an attack source when that characteristic information is first added to the network attack blacklist, with an initial count of 1, and incrementing the count by 1 on each further addition;
a second detection subunit, for detecting, at a configured first time cycle, whether the count of the characteristic information of each attack source in the network attack blacklist exceeds a second preset value;
a solidification subunit, for treating an attack source as a fixed attack source when the count exceeds the second preset value and setting a solidification flag on the characteristic information of the fixed attack source, the solidification flag being used to forbid the IPS device from automatically deleting the fixed attack source.
The functions and effects of the units in the above device are implemented as described for the corresponding steps of the above method and are not repeated here.
Since the device embodiments substantially correspond to the method embodiments, the relevant parts are described with reference to the method embodiments. The device embodiments described above are merely illustrative: the units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units, i.e. they may be located in one place or distributed over multiple network elements. Some or all of the modules can be selected according to actual needs to achieve the purpose of the solution of the present application, which those of ordinary skill in the art can understand and implement without creative effort.
As described in the above embodiments, when the network attack protection function is enabled on the IPS device, the IPS device automatically analyzes the network attack log according to preset rules, determines network attack sources from the network sources of the log, adds their characteristic information to the network attack blacklist, and performs hierarchical management of the blacklist according to a preset management strategy, so that the IPS device achieves a timely, effective and reasonable network attack protection function through the blacklist.
The above are only preferred embodiments of the present application and are not intended to limit it; any modification, equivalent substitution, improvement, etc. made within the spirit and principles of the application shall be included within the scope of protection of the application.

Claims (12)

1. A network attack blacklist management method, the method being applied to an intrusion prevention system (IPS) device that communicates respectively with an attack source and a destination client, characterized in that the method includes:
analyzing a network attack log according to preset rules and determining the attack source among the network sources in the network attack log, the network attack log including characteristic information of the network sources;
extracting the characteristic information of the attack source from the network attack log and adding it to a network attack blacklist;
managing the network attack blacklist in tiers according to a preset management strategy.
2. The method according to claim 1, characterized in that analyzing the network attack log according to preset rules and determining the attack source among the network sources in the network attack log includes:
according to the network attack log, counting the number of attacks launched by a network source within a preset time period and calculating the attack frequency at which the network source launches attacks;
judging whether the attack frequency exceeds a preset frequency;
when the attack frequency exceeds the preset frequency, determining that the network source is an attack source.
3. The method according to claim 1, characterized in that analyzing the network attack log according to preset rules and determining the attack source among the network sources in the network attack log includes:
according to the network attack log, counting the number of attacks of a preset type suffered by a protected client within a preset time period;
judging whether the number of attacks is greater than a first preset number;
when the number of attacks exceeds the first preset number, determining that the network sources that launched the attacks of the preset type are attack sources.
4. The method according to claim 1, characterized in that extracting the characteristic information of the attack source from the network attack log and adding it to the network attack blacklist includes:
extracting the Internet Protocol (IP) address of the network source confirmed to be the attack source;
adding the IP address to the network attack blacklist.
5. The method according to claim 1, characterized in that managing the network attack blacklist in tiers according to the preset management strategy includes:
setting an ageing time for the characteristic information of each attack source in the network attack blacklist;
detecting the ageing time of the characteristic information of the attack source;
when the characteristic information of an attack source whose ageing time has expired is detected, treating that attack source as a lapsed attack source and deleting the characteristic information of the lapsed attack source from the network attack blacklist.
6. The method according to claim 1, characterized in that managing the network attack blacklist in tiers according to the preset management strategy includes:
when the characteristic information of an attack source is added to the network attack blacklist for the first time, setting a counter for the number of additions of the characteristic information of this attack source, with an initial count value of 1; when the characteristic information of the attack source already exists in the network attack blacklist, incrementing the count value of the counter by 1;
detecting, at a set first time period, whether the count value of the characteristic information of each attack source in the network attack blacklist is greater than a second preset value;
when the count value exceeds the second preset value, treating the attack source as a fixed attack source and setting a solidification mark for the characteristic information of the fixed attack source, the solidification mark being used to prohibit the IPS device from automatically deleting the fixed attack source.
7. A network attack blacklist management device, the device being applied to an intrusion prevention system (IPS) device that communicates respectively with an attack source and a destination client, characterized in that the device includes:
a determining unit, configured to analyze a network attack log according to preset rules and determine the attack source among the network sources in the network attack log, the network attack log including characteristic information of the network sources;
an adding unit, configured to extract the characteristic information of the attack source from the network attack log and add it to a network attack blacklist;
a management unit, configured to manage the network attack blacklist in tiers according to a preset management strategy.
8. The device according to claim 7, characterized in that the determining unit includes:
a calculation subunit, configured to count, according to the network attack log, the number of attacks launched by a network source within a preset time period and calculate the attack frequency at which the network source launches attacks;
a first judging subunit, configured to judge whether the attack frequency exceeds a preset frequency;
a first determining subunit, configured to determine that the network source is an attack source when the attack frequency exceeds the preset frequency.
9. The device according to claim 7, characterized in that the determining unit includes:
a statistics subunit, configured to count, according to the network attack log, the number of attacks of a preset type suffered by a protected client within a preset time period;
a second judging subunit, configured to judge whether the number of attacks is greater than a first preset number;
a second determining subunit, configured to determine, when the number of attacks exceeds the first preset number, that the network sources that launched the attacks of the preset type are attack sources.
10. The device according to claim 7, characterized in that the adding unit includes:
an extraction subunit, configured to extract the Internet Protocol (IP) address of the network source confirmed to be the attack source;
an addition subunit, configured to add the IP address to the network attack blacklist.
11. The device according to claim 7, characterized in that the management unit includes:
a setting subunit, configured to set an ageing time for the characteristic information of each attack source in the network attack blacklist;
a first detection subunit, configured to detect the ageing time of the characteristic information of the attack source;
a deletion subunit, configured to, when the characteristic information of an attack source whose ageing time has expired is detected, treat that attack source as a lapsed attack source and delete the characteristic information of the lapsed attack source from the network attack blacklist.
12. The device according to claim 7, characterized in that the management unit includes:
a counting subunit, configured to set, when the characteristic information of an attack source is added to the network attack blacklist for the first time, a counter for the number of additions of the characteristic information of this attack source with an initial count value of 1, and to increment the count value of the counter by 1 when the characteristic information of the attack source already exists in the network attack blacklist;
a second detection subunit, configured to detect, at a set first time period, whether the count value of the characteristic information of each attack source in the network attack blacklist is greater than a second preset value;
a solidification subunit, configured to, when the count value exceeds the second preset value, treat the attack source as a fixed attack source and set a solidification mark for the characteristic information of the fixed attack source, the solidification mark being used to prohibit the IPS device from automatically deleting the fixed attack source.
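The management strategy of claims 1 to 6 (mirrored by the device claims 7 to 12), written out as an added example that is not the patent's own code: frequency-based detection (claim 2), per-client attack-type counting (claim 3), IP extraction (claim 4), ageing (claim 5) and the re-add counter with the solidification mark (claim 6). Class and method names, the thresholds, the choice to express frequency as attacks per second over the window, the refresh of the ageing timer on re-add, and the sample log are all constructed assumptions.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed sample attack log: (seconds, source IP, protected client, attack type).
SAMPLE_LOG = [
    (1, "203.0.113.5", "web1", "sqli"), (2, "203.0.113.5", "web1", "sqli"),
    (3, "203.0.113.5", "web2", "xss"), (4, "203.0.113.5", "web1", "sqli"),
    (5, "198.51.100.7", "web1", "sqli"), (6, "198.51.100.9", "web1", "sqli"),
    (7, "192.0.2.3", "web2", "scan"),
]

@dataclass
class Entry:                  # one blacklist row; the source IP is its characteristic information
    added_at: int
    add_count: int = 1        # claim 6: counter starts at 1 on first insertion
    pinned: bool = False      # claim 6: "solidification mark": never auto-deleted

class BlacklistManager:       # hypothetical name, not from the patent
    def __init__(self, window, freq_threshold, type_threshold, ageing_time, pin_threshold):
        self.window = window                  # preset time period, seconds
        self.freq_threshold = freq_threshold  # claim 2: attacks per second (assumed unit)
        self.type_threshold = type_threshold  # claim 3: "first preset number"
        self.ageing_time = ageing_time        # claim 5: seconds a row stays valid
        self.pin_threshold = pin_threshold    # claim 6: "second preset value"
        self.blacklist = {}                   # source IP -> Entry

    def find_attack_sources(self, log, now, attack_type):
        recent = [r for r in log if now - self.window < r[0] <= now]
        sources = set()
        # claim 2: per-source attack frequency over the window
        for ip, n in Counter(r[1] for r in recent).items():
            if n / self.window > self.freq_threshold:
                sources.add(ip)
        # claim 3: attacks of the preset type per protected client; once the count
        # exceeds the threshold, every source that launched that type is an attack source
        per_client = defaultdict(list)
        for _ts, ip, client, kind in recent:
            if kind == attack_type:
                per_client[client].append(ip)
        for srcs in per_client.values():
            if len(srcs) > self.type_threshold:
                sources.update(srcs)
        return sources

    def add(self, ip, now):                   # claim 4 (IP is the key) and claim 6 (counter)
        e = self.blacklist.get(ip)
        if e is None:
            self.blacklist[ip] = Entry(added_at=now)
        else:
            e.add_count += 1                  # already listed: bump the counter
            e.added_at = now                  # assumption: re-adding refreshes the ageing timer

    def age_out(self, now):                   # claim 5: drop expired rows, keep pinned ones
        expired = [ip for ip, e in self.blacklist.items()
                   if not e.pinned and now - e.added_at >= self.ageing_time]
        for ip in expired:
            del self.blacklist[ip]
        return expired

    def pin_check(self):                      # claim 6: periodic check for repeat offenders
        newly = [ip for ip, e in self.blacklist.items()
                 if not e.pinned and e.add_count > self.pin_threshold]
        for ip in newly:
            self.blacklist[ip].pinned = True
        return newly
```

With the sample log, the 203.0.113.5 host is caught by the frequency rule and the two other sqli sources by the per-client rule; only a source re-added past the pin threshold survives ageing.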
CN201510690099.7A 2015-10-22 2015-10-22 Network attack black list management method and device Pending CN105959250A (en)


Publications (1)

Publication Number Publication Date
CN105959250A true CN105959250A (en) 2016-09-21


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information
Address after: Binjiang District and Hangzhou city in Zhejiang Province Road 310051 No. 68 in the 6 storey building
Applicant after: Hangzhou Dipu Polytron Technologies Inc
Address before: Binjiang District and Hangzhou city in Zhejiang Province Road 310051 No. 68 in the 6 storey building
Applicant before: Hangzhou Dipu Technology Co., Ltd.
COR Change of bibliographic data
RJ01 Rejection of invention patent application after publication
Application publication date: 20160921