CN105959290A - Detection method and device of attack message - Google Patents
- Publication number: CN105959290A (application number CN201610398605.XA)
- Authority: CN (China)
- Prior art keywords: attack, message, feature database, protocol characteristic, signature
- Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
Abstract
The present invention provides a method and device for detecting attack messages, applied on IPS equipment. The method comprises: receiving a message and determining its protocol feature; judging whether an application feature database contains that protocol feature; if so, obtaining all attack signatures corresponding to the protocol feature and judging whether the message carries any of those attack signatures; and if so, determining that the message is an attack message and processing it with the execution mode corresponding to the matched attack signature. In embodiments of the present invention, the application feature database decides whether a message needs to be inspected at all, and the message is then matched only against the attack signatures corresponding to its protocol feature rather than against every attack signature in the attack signature database. This improves the accuracy of attack detection and reduces the memory consumed on the IPS equipment.
Description
Technical field
This application relates to the field of network communication technology, and in particular to a method and device for detecting attack messages (i.e. attack packets).
Background technology
IPS (Intrusion Prevention System) equipment is used to detect and defend against attacks: when an IPS device receives a message, it matches the message against the attack signatures recorded in its attack signature database, and if an attack signature matches, the message is determined to be an attack message and the device blocks it or raises an alarm. However, because there are very many kinds of network attacks, the attack signature database holds a correspondingly huge number of attack signatures. When the IPS device receives a large volume of messages, every message has to be matched against all attack signatures in the database, which inevitably consumes a large amount of IPS device memory, slows down message matching, lowers the processing efficiency of the IPS device and degrades the user experience.
Summary of the invention
In view of this, the present application provides a method and device for detecting attack messages, to solve the problem that existing detection approaches readily reduce the processing efficiency of IPS equipment and degrade the user experience.
According to a first aspect of the embodiments of the present application, a method for detecting attack messages is provided. The method is applied on intrusion prevention system (IPS) equipment on which an attack signature database is configured; each attack signature recorded in the attack signature database corresponds to a protocol feature and an execution mode. The method includes:
receiving a message and determining the protocol feature of the message;
judging whether the protocol feature exists in an application feature database, the application feature database recording protocol features;
if it exists, obtaining all attack signatures corresponding to the protocol feature, and judging whether the message contains any attack signature among those attack signatures;
if it does, determining that the message is an attack message, and processing the message with the execution mode corresponding to the matched attack signature.
According to a second aspect of the embodiments of the present application, a device for detecting attack messages is provided. The device is applied on intrusion prevention system (IPS) equipment on which an attack signature database is configured; each attack signature recorded in the attack signature database corresponds to a protocol feature and an execution mode. The device includes:
a receiving unit, for receiving a message;
a first determining unit, for determining the protocol feature of the message;
a first judging unit, for judging whether the protocol feature exists in an application feature database, the application feature database recording protocol features;
a first acquiring unit, for obtaining all attack signatures corresponding to the protocol feature when the judging result is that it exists;
a second judging unit, for judging whether the message contains any attack signature among those attack signatures;
a second determining unit, for determining, when the judging result is yes, that the message is an attack message, and processing the message with the execution mode corresponding to the matched attack signature.
By applying the embodiments of the present application, an IPS device that receives a message determines the protocol feature of the message and uses that protocol feature to decide whether attack signature detection is needed for the message. If it is, the device judges whether the message contains any attack signature among all attack signatures corresponding to that protocol feature; if so, it determines that the message is an attack message and processes it with the execution mode corresponding to the matched attack signature. Because the message only has to be matched against the attack signatures corresponding to its protocol feature, rather than against every attack signature in the attack signature database, the memory consumed on the IPS device is reduced and its processing efficiency improves. Moreover, because the protocol feature of the message is the same as the protocol feature corresponding to the matched attack signature, the accuracy of attack detection is ensured.
Accompanying drawing explanation
Fig. 1 is a flow chart of an embodiment of the attack message detection method according to an exemplary embodiment of the present application;
Fig. 2 is a hardware structure diagram of an IPS device according to an exemplary embodiment of the present application;
Fig. 3 is a structure chart of an embodiment of the attack message detection device according to an exemplary embodiment of the present application.
Detailed description of the invention
Exemplary embodiments will now be described in detail, examples of which are shown in the accompanying drawings. Where the following description refers to the drawings, the same numerals in different drawings denote the same or similar elements unless otherwise indicated. The implementations described in the following exemplary embodiments do not represent all implementations consistent with the present application; rather, they are merely examples of apparatus and methods consistent with some aspects of the present application as detailed in the appended claims.
The terms used in this application are for the purpose of describing particular embodiments only and are not intended to limit the application. The singular forms "a", "the" and "said" used in this application and the appended claims are also intended to include the plural forms, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" used herein refers to and includes any and all possible combinations of one or more of the associated listed items.
It should be understood that although the terms first, second, third, etc. may be used in this application to describe various information, the information should not be limited by these terms. These terms are only used to distinguish information of the same type from one another. For example, without departing from the scope of the application, first information may also be called second information, and similarly, second information may also be called first information. Depending on the context, the word "if" as used herein may be interpreted as "when", "upon" or "in response to determining".
Fig. 1 is a flow chart of an embodiment of the attack message detection method according to an exemplary embodiment of the present application. As shown in Fig. 1, this embodiment is applied on an IPS device. In the embodiment of the present application, an attack signature database is provided on the IPS device in advance; attack signatures are recorded in this database, and each attack signature corresponds to a protocol feature and an execution mode. The embodiment comprises the following steps:
Step 101: receive a message and determine the protocol feature of the message.
Generally, an IPS device is deployed at the network exit of a company, enterprise or organization, so that messages sent by internal clients to external website servers and messages sent by external website servers to internal clients all pass through the IPS device.
To determine the protocol feature of the message, the IPS device can obtain the port number carried by the message and use that port number to determine the protocol feature.
The message header carries the port number, and different port numbers correspond to different protocol features. Table 1 is an exemplary mapping table of port numbers to protocol features.
Port number | Protocol feature |
---|---|
21 | FTP |
23 | TELNET |
25 | SMTP |
53 | DNS |
69 | TFTP |
80 | HTTP |
Table 1
Step 102: judge whether the protocol feature exists in the application feature database; if it does not, perform step 103, and if it does, perform step 104.
The IPS device is configured with an application feature database that records protocol features, for example HTTP (Hyper Text Transfer Protocol), FTP (File Transfer Protocol), TELNET (Telecommunication Network Protocol), SMTP (Simple Mail Transfer Protocol) and TFTP (Trivial File Transfer Protocol). The protocol features recorded in the application feature database are all protocol features that network attacks may use.
Step 103: forward the message.
If the protocol feature of the message does not exist in the application feature database, no attack detection needs to be performed on the message; likewise, if no attack signature matches, the message is a normal message. In either case the IPS device forwards the message according to the existing forwarding process, which is not described further here.
Step 104: obtain all attack signatures corresponding to the protocol feature, and judge whether the message contains any attack signature among them; if not, perform step 103, and if so, perform step 105.
Specifically, if the protocol feature of the message exists in the application feature database, the message needs attack signature matching: the IPS device obtains from the attack signature database all attack signatures corresponding to that protocol feature and matches the message against those attack signatures. If no attack signature matches, step 103 is performed; if an attack signature matches, step 105 is performed.
It should be noted that, since each attack signature corresponds to a protocol feature, if the IPS device matched a received message directly against attack signatures, the protocol feature corresponding to a matched attack signature might differ from the protocol feature of the message. In that case the message is actually a normal message, but the existing detection approach would mistake it for an attack message, reducing the accuracy of attack detection.
Based on the above, when the IPS device receives a message it uses the protocol feature of the message to decide whether attack signature matching is required. Furthermore, the message only has to be matched against the attack signatures corresponding to that protocol feature, not against all attack signatures in the attack signature database, which reduces the memory consumed on the IPS device and improves its processing efficiency. And because the protocol feature of the message is the same as the protocol feature corresponding to the matched attack signature, the accuracy of attack detection is ensured.
Step 105: determine that the message is an attack message, and process the message with the execution mode corresponding to the matched attack signature.
The execution mode may be alert, block or drop. For more serious attack signatures, such as those that may interrupt business operation, the execution mode may be block or drop; for ordinary attack signatures, such as a port scan attack, the execution mode may be alert.
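Steps 101 to 105 above, as an added Python example; this is not code from the patent or the applicant. It assumes that an attack signature is a byte pattern searched for in the message payload, that the protocol feature is derived from the destination port via Table 1, and it uses constructed sample signatures together with an application feature database matching the protocols listed under step 102 (DNS deliberately absent). `Signature`, `detect` and `signatures_consulted` are names chosen here.

```python
"""Per-protocol attack signature matching on an IPS device (steps 101-105).

Added example; the signatures and messages below are constructed for this
illustration and are not from the patent.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Table 1 from the description: port number -> protocol feature.
PORT_TO_PROTOCOL: Dict[int, str] = {
    21: "FTP", 23: "TELNET", 25: "SMTP", 53: "DNS", 69: "TFTP", 80: "HTTP",
}


@dataclass(frozen=True)
class Signature:
    attack_id: int   # attack identifier (one per signature)
    protocol: str    # protocol feature the signature is bound to
    pattern: bytes   # byte pattern searched for in the payload (assumption)
    action: str      # execution mode: "alert", "block" or "drop"


# Application feature database: protocol features that attacks may use.
# Constructed to match the protocols listed under step 102 (no DNS).
APP_FEATURE_DB: Set[str] = {"HTTP", "FTP", "TELNET", "SMTP", "TFTP"}

# Attack signature database indexed by protocol feature, so a message is
# compared only with the signatures of its own protocol (constructed sample).
ATTACK_SIGNATURE_DB: Dict[str, List[Signature]] = {
    "HTTP": [Signature(1, "HTTP", b"CONSTRUCTED-HTTP-ATTACK", "block")],
    "TELNET": [Signature(5, "TELNET", b"CONSTRUCTED-TELNET-SCAN", "alert")],
    "FTP": [Signature(10, "FTP", b"CONSTRUCTED-FTP-OVERFLOW", "drop")],
}


def protocol_of(dst_port: int) -> Optional[str]:
    """Step 101: derive the protocol feature from the port carried by the message."""
    return PORT_TO_PROTOCOL.get(dst_port)


def detect(dst_port: int, payload: bytes) -> Tuple[str, Optional[Signature]]:
    """Run steps 101-105 on one message.

    Returns ("forward", None) for a normal message (step 103), or
    (execution_mode, matched_signature) for an attack message (step 105).
    """
    protocol = protocol_of(dst_port)
    # Steps 102/103: an unknown protocol, or one not in the application
    # feature database, means no signature matching is needed at all.
    if protocol is None or protocol not in APP_FEATURE_DB:
        return "forward", None
    # Step 104: match only the signatures bound to this protocol.
    for sig in ATTACK_SIGNATURE_DB.get(protocol, []):
        if sig.pattern in payload:
            return sig.action, sig  # step 105
    return "forward", None


def signatures_consulted(dst_port: int) -> int:
    """Number of signatures a message on this port is compared with, versus the
    database-wide total sum(len(v) for v in ATTACK_SIGNATURE_DB.values())."""
    protocol = protocol_of(dst_port)
    if protocol is None or protocol not in APP_FEATURE_DB:
        return 0
    return len(ATTACK_SIGNATURE_DB.get(protocol, []))


if __name__ == "__main__":
    samples = [
        (80, b"GET /index.html HTTP/1.1"),
        (80, b"GET /?q=CONSTRUCTED-HTTP-ATTACK HTTP/1.1"),
        (80, b"GET /?q=CONSTRUCTED-TELNET-SCAN HTTP/1.1"),
        (53, b"CONSTRUCTED-HTTP-ATTACK"),
        (23, b"login: CONSTRUCTED-TELNET-SCAN"),
    ]
    for port, payload in samples:
        print(port, detect(port, payload)[0], signatures_consulted(port))
```

Running the block shows the two effects the description claims: a message on port 53 is forwarded without consulting any signature because DNS is absent from the application feature database, and a TELNET signature's pattern appearing in HTTP traffic does not yield an HTTP attack verdict, because only the signatures bound to the message's own protocol are consulted.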
It should be noted that, after determining that the message is an attack message, the IPS device may obtain the attack identifier corresponding to the attack signature and the attack type corresponding to that attack identifier, and then send the attack message and the attack type to a management device, so that the management device can use the attack message to further extract attack signatures belonging to that attack type.
Each attack signature corresponds to one attack identifier; the attack identifier may be a number or a character string, without limitation here. Each attack type includes multiple attack identifiers; for example, attack type A includes attack identifiers 1 and 10, and attack type B includes attack identifiers 5, 6 and 19. Over a preset time period, the management device obtains, from the received attack messages and attack types, all features present in the attack messages belonging to the same attack type. For each feature obtained, it counts the number of attack messages of that type that contain the feature; if the count exceeds a preset threshold, such as 50, the feature is determined to be an attack signature, and the protocol feature and execution mode of that attack signature are determined.
Further, to maintain the attack signature database, the IPS device may receive an attack signature, protocol feature and execution mode from the management device and update them into the attack signature database. Alternatively, technical staff may obtain attack messages with a comparatively high attack likelihood from the network, analyze them to extract attack signatures and protocol features, set the execution mode, and then add the attack signature, protocol feature and execution mode to the attack signature database so as to defend against certain network attacks.
Still further, to maintain the application feature database, the IPS device, after receiving an attack signature, protocol feature and execution mode from the management device, may judge whether the protocol feature already exists in the application feature database and, if it does not, update the protocol feature into the application feature database.
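The management-side signature extraction and the two database maintenance processes above, as an added Python example; this is not code from the patent or the applicant. It assumes that a "feature" of an attack message is a whitespace-separated token of its payload, that the protocol feature of a report is derived from its destination port via Table 1, and that the management device picks the execution mode per attack type from a constructed policy table. `derive_signatures`, `apply_update` and `build_sample_reports` are names chosen here, and the reports are constructed.

```python
"""Management-side attack signature extraction and IPS database maintenance.

Added example, not the patent's code. Features, policy and reports are
assumptions / constructed data for this illustration.
"""
from collections import Counter, defaultdict
from typing import Dict, Iterable, List, Set, Tuple

# Table 1 mapping, used to derive the protocol feature of a reported message.
PORT_TO_PROTOCOL: Dict[int, str] = {21: "FTP", 23: "TELNET", 25: "SMTP",
                                    53: "DNS", 69: "TFTP", 80: "HTTP"}

# Assumed policy: execution mode chosen by attack type (constructed).
EXECUTION_MODE_BY_TYPE: Dict[str, str] = {"A": "block", "B": "alert"}

# One report = (attack_type, dst_port, payload), as sent by the IPS device.
Report = Tuple[str, int, bytes]


def extract_features(payload: bytes) -> Set[bytes]:
    """Assumption: the features of a message are its distinct payload tokens."""
    return set(payload.split())


def derive_signatures(reports: Iterable[Report], threshold: int = 50
                      ) -> List[Tuple[str, str, bytes, str]]:
    """Return (attack_type, protocol_feature, feature, execution_mode) for every
    feature found in more than `threshold` attack messages of the same type."""
    per_type: Dict[str, Counter] = defaultdict(Counter)
    protocol_of_type: Dict[str, str] = {}
    for attack_type, port, payload in reports:
        protocol_of_type.setdefault(attack_type,
                                    PORT_TO_PROTOCOL.get(port, "UNKNOWN"))
        # extract_features returns a set, so each message is counted at most
        # once per feature, as the description requires.
        per_type[attack_type].update(extract_features(payload))
    result = []
    for attack_type, counts in per_type.items():
        for feature, n in counts.items():
            if n > threshold:
                result.append((attack_type, protocol_of_type[attack_type],
                               feature,
                               EXECUTION_MODE_BY_TYPE.get(attack_type, "alert")))
    return result


def apply_update(sig_db: Dict[str, List[Tuple[bytes, str]]], app_db: Set[str],
                 protocol: str, feature: bytes, execution_mode: str) -> bool:
    """IPS side: store the received signature under its protocol feature and,
    if that protocol is not yet in the application feature database, add it.
    Returns True when the application feature database was extended."""
    sig_db.setdefault(protocol, []).append((feature, execution_mode))
    if protocol in app_db:
        return False
    app_db.add(protocol)
    return True


def build_sample_reports() -> List[Report]:
    """Constructed sample: 60 type-A HTTP reports sharing one token (30 of
    them also share a second, noisier token) plus 10 type-B TELNET reports."""
    reports: List[Report] = []
    for i in range(60):
        extra = b" CONSTRUCTED-NOISE" if i < 30 else b""
        reports.append(("A", 80, b"/page%d CONSTRUCTED-A%s" % (i, extra)))
    for i in range(10):
        reports.append(("B", 23, b"user%d CONSTRUCTED-B" % i))
    return reports


if __name__ == "__main__":
    sig_db: Dict[str, List[Tuple[bytes, str]]] = {}
    app_db: Set[str] = {"FTP"}
    for attack_type, proto, feature, mode in derive_signatures(build_sample_reports()):
        extended = apply_update(sig_db, app_db, proto, feature, mode)
        print(attack_type, proto, feature, mode, "app_db extended:", extended)
```

With the default threshold of 50 only the token shared by all 60 type-A reports is promoted; the token present in 30 of them and the type-B token present in 10 reports are not, which is the intended effect of the threshold. Because the feature definition is a plain token, a lower threshold would also promote the noisier token, so in practice the choice of feature extractor matters as much as the count.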
As can be seen from the above embodiment, an IPS device that receives a message determines the protocol feature of the message and uses that protocol feature to decide whether attack signature detection is needed for the message. If it is, the device judges whether the message contains any attack signature among all attack signatures corresponding to that protocol feature; if so, it determines that the message is an attack message and processes it with the execution mode corresponding to the matched attack signature. Because the message only has to be matched against the attack signatures corresponding to its protocol feature, rather than against every attack signature in the attack signature database, the memory consumed on the IPS device is reduced and its processing efficiency improves. Moreover, because the protocol feature of the message is the same as the protocol feature corresponding to the matched attack signature, the accuracy of attack detection is ensured.
Corresponding to the foregoing embodiment of the attack message detection method, the present application also provides embodiments of an attack message detection device.
Embodiments of the attack message detection device of the present application can be applied on an IPS device. A device embodiment may be implemented by software, or by hardware or a combination of software and hardware. Taking software implementation as an example, the device in the logical sense is formed by the processor of the equipment on which it resides reading the corresponding computer program instructions from non-volatile memory into memory and running them. At the hardware level, Fig. 2 is a hardware structure diagram of an IPS device according to an exemplary embodiment of the present application; besides the processor, memory, network interface and non-volatile memory shown in Fig. 2, the equipment on which the device of the embodiment resides may also include other hardware according to its actual function, which is not described further here.
Fig. 3 is a structure chart of an embodiment of the attack message detection device according to an exemplary embodiment of the present application. As shown in Fig. 3, this embodiment is applied on an IPS device configured with an attack signature database, in which each recorded attack signature corresponds to a protocol feature and an execution mode. The device includes: a receiving unit 310, a first determining unit 320, a first judging unit 330, a first acquiring unit 340, a second judging unit 350 and a second determining unit 360.
The receiving unit 310 is for receiving a message;
the first determining unit 320 is for determining the protocol feature of the message;
the first judging unit 330 is for judging whether the protocol feature exists in an application feature database, the application feature database recording protocol features;
the first acquiring unit 340 is for obtaining all attack signatures corresponding to the protocol feature when the judging result is that it exists;
the second judging unit 350 is for judging whether the message contains any attack signature among those attack signatures;
the second determining unit 360 is for determining, when the judging result is yes, that the message is an attack message, and processing the message with the execution mode corresponding to the matched attack signature.
In an optional implementation, the first determining unit 320 is specifically configured to obtain the port number carried by the message and to use the port number to determine the protocol feature of the message.
In another optional implementation, the device further includes (not shown in Fig. 3):
a second acquiring unit, for obtaining, after the second determining unit 360 determines that the message is an attack message, the attack identifier corresponding to the attack signature and the attack type corresponding to that attack identifier;
a sending unit, for sending the attack message and the attack type to a management device, so that the management device uses the attack message to further extract attack signatures belonging to that attack type.
In another optional implementation, the device further includes (not shown in Fig. 3):
an attack signature database maintenance unit, specifically for receiving an attack signature, protocol feature and execution mode from the management device and updating the attack signature, protocol feature and execution mode into the attack signature database.
In another optional implementation, the device further includes (not shown in Fig. 3):
an application feature database maintenance unit, specifically for judging, after the attack signature database maintenance unit receives the attack signature, protocol feature and execution mode from the management device, whether the protocol feature exists in the application feature database, and if it does not, updating the protocol feature into the application feature database.
For the functions of the units of the above device and the processes by which their effects are achieved, refer to the implementation of the corresponding steps in the above method, which is not repeated here.
Since the device embodiment substantially corresponds to the method embodiment, the relevant parts can be found in the description of the method embodiment. The device embodiment described above is merely illustrative: the units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units, i.e. they may be located in one place or distributed over multiple network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the present application. Those of ordinary skill in the art can understand and implement this without creative effort.
As can be seen from the above embodiments, an IPS device that receives a message determines the protocol feature of the message and uses that protocol feature to decide whether attack signature detection is needed for the message. If it is, the device judges whether the message contains any attack signature among all attack signatures corresponding to that protocol feature; if so, it determines that the message is an attack message and processes it with the execution mode corresponding to the matched attack signature. Because the message only has to be matched against the attack signatures corresponding to its protocol feature, rather than against every attack signature in the attack signature database, the memory consumed on the IPS device is reduced and its processing efficiency improves. Moreover, because the protocol feature of the message is the same as the protocol feature corresponding to the matched attack signature, the accuracy of attack detection is ensured.
The foregoing is only a preferred embodiment of the present application and is not intended to limit it; any modification, equivalent substitution, improvement, etc. made within the spirit and principles of the present application shall be included within the scope of protection of the present application.
Claims (10)
1. A method for detecting attack messages, characterized in that the method is applied on intrusion prevention system (IPS) equipment on which an attack signature database is configured, each attack signature recorded in the attack signature database corresponding to a protocol feature and an execution mode, the method comprising:
receiving a message and determining the protocol feature of the message;
judging whether the protocol feature exists in an application feature database, the application feature database recording protocol features;
if it exists, obtaining all attack signatures corresponding to the protocol feature, and judging whether the message contains any attack signature among those attack signatures;
if it does, determining that the message is an attack message, and processing the message with the execution mode corresponding to the matched attack signature.
2. The method according to claim 1, characterized in that determining the protocol feature of the message specifically comprises:
obtaining the port number carried by the message;
using the port number to determine the protocol feature of the message.
3. The method according to claim 1, characterized in that, after determining that the message is an attack message, the method further comprises:
obtaining the attack identifier corresponding to the attack signature;
obtaining the attack type corresponding to the attack identifier;
sending the attack message and the attack type to a management device, so that the management device uses the attack message to further extract attack signatures belonging to the attack type.
4. The method according to claim 3, characterized in that maintaining the attack signature database specifically comprises:
receiving an attack signature, protocol feature and execution mode from the management device;
updating the attack signature, protocol feature and execution mode into the attack signature database.
5. The method according to claim 4, characterized in that maintaining the application feature database specifically comprises:
after receiving the attack signature, protocol feature and execution mode from the management device, judging whether the protocol feature exists in the application feature database;
if it does not, updating the protocol feature into the application feature database.
6. A device for detecting attack messages, characterized in that the device is applied on intrusion prevention system (IPS) equipment on which an attack signature database is configured, each attack signature recorded in the attack signature database corresponding to a protocol feature and an execution mode, the device comprising:
a receiving unit, for receiving a message;
a first determining unit, for determining the protocol feature of the message;
a first judging unit, for judging whether the protocol feature exists in an application feature database, the application feature database recording protocol features;
a first acquiring unit, for obtaining all attack signatures corresponding to the protocol feature when the judging result is that it exists;
a second judging unit, for judging whether the message contains any attack signature among those attack signatures;
a second determining unit, for determining, when the judging result is yes, that the message is an attack message, and processing the message with the execution mode corresponding to the matched attack signature.
7. The device according to claim 6, characterized in that the first determining unit is specifically configured to obtain the port number carried by the message and to use the port number to determine the protocol feature of the message.
8. The device according to claim 6, characterized in that the device further comprises:
a second acquiring unit, for obtaining, after the second determining unit determines that the message is an attack message, the attack identifier corresponding to the attack signature, and obtaining the attack type corresponding to the attack identifier;
a sending unit, for sending the attack message and the attack type to a management device, so that the management device uses the attack message to further extract attack signatures belonging to the attack type.
9. The device according to claim 8, characterized in that the device further comprises:
an attack signature database maintenance unit, specifically for receiving an attack signature, protocol feature and execution mode from the management device, and updating the attack signature, protocol feature and execution mode into the attack signature database.
10. The device according to claim 9, characterized in that the device further comprises:
an application feature database maintenance unit, specifically for judging, after the attack signature database maintenance unit receives the attack signature, protocol feature and execution mode from the management device, whether the protocol feature exists in the application feature database, and if it does not, updating the protocol feature into the application feature database.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610398605.XA CN105959290A (en) | 2016-06-06 | 2016-06-06 | Detection method and device of attack message |
Publications (1)
Publication Number | Publication Date |
---|---|
CN105959290A true CN105959290A (en) | 2016-09-21 |
Family
ID=56907972
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201610398605.XA Pending CN105959290A (en) | 2016-06-06 | 2016-06-06 | Detection method and device of attack message |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN105959290A (en) |
Patent Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1738257A (en) * | 2004-12-31 | 2006-02-22 | 北京大学 | Network intrusion detection system and method based on application protocol detection engine |
CN101707601A (en) * | 2009-11-23 | 2010-05-12 | 成都市华为赛门铁克科技有限公司 | Invasion defence detection method and device and gateway equipment |
CN101834760A (en) * | 2010-05-20 | 2010-09-15 | 杭州华三通信技术有限公司 | IPS (Intrusion Prevention System)device based attack detecting method and IPS device |
KR101453728B1 (en) * | 2013-09-17 | 2014-10-22 | 주식회사 윈스 | Method and apparatus for providing network security policy based nat ip process |
CN104065644A (en) * | 2014-05-28 | 2014-09-24 | 北京知道创宇信息技术有限公司 | Method and apparatus for recognizing CC attacks based on log analysis |
CN105357166A (en) * | 2014-08-18 | 2016-02-24 | 中国移动通信集团公司 | Next-generation firewall system and packet detection method thereof |
Cited By (13)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106534100A (en) * | 2016-11-07 | 2017-03-22 | 深圳市楠菲微电子有限公司 | Distributed attack detection method and device based on custom field for use in switch chip |
CN106790313A (en) * | 2017-03-31 | 2017-05-31 | 杭州迪普科技股份有限公司 | Intrusion prevention method and device |
CN107968791B (en) * | 2017-12-15 | 2021-08-24 | 杭州迪普科技股份有限公司 | Attack message detection method and device |
CN107968791A (en) * | 2017-12-15 | 2018-04-27 | 杭州迪普科技股份有限公司 | A kind of detection method and device of attack message |
CN108566384A (en) * | 2018-03-23 | 2018-09-21 | 腾讯科技(深圳)有限公司 | A kind of flow attacking means of defence, device, protection server and storage medium |
CN108566384B (en) * | 2018-03-23 | 2021-09-28 | 腾讯科技(深圳)有限公司 | Traffic attack protection method and device, protection server and storage medium |
CN109413016A (en) * | 2018-04-28 | 2019-03-01 | 武汉思普崚技术有限公司 | A kind of rule-based message detecting method and device |
CN109561090A (en) * | 2018-11-30 | 2019-04-02 | 杭州安恒信息技术股份有限公司 | A kind of web intelligence defence method, device, equipment and readable storage medium storing program for executing |
CN109561090B (en) * | 2018-11-30 | 2022-04-26 | 杭州安恒信息技术股份有限公司 | Web intelligent defense method, device, equipment and readable storage medium |
CN110290124A (en) * | 2019-06-14 | 2019-09-27 | 杭州迪普科技股份有限公司 | A kind of interchanger inbound port blocking-up method and device |
CN110519273A (en) * | 2019-08-28 | 2019-11-29 | 杭州迪普科技股份有限公司 | Intrusion prevention method and apparatus |
CN110519273B (en) * | 2019-08-28 | 2021-11-02 | 杭州迪普科技股份有限公司 | Intrusion prevention method and device |
CN110611683A (en) * | 2019-09-29 | 2019-12-24 | 国家计算机网络与信息安全管理中心 | Method and system for alarming attack source |
Similar Documents
Publication | Title |
---|---|
CN105959290A (en) | Detection method and device of attack message |
US10867034B2 (en) | Method for detecting a cyber attack |
US10855718B2 (en) | Management of actions in a computing environment based on asset classification |
AU2018301781B2 (en) | Cyberanalysis workflow acceleration |
US9154516B1 (en) | Detecting risky network communications based on evaluation using normal and abnormal behavior profiles |
US9203856B2 (en) | Methods, systems, and computer program products for detecting communication anomalies in a network based on overlap between sets of users communicating with entities in the network |
EP2180660A1 (en) | Method and system for statistical analysis of botnets |
CN102594825A (en) | Method and device for detecting intranet Trojans |
US11818151B2 (en) | Identification of malicious domain campaigns using unsupervised clustering |
US20030083847A1 (en) | User interface for presenting data for an intrusion protection system |
EP3242240B1 (en) | Malicious communication pattern extraction device, malicious communication pattern extraction system, malicious communication pattern extraction method and malicious communication pattern extraction program |
CN108063833B (en) | HTTP DNS analysis message processing method and device |
CN110417747B (en) | Method and device for detecting violent cracking behavior |
CN110113350A (en) | A kind of monitoring of Internet of things system security threat and system of defense and method |
CN106921671B (en) | Network attack detection method and device |
US11546356B2 (en) | Threat information extraction apparatus and threat information extraction system |
CN106470203B (en) | Information acquisition method and device |
CN105939328A (en) | Method and device for updating network attack feature library |
US11863584B2 (en) | Infection spread attack detection device, attack origin specification method, and program |
US20220182401A1 (en) | Automated identification of false positives in dns tunneling detectors |
CN105939321A (en) | DNS (Domain Name System) attack detection method and device |
CN107332856B (en) | Address information detection method and device, storage medium and electronic device |
US10075467B2 (en) | Systems, devices, and methods for improved network security |
US11863577B1 (en) | Data collection and analytics pipeline for cybersecurity |
US9015300B2 (en) | Method, computer program product, and device for network reconnaissance flow identification |
Legal Events
Code | Title | Description |
---|---|---|
C06 | Publication | |
PB01 | Publication | |
C10 | Entry into substantive examination | |
SE01 | Entry into force of request for substantive examination | |
CB02 | Change of applicant information | Address after: Binjiang District and Hangzhou city in Zhejiang Province Road 310051 No. 68 in the 6 storey building; Applicant after: Hangzhou Dipu Polytron Technologies Inc. Address before: Binjiang District and Hangzhou city in Zhejiang Province Road 310051 No. 68 in the 6 storey building; Applicant before: Hangzhou Dipu Technology Co., Ltd. |
RJ01 | Rejection of invention patent application after publication | Application publication date: 20160921 |