CN108521413A - A kind of network of Future Information war is resisted and defence method and system - Google Patents


Info

Publication number: CN108521413A
Authority: CN (China)
Prior art keywords: unit, data packet, network, hash, traffic statistics
Legal status: Pending
Application number: CN201810284068.5A
Other languages: Chinese (zh)
Inventors: 何华, 张洁
Current assignee: Jiangsu Central Control Security Information Safe Technology Ltd
Original assignee: Jiangsu Central Control Security Information Safe Technology Ltd
Priority date: 2018-04-02
Filing date: 2018-04-02
Publication date: 2018-09-11

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection


Abstract

The invention discloses a network countermeasure and defence method for future information warfare, comprising the following steps: S1, a source port and source IP access a destination port and destination IP through a protocol; S2, a traffic statistics unit counts the data and traffic; S3, the traffic statistics unit processes the traffic and obtains a hash value; S4, the traffic statistics unit inserts the hash value into a hash bucket and passes the information and traffic to an assessment unit; S5, the assessment unit performs a statistical assessment of the data traffic; S6, an execution unit handles and alerts the network device of the destination IP according to the assessment result. The invention also discloses a network countermeasure and defence system comprising a traffic statistics unit, the traffic statistics unit being communicatively connected to a standard model unit, the standard model unit being communicatively connected to an assessment unit, and the assessment unit being communicatively connected to an execution unit. The invention makes the defence system more intelligent: it can automatically decide on and deploy various defence schemes on the network to cope with complex network attacks.

Description

Network countermeasure and defence method and system for future information warfare
Technical field
The present invention relates to the field of computer technology, and in particular to a network countermeasure and defence method and system for future information warfare.
Background technology
Botnets are characterised by simple attack methods, wide impact and difficulty of tracing, which has allowed distributed denial of service (DDoS) attacks to grow rapidly and spread increasingly unchecked. A botnet composed of thousands of hosts supplies the bandwidth and hosts a DDoS attack needs, producing enormous attack and network traffic and causing great harm to the attacked network. Because the harm of a DDoS attack is so great, it not only quickly prevents the attacked server from providing normal service but can also congest the whole network and, in serious cases, paralyse it, affecting the other servers on the same network. Detecting an attack in the network in time is therefore all the more important.
Current attack detection methods generally use either a fixed threshold or a dynamic traffic baseline, and both have obvious shortcomings. A fixed threshold set too high or too low causes false positives and missed detections. With a dynamic traffic baseline, a target whose normal traffic is very small is easily misjudged when a burst occurs, because its base is small, while a target with large traffic may be missed because its relative change is small. Falsely reporting bursts of legitimate traffic is a defect common to both methods. Moreover, a dynamic baseline cannot detect attacks during the initial stage in which it is being established for each new target, and if the baseline is built from traffic that already contains an attack, subsequent attacks on that target may never be detected at all. Today's rapidly changing network environment thus poses greater challenges to computer network defence; defence methods based on artificial intelligence in particular offer more strategies and methods for defence, namely automatically deciding on and deploying various defence schemes on the network to cope with complex network attacks.
Invention content
The object of the present invention is to solve the disadvantages in the prior art by proposing a network countermeasure and defence method and system for future information warfare.
To achieve the above object, the present invention adopts the following technical solutions:
A network countermeasure and defence method for future information warfare includes the following steps:
S1, a source port and source IP access a destination port and destination IP through a protocol, so that the destination port and destination IP receive traffic data;
S2, a traffic statistics unit counts the data and traffic accessing the destination port and destination IP and extracts the characteristic information of the source port;
S3, the traffic statistics unit processes the traffic with a hash operation to obtain the hash value of the packet message. The hash operation is as follows: the depth of a hash bucket is preset, and the hash value of the packet message is obtained by taking the source IP, source port, destination IP, destination port and protocol modulo the depth of the hash bucket; each time a packet message is received within the unit time, its corresponding counter value is incremented by 1;
S4, within the unit time, the traffic statistics unit inserts the hash value of the packet message into the corresponding position of the hash bucket and passes the corresponding information and traffic to an assessment unit;
S5, the assessment unit performs a statistical assessment of the data traffic and sends the assessment result to an execution unit. The assessment process is: once a counter value exceeds the set threshold, the assessment unit judges that the destination IP and destination port corresponding to that packet message are receiving abnormal traffic;
S6, according to the assessment result, the execution unit locates the source IP and source port of the data generating the abnormal traffic, and handles and alerts the network device of the destination IP.
Preferably, the protocol is one of three protocols: TCP, UDP and ICMP.
Preferably, the process of incrementing the counter value by 1 is: the hash value of the current packet message is obtained from the header information of the current packet message and compared with the hash values of the historical packet messages; if the hash value of the current packet message is identical to one of the hash values of the historical packet messages, the packet message uniquely corresponding to that historical hash value is found in the hash bucket and its counter is incremented by 1.
Preferably, the unit time is 1 s, and the hash bucket is updated once per unit time.
The invention also provides a network countermeasure and defence system for future information warfare comprising a traffic statistics unit, the traffic statistics unit being communicatively connected to a standard model unit, the standard model unit being communicatively connected to an assessment unit, and the assessment unit being communicatively connected to an execution unit.
Preferably, the traffic statistics unit performs traffic statistics using the raw packet header information.
Preferably, the standard model unit establishes, for each business flow, a standard model of the standard data stream to form the hash bucket, and uses the hash bucket to store the hash values of the historical packet messages.
The beneficial effects of the invention are as follows:
1. By comparing counter values against a fixed threshold and processing the result in the assessment unit, the invention makes the defence system more intelligent: it can automatically decide on and deploy various defence schemes on the network to cope with complex network attacks.
2. By converting the accessed traffic into hash values and comparing them with the hash values in the hash bucket, the invention gives the final data result uniqueness; the process is safe, simple and convenient, and the reliability of the data is high.
Description of the drawings
Fig. 1 is a flow chart of the network countermeasure and defence method and system for future information warfare proposed by the present invention.
Specific implementation mode
The technical solutions in the embodiments of the present invention will now be described clearly and completely with reference to the drawings in the embodiments. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them.
Embodiment: referring to Fig. 1, a network countermeasure and defence method for future information warfare includes the following steps:
S1, a source port and source IP access a destination port and destination IP through a protocol, so that the destination port and destination IP receive traffic data; the protocol is one of three protocols: TCP, UDP and ICMP;
S2, a traffic statistics unit counts the data and traffic accessing the destination port and destination IP and extracts the characteristic information of the source port;
S3, the traffic statistics unit processes the traffic with a hash operation to obtain the hash value of the packet message. The hash operation is as follows: the depth of a hash bucket is preset, and the hash value of the packet message is obtained by taking the source IP, source port, destination IP, destination port and protocol modulo the depth of the hash bucket; each time a packet message is received within the unit time, its corresponding counter value is incremented by 1. The process of incrementing the counter value by 1 is: the hash value of the current packet message is obtained from the header information of the current packet message and compared with the hash values of the historical packet messages; if the hash value of the current packet message is identical to one of the hash values of the historical packet messages, the packet message uniquely corresponding to that historical hash value is found in the hash bucket and its counter is incremented by 1;
S4, within the unit time, the traffic statistics unit inserts the hash value of the packet message into the corresponding position of the hash bucket and passes the corresponding information and traffic to an assessment unit; the unit time is 1 s, and the hash bucket is updated once per unit time;
S5, the assessment unit performs a statistical assessment of the data traffic and sends the assessment result to an execution unit. The assessment process is: once a counter value exceeds the set threshold, the assessment unit judges that the destination IP and destination port corresponding to that packet message are receiving abnormal traffic;
S6, according to the assessment result, the execution unit locates the source IP and source port of the data generating the abnormal traffic, and handles and alerts the network device of the destination IP.
A network countermeasure and defence system for future information warfare comprises a traffic statistics unit, which performs traffic statistics using the raw packet header information and is communicatively connected to a standard model unit; the standard model unit establishes, for each business flow, a standard model of the standard data stream to form the hash bucket, and uses the hash bucket to store the hash values of the historical packet messages; the standard model unit is communicatively connected to an assessment unit, and the assessment unit is communicatively connected to an execution unit.
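The S2 to S6 pipeline of the embodiment, written out as an added Python example that is not part of the patent: the 5-tuple is reduced modulo a preset bucket depth, a fresh hash bucket is started every second, a slot counter above the threshold marks its destination as abnormal, and the execution step names the source IP and port. The folding multiplier inside the hash, the depth of 1024, the threshold of 1000 and the sample packets are this example's assumptions, not values from the patent.

```python
from collections import defaultdict
from dataclasses import dataclass
import ipaddress

PROTO_NUM = {"tcp": 6, "udp": 17, "icmp": 1}   # IANA numbers for the three allowed protocols

@dataclass(frozen=True)
class FlowKey:                                   # the five header fields that S3 hashes
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str

def flow_hash(key: FlowKey, depth: int) -> int:
    """S3: reduce the 5-tuple modulo the preset bucket depth. The patent only says 'modulo
    the depth'; folding the fields with a multiplier first is this example's assumption."""
    fields = (int(ipaddress.ip_address(key.src_ip)), key.src_port,
              int(ipaddress.ip_address(key.dst_ip)), key.dst_port, PROTO_NUM[key.proto])
    h = 0
    for f in fields:
        h = (h * 1_000_003 + f) & 0xFFFFFFFFFFFFFFFF
    return h % depth

class TrafficStatisticsUnit:
    """S2-S4: one hash bucket per unit time (1 s); every packet bumps its slot counter."""
    def __init__(self, depth: int):
        self.depth = depth
        self.window = None                 # integer second the current bucket covers
        self.counters = defaultdict(int)   # slot -> packets counted in this window
        self.flows = defaultdict(set)      # slot -> 5-tuples that hashed to the slot

    def observe(self, ts: float, key: FlowKey) -> None:
        sec = int(ts)
        if sec != self.window:             # S4: a fresh hash bucket every unit time
            self.window, self.counters, self.flows = sec, defaultdict(int), defaultdict(set)
        slot = flow_hash(key, self.depth)
        self.counters[slot] += 1           # S3: one packet message -> counter + 1
        self.flows[slot].add(key)

def assess(stats: TrafficStatisticsUnit, threshold: int) -> list:
    """S5: a slot counter above the threshold marks its destination(s) abnormal; 5-tuples
    that collided in the same slot are all listed rather than assumed unique."""
    alerts = []
    for slot, n in sorted(stats.counters.items()):
        if n > threshold:
            flows = stats.flows[slot]
            alerts.append({"window": stats.window, "packets": n,
                           "destinations": {(k.dst_ip, k.dst_port) for k in flows},
                           "sources": {(k.src_ip, k.src_port) for k in flows}})
    return alerts

def execute(alert: dict) -> list:
    """S6: name the source IP/port behind the abnormal traffic and the action for the
    destination's network device (returned as a record rather than pushed as a rule)."""
    return [{"device": dst_ip, "port": dst_port, "block_sources": sorted(alert["sources"]),
             "reason": f"{alert['packets']} packets in 1 s window {alert['window']}"}
            for dst_ip, dst_port in sorted(alert["destinations"])]

def detect(packets, depth: int = 1024, threshold: int = 1000) -> list:
    """Run S2-S6 over (timestamp, FlowKey) pairs ordered by second; return all actions."""
    stats, actions = TrafficStatisticsUnit(depth), []
    for ts, key in packets:
        if stats.window is not None and int(ts) != stats.window:
            for alert in assess(stats, threshold):   # close the previous 1 s window
                actions.extend(execute(alert))
        stats.observe(ts, key)
    for alert in assess(stats, threshold):           # close the final window
        actions.extend(execute(alert))
    return actions

# Constructed sample: 1500 TCP packets and 3 DNS packets to 192.0.2.10 in second 100, 2 DNS in 101.
SAMPLE = [(100 + i / 1500, FlowKey("10.0.0.5", 40000, "192.0.2.10", 80, "tcp")) for i in range(1500)]
SAMPLE += [(100.5, FlowKey("10.0.0.6", 5353, "192.0.2.10", 53, "udp"))] * 3
SAMPLE += [(101.2, FlowKey("10.0.0.6", 5353, "192.0.2.10", 53, "udp"))] * 2
```

Because the key includes the source address and port, traffic spread over many sources is split across many slots and no single counter reaches the threshold, so a second counter keyed on destination only is the usual complement to this per-flow count.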
The foregoing is only a preferred embodiment of the present invention, but the scope of protection of the present invention is not limited thereto. Any equivalent substitution or change that a person skilled in the art can make within the technical scope disclosed by the present invention, according to the technical solution of the present invention and its inventive concept, shall be covered by the scope of protection of the present invention.

Claims (7)

1. A network countermeasure and defence method for future information warfare, characterised in that it includes the following steps:
S1, a source port and source IP access a destination port and destination IP through a protocol, so that the destination port and destination IP receive traffic data;
S2, a traffic statistics unit counts the data and traffic accessing the destination port and destination IP and extracts the characteristic information of the source port;
S3, the traffic statistics unit processes the traffic with a hash operation to obtain the hash value of the packet message. The hash operation is as follows: the depth of a hash bucket is preset, and the hash value of the packet message is obtained by taking the source IP, source port, destination IP, destination port and protocol modulo the depth of the hash bucket; each time a packet message is received within the unit time, its corresponding counter value is incremented by 1;
S4, within the unit time, the traffic statistics unit inserts the hash value of the packet message into the corresponding position of the hash bucket and passes the corresponding information and traffic to an assessment unit;
S5, the assessment unit performs a statistical assessment of the data traffic and sends the assessment result to an execution unit. The assessment process is: once a counter value exceeds the set threshold, the assessment unit judges that the destination IP and destination port corresponding to that packet message are receiving abnormal traffic;
S6, according to the assessment result, the execution unit locates the source IP and source port of the data generating the abnormal traffic, and handles and alerts the network device of the destination IP.
2. The network countermeasure and defence method for future information warfare according to claim 1, characterised in that the protocol is one of three protocols: TCP, UDP and ICMP.
3. The network countermeasure and defence method for future information warfare according to claim 1, characterised in that the process of incrementing the counter value by 1 is: the hash value of the current packet message is obtained from the header information of the current packet message and compared with the hash values of the historical packet messages; if the hash value of the current packet message is identical to one of the hash values of the historical packet messages, the packet message uniquely corresponding to that historical hash value is found in the hash bucket and its counter is incremented by 1.
4. The network countermeasure and defence method for future information warfare according to claim 1, characterised in that the unit time is 1 s, and the hash bucket is updated once per unit time.
5. A network countermeasure and defence system for future information warfare comprising a traffic statistics unit, characterised in that the traffic statistics unit is communicatively connected to a standard model unit, the standard model unit is communicatively connected to an assessment unit, and the assessment unit is communicatively connected to an execution unit.
6. The network countermeasure and defence system for future information warfare according to claim 5, characterised in that the traffic statistics unit performs traffic statistics using the raw packet header information.
7. The network countermeasure and defence system for future information warfare according to claim 5, characterised in that the standard model unit establishes, for each business flow, a standard model of the standard data stream to form the hash bucket, and uses the hash bucket to store the hash values of the historical packet messages.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810284068.5A CN108521413A (en) 2018-04-02 2018-04-02 A kind of network of Future Information war is resisted and defence method and system


Publications (1)

Publication Number Publication Date
CN108521413A true CN108521413A (en) 2018-09-11

Family

ID=63431558


Country Status (1)

Country Link
CN (1) CN108521413A (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication (application publication date: 20180911)