CN109474636B - Network attack detection method and device - Google Patents


Info

Publication number: CN109474636B
Authority: CN (China)
Prior art keywords: attack, detection, channels, messages, message
Legal status: Active (status as listed by Google Patents, not a legal conclusion)
Application number: CN201811637378.7A
Other languages: Chinese (zh)
Other versions: CN109474636A (en)
Inventors: 孟相玉, 张代生
Current assignee: Hangzhou DPTech Technologies Co Ltd
Original assignee: Hangzhou DPTech Technologies Co Ltd
Priority date: 2018-12-29
Filing date: 2018-12-29 (application filed by Hangzhou DPTech Technologies Co Ltd)
Publication dates: 2019-03-15 (CN109474636A), 2021-06-29 (CN109474636B, grant)

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 ... for detecting or protecting against malicious traffic
    • H04L63/1408 ... by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/20 ... for managing network security; network security policies in general
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/16 Threshold monitoring

Abstract

The application provides a method and a device for detecting network attacks across several channels. The method comprises: selecting the detection module of any one of the channels as the overall detection end; receiving packets through the receiving ports of the several channels respectively; having the overall detection end perform attack detection, according to an attack detection policy, on the packets received by the receiving ports of all the channels; and, in response to the overall detection end detecting an attack packet, discarding the attack packet. With the embodiments of the application, attack packets that per-channel detection would miss are caught.

Description

Network attack detection method and device
Technical Field
The application relates to the technical field of network communication, and in particular to a network attack detection method and device.
Background
With the rapid development of computer network technology, networks are now used in every field. While computer networks bring convenience and benefits, network attacks pose a serious challenge to information security. In environments with large traffic volumes, the greater bandwidth also makes network attacks more likely.
To protect against network attacks, attack detection and protection devices can be placed at the Internet access point so that data entering the intranet is inspected in real time; for example, a high-performance hardware firewall with a range of security policies configured, working together with a network intrusion detection system, can block attackers.
In the existing scheme each data channel inspects its own packets, and the detection modules of the channels are independent of one another. If an attack is spread across the receiving ports of several channels, each channel may see too little of it to trigger its own detection; this leaves a detection hole and the attack packets go undetected.
Disclosure of Invention
In view of this, the present application provides a network attack detection method and apparatus that avoid missed detection of attack packets.
Specifically, the method is realized through the following technical scheme:
In a first aspect, an embodiment of the present invention provides a network attack detection method comprising:
selecting the detection end of any one channel among a plurality of channels as the overall detection end;
receiving packets through the receiving ports of the plurality of channels respectively;
based on the overall detection end, performing attack detection, according to an attack detection policy, on the packets received by the receiving ports of the plurality of channels;
and, in response to the overall detection end detecting an attack packet, discarding the attack packet.
With reference to the first aspect, in a first possible implementation of the first aspect, performing attack detection on the packets received by the receiving ports of the plurality of channels according to an attack detection policy based on the overall detection end comprises:
based on the overall detection end, examining the source IPs of the packets received by the receiving ports of the plurality of channels;
and, in response to a source IP whose packet count exceeds a preset threshold, treating all packets from that source IP as attack packets.
With reference to the first possible implementation of the first aspect, in a second possible implementation of the first aspect, the preset thresholds of the respective channels differ, and the minimum of the channels' preset thresholds is used as the preset threshold.
With reference to the first aspect, in a third possible implementation of the first aspect, the method further comprises:
in response to the overall detection end detecting a non-attack packet, transmitting the non-attack packet to the sending ports of the channels.
With reference to the first aspect, in a fourth possible implementation of the first aspect, the method further comprises:
in response to the overall detection end detecting an attack packet, adding an attack mark to the attack packet.
In a second aspect, an embodiment of the present invention provides a network attack detection apparatus comprising:
a selection module for selecting the detection end of any one channel among a plurality of channels as the overall detection end;
a receiving module for receiving packets through the receiving ports of the plurality of channels respectively;
a detection module for performing attack detection, according to an attack detection policy and based on the overall detection end, on the packets received by the receiving ports of the channels;
and a discarding module for discarding an attack packet in response to the overall detection end detecting it.
With reference to the second aspect, in a first possible implementation of the second aspect,
the detection module is further configured to examine, based on the overall detection end, the source IPs of the packets received by the receiving ports of the plurality of channels, and, in response to a source IP whose packet count exceeds the preset threshold, to treat all packets from that source IP as attack packets.
With reference to the first possible implementation of the second aspect, in a second possible implementation of the second aspect,
the preset thresholds of the respective channels differ, and the minimum of the channels' preset thresholds is used as the preset threshold of the detection module.
With reference to the second aspect, in a third possible implementation of the second aspect, the apparatus further comprises:
a transmission module for transmitting a non-attack packet to the sending ports of the channels in response to the overall detection end detecting it.
With reference to the second aspect, in a fourth possible implementation of the second aspect, the apparatus further comprises:
an attack module for adding an attack mark to an attack packet in response to the overall detection end detecting it.
According to the technical scheme provided by the application, the detection module of any one channel is selected among the plurality of channels as the overall detection end; packets are received through the receiving ports of the plurality of channels respectively; based on the overall detection end, attack detection is performed according to an attack detection policy on the packets received by the receiving ports of the plurality of channels; and, in response to the overall detection end detecting an attack packet, the attack packet is discarded. The method gathers the packets received by every channel and performs attack detection on all of them together, so an attack packet is not missed merely because the channels detect independently, and the accuracy of attack detection is improved.
Drawings
Fig. 1 is a flowchart of a network attack detection method shown in the present application;
fig. 2a is a flowchart of another network attack detection method shown in the present application;
fig. 2b is a block diagram of a detection device according to the present application;
fig. 3 is a schematic structural diagram of a network attack detection apparatus shown in the present application;
fig. 4 is a schematic structural diagram of another network attack detection apparatus shown in the present application.
Detailed Description
Reference will now be made in detail to the exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, like numbers in different drawings represent the same or similar elements unless otherwise indicated. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the present application. Rather, they are merely examples of apparatus and methods consistent with certain aspects of the present application, as detailed in the appended claims.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the application. As used in this application and the appended claims, the singular forms "a", "an", and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any and all possible combinations of one or more of the associated listed items.
It is to be understood that although the terms first, second, third, etc. may be used herein to describe various information, such information should not be limited to these terms. These terms are only used to distinguish one type of information from another. For example, first information may also be referred to as second information, and similarly, second information may also be referred to as first information, without departing from the scope of the present application. The word "if" as used herein may be interpreted as "at … …" or "when … …" or "in response to a determination", depending on the context.
An embodiment of the present invention provides a network attack detection method, shown in fig. 1, which can be used in a device that detects and protects against network attacks and inspects data entering an intranet in real time, for example a high-performance hardware firewall. The method comprises:
Step 101, selecting the detection end of any one channel among the plurality of channels as the overall detection end.
Step 102, receiving packets through the receiving ports of the plurality of channels respectively.
Step 103, based on the overall detection end, performing attack detection, according to an attack detection policy, on the packets received by the receiving ports of the channels.
The attack detection policy may be a default configuration of the device or may be set by the user according to requirements; the embodiment of the present invention does not limit this.
Step 104, in response to the overall detection end detecting an attack packet, discarding the attack packet.
For the embodiment of the invention, when an attack packet is detected under the attack detection policy, all related attack packets are discarded; when a packet is found to be a non-attack packet under the policy, it continues to be passed on.
Compared with the prior art, the embodiment of the invention gathers the packets received by every channel and performs attack detection on all of them together, so an attack packet is not missed merely because the channels detect independently, and the accuracy of attack detection is improved.
Another embodiment of the present invention provides a network attack detection method, shown in fig. 2a, which can be used in a device that detects and protects against network attacks and inspects data entering an intranet in real time, for example a high-performance hardware firewall. The method comprises:
Step 201, selecting the detection end of any one channel among the plurality of channels as the overall detection end.
Step 202, receiving packets through the receiving ports of the plurality of channels respectively.
Step 203, based on the overall detection end, examining the source IP of the packets received by the receiving ports of the plurality of channels.
Examining the source IP of the packets received at each channel's receiving port means obtaining the source IP address of each packet and counting, over a set period of time, how many packets were received from each source IP address. The period is part of the policy: a threshold of 100 packets only has meaning together with the window (for example one second) over which the count is taken.
Optionally, the preset thresholds of the respective channels differ, and the minimum of the channels' preset thresholds is used as the preset threshold.
For example, if there are currently five channels whose preset thresholds for packets with the same source IP address are 150, 200, 100, 120 and 150 respectively, the preset threshold for overall detection is the minimum, 100: once the total number of packets from a given source IP address across the five channels exceeds 100, the packets from that source IP address are regarded as attack packets. A source sending 30 packets per channel stays below every channel's own threshold, yet its combined 150 packets exceed the overall threshold; this is exactly the case independent per-channel detection misses.
Step 204, in response to a source IP whose packet count exceeds the preset threshold, treating every packet from that source IP as an attack packet.
For the embodiment of the invention, if the number of packets from a given source IP address within the period exceeds the preset threshold, that source IP address can be regarded as being used to send attack packets. Because the decision is keyed on the source IP address, it catches one source spreading its packets over several channels; a sender that spreads its traffic over many source addresses, each staying below the threshold, is not covered by this policy.
Step 205, in response to the overall detection end detecting an attack packet, discarding the attack packet.
Optionally, step 205 may further comprise: in response to the overall detection end detecting an attack packet, adding an attack mark to the attack packet.
Step 206, in response to the overall detection end finding a packet to be a non-attack packet, transmitting the non-attack packet to the sending ports of the plurality of channels.
For the embodiment of the present invention, one optional concrete implementation is:
(1) a receiving port receives an external packet;
(2) the channel's own detection module performs a primary check on the packet according to the policy set by the user; compared with the overall detection module, this policy is stricter, so that it flags suspected attacks. If the packet is a suspected attack packet it is forwarded to the overall detection module, otherwise it is forwarded to the sending port;
(3) the overall detection module performs a secondary check on the suspected attack packet according to the detection policy set by the user; if after this check the packet is confirmed as an attack packet, a mark is added, otherwise no mark is added;
(4) the packet is handed to the processing module;
(5) if it is a non-attack packet, the sending port passes it on;
(6) if it is an attack packet, the processing module discards it, implementing the interception;
(7) packets entering the channel where the overall detection module is located are checked by it directly, without the primary check, according to the user-set detection policy of step (3).
In the embodiment of the present invention, the number of packets per source IP address is used as the example attack detection policy. One concrete implementation: the protection device has two channels. The detection module of channel 1 is the overall detection module and is responsible for attack detection on both channel 1 and channel 2; the processing module of channel 1 handles the packets, discarding them if they are attack packets and passing them to the sending port if they are not. The detection policy is set by the user.
Taking the source IP address 10.10.0.2 as the one being examined, channel 1 and channel 2 each have their own detection threshold: channel 1 is set to 200 packets per second and channel 2 to 100 packets per second. Suppose attack packets from this address arrive on channel 1 and on channel 2 at 150 packets per second each. Because 150 per second exceeds channel 2's preset threshold, channel 2 classifies the packets from this address as suspected attack packets and sends them to channel 1. The detection module of channel 1 now receives all packets from this address, 300 per second, which exceeds channel 1's preset threshold of 200, so it marks the packets from this address as attack packets and the processing module discards them, achieving the protection. With independent per-channel detection, the 150 packets per second arriving on channel 1 would stay below that channel's threshold and pass through.
The structure of the technical solution provided in the embodiment of the present invention is shown in fig. 2b. Each receiving port is connected to a detection module, and the detection module of one channel is selected as the detection module of the whole device, i.e. the overall detection end of the embodiment, which is responsible for attack detection on its own channel and on the other channels. The detection modules of the other channels are connected to it, and it is connected to the processing module, which handles the packets; the other channels are not provided with a processing module.
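As an added example that is not part of the patent, the following Python model implements the three detection schemes discussed above: the prior-art independent per-channel detection of the Background, the first embodiment (steps 201-206) in which the overall detection end counts every channel's packets against the minimum channel threshold, and the two-stage implementation of steps (1)-(7) in which the other channels run a stricter primary check and forward suspected packets to the overall detection end, which applies its own channel's threshold as in the two-channel example. Counting is done over fixed windows of one second, which is an assumption about the "period of time" the text leaves open; the packet traces are constructed, and the benign address 192.0.2.10 is an assumption added to show that unsuspected traffic bypasses the overall check.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    channel: int          # channel whose receiving port received the packet
    ts: float             # arrival time in seconds
    marked: bool = False  # the "attack mark" added to detected attack packets


def flood(src_ip: str, channel: int, pps: int, start: float = 0.0) -> List[Packet]:
    """Constructed trace: `pps` packets from one source, evenly spaced over 1 s."""
    return [Packet(src_ip, channel, start + i / pps) for i in range(pps)]


def _windows(packets: Iterable[Packet], window: float) -> Dict[int, List[Packet]]:
    """Group packets into fixed windows; every count below is taken per window."""
    buckets: Dict[int, List[Packet]] = defaultdict(list)
    for p in packets:
        buckets[int(p.ts // window)].append(p)
    return buckets


def _mark(p: Packet) -> Packet:
    return Packet(p.src_ip, p.channel, p.ts, marked=True)


Result = Tuple[List[Packet], List[Packet]]  # (forwarded, dropped)


def independent_detection(packets, thresholds: Dict[int, int], window: float = 1.0) -> Result:
    """Prior-art scheme: each channel counts only its own packets per source IP
    and drops a source's packets once the count exceeds that channel's threshold."""
    forwarded, dropped = [], []
    for bucket in _windows(packets, window).values():
        per_channel: Dict[int, Counter] = defaultdict(Counter)
        for p in bucket:
            per_channel[p.channel][p.src_ip] += 1
        for p in bucket:
            if per_channel[p.channel][p.src_ip] > thresholds[p.channel]:
                dropped.append(p)
            else:
                forwarded.append(p)
    return forwarded, dropped


def aggregated_detection(packets, thresholds: Dict[int, int], window: float = 1.0) -> Result:
    """First embodiment (steps 201-206): the overall detection end counts the packets
    of all channels per source IP against one threshold, the minimum of the
    channel thresholds (claim 3), then marks and drops the packets of a source over it."""
    limit = min(thresholds.values())
    forwarded, dropped = [], []
    for bucket in _windows(packets, window).values():
        total = Counter(p.src_ip for p in bucket)
        for p in bucket:
            if total[p.src_ip] > limit:
                dropped.append(_mark(p))
            else:
                forwarded.append(p)
    return forwarded, dropped


def two_stage_detection(packets, thresholds: Dict[int, int], overall_channel: int,
                        window: float = 1.0) -> Result:
    """Implementation steps (1)-(7): every other channel runs a primary check with its
    own, stricter threshold and forwards the packets of a source that exceeds it to
    the overall detection end as suspected attack packets; packets of the overall
    channel skip the primary check. The overall end counts everything it receives per
    source IP against its own channel's threshold, marks and drops sources over it."""
    limit = thresholds[overall_channel]
    forwarded, dropped = [], []
    for bucket in _windows(packets, window).values():
        per_channel: Dict[int, Counter] = defaultdict(Counter)
        for p in bucket:
            per_channel[p.channel][p.src_ip] += 1

        def reaches_overall(p: Packet) -> bool:
            return (p.channel == overall_channel
                    or per_channel[p.channel][p.src_ip] > thresholds[p.channel])

        overall = Counter(p.src_ip for p in bucket if reaches_overall(p))
        for p in bucket:
            if reaches_overall(p) and overall[p.src_ip] > limit:
                dropped.append(_mark(p))
            else:
                forwarded.append(p)
    return forwarded, dropped


if __name__ == "__main__":
    # The patent's two-channel example: channel 1 is the overall detection end
    # (200 pps), channel 2 is stricter (100 pps), 10.10.0.2 floods both at 150 pps.
    # 192.0.2.10 is a constructed benign source (assumption, not from the patent).
    thresholds = {1: 200, 2: 100}
    trace = (flood("10.10.0.2", 1, 150) + flood("10.10.0.2", 2, 150)
             + flood("192.0.2.10", 2, 20))
    for name, fn in (("independent", lambda t: independent_detection(t, thresholds)),
                     ("two-stage", lambda t: two_stage_detection(t, thresholds, 1))):
        fwd, drop = fn(trace)
        print(f"{name:12s} forwarded={len(fwd):3d} dropped={len(drop):3d}")
```

Run stand-alone, the independent scheme drops only channel 2's 150 packets and lets channel 1's 150 through, while the two-stage scheme drops all 300 and forwards only the benign source; the five-channel, 30-packets-per-channel case shows the same gap for `aggregated_detection` versus `independent_detection`.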
The advantage over the prior art is the same as for the method of fig. 1: the packets of every channel are detected together, so an attack spread across channels is not missed.
Referring to fig. 3, fig. 3 shows a network attack detection apparatus of the present application, which comprises a selection module 310, a receiving module 320, a detection module 330 and a discarding module 340, wherein:
the selection module 310 is configured to select the detection end of any one of the plurality of channels as the overall detection end;
the receiving module 320 is configured to receive packets through the receiving ports of the plurality of channels respectively;
the detection module 330 is configured to perform attack detection, according to an attack detection policy and based on the overall detection end, on the packets received by the receiving ports of the plurality of channels;
the discarding module 340 is configured to discard an attack packet in response to the overall detection end detecting it.
The detection module 330 is further configured to examine, based on the overall detection end, the source IPs of the packets received by the receiving ports of the plurality of channels, and, in response to a source IP whose packet count exceeds the preset threshold, to treat all packets from that source IP as attack packets.
Optionally, the preset thresholds of the respective channels differ, and the minimum of the channels' preset thresholds is used as the preset threshold of the detection module.
Referring to fig. 4, the apparatus may further comprise a transmission module 410 and an attack module 420.
The transmission module 410 is configured to transmit a non-attack packet to the sending ports of the plurality of channels in response to the overall detection end finding it to be a non-attack packet.
The attack module 420 is configured to add an attack mark to an attack packet in response to the overall detection end detecting it.
The advantage over the prior art is the same as for the methods above: the packets of every channel are detected together, so an attack spread across channels is not missed.
The implementation process of the functions and actions of each unit in the above device is specifically described in the implementation process of the corresponding step in the above method, and is not described herein again.
For the device embodiments, since they substantially correspond to the method embodiments, reference may be made to the partial description of the method embodiments for relevant points. The above-described embodiments of the apparatus are merely illustrative, and the units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules can be selected according to actual needs to achieve the purpose of the scheme of the application. One of ordinary skill in the art can understand and implement it without inventive effort.
The above description is only exemplary of the present application and should not be taken as limiting the present application, as any modification, equivalent replacement, or improvement made within the spirit and principle of the present application should be included in the scope of protection of the present application.

Claims (10)

1. A network attack detection method, the method comprising:
selecting the detection end of any one channel among a plurality of channels as an overall detection end;
receiving packets through the receiving ports of the plurality of channels respectively, and having the detection ends of the plurality of channels check the packets according to a policy set by a user;
if a packet is found to be a suspected attack packet, forwarding the suspected attack packet to the overall detection end;
based on the overall detection end, performing attack detection, according to an attack detection policy, on the packets received by the receiving ports of the plurality of channels, wherein the packets subjected to the attack detection are the suspected attack packets;
and, in response to the overall detection end detecting an attack packet, discarding the attack packet.
2. The method according to claim 1, wherein performing attack detection on the packets received by the receiving ports of the plurality of channels according to an attack detection policy based on the overall detection end comprises:
based on the overall detection end, examining the source IPs of the packets received by the receiving ports of the plurality of channels;
and, in response to a source IP whose packet count exceeds a preset threshold, treating all packets from that source IP as attack packets.
3. The method according to claim 2, wherein the preset thresholds of the respective channels differ, and the minimum of the channels' preset thresholds is used as the preset threshold.
4. The method of claim 1, further comprising:
in response to the overall detection end detecting a non-attack packet, transmitting the non-attack packet to the sending ports of the channels.
5. The method of claim 1, further comprising:
in response to the overall detection end detecting an attack packet, adding an attack mark to the attack packet.
6. A network attack detection apparatus, the apparatus comprising:
a selection module for selecting the detection end of any one channel among a plurality of channels as an overall detection end;
a receiving module for receiving packets through the receiving ports of the channels respectively, having the detection ends of the channels check the packets according to a policy set by a user, and forwarding a packet to the overall detection end if it is found to be a suspected attack packet;
a detection module for performing attack detection, according to an attack detection policy and based on the overall detection end, on the packets received by the receiving ports of the plurality of channels, wherein the packets subjected to attack detection are the suspected attack packets;
and a discarding module for discarding an attack packet in response to the overall detection end detecting it.
7. The apparatus of claim 6, wherein
the detection module is further configured to examine, based on the overall detection end, the source IPs of the packets received by the receiving ports of the plurality of channels, and, in response to a source IP whose packet count exceeds a preset threshold, to treat all packets from that source IP as attack packets.
8. The apparatus according to claim 7, wherein the preset thresholds of the respective channels differ, and the minimum of the channels' preset thresholds is used as the preset threshold of the detection module.
9. The apparatus of claim 6, further comprising:
a transmission module for transmitting a non-attack packet to the sending ports of the channels in response to the overall detection end detecting it.
10. The apparatus of claim 6, further comprising:
an attack module for adding an attack mark to an attack packet in response to the overall detection end detecting it.
Application CN201811637378.7A, priority date 2018-12-29, filing date 2018-12-29: Network attack detection method and device, Active, CN109474636B (en)

Priority Applications (1)

Application number: CN201811637378.7A (CN109474636B, en); priority date: 2018-12-29; filing date: 2018-12-29; title: Network attack detection method and device

Applications Claiming Priority (1)

Application number: CN201811637378.7A (CN109474636B, en); priority date: 2018-12-29; filing date: 2018-12-29; title: Network attack detection method and device

Publications (2)

CN109474636A (en), published 2019-03-15
CN109474636B (en), published 2021-06-29

Family

ID=65677469

Family Applications (1)

Application number: CN201811637378.7A (CN109474636B, en); priority date: 2018-12-29; filing date: 2018-12-29; title: Network attack detection method and device; status: Active

Country Status (1)

CN (1): CN109474636B (en)

Family Cites Families (4)

* Cited by examiner, † Cited by third party
CN101388885B (*), priority 2008-07-23, published 2012-04-25, Chengdu Huawei Symantec Technologies Co., Ltd. (成都市华为赛门铁克科技有限公司): Detection method and system for distributed denial of service
TWI553502B (*), priority 2015-03-05, published 2016-10-11, Wistron Corporation (緯創資通股份有限公司): Protection method and computer system thereof for firewall apparatus disposed to application layer
KR101914028B1 (*), priority 2017-04-28, published 2018-11-01, Samsung SDS Co., Ltd. (삼성에스디에스 주식회사): Apparatus and method for performing operation being secure against side channel attack
CN107403091A (*), priority 2017-07-06, published 2017-11-28, Huazhong University of Science and Technology (华中科技大学): A real-time intrusion detection system combining provenance paths and provenance graphs

Also Published As

Publication number Publication date
CN109474636A (en) 2019-03-15


Legal Events

Code: Title
PB01: Publication
SE01: Entry into force of request for substantive examination
GR01: Patent grant