CN110071941A - A network attack detection method, equipment, storage medium and computer equipment - Google Patents

Publication number
CN110071941A
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201910379112.5A
Other languages
Chinese (zh)
Other versions
CN110071941B (en)
Inventor
王巍巍
殷昊
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing QIYI Century Science and Technology Co Ltd
Original Assignee
Beijing QIYI Century Science and Technology Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1458 Denial of Service

Abstract

The invention discloses a network attack detection method, equipment, storage medium and computer equipment. The method determines the accessing parties for which the number of uniform resource identifiers (URIs) accessed within a preset time period is lower than a preset quantity. For each URI among the at least one URI accessed by the determined accessing parties, it determines the number of accessing parties that accessed the URI within the preset time period; when that number exceeds a first threshold, it obtains the access information group carried by each access request that accessed the URI within the preset time period, determines the access information group that occurs most often among those access requests as the high-risk access information group, and determines the access requests that carry the high-risk access information group and access the URI to be a network attack. The invention can effectively improve the ability to detect and identify network attacks and strengthen the defense against them.

Description

A network attack detection method, equipment, storage medium and computer equipment
Technical field
The present invention relates to the field of network security protection, and in particular to a network attack detection method, equipment, storage medium and computer equipment.
Background
With the development of science and technology, network security has become particularly important, and website servers are currently often subjected to various malicious attacks. The CC (Challenge Collapsar) attack is one of the common attacks. A CC attack is a type of DDoS (Distributed Denial of Service) attack: by accessing URIs (Uniform Resource Identifiers), it continuously sends access requests to the website server so that the server cannot handle legitimate users' access to normal network resources, thereby achieving denial of service.
Existing network attack detection technology detects network attacks by counting, at the website server, the number of times a single IP accesses the server's URIs per unit time. When the number of times an IP accesses the website server's URIs within the unit time exceeds a threshold, existing network attack detection technology determines the access behavior of that IP to be a network attack.
However, as technology has developed, network attacks carried out through multiple different IPs have appeared. For example, an attacker launching a CC attack can modify its IP repeatedly and, through the different IPs, access the website server's URIs and send the server page requests (a kind of access request) that occupy a large amount of processing resources and time. This wastes the server's processing resources and keeps the server's CPU at 100% utilization for a long time, so that the CPU cannot process normal requests from legitimate users.
It can be seen that an attacker can access the attacked URI through multiple different IPs while the number of accesses to the URI by each IP does not exceed the threshold, so existing network attack detection technology cannot detect this kind of network attack.
Summary of the invention
In view of the above problems, the present invention is proposed to provide a network attack detection method, equipment, storage medium and computer equipment that overcome the above problems or at least partially solve them. The technical solution is as follows:
A network attack detection method, the method comprising:
determining the accessing parties for which the number of uniform resource identifiers (URIs) accessed within a preset time period is lower than a preset quantity;
for each URI among the at least one URI accessed by the determined accessing parties: determining the number of accessing parties that accessed the URI within the preset time period; when the number of accessing parties exceeds a first threshold, obtaining the access information group carried by each access request that accessed the URI within the preset time period; determining the access information group that occurs most often among those access requests as the high-risk access information group; and determining the access requests that carry the high-risk access information group and access the URI to be a network attack.
Optionally, the access information group includes at least one of the following items of access information: device fingerprint, user identifier, user agent (UA) and HTTP_Referer.
Optionally, determining the accessing parties for which the number of URIs accessed within the preset time period is lower than the preset quantity comprises:
obtaining the access requests with which accessing parties accessed URIs within the preset time period, each access request also carrying the IP address of the accessing party;
determining the combination of the IP address and the access information group as the accessing party identifier, and determining access requests that carry the same accessing party identifier to be access requests of the same accessing party;
for each accessing party: obtaining the number of accessed URIs carried in the access requests with which the accessing party accessed URIs within the preset time period, and, when that number is lower than the preset quantity, determining the accessing party to be an accessing party for which the number of URIs accessed within the preset time period is lower than the preset quantity.
Optionally, determining the number of accessing parties that accessed the URI within the preset time period comprises:
determining the number of accessing parties that accessed the URI within the preset time period according to the accessing party identifiers carried in the access requests that carry the URI.
Optionally, determining the access requests that carry the high-risk access information group and access the URI to be a network attack comprises:
determining the access requests that carry the high-risk access information group and access the URI to be a distributed network attack.
Optionally, the method further comprises:
determining a URI for which the total number of accesses by all accessing parties within the preset time period exceeds a second threshold to be an attacked URI;
for each attacked URI: determining the access requests issued by a determined accessing party whose number of accesses to the attacked URI within the preset time period exceeds a third threshold to be a network attack.
Optionally, determining, for each attacked URI, the access requests with which a determined accessing party accessed the attacked URI more than the third threshold number of times within the preset time period to be a network attack comprises:
for each attacked URI: determining the access requests issued by a determined accessing party whose number of accesses to the attacked URI within the preset time period exceeds the third threshold to be a high-frequency network attack.
A network attack detection equipment, comprising an accessing party determination unit and a first network attack determination unit, wherein:
the accessing party determination unit is configured to determine the accessing parties for which the number of uniform resource identifiers (URIs) accessed within a preset time period is lower than a preset quantity;
the first network attack determination unit is configured to, for each URI among the at least one URI accessed by the determined accessing parties: determine the number of accessing parties that accessed the URI within the preset time period; when the number of accessing parties exceeds a first threshold, obtain the access information group carried by each access request that accessed the URI within the preset time period; determine the access information group that occurs most often among those access requests as the high-risk access information group; and determine the access requests that carry the high-risk access information group and access the URI to be a network attack.
Optionally, the accessing party determination unit specifically comprises an access request obtaining subunit, an access request determination subunit and a quantity determination subunit, wherein:
the access request obtaining subunit is configured to obtain the access requests with which accessing parties accessed URIs within the preset time period, each access request also carrying the IP address of the accessing party;
the access request determination subunit is configured to determine the combination of the IP address and the access information group as the accessing party identifier, and to determine access requests that carry the same accessing party identifier to be access requests of the same accessing party;
the quantity determination subunit is configured to, for each accessing party: obtain the number of accessed URIs carried in the access requests with which the accessing party accessed URIs within the preset time period, and, when that number is lower than the preset quantity, determine the accessing party to be an accessing party for which the number of URIs accessed within the preset time period is lower than the preset quantity.
Optionally, the network attack detection equipment further comprises a URI determination unit and a second network attack determination unit, wherein:
the URI determination unit is configured to determine a URI for which the total number of accesses by all accessing parties within the preset time period exceeds a second threshold to be an attacked URI;
the second network attack determination unit is configured to, for each attacked URI: determine the access requests issued by a determined accessing party whose number of accesses to the attacked URI within the preset time period exceeds a third threshold to be a network attack.
A storage medium storing computer-executable instructions which, when loaded and executed by a processor, implement any of the network attack detection methods described above.
A computer equipment comprising a processor, a memory and a program stored on the memory and runnable on the processor, wherein the processor, when executing the program, performs at least the following steps:
determining the accessing parties for which the number of uniform resource identifiers (URIs) accessed within a preset time period is lower than a preset quantity;
for each URI among the at least one URI accessed by the determined accessing parties: determining the number of accessing parties that accessed the URI within the preset time period; when the number of accessing parties exceeds a first threshold, obtaining the access information group carried by each access request that accessed the URI within the preset time period; determining the access information group that occurs most often among those access requests as the high-risk access information group; and determining the access requests that carry the high-risk access information group and access the URI to be a network attack.
With the above technical solution, the network attack detection method, equipment, storage medium and computer equipment provided by the invention can determine the accessing parties for which the number of URIs accessed within a preset time period is lower than a preset quantity; for each URI among the at least one URI accessed by the determined accessing parties, determine the number of accessing parties that accessed the URI within the preset time period; when the number of accessing parties exceeds a first threshold, obtain the access information group carried by each access request that accessed the URI within the preset time period; determine the access information group that occurs most often among those access requests as the high-risk access information group; and determine the access requests that carry the high-risk access information group and access the URI to be a network attack. The invention can effectively improve the ability to detect and identify network attacks and strengthen the defense against them.
Brief description of the drawings
Various other advantages and benefits will become clear to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiments. The drawings are only for the purpose of illustrating the preferred embodiments and are not to be considered a limitation of the present invention. Throughout the drawings, the same reference numbers refer to the same parts. In the drawings:
Fig. 1 shows a flow chart of a network attack detection method provided by an embodiment of the present invention;
Fig. 2 shows a flow chart of another network attack detection method provided by an embodiment of the present invention;
Fig. 3 shows a structural schematic diagram of a network attack detection equipment provided by an embodiment of the present invention;
Fig. 4 shows a structural schematic diagram of another network attack detection equipment provided by an embodiment of the present invention.
Detailed description of the embodiments
Exemplary embodiments of the present disclosure are described in more detail below with reference to the accompanying drawings. Although the drawings show exemplary embodiments of the disclosure, it should be understood that the disclosure may be implemented in various forms and should not be limited by the embodiments set forth here. Rather, these embodiments are provided so that the disclosure can be understood more thoroughly and so that its scope can be fully conveyed to those skilled in the art.
An embodiment of the present invention provides a network attack detection method. As shown in Fig. 1, the method may include the following steps:
S100: determine the accessing parties for which the number of uniform resource identifiers (URIs) accessed within a preset time period is lower than a preset quantity.
Optionally, a technician can configure the preset time period according to actual detection needs. In practical applications, there may be one preset time period or several. For example, starting from 0:00:00 on a given date, every 10 seconds is one preset time period, so that multiple preset time periods are set. When there are multiple preset time periods, they need not follow one another directly; there may also be an interval between two adjacent preset time periods, and the present invention places no limitation on this. The steps shown in Fig. 1 can be carried out for each preset time period to determine whether a network attack exists in that period. That is, within a single execution of the network attack detection method provided by this application, the preset time period referred to in every step is the same preset time period.
A uniform resource identifier (URI) can be a character string that identifies the name of a network resource (such as a page or a multimedia file). In practical applications, when an accessing party sends a specific access request to a server, for example an access request for a certain page, the access request can carry the URI corresponding to that page. After receiving the access request, the server identifies the URI carried in it and returns the resource (for example, the page) at the address corresponding to the URI to the accessing party. Optionally, the accessing party can be a computer, a mobile phone, an iPad or another device able to access the server's network resources. The server can be a website server or the like. The method shown in Fig. 1 can be applied in the server, in a device that provides security protection for the server, or in a device that is communicatively connected to the server.
Optionally, the preset quantity can be small. For example, a technician can set the preset quantity to 2. Correspondingly, if an accessing party accessed only 1 URI within the preset time period, that accessing party is one of the accessing parties to be determined in step S100. If the technician instead sets the preset quantity to 3, then an accessing party that accessed only 1 or 2 URIs within the preset time period is one of the accessing parties to be determined in step S100. Of course, the technician can also set the preset quantity to other values. The embodiment of the present invention places no limitation on the setting of the preset quantity.
In practical applications, an accessing party that carries out a network attack usually concentrates its accesses on a small number of URIs: it sends access requests for one or a few URIs to the target server and does not request other resources. When an accessing party shows this pattern of concentrated access to a small number of URIs, the present invention can treat it as an accessing party suspected of carrying out a network attack. Step S100 is provided to identify such suspected accessing parties. To serve that purpose well, the preset quantity can be set to a small value. Specifically, to detect network attacks that access only one URI, setting the preset quantity to 2 is enough to determine the accessing parties suspected of carrying out a network attack.
An access request can carry an access information group. Optionally, the access information group may include at least one of the following items of access information: device fingerprint, user identifier, user agent (UA) and HTTP_Referer. Specifically, the access information group does not include the IP address.
A device fingerprint can be a device identifier that uniquely identifies a device; the identifier can be inherent to the device and difficult to tamper with. For example, the International Mobile Equipment Identity (IMEI) of a mobile phone can serve as the device fingerprint that uniquely identifies that phone, and the media access control (MAC) address of a computer network card can serve as the device fingerprint that uniquely identifies that network card. The present invention can distinguish accessing parties by identifying the device fingerprints of different devices.
A user identifier can be the user name used when a user accesses a network resource on the server (for example: Zhang San, zhangsan123 and zhangsan-123), or other information that identifies the user, such as the mobile phone number the user uses. The present invention can distinguish accessing parties by user identifier.
The user agent (User-Agent, UA) can be a special string header. After receiving an access request sent by an accessing party, the server can use the UA in the access request to identify the operating system and version, CPU type, browser and version, browser rendering engine, browser language, browser plug-ins and so on used by the accessing party.
HTTP_Referer can be part of the HTTP request header. Specifically, when an accessing party sends an access request for a page to the server through a browser, the HTTP request header information in the access request includes the corresponding HTTP_Referer. From the HTTP_Referer, the server can learn the page from which the accessing party requested the page. For example, when Zhang San goes from https://123.sogou.com in the Sogou browser to the Baidu home page www.baidu.com by clicking the link www.baidu.com shown in the Sogou browser, the request header information of the access request received by the Baidu server contains HTTP_Referer=https://123.sogou.com.
Optionally, step S100 can specifically include:
obtaining the access requests with which accessing parties accessed URIs within the preset time period, each access request also carrying the IP address of the accessing party;
determining the combination of the IP address and the access information group as the accessing party identifier, and determining access requests that carry the same accessing party identifier to be access requests of the same accessing party;
for each accessing party: obtaining the number of accessed URIs carried in the access requests with which the accessing party accessed URIs within the preset time period, and, when that number is lower than the preset quantity, determining the accessing party to be an accessing party for which the number of URIs accessed within the preset time period is lower than the preset quantity.
Optionally, the access information group may include the device fingerprint. Because the repetition rate of device fingerprints is low (one in a million), the present invention can determine access requests that carry the same device fingerprint and the same accessing party IP address to be access requests of the same accessing party. Of course, the present invention can also use at least one of the user identifier, the user agent UA and the HTTP_Referer together with the device fingerprint as the access information group, for example the UA, the HTTP_Referer and the device fingerprint together. In that case, the present invention can determine access requests that carry the same accessing party IP address, UA, HTTP_Referer and device fingerprint to be access requests of the same accessing party.
Optionally, the access information group may include the user identifier. Because a user identifier is unique, the present invention can determine access requests that carry the same user identifier and the same accessing party IP address to be access requests of the same accessing party. It should be understood that not every access request carries a user identifier. Of course, the present invention can also use at least one of the device fingerprint, the user agent UA and the HTTP_Referer together with the user identifier as the access information group.
Optionally, the access information group may include the user agent UA and the HTTP_Referer. The present invention can determine access requests that carry the same accessing party IP address, UA and HTTP_Referer to be access requests of the same accessing party. Of course, the present invention can also use at least one of the user identifier and the device fingerprint together with "UA and HTTP_Referer" as the access information group.
Optionally, the present invention can determine the IP address, UA and HTTP_Referer as the accessing party identifier, and determine access requests that carry the same accessing party identifier to be access requests of the same accessing party. For example, a first access request and a second access request are obtained within a preset time period; the first access request carries IP1, URI1, UA1 and HTTP_Referer1, and the second access request carries IP1, URI2, UA1 and HTTP_Referer1. Since the IP address, UA and HTTP_Referer carried in the two access requests form the same accessing party identifier (IP1, UA1 and HTTP_Referer1), the present invention can determine that the two access requests come from the same accessing party, whose accessing party identifier is: IP1, UA1 and HTTP_Referer1. Since the URIs carried in the first and second access requests differ, it can be determined that the accessing party corresponding to IP1, UA1 and HTTP_Referer1 accessed 2 URIs within the preset time period. When the preset quantity in step S100 is 3, this accessing party can be determined to be an accessing party for which the number of URIs accessed within the preset time period is lower than the preset quantity.
S200: for each URI among the at least one URI accessed by the determined accessing parties: determine the number of accessing parties that accessed the URI within the preset time period; when the number of accessing parties exceeds a first threshold, obtain the access information group carried by each access request that accessed the URI within the preset time period; determine the access information group that occurs most often among those access requests as the high-risk access information group; and determine the access requests that carry the high-risk access information group and access the URI to be a network attack.
Optionally, determining the number of accessing parties that accessed the URI within the preset time period may include:
determining the number of accessing parties that accessed the URI within the preset time period according to the accessing party identifiers carried in the access requests that carry the URI.
Specifically, once it is determined that the access requests carrying the URI carry N distinct accessing party identifiers, the number of accessing parties that accessed the URI within the preset time period can be determined to be N.
This is illustrated below with Example 1 (in this example, the IP address, UA and HTTP_Referer constitute the accessing party identifier).
Example 1: the server of a website obtains 9 access requests within one preset time period, namely:
First access request (carrying: IP1, URI1, UA1 and HTTP_Referer1);
Second access request (carrying: IP1, URI1, UA1 and HTTP_Referer1);
Third access request (carrying: IP1, URI1, UA1 and HTTP_Referer1);
Fourth access request (carrying: IP2, URI1, UA1 and HTTP_Referer1);
Fifth access request (carrying: IP2, URI1, UA1 and HTTP_Referer1);
Sixth access request (carrying: IP2, URI1, UA1 and HTTP_Referer1);
Seventh access request (carrying: IP3, URI1, UA1 and HTTP_Referer1);
Eighth access request (carrying: IP3, URI1, UA1 and HTTP_Referer1);
Ninth access request (carrying: IP3, URI1, UA1 and HTTP_Referer1).
According to step S100, the first to third access requests are access requests issued by the same accessing party (call it accessing party A), the fourth to sixth access requests are access requests issued by the same accessing party (call it accessing party B), and the seventh to ninth access requests are access requests issued by the same accessing party (call it accessing party C). When the preset quantity in step S100 is 2, accessing parties A, B and C each accessed only one URI, namely URI1, so each of them is an accessing party for which the number of URIs accessed within the preset time period is lower than the preset quantity. Since A, B and C accessed only URI1, from the point of view of URI1 the number of accessing parties that accessed URI1 within the preset time period is three, namely accessing parties A, B and C.
Optionally, the first threshold corresponds to the URI, and the first thresholds corresponding to different URIs can be the same or different. For a given URI, setting the corresponding first threshold may include: obtaining the number of accessing parties that accessed the URI within at least one historical time period, and determining the first threshold corresponding to the URI according to the obtained numbers of accessing parties.
The length of a historical time period can be the same as that of the preset time period, or a historical time period can contain a certain number of preset time periods.
The first threshold in step S200 can be obtained from statistics. For example, the server of a website can count how several URIs that it monitors closely are accessed under normal conditions, and determine the first threshold from that. Taking URI1 as an example, the website server can take a longer historical time period in which no network attack occurred (a period that contains multiple preset time periods) and count the number of accessing parties that accessed URI1 in several of the preset time periods within it. If the preset time period is 1 minute and the longer attack-free historical time period is 1 hour, the website server can obtain the number of accessing parties that accessed URI1 during the 1-minute periods corresponding to the 1st, 11th, 21st, 31st, 41st and 51st minutes of that hour, for example 1, 0, 0, 2, 1, 0 respectively. The average can then be computed and the first threshold determined from it; for example, the first threshold is some multiple of the average, or the first threshold is: average + 3 standard deviations. Of course, there are many other ways to determine the first threshold, and the present invention places no limitation on this.
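The following Python sketch is an added example, not code from the patent. It runs steps S100 and S200 over the nine requests of Example 1 plus two constructed legitimate visitors (IP4, IP5), and derives the first threshold for URI1 from the historical counts 1, 0, 0, 2, 1, 0 as average + 3 standard deviations. The use of the population standard deviation, all function names and the extra requests are assumptions made for illustration.

```python
"""Steps S100/S200 on Example 1 (added illustration, not code from the patent)."""
from collections import Counter, defaultdict
from statistics import mean, pstdev
from typing import NamedTuple


class Request(NamedTuple):
    ip: str
    uri: str
    ua: str
    referer: str


def info_group(req):
    """Access information group: UA + HTTP_Referer, never the IP address."""
    return (req.ua, req.referer)


def party_id(req):
    """Accessing party identifier: IP address combined with the info group."""
    return (req.ip,) + info_group(req)


def first_threshold(history, k=3.0):
    """Per-URI first threshold from attack-free history: mean + k * std.

    Assumption: population standard deviation; the text only says
    'average + 3 standard deviations'.
    """
    return mean(history) + k * pstdev(history)


def low_diversity_parties(requests, preset_quantity):
    """S100: parties that accessed fewer than preset_quantity distinct URIs."""
    uris_by_party = defaultdict(set)
    for req in requests:
        uris_by_party[party_id(req)].add(req.uri)
    return {p: u for p, u in uris_by_party.items() if len(u) < preset_quantity}


def detect(requests, preset_quantity, thresholds):
    """S200: per suspect URI, flag requests carrying the dominant info group."""
    suspects = low_diversity_parties(requests, preset_quantity)
    candidate_uris = set().union(*suspects.values())
    findings = {}
    for uri in sorted(candidate_uris):
        if uri not in thresholds:
            continue  # no baseline for this URI, nothing to compare against
        hits = [r for r in requests if r.uri == uri]
        # Every party that touched the URI counts, not only the suspects.
        parties = {party_id(r) for r in hits}
        if len(parties) <= thresholds[uri]:
            continue
        group, _ = Counter(info_group(r) for r in hits).most_common(1)[0]
        findings[uri] = {
            "parties": len(parties),
            "high_risk_group": group,
            "attack_requests": [r for r in hits if info_group(r) == group],
        }
    return findings


# The nine requests of Example 1: three IPs, same URI, UA and HTTP_Referer.
EXAMPLE_1 = [Request(ip, "URI1", "UA1", "HTTP_Referer1")
             for ip in ("IP1", "IP2", "IP3") for _ in range(3)]

# Constructed legitimate traffic (not in the patent): IP4 browses three URIs
# and is excluded by S100; IP5 requests URI1 once with its own UA/Referer.
LEGITIMATE = [
    Request("IP4", "URI1", "UA2", "HTTP_Referer2"),
    Request("IP4", "URI2", "UA2", "HTTP_Referer2"),
    Request("IP4", "URI3", "UA2", "HTTP_Referer2"),
    Request("IP5", "URI1", "UA3", "HTTP_Referer3"),
]

# Historical party counts for URI1 given in the text for six 1-minute windows.
HISTORY_URI1 = [1, 0, 0, 2, 1, 0]
THRESHOLDS = {"URI1": first_threshold(HISTORY_URI1)}

if __name__ == "__main__":
    print("first threshold for URI1: %.3f" % THRESHOLDS["URI1"])
    for uri, f in detect(EXAMPLE_1 + LEGITIMATE, 2, THRESHOLDS).items():
        print(uri, f["parties"], "parties; high-risk group:", f["high_risk_group"])
        print("flagged requests:", len(f["attack_requests"]))
```

IP5 also requests only URI1 and so passes S100, but its request is not flagged because its access information group is not the most frequent one on that URI.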
The number of access sides that accessed the URI in each historical time period can be obtained from the historical traffic log of the target server. The historical traffic log contains not only the access count of each URI in each time period but also other information, such as the information carried in the access requests sent by the access sides of each URI (for example the IP address of the access side, the URI accessed, and the UA and HTTP_Referer of the access side), the HTTP request headers the access side sent to the server, and the time period in which the access side accessed the URI. When the preset time period lies before the current time, the information carried by each access request in the preset time period can likewise be obtained from the historical traffic log.
Optionally, the historical traffic log can be obtained by having the stream processing system Spark Streaming (which processes real-time data streams with high throughput and fault tolerance) collect it from Kafka (a high-throughput distributed publish-subscribe messaging system) and store it in HDFS (the Hadoop Distributed File System).
Note that when the number of access sides accessing a URI in the preset time period exceeds the first threshold, many access sides accessed that URI in the period, possibly because an attacker is attacking the URI through multiple different IP addresses. In this case, the present invention can further obtain the access information group (for example the user agent UA and HTTP_Referer) carried by each access request that accessed the URI in the preset time period, and determine the access information group that occurs most often among those requests as the high-risk access information group. An attacker can change IP addresses but generally does not modify the access information in the access information group, because doing so is harder and takes more time. For example, modifying the UA requires modifying at least one of the operating system, CPU, browser and browser plug-ins, and such a modification either cannot be done (modifying the CPU, for instance) or is difficult, so attackers generally do not do it. The present invention therefore determines the most frequent access information group among the access requests as the high-risk access information group. For ease of understanding, example 1 is used again:
Take the 9 access requests of example 1 and suppose the access information group consists of the UA and HTTP_Referer. From the point of view of URI1, three access sides accessed it within the preset time period: the first, second and third access sides. When the first threshold is 2, the access information groups formed by the UA and HTTP_Referer carried in the 9 access requests that accessed URI1 within the preset time period can be obtained and counted. Only one access information group occurs: UA1 and HTTP_Referer1. Being the most frequent group among the 9 access requests, it is the high-risk access information group. Step S200 can then determine the access requests that carry the high-risk access information group and access URI1 as network attacks, that is, the first to ninth access requests are all determined to be network attacks.
Optionally, determining the access requests that carry the high-risk access information group and access the URI as network attacks includes:
determining the access requests that carry the high-risk access information group and access the URI as a distributed network attack.
In practical applications, the present invention can determine the access requests that carry the high-risk access information group and access the URI as a distributed network attack. As the above analysis of the determination process shows, when the URIs accessed by certain access sides within a preset time period are concentrated, and many access sides access the centrally accessed URI in that period, the present invention can determine that a network attack has occurred, and determines as network attacks those access requests to the centrally accessed URI in the period that carry the most frequent access information group. Because the IP address of such an attack may change, it is a distributed network attack.
In the embodiments of the present invention, the network attack determined in step S200 may be an attack carried out by modifying the IP address, or an attack carried out from multiple different IP addresses by controlling compromised hosts (bots).
The network attack detection method disclosed in the embodiments of the present invention determines the access sides whose number of uniform resource identifiers (URIs) accessed in a preset time period is below a preset quantity. Then, for each URI among the at least one URI accessed by the determined access sides, it determines the number of access sides that accessed the URI in the preset time period and, when that number exceeds the first threshold, obtains the access information group carried by each access request that accessed the URI in the preset time period, determines the most frequent access information group among those requests as the high-risk access information group, and determines the access requests that carry the high-risk access information group and access the URI as network attacks. This improves the server's ability to detect and identify network attacks.
In the course of implementing the present invention, the inventors found that existing network attack detection technology has a further problem. It detects network attacks only by counting, on the website server side, the number of times a single IP accesses a URI of the website server per unit time. When a web page lags, a user may refresh it many times in a short period, so the user's electronic device sends many access requests for the same URI to the page's website server in a short time. If the number of such requests exceeds the threshold, existing detection technology determines the user's access requests to be a network attack, producing a false positive. To solve this problem, the embodiments of the present invention provide another network attack detection method based on the steps shown in Fig. 1. As shown in Fig. 2, after step S100 the method may further include the following steps:
S300: determine each URI whose total number of accesses by all access sides in the preset time period exceeds the second threshold as an attacked URI;
S400: for each attacked URI, determine as network attacks the access requests issued by a determined access side whose number of accesses to the attacked URI in the preset time period exceeds the third threshold.
The present invention does not limit the execution order of step S300 relative to steps S100 and S200. Step S300 may be executed before or after at least one of steps S100 and S200, between steps S100 and S200, in parallel with step S100, or in parallel with step S200.
Step S400 is executed after step S300 and after step S100.
Specifically, step S400 may, for each attacked URI, determine as a high-frequency network attack the access requests issued by a determined access side whose number of accesses to the attacked URI in the preset time period exceeds the third threshold.
When the total number of times a URI is accessed by all access sides in the preset time period exceeds the second threshold, the URI has been accessed many times and may be under attack. In this case, the access sides that accessed the possibly attacked URI many times are determined to be attackers, and the attackers' access requests to that URI are determined to be network attacks.
The embodiment of the present invention thus reduces false positives to some extent by adding the condition in step S300 that the second threshold be exceeded. For example, although a user refreshes the same web page many times in a short period, if the page's current total number of accesses does not exceed the second threshold, the user's access requests are not mistaken for a network attack, and the false positive is avoided.
Optionally, the second threshold corresponds to a URI, and the second thresholds of different URIs may be the same or different. For a given URI, setting its second threshold may include:
obtaining the total number of times all access sides accessed the URI in at least one historical time period, and determining the second threshold for the URI from the obtained totals.
The length of a historical time period may equal that of the preset time period, or a historical time period may contain a certain number of preset time periods.
Specifically, when there are multiple historical time periods and each has the same length as the preset time period, this embodiment can, after obtaining the total number of times all access sides accessed the URI in each historical time period, determine the second threshold by the three-standard-deviation method for identifying abnormal data in a Gaussian distribution. The two-standard-deviation method can also be used.
The total number of times all access sides accessed the URI in each historical time period can be obtained from the historical traffic log of the target server.
Specifically, the total number of times all access sides accessed the URI in each historical time period can be extracted from the historical traffic log, and the value of the second threshold determined from those totals. For example, suppose the preset time period and the historical time periods are both 4 minutes long. Taking 4 minutes as the unit time, extract from the historical traffic log, for each day of the preceding week, the total number of times all access sides accessed the URI within each unit time, and then determine for each of the seven days the maximum of those totals, for example 62, 71, 58, 73, 65, 67 and 59 in turn. Then compute the mean A of the seven values and their standard deviation B and, following the three-standard-deviation formula, take A plus 3 times B as the second threshold of the URI.
Optionally, the third threshold corresponds to a URI, and the third thresholds of different URIs may be the same or different.
The network attack detection method shown in Fig. 2 and disclosed in the embodiments of the present invention can, by identifying high-frequency network attacks, effectively avoid the false positives that occur during network attack detection.
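Steps S100 to S400 and the three-standard-deviation threshold described above, as an added Python example that is not code from the patent. The function names, the request dictionary layout, the use of the population standard deviation, the third threshold of 30, counting every access side on a URI in S200, and the sample IP addresses are assumptions; the sample windows are constructed.

```python
from collections import Counter, defaultdict
from statistics import mean, pstdev


def sigma_threshold(history, k=3):
    """Mean plus k standard deviations of historical per-window counts.
    Population standard deviation is an assumption; the page does not say which."""
    return mean(history) + k * pstdev(history)


def info_group(r):
    # Access information group: UA and HTTP_Referer here, never the IP address.
    return (r["ua"], r["referer"])


def side_id(r):
    # Access side identifier: the IP address combined with the access information group.
    return (r["ip"],) + info_group(r)


def narrow_sides(requests, preset_quantity):
    """S100: access sides that accessed fewer than preset_quantity distinct URIs."""
    uris = defaultdict(set)
    for r in requests:
        uris[side_id(r)].add(r["uri"])
    return {s for s, seen in uris.items() if len(seen) < preset_quantity}


def detect_distributed(requests, preset_quantity, first_threshold):
    """S200: indices of requests judged to be a distributed attack."""
    suspects = narrow_sides(requests, preset_quantity)
    flagged = set()
    for uri in {r["uri"] for r in requests if side_id(r) in suspects}:
        hits = [(i, r) for i, r in enumerate(requests) if r["uri"] == uri]
        if len({side_id(r) for _, r in hits}) <= first_threshold[uri]:
            continue  # not enough distinct access sides on this URI
        high_risk = Counter(info_group(r) for _, r in hits).most_common(1)[0][0]
        flagged |= {i for i, r in hits if info_group(r) == high_risk}
    return flagged


def detect_high_frequency(requests, preset_quantity, second_threshold, third_threshold):
    """S300 and S400: indices of requests judged to be a high-frequency attack."""
    suspects = narrow_sides(requests, preset_quantity)
    total = Counter(r["uri"] for r in requests)
    per_side = Counter((r["uri"], side_id(r)) for r in requests)
    # S300: a URI is "attacked" only if its total access count exceeds the second threshold.
    attacked = {u for u, n in total.items() if n > second_threshold[u]}
    # S400: on attacked URIs, flag S100 access sides whose own count exceeds the third threshold.
    return {i for i, r in enumerate(requests)
            if r["uri"] in attacked and side_id(r) in suspects
            and per_side[(r["uri"], side_id(r))] > third_threshold[r["uri"]]}


def req(ip, uri, ua, referer):
    return {"ip": ip, "uri": uri, "ua": ua, "referer": referer}


# Constructed window modelled on the page's example 1: three access sides, nine requests
# to URI1 with the same UA and HTTP_Referer, plus one ordinary visitor browsing three URIs.
WINDOW_1 = [req(ip, "URI1", "UA1", "HTTP_Referer1")
            for ip in ("198.51.100.1", "198.51.100.2", "198.51.100.3") for _ in range(3)]
WINDOW_1 += [req("203.0.113.9", u, "UA2", "HTTP_Referer2") for u in ("URI1", "URI2", "URI3")]

# Second threshold from the page's seven daily maxima; the third threshold is a constructed value.
SECOND = {"URI2": sigma_threshold([62, 71, 58, 73, 65, 67, 59])}
THIRD = {"URI2": 30}
# Constructed windows: a user refreshing a lagging page 40 times, and a flood of 100 requests.
REFRESH = [req("203.0.113.9", "URI2", "UA2", "HTTP_Referer2")] * 40
FLOOD = [req("198.51.100.7", "URI2", "UA1", "HTTP_Referer1")] * 100 + REFRESH[:5]

if __name__ == "__main__":
    print("second threshold:", round(SECOND["URI2"], 2))
    print("distributed:", sorted(detect_distributed(WINDOW_1, 2, {"URI1": 2})))
    print("refresh only:", detect_high_frequency(REFRESH, 2, SECOND, THIRD))
    print("flood:", len(detect_high_frequency(FLOOD, 2, SECOND, THIRD)))
```

The refresh-only window exceeds the third threshold per access side but stays under the second threshold for the URI, so nothing is flagged; that is the false-positive case the S300 gate is meant to remove.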
Corresponding to the method shown in Fig. 1, an embodiment of the present invention provides network attack detection equipment. As shown in Fig. 3, the network attack detection equipment may include an access side determination unit 100 and a first network attack determination unit 200, wherein:
The access side determination unit 100 is configured to determine the access sides whose number of uniform resource identifiers (URIs) accessed in a preset time period is below a preset quantity;
Optionally, a technician can set the preset time period according to actual detection needs. In practical applications there may be one preset time period or several. For example, starting from 00:00:00 on a given day, every 10 seconds is one preset time period, which yields multiple preset time periods. When there are multiple preset time periods they need not be contiguous; there may be a gap between two adjacent preset time periods, and the present invention imposes no limitation here. For each preset time period, the present invention can determine whether a network attack exists in that period.
The first network attack determination unit 200 is configured to, for each URI among the at least one URI accessed by the determined access sides: determine the number of access sides that accessed the URI in the preset time period and, when that number exceeds the first threshold, obtain the access information group carried by each access request that accessed the URI in the preset time period, determine the most frequent access information group among those requests as the high-risk access information group, and determine the access requests that carry the high-risk access information group and access the URI as network attacks.
Optionally, the access information group may include at least one of the following items of access information: device fingerprint, user identifier, user agent UA and HTTP_Referer. Specifically, the access information group does not include the IP address.
The access side determination unit 100 may specifically include an access request obtaining subunit, an access request determination subunit and a quantity determination subunit, wherein:
The access request obtaining subunit is configured to obtain the access requests with which access sides accessed uniform resource identifiers (URIs) within a preset time period, each access request also carrying the IP address of the access side;
The access request determination subunit is configured to determine the combination of the IP address and the access information group as the access side identifier, and to determine access requests carrying the same access side identifier as access requests of the same access side;
The quantity determination subunit is configured to, for each access side: obtain the number of accessed URIs carried in the access requests with which the access side accessed URIs in the preset time period and, when that number is below the preset quantity, determine the access side as an access side whose number of URIs accessed in the preset time period is below the preset quantity.
Optionally, when determining the number of access sides that accessed the URI in the preset time period, the first network attack determination unit 200 is specifically configured to:
determine the number of access sides that accessed the URI in the preset time period from the access side identifiers carried in the access requests that carry the URI.
Specifically, once the first network attack determination unit 200 determines that the access requests carrying the URI carry N distinct access side identifiers, it can determine that the number of access sides that accessed the URI in the preset time period is N.
Optionally, the first threshold corresponds to a URI, and the first thresholds of different URIs may be the same or different.
Optionally, when determining the access requests that carry the high-risk access information group and access the URI as network attacks, the first network attack determination unit 200 is specifically configured to:
determine the access requests that carry the high-risk access information group and access the URI as a distributed network attack.
In practical applications, the present invention can determine the access requests that carry the high-risk access information group and access the URI as a distributed network attack. As the above analysis of the determination process shows, when the URIs accessed by certain access sides within a preset time period are concentrated, and many access sides access the centrally accessed URI in that period, the present invention can determine that a network attack has occurred, and determines as network attacks those access requests to the centrally accessed URI in the period that carry the most frequent access information group. Because the IP address of such an attack may change, it is a distributed network attack.
In the embodiments of the present invention, the network attack determined by the first network attack determination unit 200 may be an attack carried out by modifying the IP address, or an attack carried out from multiple different IP addresses by controlling compromised hosts (bots).
The network attack detection equipment disclosed in the embodiments of the present invention determines the access sides whose number of uniform resource identifiers (URIs) accessed in a preset time period is below a preset quantity. Then, for each URI among the at least one URI accessed by the determined access sides, it determines the number of access sides that accessed the URI in the preset time period and, when that number exceeds the first threshold, obtains the access information group carried by each access request that accessed the URI in the preset time period, determines the most frequent access information group among those requests as the high-risk access information group, and determines the access requests that carry the high-risk access information group and access the URI as network attacks. This improves the server's ability to detect and identify network attacks.
Corresponding to the method shown in Fig. 2, and as shown in Fig. 4, an embodiment of the present invention provides further network attack detection equipment which, in addition to the network attack detection equipment shown in Fig. 3, includes a URI determination unit 300 and a second network attack determination unit 400, wherein:
The URI determination unit 300 is configured to determine each URI whose total number of accesses by all access sides in the preset time period exceeds the second threshold as an attacked URI;
The second network attack determination unit 400 is configured to, for each attacked URI, determine as network attacks the access requests issued by a determined access side whose number of accesses to the attacked URI in the preset time period exceeds the third threshold.
When the total number of times a URI is accessed by all access sides in the preset time period exceeds the second threshold, the URI has been accessed many times and may be under attack. In this case, the access sides that accessed the possibly attacked URI many times are determined to be attackers, and the attackers' access requests to that URI are determined to be network attacks.
The embodiment of the present invention thus reduces false positives to some extent by adding the condition in the URI determination unit 300 that the second threshold be exceeded. For example, although a user refreshes the same web page many times in a short period, if the page's current total number of accesses does not exceed the second threshold, the user's access requests are not mistaken for a network attack, and the false positive is avoided.
Optionally, the second threshold corresponds to a URI, and the second thresholds of different URIs may be the same or different.
Optionally, the second network attack determination unit 400 may be specifically configured to, for each attacked URI, determine as a high-frequency network attack the access requests issued by a determined access side whose number of accesses to the attacked URI in the preset time period exceeds the third threshold.
Optionally, the third threshold corresponds to a URI, and the third thresholds of different URIs may be the same or different.
The network attack detection equipment shown in Fig. 4 and disclosed in the embodiments of the present invention can, by identifying high-frequency network attacks, effectively avoid the false positives that occur during network attack detection.
The network attack detection equipment includes a processor and a memory. The access side determination unit 100, the first network attack determination unit 200 and the other units are stored in the memory as program units, and the processor executes the program units stored in the memory to implement the corresponding functions.
The processor contains a kernel, which retrieves the corresponding program unit from the memory. One or more kernels may be provided, and network attacks are detected by adjusting kernel parameters.
The memory may include non-permanent memory in a computer-readable medium, random access memory (RAM) and/or non-volatile memory, such as read-only memory (ROM) or flash memory (flash RAM), and the memory includes at least one memory chip.
An embodiment of the present invention provides a storage medium in which computer-executable instructions are stored; when the computer-executable instructions are loaded and executed by a processor, the network attack detection method provided by the embodiments of the present invention is implemented.
An embodiment of the present invention provides a processor configured to run a program, wherein the program, when run, executes the network attack detection method.
An embodiment of the present invention provides computer equipment including a processor, a memory and a program stored in the memory and runnable on the processor, the processor implementing at least the following steps when executing the program:
determining the access sides whose number of uniform resource identifiers (URIs) accessed in a preset time period is below a preset quantity;
for each URI among the at least one URI accessed by the determined access sides: determining the number of access sides that accessed the URI in the preset time period and, when that number exceeds the first threshold, obtaining the access information group carried by each access request that accessed the URI in the preset time period, determining the most frequent access information group among those requests as the high-risk access information group, and determining the access requests that carry the high-risk access information group and access the URI as network attacks.
The computer equipment here may be a server, a PC, a PAD, a mobile phone or the like.
The present application also provides a computer program product which, when executed on data processing equipment, is adapted to execute a program initialized with at least the following method steps:
determining the access sides whose number of uniform resource identifiers (URIs) accessed in a preset time period is below a preset quantity;
for each URI among the at least one URI accessed by the determined access sides: determining the number of access sides that accessed the URI in the preset time period and, when that number exceeds the first threshold, obtaining the access information group carried by each access request that accessed the URI in the preset time period, determining the most frequent access information group among those requests as the high-risk access information group, and determining the access requests that carry the high-risk access information group and access the URI as network attacks.
Those skilled in the art should understand that the embodiments of the present application may be provided as a method, equipment (a system) or a computer program product. The present application may therefore take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware. Moreover, the present application may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to magnetic disk storage, CD-ROM and optical storage) that contain computer-usable program code.
The present application is described with reference to flowcharts and/or block diagrams of the method, equipment (system) and computer program product according to the embodiments of the present application. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in them, can be implemented by computer program instructions. These computer program instructions can be provided to the processor of a general-purpose computer, a special-purpose computer, an embedded processor or other programmable data processing equipment to produce a machine, so that the instructions executed by the processor of the computer or other programmable data processing equipment produce a device for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing equipment to work in a particular way, so that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction device that implements the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
These computer program instructions may also be loaded onto a computer or other programmable data processing equipment, so that a series of operational steps is executed on the computer or other programmable equipment to produce computer-implemented processing, and the instructions executed on the computer or other programmable equipment thereby provide steps for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
In a typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces and memory.
The memory may include non-permanent memory in a computer-readable medium, random access memory (RAM) and/or non-volatile memory, such as read-only memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
Computer-readable media include permanent and non-permanent, removable and non-removable media, which can store information by any method or technology. The information may be computer-readable instructions, data structures, program modules or other data. Examples of computer storage media include, but are not limited to, phase-change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technologies, compact disc read-only memory (CD-ROM), digital versatile disc (DVD) or other optical storage, magnetic cassettes, magnetic tape and disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible by a computing device. As defined herein, computer-readable media do not include transitory computer-readable media (transitory media), such as modulated data signals and carrier waves.
It should also be noted that the terms "include", "comprise" and any variants thereof are intended to cover non-exclusive inclusion, so that a process, method, commodity or equipment that includes a series of elements includes not only those elements but also other elements not explicitly listed, or elements inherent to the process, method, commodity or equipment. Without further limitation, an element introduced by "including a ..." does not exclude the presence of other identical elements in the process, method, commodity or equipment that includes it.
Those skilled in the art will understand that the embodiments of the present application may be provided as a method, equipment (a system) or a computer program product. The present application may therefore take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware. Moreover, the present application may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to magnetic disk storage, CD-ROM and optical storage) that contain computer-usable program code.
The above are only embodiments of the present application and are not intended to limit it. Those skilled in the art may make various modifications and changes to the present application. Any modification, equivalent replacement or improvement made within the spirit and principles of the present application shall fall within the scope of its claims.

Claims (10)

1. A network attack detection method, characterized in that the method comprises:
determining the access sides whose number of uniform resource identifiers (URIs) accessed in a preset time period is below a preset quantity;
for each URI among the at least one URI accessed by the determined access sides: determining the number of access sides that accessed the URI in the preset time period and, when that number exceeds a first threshold, obtaining the access information group carried by each access request that accessed the URI in the preset time period, determining the most frequent access information group among those requests as the high-risk access information group, and determining the access requests that carry the high-risk access information group and access the URI as network attacks.
2. The method according to claim 1, characterized in that the access information group includes at least one of the following items of access information: device fingerprint, user identifier, user agent UA and HTTP_Referer.
3. The method according to claim 1, characterized in that determining the access sides whose number of uniform resource identifiers (URIs) accessed in a preset time period is below a preset quantity comprises:
obtaining the access requests with which access sides accessed uniform resource identifiers (URIs) within the preset time period, each access request also carrying the IP address of the access side;
determining the combination of the IP address and the access information group as the access side identifier, and determining access requests carrying the same access side identifier as access requests of the same access side;
for each access side: obtaining the number of accessed URIs carried in the access requests with which the access side accessed URIs in the preset time period and, when that number is below the preset quantity, determining the access side as an access side whose number of URIs accessed in the preset time period is below the preset quantity.
4. The method according to claim 3, characterized in that determining the number of access sides that accessed the URI in the preset time period comprises:
determining the number of access sides that accessed the URI in the preset time period from the access side identifiers carried in the access requests that carry the URI.
5. method according to claim 1 to 4, which is characterized in that described to carry the high-risk access letter The breath group and access request for accessing the URI is determined as network attack, comprising:
By carry the high-risk access information group and access the URI access request be determined as distributed network attack.
6. the method according to claim 1, wherein the method also includes:
It will be determined as being attacked by the URI that the number summation that all access sides access is more than second threshold in the preset time period Hit URI;
To each by attack URI: that identified access side is issued, access in the preset time period this by attack URI Number is more than that the access request of third threshold value is determined as network attack.
7. according to the method described in claim 6, it is characterized in that, described attacked URI to each: will be in the preset time It is more than that third threshold value, identified access side accesses the access request by attack URI that this is accessed in section by URI number of attack It is determined as network attack, comprising:
To each by attack URI: that identified access side is issued, access in the preset time period this by attack URI Number is more than that the access request of third threshold value is determined as high frequency type network attack.
8. a kind of network attack detection equipment, which is characterized in that the network attack detection equipment includes access side's determination unit Determination unit is attacked with first network, in which:
Access side's determination unit, for determining that the quantity of the uniform resource identifier URI accessed in preset time period is lower than The access side of preset quantity;
The first network attacks determination unit, every at least one URI for being accessed the determining access side A URI: it determines the quantity for accessing the access side of the URI in the preset time period, is more than first in the quantity of the access side When threshold value, obtains and access the access information group that each access request of the URI carries in the preset time period, by each visit The access information group for asking that frequency of occurrence is most in request is determined as high-risk access information group, and will carry the high-risk access information The group and access request for accessing the URI is determined as network attack.
9. a kind of storage medium, which is characterized in that be stored with computer executable instructions, the computer in the storage medium When executable instruction is loaded and executed by processor, the described in any item network attack detection sides of claim 1 to 7 as above are realized Method.
10. a kind of computer equipment, which is characterized in that including processor, memory and be stored on the memory and can be The program run on the processor, the processor at least perform the steps of when executing program
Determine that the quantity of the uniform resource identifier URI accessed in preset time period is lower than the access side of preset quantity;
The each URI at least one URI accessed the determining access side: access in the preset time period is determined The quantity of the access side of the URI, when the quantity of the access side is more than first threshold, acquisition is visited in the preset time period The access information group that each access request of the URI carries is asked, by the most access information of frequency of occurrence in each access request Group is determined as high-risk access information group, and will carry the high-risk access information group and access the access request of the URI and be determined as Network attack.
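The detection flow of claims 1, 3 and 4, sketched in Python as an added example (not code from the patent or its applicant). The function name, the `(ip, info_group, uri)` request shape, the threshold values and the sample traffic are assumptions constructed for illustration; claim 6's high-frequency check is not covered.

```python
from collections import Counter, defaultdict

def detect_distributed(requests, preset_quantity, first_threshold):
    """requests: iterable of (ip, info_group, uri) seen in one preset time period.
    info_group is a hashable tuple such as (user_agent, referer) (claim 2).
    Returns {uri: (high_risk_group, [flagged requests])}."""
    requests = list(requests)
    uris_by_side = defaultdict(set)       # access side id -> URIs it accessed
    sides_by_uri = defaultdict(set)       # URI -> access side ids that accessed it
    groups_by_uri = defaultdict(Counter)  # URI -> occurrences of each info group
    for ip, group, uri in requests:
        side = (ip, group)  # claim 3: IP + access information group = access side id
        uris_by_side[side].add(uri)
        sides_by_uri[uri].add(side)
        groups_by_uri[uri][group] += 1

    # Claim 1, first step: access sides that accessed fewer URIs than the preset quantity.
    narrow = {s for s, uris in uris_by_side.items() if len(uris) < preset_quantity}
    candidate_uris = set().union(*(uris_by_side[s] for s in narrow))

    findings = {}
    for uri in sorted(candidate_uris):
        # Claim 4: count access sides on this URI by their access side identifier.
        if len(sides_by_uri[uri]) <= first_threshold:
            continue
        # Most frequent access information group on this URI is the high-risk group.
        high_risk, _ = groups_by_uri[uri].most_common(1)[0]
        flagged = [r for r in requests if r[2] == uri and r[1] == high_risk]
        findings[uri] = (high_risk, flagged)
    return findings

# Constructed sample: six source IPs sharing one info group hit a single URI,
# while two ordinary clients browse several pages.
BOT = ("ExampleBot/1.0", "-")
BROWSER = ("Mozilla/5.0 (constructed)", "https://site.example/")
SAMPLE = (
    [(f"198.51.100.{i}", BOT, "/api/vote") for i in range(1, 7) for _ in range(3)]
    + [("203.0.113.9", BROWSER, u) for u in ("/", "/list", "/play/1", "/api/vote")]
    + [("203.0.113.10", BROWSER, u) for u in ("/", "/list")]
)

if __name__ == "__main__":
    for uri, (group, hits) in detect_distributed(SAMPLE, 3, 4).items():
        print(uri, group, len(hits))
```

The browser client's single request to `/api/vote` is not flagged because it carries a different access information group. With a coarse group such as UA alone, the most frequent group on a busy URI can be an ordinary browser, so the fields chosen for the group determine the false-positive rate.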
CN201910379112.5A 2019-05-08 2019-05-08 Network attack detection method, equipment, storage medium and computer equipment Active CN110071941B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910379112.5A CN110071941B (en) 2019-05-08 2019-05-08 Network attack detection method, equipment, storage medium and computer equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910379112.5A CN110071941B (en) 2019-05-08 2019-05-08 Network attack detection method, equipment, storage medium and computer equipment

Publications (2)

Publication Number Publication Date
CN110071941A (en) 2019-07-30
CN110071941B (en) 2021-10-29

Family

ID=67370310

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910379112.5A Active CN110071941B (en) 2019-05-08 2019-05-08 Network attack detection method, equipment, storage medium and computer equipment

Country Status (1)

Country Link
CN (1) CN110071941B (en)

Also Published As

Publication number Publication date
CN110071941B (en) 2021-10-29

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant