CN110266726B - Method and device for identifying DDOS attack data stream - Google Patents


Info

Publication number
CN110266726B
CN110266726B (application CN201910610981.4A)
Authority
CN
China
Prior art keywords
data stream
data
sampling
determining
message
Prior art date
Legal status: Active
Application number
CN201910610981.4A
Other languages
Chinese (zh)
Other versions
CN110266726A (en)
Inventor
岳伟国
Current Assignee
New H3C Security Technologies Co Ltd
Original Assignee
New H3C Security Technologies Co Ltd
Priority date
Filing date
Publication date
Application filed by New H3C Security Technologies Co Ltd
Priority to CN201910610981.4A
Publication of CN110266726A
Application granted
Publication of CN110266726B
Anticipated expiration

Classifications

    • H: Electricity; H04: Electric communication technique; H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L 63/00: Network architectures or network communication protocols for network security
    • H04L 63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408: Detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416: Event detection, e.g. attack signature detection
    • H04L 63/1441: Countermeasures against malicious traffic
    • H04L 63/1458: Denial of Service

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The embodiments of the application provide a method and a device for identifying a DDoS attack data flow, in the technical field of network security. The method is applied to a detection device and comprises: receiving an sFlow message sent by a network device, where the sFlow message carries data flow statistical information for each data flow together with the sampling start time and sampling end time of each data flow; determining, for each data flow, the time interval between its sampling start time and sampling end time, and determining the transmission rate of the data flow from its statistical information and that time interval; and, if the transmission rate of the data flow exceeds a preset threshold, determining that the data flow is a DDoS attack data flow. The method and device reduce the misidentification rate.

Description

Method and device for identifying DDOS attack data stream
Technical Field
The present application relates to the field of network security technologies, and in particular, to a method and an apparatus for identifying a DDOS attack data stream.
Background
In a communication network, a Distributed Denial of Service (DDoS) attack is a common attack method. In a DDoS attack, many network devices are combined into an attack platform that continuously sends a large number of packets to a target device, exhausting the bandwidth or system resources of the target and causing it great harm.
At present, sampled flow (sFlow), a network traffic monitoring technology based on packet sampling, is commonly used to identify DDoS attacks. The process is as follows. The network contains network devices with a packet sampling function that can count characteristic information for each data flow. Specifically, a network device such as a router parses a received packet to extract its characteristic information, such as seven-tuple information and header fields. The network device treats packets with the same seven-tuple as belonging to the same data flow and counts the number of packets in each flow separately. The network device also counts the total number of received packets and, when that total reaches a preset threshold, sends an sFlow message to the detection device; the sFlow message carries the characteristic information of each data flow counted by the network device, such as the seven-tuple of the flow and the number of packets it contains. The detection device reads the packet counts carried in the sFlow message to determine how many packets were received, and generates a DDoS alarm when it determines that the number of packets received within a preset statistical time is large.
However, with this approach the detection device has no information that represents the traffic rate, only packet counts, so in some cases it raises false alarms: a large count accumulated slowly over a long period is indistinguishable from the same count arriving in a burst.
Disclosure of Invention
The embodiment of the application aims to provide a method and a device for identifying DDOS attack data streams so as to reduce the false identification rate. The specific technical scheme is as follows:
in a first aspect, a method for identifying a DDOS attack data flow is provided, where the method is applied to a detection device, and the method includes:
receiving an sFlow message sent by a network device, wherein the sFlow message carries data flow statistical information of each data flow, and sampling start time and sampling end time of each data flow;
determining a time interval between sampling start time and sampling end time corresponding to each data stream, and determining a transmission rate corresponding to the data stream according to data stream statistical information of the data stream and the time interval;
and if the transmission rate corresponding to the data stream exceeds a preset threshold value, determining that the data stream is a DDOS attack data stream.
Optionally, the data flow statistical information includes a message amount and/or a message data amount in the data flow;
determining the transmission rate corresponding to the data stream according to the data stream statistical information of the data stream and the time interval, including:
determining the total message quantity of the data stream in the time interval according to the message quantity of the data stream and a preset sampling frequency, and determining the ratio of the total message quantity to the time interval to obtain the packet transmission rate corresponding to the data stream; and/or
And determining the total message data volume of the data stream in the time interval according to the message data volume of the data stream and a preset sampling frequency, and determining the ratio of the total message data volume to the time interval to obtain the bit transmission rate corresponding to the data stream.
Optionally, when the data flow statistical information includes the number of packets in the data flow and the packet data volume, if the transmission rate corresponding to the data flow exceeds a preset threshold, determining that the data flow is a DDOS attack data flow, including:
and if the packet transmission rate corresponding to the data stream exceeds a first preset threshold value, or the bit transmission rate corresponding to the data stream exceeds a second preset threshold value, determining that the data stream is a DDOS attack data stream.
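A worked example of the detection-side calculation described in the first aspect, added here as illustration and not taken from the patent or from the assignee's code. It assumes the sFlow record has already been parsed into the fields named below (the field names are this example's own), that timestamps are in seconds, that the "message data amount" is counted in bytes, and that the "sampling frequency" is the 1-in-N sampling rate, so the total packet and byte counts are the sampled counts multiplied by N. It also handles a case the text does not discuss: a flow for which only one packet was sampled has a zero interval and no defined rate, so it is left unflagged rather than dividing by zero. For contrast it includes the prior-art rule from the Background, which alarms on a packet count alone.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class FlowSample:
    """One Sample data record as seen by the detection device.
    Field names are this example's own; the patent's tables are images on this page."""
    flow: tuple           # flow identifier, e.g. a 5-tuple (src, dst, proto, sport, dport)
    sampled_packets: int  # packets of this flow among the *sampled* packets ("message amount")
    sampled_bytes: int    # bytes of this flow among the sampled packets ("message data amount")
    sampling_rate: int    # 1-in-N sampling; N == 1 is what the patent calls Counter sampling
    start_time: float     # collection time of the first sampled packet of the flow (seconds)
    end_time: float       # collection time of the last sampled packet of the flow (seconds)


def estimate_rates(s: FlowSample) -> Optional[Tuple[float, float]]:
    """Return (packets per second, bits per second) estimated for the flow, or None
    when the interval is zero (only one packet sampled) or negative (clock skew)."""
    if s.sampling_rate < 1:
        raise ValueError("sampling rate must be >= 1")
    interval = s.end_time - s.start_time
    if interval <= 0:
        return None
    # Scale the sampled counts back up to the whole flow, then divide by the interval.
    total_packets = s.sampled_packets * s.sampling_rate
    total_bytes = s.sampled_bytes * s.sampling_rate
    return total_packets / interval, total_bytes * 8 / interval


def is_ddos_flow(s: FlowSample, pps_threshold: float, bps_threshold: float) -> bool:
    """The patent's rule: flag the flow if either rate exceeds its own preset threshold."""
    rates = estimate_rates(s)
    if rates is None:
        return False
    pps, bps = rates
    return pps > pps_threshold or bps > bps_threshold


def prior_art_alarm(s: FlowSample, packet_threshold: int) -> bool:
    """The Background's count-only rule, for comparison: it cannot tell a burst from a trickle."""
    return s.sampled_packets * s.sampling_rate > packet_threshold


def classify(samples: List[FlowSample], pps_threshold=100_000, bps_threshold=500_000_000) -> list:
    """Return the identifiers of the flows the rate rule marks as DDoS attack flows."""
    return [s.flow for s in samples if is_ddos_flow(s, pps_threshold, bps_threshold)]


# Constructed samples: identical counts (500 sampled packets, 32 000 sampled bytes, 1-in-1000)
# but very different sampling intervals; LONE had a single packet sampled.
BURST = FlowSample(("203.0.113.7", "10.0.0.5", 17, 53, 80), 500, 32_000, 1000, 100.0, 100.5)
TRICKLE = FlowSample(("198.51.100.9", "10.0.0.5", 6, 443, 51000), 500, 32_000, 1000, 100.0, 160.0)
LONE = FlowSample(("192.0.2.1", "10.0.0.5", 1, 0, 0), 1, 64, 1000, 100.0, 100.0)
SAMPLES = [BURST, TRICKLE, LONE]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s.flow, estimate_rates(s),
              "ddos" if is_ddos_flow(s, 100_000, 500_000_000) else "ok",
              "(prior-art count rule alarms)" if prior_art_alarm(s, 100_000) else "")
```

BURST and TRICKLE carry the same estimated 500 000 packets, so the count-only rule alarms on both; the rate rule flags only BURST (about 1 000 000 packets per second over 0.5 s) and leaves TRICKLE (about 8 333 packets per second over 60 s) alone, which is the false alarm the patent sets out to remove.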
In a second aspect, a method for identifying DDOS attack data flow is provided, where the method is applied to a network device, and the method includes:
sampling the received message by a preset sampling strategy;
determining data streams to which the acquired messages belong, determining data stream statistical information corresponding to the data streams according to the messages belonging to the data streams for each data stream, determining the acquisition time of the first acquired message belonging to the data stream as the sampling start time corresponding to the data stream, and determining the acquisition time of the last acquired message belonging to the data stream as the sampling end time corresponding to the data stream;
and generating a sampling flow sFlow message carrying the data flow statistical information of each data flow and the sampling start time and the sampling end time of each data flow, and sending the sFlow message to a detection device.
In a third aspect, an apparatus for identifying a DDOS attack data flow is provided, where the apparatus is applied to a detection device, and the apparatus includes:
the system comprises a receiving module, a sending module and a receiving module, wherein the receiving module is used for receiving an sFlow message sent by network equipment, and the sFlow message carries data flow statistical information of each data flow and sampling start time and sampling end time of each data flow;
a first determining module, configured to determine, for each data stream, a time interval between a sampling start time and a sampling end time corresponding to the data stream, and determine, according to data stream statistics information of the data stream and the time interval, a transmission rate corresponding to the data stream;
and the second determining module is used for determining that the data stream is a DDOS attack data stream if the transmission rate corresponding to the data stream exceeds a preset threshold value.
Optionally, the data flow statistical information includes a message amount and/or a message data amount in the data flow;
the first determining module is specifically configured to:
determining the total message quantity of the data stream in the time interval according to the message quantity of the data stream and a preset sampling frequency, and determining the ratio of the total message quantity to the time interval to obtain the packet transmission rate corresponding to the data stream; and/or
And determining the total message data volume of the data stream in the time interval according to the message data volume of the data stream and a preset sampling frequency, and determining the ratio of the total message data volume to the time interval to obtain the bit transmission rate corresponding to the data stream.
Optionally, when the data flow statistical information includes a packet amount and a packet data amount in the data flow, the second determining module is specifically configured to:
and if the packet transmission rate corresponding to the data stream exceeds a first preset threshold value, or the bit transmission rate corresponding to the data stream exceeds a second preset threshold value, determining that the data stream is a DDOS attack data stream.
In a fourth aspect, an apparatus for identifying a DDOS attack data flow is provided, where the apparatus is applied to a network device, and the apparatus includes:
the acquisition module is used for sampling the received message through a preset sampling strategy;
the determining module is used for determining data streams to which the acquired messages belong, determining data stream statistical information corresponding to the data streams according to the messages belonging to the data streams for each data stream, determining the acquired acquisition time of the first message belonging to the data stream as the sampling start time corresponding to the data stream, and determining the acquired acquisition time of the last message belonging to the data stream as the sampling end time corresponding to the data stream;
and the sending module is used for generating a sampling flow sFlow message carrying the data flow statistical information of each data flow and the sampling start time and the sampling end time of each data flow, and sending the sFlow message to the detection equipment.
In a fifth aspect, a detection device is provided, which includes a processor, a communication interface, a memory and a communication bus, wherein the processor, the communication interface and the memory complete communication with each other through the communication bus;
a memory for storing a computer program;
a processor for implementing the method steps of any of the first aspect when executing a program stored in the memory.
In a sixth aspect, a computer-readable storage medium is provided, having stored thereon a computer program which, when being executed by a processor, carries out the method steps of any of the first aspects.
In a seventh aspect, there is provided a computer program product comprising instructions which, when run on a computer, cause the computer to perform the method of any of the first aspects above.
In an eighth aspect, a network device is provided, which includes a processor, a communication interface, a memory and a communication bus, wherein the processor, the communication interface and the memory complete communication with each other through the communication bus;
a memory for storing a computer program;
a processor for implementing the method steps of the second aspect when executing the program stored in the memory.
In a ninth aspect, a computer-readable storage medium is provided, wherein a computer program is stored in the computer-readable storage medium, and when executed by a processor, implements the method steps of the second aspect.
In a tenth aspect, there is provided a computer program product comprising instructions which, when run on a computer, cause the computer to perform the method of the second aspect described above.
According to the method and device for identifying a DDoS attack data flow provided by the embodiments, the detection device receives an sFlow message sent by the network device, and the sFlow message carries data flow statistical information for each data flow together with the sampling start time and sampling end time of each data flow. For each data flow, the detection device determines the time interval between the sampling start time and the sampling end time, and determines the transmission rate of the flow from its statistical information and that interval. If the transmission rate exceeds a preset threshold, the data flow is determined to be a DDoS attack data flow. Compared with the prior art scheme, which raises a DDoS alarm whenever the number of packets received within a preset statistical time is large, this scheme computes the transmission rate of each data flow accurately and identifies DDoS attack data flows by that rate, so attack flows are identified accurately and false alarms are avoided.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present application, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts.
Fig. 1 is a schematic diagram of a network system according to an embodiment of the present application;
fig. 2 is a flowchart of a method for identifying DDOS attack data flows according to an embodiment of the present application;
fig. 3a is a schematic diagram of an sFlow packet based on Flow sampling according to an embodiment of the present application;
fig. 3b is a schematic diagram of an sFlow packet based on Counter sampling according to an embodiment of the present application;
fig. 4 is a flowchart of a method for identifying DDOS attack data flow according to an embodiment of the present application;
fig. 5 is a schematic structural diagram of an apparatus for identifying a DDOS attack data flow according to an embodiment of the present application;
fig. 6 is a schematic structural diagram of an apparatus for identifying a DDOS attack data flow according to an embodiment of the present application;
fig. 7 is a schematic structural diagram of a detection apparatus according to an embodiment of the present application.
Fig. 8 is a schematic structural diagram of a network device according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
The embodiment of the application provides a method for identifying a DDoS attack data flow, which is executed by a network device and a detection device. Fig. 1 is a schematic diagram of the network system provided in an embodiment of the application: it includes a backbone network and a plurality of intranets (for example, metropolitan area networks). Each intranet may be provided with a network device, and the backbone network is provided with a network device, a detection device, an Abnormal Traffic supervision System (ATIC) management center and a cleaning device. The network device supports an sFlow function (for example, it is configured with an sFlow Agent module), so that it collects packets in a preset period, analyzes the collected packets and obtains data flow statistical information for each data flow. The network device generates an sFlow message including the data flow statistical information and sends it to the detection device. The detection device may be configured with an sFlow Collector module and determines, from the data flow statistical information in the sFlow message, whether any data flow is a DDoS attack data flow. If the detection device determines that a certain data flow is a DDoS attack data flow, it reports alarm information to the management server, where the alarm information carries the seven-tuple of the data flow, and the management server forwards the alarm information to the cleaning device. Because every data flow in the network passes through the cleaning device before reaching devices in the intranet, the cleaning device can filter out the data flow matching that seven-tuple (that is, the DDoS attack data flow), block it, and thus preserve the security of the network.
In the embodiment of the application, the network device collects the received packets and determines the data flow to which each collected packet belongs. For each data flow, the network device not only determines the data flow statistical information from the packets of that flow, but also takes the collection time of the first collected packet of the flow as the sampling start time and the collection time of the last collected packet of the flow as the sampling end time; it then sends the detection device an sFlow message carrying the statistical information of each data flow together with the sampling start time and sampling end time of each flow. In this way, for each data flow the detection device determines the time interval between the sampling start time and the sampling end time, determines the transmission rate of the flow from its statistical information and that interval, and determines that the flow is a DDoS attack data flow if its transmission rate exceeds a preset threshold. Compared with the prior art scheme, which raises a DDoS alarm whenever the number of packets received within a preset statistical time is large, this scheme extends the sFlow message so that it carries the sampling start time and sampling end time of each data flow; the transmission rate of each flow can then be computed accurately and DDoS attack data flows identified by that rate, so attack flows are identified accurately and false alarms are avoided.
For convenience of description, in the embodiments of the present application, a processing procedure of a network device is first described. As shown in fig. 2, the processing of the network device may include the following steps.
Step 201, sampling the received message by a preset sampling strategy.
In this embodiment of the application, a sampling frequency may be preconfigured in the network device. The sampling frequency is the ratio of the number of received packets to the number of collected packets (what sFlow itself calls the sampling rate N) and is greater than or equal to 1. For example, a sampling frequency of 1000 means that 1 packet is collected out of every 1000 received. The network device collects packets from the received packets according to the preconfigured sampling frequency.
Various sampling strategies can be preset in the network equipment.
In one implementation, a number of packets to be collected (a preset number) is set, and the network device performs steps 202 and 203 on each batch of the preset number of collected packets. In this way the network device sends an sFlow message to the detection device each time the preset number of packets has been collected, and then begins sampling and counting again (that is, performs steps 201 to 203 anew). For example, if the preset number is 2000, the network device sends an sFlow message each time 2000 packets have been collected, and the message carries the data flow statistical information of each data flow determined from those 2000 packets.
In another implementation, a sampling period for the sFlow message is set, and the network device performs steps 202 and 203 on the packets collected within that period, so that it sends an sFlow message to the detection device each time the preset sampling period elapses and then begins sampling and counting again (that is, performs steps 201 to 203 anew).
Optionally, only data flows toward the intranet need to be examined for DDoS attack data flows. Correspondingly, the network device collects only packets whose destination address is an intranet IP address, and the detection device subsequently identifies only data flows toward the intranet, preventing DDoS attack flows from reaching the intranet and improving its security. In addition, the detection device does not need to examine data flows from the intranet to the external network, which reduces its resource usage.
Step 202, determining a data stream to which each acquired message belongs, determining, for each data stream, data stream statistical information corresponding to the data stream according to the message corresponding to the data stream, determining the acquisition time of the first message acquired to the data stream as the sampling start time corresponding to the data stream, and determining the acquisition time of the last message acquired to the data stream as the sampling end time corresponding to the data stream.
The data flow statistics information may include a packet number and/or a packet data amount.
In the embodiment of the application, for each collected packet the network device parses the packet, extracts the packet information from it, and treats packets with identical packet information as belonging to the same data flow. The packet information may be a 2-tuple, a 4-tuple, a 5-tuple or a 7-tuple.
Specifically:
the 2-tuple consists of the source IP address and the destination IP address;
the 4-tuple consists of the source IP address, destination IP address, source port and destination port;
the 5-tuple consists of the source IP address, destination IP address, protocol number, source port and destination port;
the 7-tuple consists of the source IP address, destination IP address, protocol number, source port, destination port, service type and interface index.
In one implementation, after collecting each packet the network device extracts the packet information and checks whether a previously collected packet with the same packet information exists. If none exists, this packet is the first packet of its data flow collected in the current collection process; the network device records the packet information and may use it as the data flow identifier. At the same time, the network device initializes the data flow statistical information of that flow from the packet. For example, if the packet's data volume is 50 kb, the statistical information of the flow becomes a packet data volume of 50 kb and a packet count of 1. The network device also establishes a correspondence between the data flow identifier and the data flow statistical information so that the statistics can be updated when further packets of the flow are collected.
If a previously collected packet with the same packet information does exist, the network device looks up the data flow statistical information for that packet information in the correspondence between data flow identifiers (that is, packet information) and statistics, and updates it with the new packet. For example, if the packet's data volume is 50 kb and the statistics found record a packet data volume of 60 kb and a packet count of 2, the packet data volume is updated to 110 kb and the packet count to 3.
In addition, the network device may further record the collection time of each packet, and when a preset condition is reached (for example, a preset number of packets are collected or a preset sampling period is reached), for each data stream, the network device may determine the collection time of a first packet collected and belonging to the data stream, as the sampling start time corresponding to the data stream, and determine the collection time of a last packet collected and belonging to the data stream, as the sampling end time corresponding to the data stream.
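The network-device side of steps 201 and 202 as a worked example, added for illustration and not taken from the patent or from the assignee's implementation. It assumes a deterministic 1-in-N count-based sampler (as the text describes), timestamps in integer milliseconds, flows keyed by the 5-tuple, export of an sFlow message once a preset number of sampled packets has been collected, and the optional filter that only packets destined for the intranet are sampled; the packet class and record field names are this example's own. One caveat the text does not raise: a strictly periodic 1-in-N sampler is predictable, so an attacker who can observe or guess the counter phase could shape traffic to avoid being sampled. sFlow as specified in RFC 3176 selects packets randomly at the configured mean rate for that reason, and a production agent should randomize the sampling interval.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    """A received packet reduced to what the agent needs (constructed for this example)."""
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    length: int   # bytes on the wire
    ts_ms: int    # collection time in milliseconds (assumed clock unit)


def five_tuple(p: Packet) -> tuple:
    return (p.src, p.dst, p.proto, p.sport, p.dport)


class SflowAgent:
    """Samples 1 in every `sampling_rate` intranet-bound packets and aggregates the
    sampled packets per flow, recording the first and last collection times."""

    def __init__(self, sampling_rate: int, batch_size: int, intranet: str, key=five_tuple):
        if sampling_rate < 1 or batch_size < 1:
            raise ValueError("sampling_rate and batch_size must be >= 1")
        self.n = sampling_rate
        self.batch_size = batch_size
        self.intranet = ipaddress.ip_network(intranet)
        self.key = key
        self.seen = 0                        # packets eligible for sampling so far
        self.collected = 0                   # sampled packets in the current batch
        self.flows: Dict[tuple, dict] = {}   # flow identifier -> statistics record

    def receive(self, pkt: Packet) -> Optional[List[dict]]:
        """Process one packet. Returns the records for an sFlow message when the batch
        is complete (step 203 would encapsulate and send them), otherwise None."""
        if ipaddress.ip_address(pkt.dst) not in self.intranet:
            return None                      # only traffic toward the intranet is examined
        self.seen += 1
        if self.seen % self.n != 0:
            return None                      # not selected by the 1-in-N sampler
        self._collect(pkt)
        return self.export() if self.collected >= self.batch_size else None

    def _collect(self, pkt: Packet) -> None:
        k = self.key(pkt)
        rec = self.flows.get(k)
        if rec is None:
            # First sampled packet of this flow: its time is the sampling start time.
            self.flows[k] = {"flow": k, "sampling_rate": self.n, "sampled_packets": 1,
                             "sampled_bytes": pkt.length,
                             "start_time": pkt.ts_ms, "end_time": pkt.ts_ms}
        else:
            rec["sampled_packets"] += 1
            rec["sampled_bytes"] += pkt.length
            rec["end_time"] = pkt.ts_ms      # latest sampled packet so far is the end time
        self.collected += 1

    def export(self) -> List[dict]:
        """Hand over the current batch and start a new sampling round (steps 201 to 203 repeat)."""
        records = list(self.flows.values())
        self.flows, self.collected = {}, 0
        return records


def constructed_traffic() -> List[Packet]:
    """3000 small UDP packets toward 10.0.0.5 at 1 ms spacing, interleaved with replies
    leaving the intranet, which the agent must ignore."""
    pkts = []
    for i in range(3000):
        pkts.append(Packet("203.0.113.7", "10.0.0.5", 17, 53, 80, 64, i))
        pkts.append(Packet("10.0.0.5", "198.51.100.9", 6, 443, 51000, 1400, i))
    return pkts


def run_agent(pkts: List[Packet], sampling_rate: int = 1000, batch_size: int = 3) -> List[List[dict]]:
    """Feed the packets through an agent and collect every exported sFlow message's records."""
    agent = SflowAgent(sampling_rate, batch_size, "10.0.0.0/8")
    exports = []
    for p in pkts:
        out = agent.receive(p)
        if out is not None:
            exports.append(out)
    return exports


if __name__ == "__main__":
    for message in run_agent(constructed_traffic()):
        for rec in message:
            print(rec)
```

With this input the sampler picks the 1000th, 2000th and 3000th intranet-bound packets (collection times 999, 1999 and 2999 ms), so the single exported record reports 3 sampled packets of 192 bytes with start_time 999 and end_time 2999; the detection device would scale that to 3 × 1000 packets over 2 s, about 1500 packets per second. The outbound replies never enter the sampling counter.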
The network device encapsulates the data flow statistical information of each data flow, together with the sampling start time and sampling end time of each flow, into an sFlow message for subsequent transmission. In one implementation the sFlow message is a User Datagram Protocol (UDP) message. The sFlow message includes an sFlow data field, and the statistical information, sampling start time and sampling end time of each data flow are stored in that field.
Specifically, the sFlow data contains multiple Sample data entries, each of which records the statistical information of one data flow (its data flow statistics, sampling start time, sampling end time and so on), so the statistics of all collected data flows can be sent to the detection device in a single sFlow message. The Sample data format follows Request For Comments (RFC) 3176.
In the embodiment of the application, two fields are added to the Sample data defined in RFC 3176: a start_time field (the sampling start time) and an end_time field (the sampling end time). Both are int fields 4 bytes long. The start_time field records the collection time of the first packet of the flow (the sampling start time) and the end_time field records the collection time of the last packet (the sampling end time). The two fields may be placed at any position within the Sample data; the embodiment does not limit this.
Currently there are two sampling methods for sFlow messages: Flow sampling and Counter sampling. In the terminology of this application, Flow sampling collects 1 packet out of every N (N greater than 1) received packets, that is, the sampling frequency is greater than 1, and Counter sampling collects every received packet, that is, the sampling frequency equals 1. (In RFC 3176 itself, counter sampling denotes periodic polling of interface counters rather than collection of every packet; the definitions above are the patent's own.)
Table 1 shows an example of Sample data in an sFlow message based on Flow sampling, as provided in the embodiment of the application.
Table 1
[Table 1 is present on this page only as an image and is not reproduced here.]
Based on Table 1, fig. 3a provides a schematic diagram of an sFlow message based on Flow sampling according to an embodiment of the application.
As mentioned above, Counter sampling (in this application's terminology) collects every received packet, that is, the sampling frequency equals 1. Table 2 shows an example of Sample data in an sFlow message based on Counter sampling, as provided in the embodiment of the application.
Table 2
[Table 2 is present on this page only as an image and is not reproduced here.]
Based on Table 2, fig. 3b provides a schematic diagram of an sFlow message based on Counter sampling according to an embodiment of the application.
For the meaning of the fields in Table 1 and Table 2 other than start_time and end_time, refer to the existing RFC; they are not described in detail here. As shown above, this embodiment extends the existing sFlow message so that the extended message carries the sampling start time and sampling end time of each data flow. Based on the extended sFlow message, the scheme computes the transmission rate of each data flow accurately and identifies DDoS attack data flows by that rate, so attack flows are identified accurately and false alarms are avoided.
Optionally, the Flow sampling and the Counter sampling are examples of sampling manners provided in the embodiments of the present application, and other sampling manners may also be applied in the embodiments of the present application. The technician can configure the sampling mode needed to be used in the network according to the actual requirement.
Step 203, generating a sampling flow (sFlow) message and sending the sFlow message to the detection device.
The sFlow packet carries data flow statistical information of each data flow, and a sampling start time and a sampling end time of each data flow.
In this embodiment, the network device may encapsulate the data flow statistical information of each data flow, and the sampling start time and the sampling end time of each data flow, into an sFlow message, and then may send the sFlow message to the detection device. The sFlow message is encapsulated in UDP format, i.e. it is a UDP message. Specifically, the sFlow message includes an Ethernet header, an Internet Protocol (IP) header, a UDP header, and the sFlow data. As shown in Table 3, the format of the sFlow message may be as follows.
Table 3
Ethernet header | IP header | UDP header | sFlow data
As shown in fig. 4, the processing procedure of the detection device in the embodiment of the present application may specifically include the following steps.
Step 401, receiving an sFlow message sent by a network device.
In this embodiment, the detection device may receive an sFlow message sent by the network device. The sFlow packet carries data flow statistical information of each data flow, and a sampling start time and a sampling end time of each data flow.
After receiving the sFlow message, the detection device may analyze the sFlow message to obtain an sFlow data, where the sFlow data includes multiple Sample data (i.e., sampling data). Each Sample data is used to record statistical information (such as data stream statistical information, sampling start time and sampling end time, etc.) of one data stream. In this way, the detection device performs parsing through the sFlow message, and can obtain data flow statistical information of each data flow, and a sampling start time and a sampling end time of each data flow.
Step 402, for each data stream, determining a time interval between a sampling start time and a sampling end time corresponding to the data stream, and determining a transmission rate corresponding to the data stream according to data stream statistical information and the time interval of the data stream.
In the embodiment of the application, for each data stream, after the detection device obtains the sampling start time and the sampling end time corresponding to the data stream, the time interval between the sampling start time and the sampling end time may be calculated. For example, if the sampling start time is 10:00 and the sampling end time is 10:05, the time interval is 5 min. The detection device may calculate a transmission rate corresponding to the data stream according to the data stream statistics and the time interval of the data stream.
Optionally, the data flow statistical information may include the number of packets and/or the data volume of the packets in the data flow. Accordingly, the process of step 402 may include: for each data stream, determining the total number of packets of the data stream in the time interval according to the number of packets of the data stream and a preset sampling frequency, and determining the ratio of the total number of packets to the time interval to obtain the packet transmission rate corresponding to the data stream; and/or, for each data stream, determining the total packet data volume of the data stream in the time interval according to the packet data volume of the data stream and the preset sampling frequency, and determining the ratio of the total packet data volume to the time interval to obtain the bit transmission rate corresponding to the data stream.
In this embodiment of the application, the detection device may store a sampling frequency of the network device in advance, for example, the sampling frequency may be 1000, which means that 1 packet is collected in every 1000 packets. For each data stream, the detection device calculates the product of the number of packets of the data stream and a preset sampling frequency to obtain the total number of packets of the data stream in a time interval, and then, may calculate and determine the ratio of the total number of packets to the time interval to obtain the packet transmission rate corresponding to the data stream. The specific calculation formula may be as follows.
$$\mathrm{pps} = \frac{\mathrm{packets} \times \mathrm{sampling\_rate}}{\mathrm{end\_time} - \mathrm{start\_time}}$$
Here, packets is the number of packets of a certain data flow in the sFlow packet, sampling_rate is the sampling frequency, end_time is the sampling end time, start_time is the sampling start time, and pps is the packet transmission rate of the data flow.
In one example, the sampling mode is Flow sampling, the sampling frequency is 1000, packets is 5, the sampling start time is 10:00, the sampling end time is 10:05, and the packet transmission rate is 1000/min.
In another example, the sampling mode is Counter sampling, the sampling frequency is 1, the packets is 500, the sampling start time is 10:00, the sampling end time is 10:05, and the packet transmission rate is 100/min.
In addition, for each data stream, the detection device may further calculate a product of a packet data amount of the data stream and a preset sampling frequency to obtain a total packet data amount of the data stream in a time interval, and then may calculate a ratio of the total packet data amount to the time interval to obtain a bit transmission rate corresponding to the data stream. The specific calculation formula may be as follows.
$$\mathrm{bps} = \frac{\mathrm{octets} \times \mathrm{sampling\_rate}}{\mathrm{end\_time} - \mathrm{start\_time}}$$
Here, octets is the packet data volume of a certain data flow in the sFlow message, sampling_rate is the sampling frequency, end_time is the sampling end time, start_time is the sampling start time, and bps is the bit transmission rate of the data flow.
In one example, the sampling mode is Flow sampling, the sampling frequency is 1000, octets is 50kb, the sampling start time is 10:00, the sampling end time is 10:05, and the bit transmission rate is 10000 kb/min.
In another example, the sampling mode is Counter sampling, the sampling frequency is 1, octets is 5000kb, the sampling start time is 10:00, the sampling end time is 10:05, and the bit transmission rate is 1000 kb/min.
Step 403, for each data stream, if the transmission rate corresponding to the data stream exceeds a preset threshold, determining that the data stream is a DDOS attack data stream.
In this embodiment of the application, for each data stream, the detection device may determine whether a transmission rate corresponding to the data stream exceeds a preset threshold. If the transmission rate corresponding to the data stream exceeds a preset threshold value, determining that the data stream is a DDOS attack data stream; and if the transmission rate corresponding to the data stream does not exceed the preset threshold, determining that the data stream is not a DDOS attack data stream.
Optionally, when the data flow statistics information includes the number of packets and the data amount of the packets in the data flow, the transmission rate may include a packet transmission rate and a bit transmission rate, and accordingly, the processing procedure in step 403 may be as follows: and if the packet transmission rate corresponding to the data stream exceeds a first preset threshold value, or the bit transmission rate corresponding to the data stream exceeds a second preset threshold value, determining that the data stream is a DDOS attack data stream.
In this embodiment of the present application, a first preset threshold corresponding to a packet transmission rate and a second preset threshold corresponding to a bit transmission rate may be configured in the detection device. For each data stream, the detection device may determine whether a packet transmission rate corresponding to the data stream exceeds a first preset threshold and whether a bit transmission rate corresponding to the data stream exceeds a second preset threshold. And if the packet transmission rate corresponding to the data stream exceeds a first preset threshold value, or the bit transmission rate corresponding to the data stream exceeds a second preset threshold value, determining that the data stream is a DDOS attack data stream. And if the packet transmission rate corresponding to the data stream does not exceed the first preset threshold and the bit transmission rate corresponding to the data stream does not exceed the second preset threshold, determining that the data stream is not a DDOS attack data stream.
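The following is an added example, not code from the patent or from its assignee, that puts steps 201-203 (network device) and 401-403 (detection device) together: 1-in-N sampling with per-flow start_time/end_time tracking, a Sample-like record carrying the two added 4-byte int time fields, parsing of that record on the detection side, the pps and bps formulas above (with the interval in minutes, to match the worked figures on the page), and the two-threshold decision of step 403. The record layout, the IP addresses, the timestamps (constructed seconds since midnight, so 10:00 is 36000 and 10:05 is 36300), the thresholds and the function names are all assumptions made for the example; the layout is not the RFC 3176 Sample layout shown in the page's Table 1 and Table 2 images. It also handles the case the text does not mention: a flow for which only one packet was sampled has a zero interval, so no rate can be derived and the flow is reported rather than flagged.

```python
"""Added example (not the patent's own code): both halves of the scheme.

The record layout is a constructed, simplified stand-in for the Sample data
of the page's Table 1/Table 2; it is not the RFC 3176 layout. Timestamps are
constructed seconds-since-midnight values (10:00 -> 36000, 10:05 -> 36300).
"""
import socket
import struct

# Constructed record: src IPv4, dst IPv4, src port, dst port, protocol,
# packets, octets, sampling_rate, start_time, end_time (network byte order;
# the two time fields are 4-byte ints, as the page describes the added fields).
SAMPLE_FMT = "!4s4sHHBIIIII"
SAMPLE_LEN = struct.calcsize(SAMPLE_FMT)


def sample_packets(trace, sampling_rate):
    """Network device: keep 1 of every `sampling_rate` received packets (Flow
    sampling; sampling_rate == 1 is Counter sampling), group sampled packets by
    5-tuple, and keep the collection time of each flow's first/last sample."""
    flows = {}
    for idx, pkt in enumerate(trace):
        if idx % sampling_rate != 0:
            continue  # not selected by the 1-in-N sampler
        key = (pkt["src"], pkt["dst"], pkt["sport"], pkt["dport"], pkt["proto"])
        st = flows.setdefault(key, {"packets": 0, "octets": 0,
                                    "start_time": pkt["ts"], "end_time": pkt["ts"]})
        st["packets"] += 1
        st["octets"] += pkt["len"]
        st["start_time"] = min(st["start_time"], pkt["ts"])
        st["end_time"] = max(st["end_time"], pkt["ts"])
    return flows


def encode_sflow_data(flows, sampling_rate):
    """Serialize every per-flow record; the concatenation stands in for the
    sFlow data carried in one UDP message to the detection device."""
    out = b""
    for (src, dst, sport, dport, proto), st in flows.items():
        out += struct.pack(SAMPLE_FMT, socket.inet_aton(src), socket.inet_aton(dst),
                           sport, dport, proto, st["packets"], st["octets"],
                           sampling_rate, st["start_time"], st["end_time"])
    return out


def decode_sflow_data(data):
    """Step 401: parse the records; a payload that is not a whole number of
    records is rejected instead of being half-read."""
    if len(data) % SAMPLE_LEN != 0:
        raise ValueError("truncated or malformed sFlow data")
    records = []
    for off in range(0, len(data), SAMPLE_LEN):
        src, dst, sport, dport, proto, pk, oc, rate, t0, t1 = struct.unpack_from(
            SAMPLE_FMT, data, off)
        records.append({"flow": f"{socket.inet_ntoa(src)}:{sport}->"
                                f"{socket.inet_ntoa(dst)}:{dport}/{proto}",
                        "packets": pk, "octets": oc, "sampling_rate": rate,
                        "start_time": t0, "end_time": t1})
    return records


def compute_rates(packets, octets, sampling_rate, start_time, end_time):
    """Step 402: pps = packets*sampling_rate/interval, bps = octets*sampling_rate/
    interval, interval in minutes. A zero interval (only one packet of the flow
    was sampled) yields None instead of a division error."""
    interval_s = end_time - start_time
    if interval_s <= 0:
        return None
    minutes = interval_s / 60
    return packets * sampling_rate / minutes, octets * sampling_rate / minutes


def classify(record, pps_threshold, bps_threshold):
    """Step 403: flag the flow if either rate exceeds its preset threshold.
    A flow without a usable interval is reported with no rate and not flagged."""
    rates = compute_rates(record["packets"], record["octets"], record["sampling_rate"],
                          record["start_time"], record["end_time"])
    if rates is None:
        return {"pps": None, "bps": None, "attack": False}
    pps, bps = rates
    return {"pps": pps, "bps": bps, "attack": pps > pps_threshold or bps > bps_threshold}


def run_scheme(trace, sampling_rate, pps_threshold, bps_threshold):
    """End to end: the network device samples and encodes, the detection device
    decodes and classifies. Returns {5-tuple string: verdict}."""
    message = encode_sflow_data(sample_packets(trace, sampling_rate), sampling_rate)
    return {r["flow"]: classify(r, pps_threshold, bps_threshold)
            for r in decode_sflow_data(message)}


def make_trace():
    """Constructed trace: a flood-like flow (500 packets over 300 s), a quiet
    flow (5 packets over 4 min) and a flow seen once, all between 10:00 and 10:05."""
    trace = [{"src": "10.0.0.1", "dst": "10.0.0.9", "sport": 1234, "dport": 80,
              "proto": 17, "len": 10000, "ts": 36000 + (i * 300) // 499}
             for i in range(500)]
    trace += [{"src": "10.0.0.2", "dst": "10.0.0.9", "sport": 5555, "dport": 443,
               "proto": 6, "len": 100, "ts": 36000 + i * 60} for i in range(5)]
    trace.append({"src": "10.0.0.3", "dst": "10.0.0.9", "sport": 4000, "dport": 53,
                  "proto": 17, "len": 60, "ts": 36010})
    return trace


if __name__ == "__main__":
    # Counter sampling (rate 1), thresholds 50 packets/min and 100000 octets/min.
    for flow, verdict in run_scheme(make_trace(), 1, 50, 100000).items():
        print(flow, verdict)
```

With the constructed trace and Counter sampling, the 10.0.0.1 flow computes to 100 packets/min (the same figure as the page's second worked example) and is flagged; the 10.0.0.2 flow stays at 1.25 packets/min; the single-packet 10.0.0.3 flow has start_time equal to end_time and is reported without a rate. Feeding `compute_rates(5, 50, 1000, 36000, 36300)` reproduces the Flow sampling example (1000 packets/min and 10000 kb/min when octets is counted in kb).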
In this embodiment, the detection device may receive an sFlow packet sent by the network device, where the sFlow packet carries the data flow statistical information of each data flow, and the sampling start time and the sampling end time of each data flow. For each data stream, the detection device may determine the time interval between the sampling start time and the sampling end time corresponding to the data stream, and determine the transmission rate corresponding to the data stream according to the data stream statistical information of the data stream and the time interval. If the transmission rate corresponding to the data stream exceeds a preset threshold, the data stream is determined to be a DDOS attack data stream. Compared with the prior art, which raises a DDOS false alarm whenever the number of messages received within a preset statistical period is large, this scheme can accurately calculate the transmission rate corresponding to each data stream and then identify the DDOS attack data stream according to the transmission rate, so that the DDOS attack data stream is accurately identified and false alarms are avoided.
Based on the same technical concept, an embodiment of the present application further provides an apparatus for identifying a DDOS attack data stream, where the apparatus is applied to a detection device, and as shown in fig. 5, the apparatus includes:
a receiving module 510, configured to receive an sFlow packet sent by a network device, where the sFlow packet carries data flow statistics information of each data flow, and a sampling start time and a sampling end time of each data flow;
a first determining module 520, configured to determine, for each data stream, a time interval between a sampling start time and a sampling end time corresponding to the data stream, and determine a transmission rate corresponding to the data stream according to data stream statistics information and the time interval of the data stream;
a second determining module 530, configured to determine that the data stream is a DDOS attack data stream if a transmission rate corresponding to the data stream exceeds a preset threshold.
Optionally, the data flow statistical information includes the number of messages and/or the data volume of the messages in the data flow;
the first determining module 520 is specifically configured to:
determining the total number of packets of the data stream in the time interval according to the number of packets of the data stream and a preset sampling frequency, and determining the ratio of the total number of packets to the time interval to obtain the packet transmission rate corresponding to the data stream; and/or
determining the total packet data volume of the data stream in the time interval according to the packet data volume of the data stream and the preset sampling frequency, and determining the ratio of the total packet data volume to the time interval to obtain the bit transmission rate corresponding to the data stream.
Optionally, when the data flow statistics information includes the number of packets and the packet data amount in the data flow, the second determining module 530 is specifically configured to:
and if the packet transmission rate corresponding to the data stream exceeds a first preset threshold value, or the bit transmission rate corresponding to the data stream exceeds a second preset threshold value, determining that the data stream is a DDOS attack data stream.
Based on the same technical concept, an embodiment of the present application further provides an apparatus for identifying a DDOS attack data stream, where the apparatus is applied to a network device, and as shown in fig. 6, the apparatus includes:
the acquisition module 610 is configured to sample a received message according to a preset sampling strategy;
a determining module 620, configured to determine a data stream to which each acquired packet belongs, determine, for each data stream, data stream statistical information corresponding to the data stream according to the packet belonging to the data stream, determine, as a sampling start time corresponding to the data stream, a sampling time of a first acquired packet belonging to the data stream, and determine, as a sampling end time corresponding to the data stream, a sampling time of a last acquired packet belonging to the data stream;
a sending module 630, configured to generate a sFlow packet carrying the data flow statistical information of each data flow, and the sampling start time and the sampling end time of each data flow, and send the sFlow packet to a detection device.
In this embodiment, the detection device may receive an sFlow packet sent by the network device, where the sFlow packet carries the data flow statistical information of each data flow, and the sampling start time and the sampling end time of each data flow. For each data stream, the detection device may determine the time interval between the sampling start time and the sampling end time corresponding to the data stream, and determine the transmission rate corresponding to the data stream according to the data stream statistical information of the data stream and the time interval. If the transmission rate corresponding to the data stream exceeds a preset threshold, the data stream is determined to be a DDOS attack data stream. Compared with the prior art, which raises a DDOS false alarm whenever the number of messages received within a preset statistical period is large, this scheme can accurately calculate the transmission rate corresponding to each data stream and then identify the DDOS attack data stream according to the transmission rate, so that the DDOS attack data stream is accurately identified and false alarms are avoided.
The embodiment of the present application further provides a detection device, as shown in fig. 7, including a processor 701, a communication interface 702, a memory 703 and a communication bus 704, where the processor 701, the communication interface 702, and the memory 703 communicate with one another through the communication bus 704;
a memory 703 for storing a computer program;
the processor 701 is configured to implement the following steps when executing the program stored in the memory 703:
receiving an sFlow message sent by a network device, wherein the sFlow message carries data flow statistical information of each data flow, and sampling start time and sampling end time of each data flow;
determining a time interval between sampling start time and sampling end time corresponding to each data stream, and determining a transmission rate corresponding to the data stream according to data stream statistical information of the data stream and the time interval;
and if the transmission rate corresponding to the data stream exceeds a preset threshold value, determining that the data stream is a DDOS attack data stream.
Optionally, the data flow statistical information includes a message amount and/or a message data amount in the data flow;
determining the transmission rate corresponding to the data stream according to the data stream statistical information of the data stream and the time interval, including:
determining the total number of packets of the data stream in the time interval according to the number of packets of the data stream and a preset sampling frequency, and determining the ratio of the total number of packets to the time interval to obtain the packet transmission rate corresponding to the data stream; and/or
determining the total packet data volume of the data stream in the time interval according to the packet data volume of the data stream and the preset sampling frequency, and determining the ratio of the total packet data volume to the time interval to obtain the bit transmission rate corresponding to the data stream.
Optionally, when the data flow statistical information includes the number of packets in the data flow and the packet data volume, if the transmission rate corresponding to the data flow exceeds a preset threshold, determining that the data flow is a DDOS attack data flow, including:
and if the packet transmission rate corresponding to the data stream exceeds a first preset threshold value, or the bit transmission rate corresponding to the data stream exceeds a second preset threshold value, determining that the data stream is a DDOS attack data stream.
The embodiment of the present application further provides a network device, as shown in fig. 8, which includes a processor 801, a communication interface 802, a memory 803, and a communication bus 804, where the processor 801, the communication interface 802, and the memory 803 communicate with one another through the communication bus 804;
a memory 803 for storing a computer program;
the processor 801 is configured to implement the following steps when executing the program stored in the memory 803:
sampling the received message by a preset sampling strategy;
determining data streams to which the acquired messages belong, determining data stream statistical information corresponding to the data streams according to the messages belonging to the data streams for each data stream, determining the acquisition time of the first acquired message belonging to the data stream as the sampling start time corresponding to the data stream, and determining the acquisition time of the last acquired message belonging to the data stream as the sampling end time corresponding to the data stream;
and generating a sampling flow sFlow message carrying the data flow statistical information of each data flow and the sampling start time and the sampling end time of each data flow, and sending the sFlow message to a detection device.
The communication bus mentioned above for the detection device and the network device may be a Peripheral Component Interconnect (PCI) bus or an Extended Industry Standard Architecture (EISA) bus. The communication bus may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one thick line is shown, but this does not mean that there is only one bus or one type of bus.
The communication interface is used for communication between the detection device and the network device and other devices.
The Memory may include a Random Access Memory (RAM) or a Non-Volatile Memory (NVM), such as at least one disk Memory. Optionally, the memory may also be at least one memory device located remotely from the processor.
The processor may be a general-purpose processor, including a Central Processing Unit (CPU), a Network Processor (NP), and the like; it may also be a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component.
Based on the same technical concept, the embodiment of the present application further provides a computer-readable storage medium, where a computer program is stored in the computer-readable storage medium, and when the computer program is executed by a processor, the computer program implements the method steps performed by the detection device for identifying a DDOS attack data stream.
Based on the same technical concept, the embodiment of the present application further provides a computer program product containing instructions, which when run on a computer, causes the computer to execute the method steps performed by the detection device for identifying DDOS attack data streams.
Based on the same technical concept, embodiments of the present application further provide a computer-readable storage medium, where a computer program is stored in the computer-readable storage medium, and when the computer program is executed by a processor, the computer program implements the method steps performed by the network device for identifying a DDOS attack data stream.
Based on the same technical concept, embodiments of the present application also provide a computer program product including instructions, which when run on a computer, cause the computer to perform the method steps performed by the network device for identifying a DDOS attack data flow.
In the above embodiments, the implementation may be wholly or partially realized by software, hardware, firmware, or any combination thereof. When implemented in software, it may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer instructions are loaded and executed on a computer, the processes or functions described in accordance with the embodiments of the application are produced, in whole or in part. The computer may be a general purpose computer, a special purpose computer, a network of computers, or another programmable device. The computer instructions may be stored in a computer readable storage medium or transmitted from one computer readable storage medium to another, for example, from one website, computer, server, or data center to another website, computer, server, or data center via a wired (e.g., coaxial cable, optical fiber, Digital Subscriber Line (DSL)) or wireless (e.g., infrared, radio, microwave, etc.) link. The computer-readable storage medium can be any available medium that can be accessed by a computer, or a data storage device, such as a server or a data center, that incorporates one or more available media. The available medium may be a magnetic medium (e.g., floppy disk, hard disk, magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium (e.g., Solid State Disk (SSD)), among others.
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
All the embodiments in the present specification are described in a related manner, and the same and similar parts among the embodiments may be referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, as for the apparatus embodiment, since it is substantially similar to the method embodiment, the description is relatively simple, and for the relevant points, reference may be made to the partial description of the method embodiment.
The above description is only for the preferred embodiment of the present application, and is not intended to limit the scope of the present application. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present application are included in the protection scope of the present application.

Claims (12)

1. A method of identifying a distributed denial of service, DDOS, attack data flow, the method being applied to a detection device, the method comprising:
receiving a sampling flow sFlow message sent by a network device, wherein the sFlow message carries data flow statistical information of each data flow, and sampling start time and sampling end time of each data flow;
determining a time interval between sampling start time and sampling end time corresponding to each data stream, and determining a transmission rate corresponding to the data stream according to data stream statistical information of the data stream and the time interval;
and if the transmission rate corresponding to the data stream exceeds a preset threshold value, determining that the data stream is a DDOS attack data stream.
2. The method of claim 1, wherein the data flow statistics comprise a number of packets and/or an amount of packet data in a data flow;
determining the transmission rate corresponding to the data stream according to the data stream statistical information of the data stream and the time interval, including:
determining the total number of packets of the data stream in the time interval according to the number of packets of the data stream and a preset sampling frequency, and determining the ratio of the total number of packets to the time interval to obtain the packet transmission rate corresponding to the data stream; and/or
determining the total packet data volume of the data stream in the time interval according to the packet data volume of the data stream and the preset sampling frequency, and determining the ratio of the total packet data volume to the time interval to obtain the bit transmission rate corresponding to the data stream.
3. The method according to claim 2, wherein when the data flow statistics information includes a number of packets in a data flow and a packet data amount, the determining that the data flow is a DDOS attack data flow if a transmission rate corresponding to the data flow exceeds a preset threshold includes:
and if the packet transmission rate corresponding to the data stream exceeds a first preset threshold value, or the bit transmission rate corresponding to the data stream exceeds a second preset threshold value, determining that the data stream is a DDOS attack data stream.
4. A method of identifying a distributed denial of service, DDOS, attack data flow, the method being applied to a network device, the method comprising:
sampling the received message by a preset sampling strategy;
determining data streams to which the acquired messages belong, determining data stream statistical information corresponding to the data streams according to the messages belonging to the data streams for each data stream, determining the acquisition time of the first acquired message belonging to the data stream as the sampling start time corresponding to the data stream, and determining the acquisition time of the last acquired message belonging to the data stream as the sampling end time corresponding to the data stream;
generating a sampling flow sFlow message carrying the data flow statistical information of each data flow and the sampling start time and the sampling end time of each data flow, and sending the sFlow message to detection equipment so that the detection equipment calculates the transmission rate corresponding to the data flow according to the sampling flow sFlow message; and determining whether the data stream is a DDOS attack data stream or not according to the transmission rate corresponding to the data stream.
5. An apparatus for identifying a distributed denial of service (DDOS) attack data flow, the apparatus being applied to a detection device, the apparatus comprising:
the system comprises a receiving module, a sending module and a receiving module, wherein the receiving module is used for receiving a sampling flow sFlow message sent by network equipment, and the sFlow message carries data flow statistical information of each data flow as well as sampling starting time and sampling finishing time of each data flow;
a first determining module, configured to determine, for each data stream, a time interval between a sampling start time and a sampling end time corresponding to the data stream, and determine, according to data stream statistics information of the data stream and the time interval, a transmission rate corresponding to the data stream;
and the second determining module is used for determining that the data stream is a DDOS attack data stream if the transmission rate corresponding to the data stream exceeds a preset threshold value.
6. The apparatus of claim 5, wherein the data flow statistics comprise a number of packets and/or an amount of packet data in a data flow;
the first determining module is specifically configured to:
determining the total number of packets of the data stream in the time interval according to the number of packets of the data stream and a preset sampling frequency, and determining the ratio of the total number of packets to the time interval to obtain the packet transmission rate corresponding to the data stream; and/or
determining the total packet data volume of the data stream in the time interval according to the packet data volume of the data stream and the preset sampling frequency, and determining the ratio of the total packet data volume to the time interval to obtain the bit transmission rate corresponding to the data stream.
7. The apparatus according to claim 6, wherein when the data flow statistics information includes a packet amount and a packet data amount in a data flow, the second determining module is specifically configured to:
and if the packet transmission rate corresponding to the data stream exceeds a first preset threshold value, or the bit transmission rate corresponding to the data stream exceeds a second preset threshold value, determining that the data stream is a DDOS attack data stream.
8. An apparatus for identifying a distributed denial of service (DDOS) attack data flow, the apparatus being applied to a network device, the apparatus comprising:
the acquisition module is used for sampling the received message through a preset sampling strategy;
the determining module is used for determining the data stream to which each acquired message belongs, determining, for each data stream, the data stream statistical information corresponding to the data stream according to the messages belonging to the data stream, determining the acquisition time of the first acquired message belonging to the data stream as the sampling start time corresponding to the data stream, and determining the acquisition time of the last acquired message belonging to the data stream as the sampling end time corresponding to the data stream;
the sending module is used for generating a sampling flow sFlow message carrying the data flow statistical information of each data flow and the sampling start time and the sampling end time of each data flow, and sending the sFlow message to the detection equipment so that the detection equipment can calculate the transmission rate corresponding to the data flow according to the sampling flow sFlow message; and determining whether the data stream is a DDOS attack data stream or not according to the transmission rate corresponding to the data stream.
9. A detection device, comprising a processor, a communication interface, a memory and a communication bus, wherein the processor, the communication interface and the memory communicate with one another through the communication bus;
the memory is configured to store a computer program; and
the processor is configured to implement the method steps of any one of claims 1 to 3 when executing the program stored in the memory.
10. A computer-readable storage medium, characterized in that a computer program is stored in the computer-readable storage medium, which computer program, when being executed by a processor, carries out the method steps of any one of the claims 1-3.
11. A network device, comprising a processor, a communication interface, a memory and a communication bus, wherein the processor, the communication interface and the memory communicate with one another through the communication bus;
the memory is configured to store a computer program; and
the processor is configured to implement the method steps of claim 4 when executing the program stored in the memory.
12. A computer-readable storage medium, in which a computer program is stored which, when being executed by a processor, carries out the method steps of claim 4.
CN201910610981.4A 2019-07-08 2019-07-08 Method and device for identifying DDOS attack data stream Active CN110266726B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910610981.4A CN110266726B (en) 2019-07-08 2019-07-08 Method and device for identifying DDOS attack data stream

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910610981.4A CN110266726B (en) 2019-07-08 2019-07-08 Method and device for identifying DDOS attack data stream

Publications (2)

Publication Number Publication Date
CN110266726A CN110266726A (en) 2019-09-20
CN110266726B true CN110266726B (en) 2021-07-20

Family

ID=67924990

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910610981.4A Active CN110266726B (en) 2019-07-08 2019-07-08 Method and device for identifying DDOS attack data stream

Country Status (1)

Country Link
CN (1) CN110266726B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113132262B (en) * 2020-01-15 2024-05-03 Alibaba Group Holding Ltd Data stream processing and classifying method, device and system
CN112511383A (en) * 2020-11-26 2021-03-16 Hangzhou DPtech Information Technology Co., Ltd Network traffic monitoring method and device
CN113992421B (en) * 2021-11-03 2023-08-29 Beijing Topsec Network Security Technology Co., Ltd Message processing method and device and electronic equipment

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102891829A (en) * 2011-07-18 2013-01-23 Aisino Corporation Method and system for detecting and defending distributed denial of service attack
CN106341418A (en) * 2016-10-08 2017-01-18 Institute of Information Engineering, Chinese Academy of Sciences Domain name system (DNS) distributed reflection denial of service attack (DRDoS) detection and defense methods and systems
US9781157B1 (en) * 2013-07-16 2017-10-03 Go Daddy Operating Company, LLC Mitigating denial of service attacks
CN107800668A (en) * 2016-09-05 2018-03-13 Huawei Technologies Co., Ltd Distributed denial of service attack defense method, apparatus and system
CN108282497A (en) * 2018-04-28 2018-07-13 University of Electronic Science and Technology of China DDoS attack detection method for SDN control plane
CN108390856A (en) * 2018-01-12 2018-08-10 Beijing QIYI Century Science and Technology Co., Ltd DDoS attack detection method, device and electronic equipment
CN109936557A (en) * 2018-11-12 2019-06-25 Zhejiang Gongshang University Method and system for defending against DDoS (Distributed Denial of Service) attacks using sFlow in the ForCES framework

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Detection of DDoS attacks and flash crowd events based on flow features in SDN; Jiang Wenti et al.; Journal of Chongqing University of Posts and Telecommunications (Natural Science Edition); 2019-06-15; full text *

Also Published As

Publication number Publication date
CN110266726A (en) 2019-09-20

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant