CN110798426A - Method and system for detecting flood DoS attack behavior and related components - Google Patents


Info

Publication number: CN110798426A
Authority: CN (China)
Prior art keywords: preset value, flow, dos, flood, traffic
Legal status: Pending (the legal status is an assumption and is not a legal conclusion)
Application number: CN201810864643.9A
Other languages: Chinese (zh)
Inventors: 孟翔, 刘伯仲
Current assignee: Sangfor Technologies Co Ltd
Original assignee: Sangfor Technologies Co Ltd
Application filed by Sangfor Technologies Co Ltd
Priority to CN201810864643.9A
Publication of CN110798426A

Classifications

    • H04L 63/1416 Event detection, e.g. attack signature detection (under H04L 63/1408, detecting or protecting against malicious traffic by monitoring network traffic)
    • H04L 43/16 Threshold monitoring (under H04L 43/00, arrangements for monitoring or testing data switching networks)
    • H04L 63/1425 Traffic logging, e.g. anomaly detection (under H04L 63/1408, detecting or protecting against malicious traffic by monitoring network traffic)
    • H04L 63/1458 Denial of Service (under H04L 63/1441, countermeasures against malicious traffic)

Abstract

The application discloses a method for detecting a flood DoS attack behavior, which comprises the steps of generating a network traffic set corresponding to the intranet host traffic in a target time period; judging whether the connection frequency of the network traffic set is greater than a first preset value; if yes, obtaining difference data according to the traffic characteristics of the network traffic set; judging whether the similarity between all the flows in the difference data is greater than a second preset value; and if so, judging that a flood DoS attack behavior is detected. The method can reduce the dependence on a training set and improve the accuracy of flood DoS detection. The application also discloses a detection system for the flood DoS attack behavior, a computer readable storage medium and a detection device for the flood DoS attack behavior, which have the same beneficial effects.

Description

Method and system for detecting flood DoS attack behavior and related components
Technical Field
The invention relates to the technical field of network security, in particular to a method and a system for detecting a flood DoS attack behavior, a computer readable storage medium and a device for detecting the flood DoS attack behavior.
Background
DoS (Denial of Service) is an attack whose aim is to prevent a computer or network from providing its normal service. The longer an attacker is left unhindered by the defender, the more likely it is that the target's computer or network service will go down.
The purpose of a DoS attack is generally to prevent the attacked object (a computer or network) from providing its proper service. Common DoS attacks fall into two types: network bandwidth attacks and connectivity attacks. Bandwidth attacks mainly use extremely large traffic volumes to hit the network, consuming network resources until the network becomes unusable. There are many kinds of DoS attacks, mainly Land-type, Smurf-type and flood-type DoS attacks. A flood DoS attack hits the computer with a large number of connection requests and consumes the operating system resources available to it, so that the computer can no longer respond normally to user requests and the host and the network are seriously harmed.
In the prior art, network traffic containing DoS traffic is mainly used as a training set, a detection model for DoS traffic is obtained by machine learning, and host traffic is then checked against that model; examples are a detection scheme based on entropy and DBSCAN and a detection scheme based on PCA + DBSCAN + HMM. The PCA + DBSCAN + HMM scheme, for example, works as follows: the traffic in a fixed time window containing DoS traffic is collected as the training set, and 8 basic features are extracted to form the corresponding feature vectors. The feature vectors are then reduced in dimension with PCA. DBSCAN is then used for clustering to obtain the category of each flow. Finally an HMM is built, with the PCA features of each packet as the observed sequence and the DBSCAN class of each packet as the hidden sequence. For new data, the features are used directly as the known conditions, fed into the HMM, and the classification result is solved, giving the final result for each flow. This scheme only decides whether each flow is DoS or not and ignores the other characteristics of DoS. Because the features a training set can provide in such model-training approaches are very limited, they suffer from high dependence on the training set and a high false-alarm rate.
Therefore, how to reduce the dependence on the training set and improve the accuracy of flood DoS detection is a technical problem that needs to be solved by those skilled in the art.
Disclosure of Invention
The application aims to provide a method and a system for detecting a flood DoS attack behavior, a computer readable storage medium and a device for detecting the flood DoS attack behavior, which can reduce the dependence on a training set and improve the accuracy of the flood DoS detection.
In order to solve the above technical problem, the present application provides a method for detecting a flood DoS attack behavior, where the method includes:
generating a network flow set corresponding to the intranet host flow in the target time period;
judging whether the connection frequency of the network traffic set is greater than a first preset value;
if yes, obtaining difference data according to the flow characteristics of the network flow set;
judging whether the similarity between all the flows in the difference data is greater than a second preset value or not; and if so, judging that the flood DoS attack behavior is detected.
Optionally, judging whether the similarity between all the flows in the difference data is greater than a second preset value and, if so, judging that the flood DoS attack behavior is detected comprises the following steps:
removing outliers in the differential data to obtain data to be clustered;
performing clustering operation on the data to be clustered to obtain a DoS clustering result;
judging whether the similarity between all the flows in the DoS clustering result is greater than the second preset value or not;
and if so, judging that the flood DoS attack behavior is detected.
Optionally, the performing a clustering operation on the data to be clustered to obtain a DoS clustering result includes:
performing a binary clustering operation on the data to be clustered to obtain a first clustering result and a second clustering result, and setting whichever of the two contains the larger number of flows as the DoS clustering result.
Optionally, the generating a network traffic set corresponding to the intranet host traffic in the target time period includes:
dividing the target time period into a preset number of time windows;
and generating a preset number of network flow sets corresponding to the time window according to the intranet host flow of the target time period.
Optionally, the obtaining of the difference data according to the traffic characteristics of the network traffic set includes:
judging whether the number of the continuous suspicious time windows is larger than a third preset value or not; wherein the suspicious time window is a time window in which the connection frequency is greater than the first preset value;
if yes, obtaining difference data according to the flow characteristics of the network flow set; wherein the traffic characteristics include a timestamp and/or an uplink and downlink traffic size.
The application also provides a detection system for the flood DoS attack behavior, which comprises:
the flow set generating module is used for generating a network flow set corresponding to the intranet host flow in the target time period;
the frequency judgment module is used for judging whether the connection frequency of the network traffic set is greater than a first preset value or not;
the difference data acquisition module is used for acquiring difference data according to the flow characteristics of the network flow set when the connection frequency is greater than the first preset value;
the similarity judging module is used for judging whether the similarity between all the flows in the difference data is greater than a second preset value or not; and if so, judging that the flood DoS attack behavior is detected.
Optionally, the similarity determining module includes:
the outlier removing unit is used for removing outliers in the differential data to obtain data to be clustered;
the clustering unit is used for carrying out clustering operation on the data to be clustered to obtain a DoS clustering result;
the judging unit is used for judging whether the similarity between all the flows in the DoS clustering result is greater than the second preset value or not;
and the result output unit is used for judging that the flood DoS attack behavior is detected when the similarity is greater than the second preset value.
Optionally, the clustering unit is specifically configured to perform a binary clustering operation on the data to be clustered to obtain a first clustering result and a second clustering result, and to set whichever of the two contains the larger number of flows as the DoS clustering result.
Optionally, the flow set generating module includes:
the time window dividing unit is used for dividing the target time period into a preset number of time windows;
and the set generating unit is used for generating a preset number of network flow sets corresponding to the time window according to the intranet host flow of the target time period.
Optionally, the difference data acquiring module includes:
the continuity judging unit is used for judging whether the number of continuous suspicious time windows is larger than a third preset value or not; wherein the suspicious time window is a time window in which the connection frequency is greater than the first preset value;
a data obtaining unit, configured to obtain difference data according to traffic characteristics of the network traffic set when the number of consecutive suspicious time windows is greater than the third preset value; wherein the traffic characteristics include a timestamp and/or an uplink and downlink traffic size.
The application also provides a computer readable storage medium, on which a computer program is stored, and when the computer program is executed, the steps executed by the method for detecting the flood DoS attack behavior are realized.
The application also provides a detection device of the flood DoS attack behavior, which comprises a memory and a processor, wherein the memory stores a computer program, and the processor realizes the execution of the detection method of the flood DoS attack behavior when calling the computer program in the memory.
The invention provides a method for detecting a flood DoS attack behavior, which comprises the steps of generating a network flow set corresponding to intranet host flow in a target time period; judging whether the connection frequency of the network traffic set is greater than a first preset value; if yes, obtaining difference data according to the flow characteristics of the network flow set; judging whether the similarity between all the flows in the difference data is greater than a second preset value or not; and if so, judging that the flood DoS attack behavior is detected.
A flood DoS has the characteristics of high frequency and high flow similarity, so the host traffic is first judged by its connection frequency: if the connection frequency within a certain time is greater than a preset value, the corresponding host traffic in that time can be considered suspected of being under a flood DoS attack, since it shows the high-frequency characteristic of a flood DoS. Feature extraction based on traffic features is then performed on the suspected host traffic and the similarity of the flows in the extraction result is compared; if the similarity is greater than a second preset value, the host traffic shows the high-flow-similarity characteristic of a flood DoS. Host traffic that shows both the high-frequency and the high-similarity characteristics of a flood DoS, which normal host traffic without a flood DoS does not show, can at that point be judged to contain a flood DoS attack behavior. Furthermore, the detection does not rely on a detection model trained from a training set, but examines the host traffic for the most basic common characteristics of a flood DoS, so the dependence on the training set can be reduced and the accuracy of flood DoS detection improved. Furthermore, the method and the device can judge whether the network traffic set is suspected of a flood DoS attack behavior by judging whether the number of consecutive time windows whose connection frequency exceeds the first preset value is greater than a third preset value, so that the continuity characteristic of the flood DoS attack behavior is also tested and the detection accuracy is improved.
The application also provides a detection system for the flood DoS attack behavior, a computer readable storage medium and a detection device for the flood DoS attack behavior, which have the same beneficial effects and are not repeated here.
Drawings
In order to more clearly illustrate the embodiments of the present application, the drawings needed for the embodiments will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present application, and that other drawings can be obtained by those skilled in the art without inventive effort.
Fig. 1 is a flowchart of a method for detecting a flood DoS attack behavior according to an embodiment of the present application;
fig. 2 is a flowchart of another method for detecting a flood DoS attack behavior according to an embodiment of the present application;
fig. 3 is a schematic overall flow chart of the method for detecting a flood DoS attack behavior according to the embodiment of the present application;
fig. 4 is a schematic structural diagram of a system for detecting a flood DoS attack behavior according to an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present application clearer, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are some embodiments of the present application, but not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
Referring to fig. 1, fig. 1 is a flowchart of a method for detecting a flood DoS attack behavior according to an embodiment of the present application.
The specific steps may include:
S101: generating a network traffic set corresponding to the intranet host traffic in the target time period;
all the intranet host traffic acquired in this step can be obtained by collecting the traffic at the core switch. It can be understood that there may be many intranet host traffic flows in the target time period, and the purpose of this step is to extract data from them to obtain a network traffic set. The network traffic set comprises the characteristic information of each host flow: source IP address, destination IP address, source port, destination port, protocol state, uplink traffic size, downlink traffic size, timestamp, number of connections, and the like.
It should be noted that the target time period corresponding to the network traffic set in this step is set by a technician according to the actual application environment of the present solution, and its duration is not specifically limited here. However, to keep the accuracy of the present solution in detecting intranet host traffic high enough, the target time period should not be too short; as a preferred embodiment, for example, the target time period is 1 hour long.
It should also be noted that, after the network traffic set is obtained in this step, the data in the set may be preprocessed for convenience: some information that identifies a flow, such as the source IP address and the destination IP address, is combined into a key, and the flow data sharing the same key is aggregated together. For example, taking source IP address 1.1.1.1, destination IP address 2.2.2.2, destination port 80 and protocol tcp as the preset conditions, all flows meeting these conditions are extracted, so that one key is (1.1.1.1, 2.2.2.2, 80, tcp).
S102: judging whether the connection frequency of the network traffic set is greater than a first preset value; if yes, entering S103; if not, ending the flow;
it should be noted that, here, the main body to which the connection frequency belongs is not limited, that is, the connection frequency here may be a connection frequency for connecting the source IP address to the destination IP address, or a connection frequency related to a port or a protocol. And as long as a certain connection frequency is greater than a first preset value, the flow in the network flow set is proved to conform to the high-frequency characteristic of the flood DoS. It can be understood that the first preset value, which is a criterion for evaluating whether the connection frequency reaches the high frequency, is flexibly set by a technician according to different application scenarios, different application time periods, and other environmental factors, and is not specifically limited herein.
S103: acquiring difference data according to the flow characteristics of the network flow set;
Given that S102 has judged the network traffic set to conform to the high-frequency characteristic, the network traffic can be considered suspected of containing a flood DoS attack, so difference data is obtained from the traffic characteristics of the network traffic set in order to compare similarity on that difference data.
It should be noted that the network traffic set may include several traffic features, such as timestamps or uplink and downlink traffic sizes, and in this step the difference data may be obtained from a single traffic feature or from several traffic features. Of course, the more traffic features are used to obtain the difference data, the higher the accuracy of detecting the flood DoS attack behavior in this embodiment; a technician may select which traffic features to derive the difference data from according to the specific implementation of the scheme.
S104: judging whether the similarity between all the flows in the difference data is greater than a second preset value or not; if yes, entering S105; if not, the flow is ended.
The purpose of this step is to determine whether the intranet host traffic conforms to the characteristic of high similarity, specifically, by comparing the similarities between all the traffic in the differential data, and if the similarity is greater than a second preset value, it indicates that the host traffic has the characteristic of high traffic similarity of the flood DoS, and further, it may be determined that the flood DoS attack behavior is detected.
It should be noted that, since detecting the connection frequency is simpler than detecting the similarity, in this embodiment the connection frequency of the network traffic set is checked first and the similarity second, so that detection is more efficient. Of course, the similarity detection and the connection frequency detection may also be performed in the opposite order, but the efficiency is then lower than in the present embodiment.
S105: and judging that the flood DoS attack behavior is detected.
The flood DoS has the characteristics of high frequency and high flow similarity, so that the host flow is judged according to the connection frequency, if the connection frequency is greater than a preset value in a certain time, the corresponding host flow in the certain time can be considered to be suspected of receiving the attack of the flood DoS, and the host flow has the high-frequency characteristic of the flood DoS. And then, performing feature extraction based on flow features on the suspected host flow, comparing the similarity of each flow in the feature extraction result, and if the similarity is greater than a second preset value, indicating that the host flow has the characteristic of high flow similarity of the flood DoS. The host flow has the characteristics of high frequency and high flow similarity of the flood DoS, and the normal host flow without the flood DoS does not have the characteristics, so that the detection of the attack behavior of the flood DoS can be judged at the moment. Furthermore, because the embodiment does not rely on the detection model trained by the training set to detect the attack behavior of the flood DoS, but detects the host traffic from the most basic common characteristics of the flood DoS, the dependence on the training set can be reduced, and the accuracy of the flood DoS detection can be improved.
Referring to fig. 2, fig. 2 is a flowchart of another method for detecting a flood DoS attack behavior according to an embodiment of the present application.
The specific steps may include:
S201: dividing a target time period into a preset number of time windows;
this embodiment further optimizes the previous one: the target time period is first divided into a preset number of time windows so that the persistence check of S204 can be performed. In this step a short time span may be used as a time window (e.g., 10 minutes), and whether the connection frequency meets a certain condition is determined from the corresponding characteristic of the traffic within the time window. If the condition is satisfied, the high-frequency characteristic is present.
It will be appreciated that the purpose of this step is to break the target time period into parts, converting it into a plurality of time windows; as a preferred embodiment, each time window has the same duration.
S202: and generating a preset number of network flow sets corresponding to the time window according to the intranet host flow of the target time period.
The intranet host traffic corresponds to a target time period, and the target time period is divided into a preset number of time windows in the previous step, so that a network traffic set corresponding to each time window is generated in the step. The network traffic set in this embodiment is equivalent to a part of the network traffic set in the previous embodiment, that is, the whole of the preset number of network traffic sets in this embodiment is the network traffic set in the previous embodiment.
S203: judging whether the connection frequency of the network flow set is greater than a first preset value or not; if yes, entering S204; if not, ending the flow;
in S201, the target time period has been divided into a plurality of time windows, so in this step, it is actually determined whether the connection frequency of the network traffic set corresponding to each time window is greater than a first preset value.
S204: judging whether the number of the continuous suspicious time windows is larger than a third preset value or not; if yes, go to S205; if not, ending the flow;
wherein a suspicious time window is a time window in which the connection frequency is greater than the first preset value. After the number of connections within a single time window has been checked in S203, a persistence check is performed: it is determined whether the connection frequency of a plurality of consecutive time windows is greater than the first preset value, and if the number of such consecutive windows is greater than a third preset value, the continuity is verified, meaning that the intranet host traffic also conforms to the continuity characteristic of a flood DoS;
S205: acquiring difference data according to the traffic characteristics of the network traffic set; wherein the traffic characteristics include a timestamp and/or an uplink and downlink traffic size;
S206: removing outliers from the difference data to obtain data to be clustered;
here an outlier rejection algorithm (isolation forest, Local Outlier Factor (LOF), etc.) may be used to remove outliers from the difference data so as to improve the detection accuracy of the embodiment.
S207: executing binary clustering operation on data to be clustered to obtain a first clustering result and a second clustering result, and setting a result with a larger flow number in the first clustering result and the second clustering result as the DoS clustering result;
the binary clustering operation (such as k-means clustering, hierarchical clustering, etc.) divides the data to be clustered into two classes, one being the DoS clustering result and the other the non-DoS clustering result, and judging the similarity only on the DoS clustering result improves the detection accuracy. Because the operation is performed on data to be clustered that was derived from the difference data of suspected traffic, the cluster returned as the DoS clustering result contains far more flows than the non-DoS cluster.
A cluster consists of several patterns; a pattern is usually a vector of measures, or a point in a multidimensional space. Clustering is based on similarity: patterns within one cluster are more similar to each other than to patterns in other clusters.
S208: judging whether the similarity between all the flows in the DoS clustering result is greater than the second preset value or not; if yes, go to S209; if not, the flow is ended.
S209: and judging that the flood DoS attack behavior is detected.
Referring to fig. 3, fig. 3 is a schematic overall flow chart of the method for detecting a flood DoS attack behavior according to the embodiment of the present application, and the embodiment may also perform the operation in this step after performing the preprocessing on the network traffic set. Fig. 3 illustrates a key obtained by preprocessing data, where sip is a source IP address, dip is a destination IP address, req is a request packet length, rep is a response packet length, and ts is a timestamp.
The embodiment detects the intranet host flow based on the three characteristics of high frequency, continuity and flow similarity of the flood DoS attack behavior, is easy for engineering realization, does not need to depend on a training set training detection model, and has relatively good flood DoS detection accuracy. In addition, the embodiment has good expansibility, namely, the ideas can be realized through other schemes. For example, the size of the time window may be varied to detect; for example, the length of time that the detection persists may be varied; for example, similarity may be detected in a plurality of classes (e.g., three or four classes).
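The S201 to S209 pipeline above, as an added example (not the patent's own code): one aggregation key is checked for high frequency over consecutive windows, difference data is built from timestamps and up/down sizes, outliers are dropped, the larger of two k-means clusters is kept, and its similarity is compared with the second preset value. The flow record layout, the IQR outlier filter, the 2-means seeding, the coefficient-of-variation similarity score, the sample traffic and every threshold value are assumptions made here.

```python
"""Added example, not the patent's code: stdlib-only sketch of the windowed
flood-DoS check of S201-S209. Record layout, IQR filter, 2-means, the
coefficient-of-variation similarity score and all thresholds are assumptions."""
from statistics import mean, pstdev
from typing import List, Tuple

# One flow record (assumed layout): sip, dip, dport, proto, timestamp_s, up_bytes, down_bytes
Flow = Tuple[str, str, int, str, float, int, int]
Key = Tuple[str, str, int, str]


def key_of(f: Flow) -> Key:
    """Aggregation key (sip, dip, dport, proto), as in the S101 preprocessing."""
    return f[0], f[1], f[2], f[3]


def split_windows(flows: List[Flow], start: float, length: float, n: int) -> List[List[Flow]]:
    """S201/S202: split the target period into n equal time windows."""
    w = length / n
    windows: List[List[Flow]] = [[] for _ in range(n)]
    for f in flows:
        idx = int((f[4] - start) // w)
        if 0 <= idx < n:
            windows[idx].append(f)
    return windows


def max_consecutive_suspicious(windows: List[List[Flow]], key: Key, first_preset: int) -> int:
    """S203/S204: a window is suspicious when its connection count for `key`
    exceeds the first preset value; return the longest run of such windows."""
    best = run = 0
    for win in windows:
        count = sum(1 for f in win if key_of(f) == key)
        run = run + 1 if count > first_preset else 0
        best = max(best, run)
    return best


def difference_data(flows: List[Flow], key: Key) -> List[List[float]]:
    """S205: one vector per flow of `key`: [inter-arrival delta, up bytes, down bytes]."""
    sel = sorted((f for f in flows if key_of(f) == key), key=lambda f: f[4])
    return [[b[4] - a[4], float(b[5]), float(b[6])] for a, b in zip(sel, sel[1:])]


def drop_outliers(points: List[List[float]], k: float = 1.5) -> List[List[float]]:
    """S206: per-dimension IQR filter (a stand-in for isolation forest / LOF)."""
    keep = [True] * len(points)
    for d in range(len(points[0])):
        col = sorted(p[d] for p in points)
        q1, q3 = col[len(col) // 4], col[(3 * len(col)) // 4]
        lo, hi = q1 - k * (q3 - q1), q3 + k * (q3 - q1)
        for i, p in enumerate(points):
            if not lo <= p[d] <= hi:
                keep[i] = False
    return [p for p, ok in zip(points, keep) if ok]


def two_means(points: List[List[float]], iters: int = 20) -> List[List[float]]:
    """S207: binary k-means; the larger of the two clusters is the DoS cluster."""
    centres = [list(min(points)), list(max(points))]  # lexicographic extremes as seeds
    groups: List[List[List[float]]] = [[], []]
    for _ in range(iters):
        groups = [[], []]
        for p in points:
            dist = [sum((a - b) ** 2 for a, b in zip(p, c)) for c in centres]
            groups[dist.index(min(dist))].append(p)
        centres = [[mean(col) for col in zip(*g)] if g else c for g, c in zip(groups, centres)]
    return max(groups, key=len)


def similarity(points: List[List[float]]) -> float:
    """S208 score in [0, 1]: 1 minus the mean coefficient of variation over the
    dimensions, so identical flows score 1.0 (assumed measure, not the patent's)."""
    cvs = []
    for col in zip(*points):
        m = mean(col)
        cvs.append(pstdev(col) / m if m else 0.0)
    return max(0.0, 1.0 - mean(cvs))


def detect_flood_dos(flows: List[Flow], key: Key, start: float, length: float, n_windows: int,
                     first_preset: int, second_preset: float, third_preset: int) -> bool:
    """Full S201-S209 pipeline for one aggregation key."""
    windows = split_windows(flows, start, length, n_windows)
    if max_consecutive_suspicious(windows, key, first_preset) <= third_preset:
        return False  # neither high frequency nor continuity: stop early
    diff = difference_data(flows, key)
    if len(diff) < 4:
        return False
    to_cluster = drop_outliers(diff)
    if not to_cluster:
        return False
    return similarity(two_means(to_cluster)) > second_preset


def constructed_sample() -> List[Flow]:
    """Constructed sample traffic (not captured data): 40 minutes of one flow per
    second with identical sizes towards 10.0.0.8:80, plus sparse, varied benign flows."""
    flows: List[Flow] = [("10.0.0.5", "10.0.0.8", 80, "tcp", float(i), 60, 0) for i in range(2400)]
    flows += [("10.0.0.7", "10.0.0.8", 443, "tcp", 290.0 * i + 3 * i * i, 500 + 300 * i,
               4000 + 900 * (i % 5)) for i in range(12)]
    return flows
```

With a 1 hour period split into six 10 minute windows, a first preset value of 100 connections, a third preset value of 2 windows and a second preset value of 0.8, the flood key is flagged and the benign key is rejected at the frequency stage.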
Referring to fig. 4, fig. 4 is a schematic structural diagram of a system for detecting a flood DoS attack behavior according to an embodiment of the present application;
the detection system may include:
a traffic set generating module 100, configured to generate a network traffic set corresponding to the intranet host traffic in a target time period;
a frequency judging module 200, configured to judge whether a connection frequency of the network traffic set is greater than a first preset value;
a difference data obtaining module 300, configured to obtain difference data according to a traffic characteristic of the network traffic set when the connection frequency is greater than the first preset value;
a similarity determination module 400, configured to determine whether similarity between all flows in the difference data is greater than a second preset value; and if so, judging that the flood DoS attack behavior is detected.
Optionally, the similarity determining module 400 includes:
the outlier removing unit is used for removing outliers in the differential data to obtain data to be clustered;
the clustering unit is used for carrying out clustering operation on the data to be clustered to obtain a DoS clustering result;
the judging unit is used for judging whether the similarity between all the flows in the DoS clustering result is greater than the second preset value or not;
and the result output unit is used for judging that the flood DoS attack behavior is detected when the similarity is greater than the second preset value.
Optionally, the clustering unit includes a unit that specifically performs a binary clustering operation on the data to be clustered to obtain a first clustering result and a second clustering result, and sets a result with a larger number of flows in the first clustering result and the second clustering result as the DoS clustering result.
Optionally, the traffic set generating module 100 includes:
the time window dividing unit is used for dividing the target time period into a preset number of time windows;
and the set generating unit is used for generating a preset number of network flow sets corresponding to the time window according to the intranet host flow of the target time period.
Optionally, the difference data obtaining module 300 includes:
the continuity judging unit is used for judging whether the number of continuous suspicious time windows is larger than a third preset value or not; wherein the suspicious time window is a time window in which the connection frequency is greater than the first preset value;
a data obtaining unit, configured to obtain difference data according to traffic characteristics of the network traffic set when the number of consecutive suspicious time windows is greater than the third preset value; wherein the traffic characteristics include a timestamp and/or an uplink and downlink traffic size.
Since the embodiment of the system part corresponds to the embodiment of the method part, the embodiment of the system part is described with reference to the embodiment of the method part, and is not repeated here.
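The pipeline the modules above describe (time-window division, the connection-frequency and continuity checks, difference data from timestamps and uplink/downlink sizes, outlier removal, binary clustering, and a similarity test on the larger cluster), as an added worked example that is not the patent's own code. The outlier criterion, the 2-means seeding, the similarity measure, the threshold values and the sample flows are all assumptions made for the illustration.

```python
from statistics import median

def split_windows(flows, period_start, period_end, window_ms):
    """Divide the target period into equal time windows and bucket flows (sip, dip, req, rep, ts_ms) by ts."""
    n = (period_end - period_start) // window_ms
    windows = [[] for _ in range(n)]
    for f in flows:
        idx = (f[4] - period_start) // window_ms
        if 0 <= idx < n:
            windows[idx].append(f)
    return windows

def longest_suspicious_run(windows, first_preset):
    """(start, length) of the longest run of consecutive windows holding more than first_preset flows."""
    best, start, run = (0, 0), 0, 0
    for i, w in enumerate(windows):
        run = run + 1 if len(w) > first_preset else 0
        start = i if run == 1 else start
        best = (start, run) if run > best[1] else best
    return best

def difference_data(flows):
    """Per consecutive pair in time order: (inter-arrival ms, delta request bytes, delta response bytes)."""
    s = sorted(flows, key=lambda f: f[4])
    return [(b[4] - a[4], b[2] - a[2], b[3] - a[3]) for a, b in zip(s, s[1:])]

def remove_outliers(points, k=3.0):
    """Assumed criterion: drop a point if any coordinate deviates from its median by more than k * MAD."""
    dims = list(zip(*points))
    med = [median(d) for d in dims]
    mad = [median(abs(x - m) for x in d) for d, m in zip(dims, med)]
    return [p for p in points if all(abs(x - m) <= k * s for x, m, s in zip(p, med, mad))]

def dist(a, b):
    return sum((x - y) ** 2 for x, y in zip(a, b)) ** 0.5

def centroid(pts):
    return tuple(sum(d) / len(pts) for d in zip(*pts))

def two_means(points, iters=25):
    """Binary clustering (2-means), seeded with the lexicographically smallest and largest points."""
    c0, c1 = min(points), max(points)
    for _ in range(iters):
        clusters = ([], [])
        for p in points:
            clusters[0 if dist(p, c0) <= dist(p, c1) else 1].append(p)
        new = [centroid(c) if c else old for c, old in zip(clusters, (c0, c1))]
        if new == [c0, c1]:
            break
        c0, c1 = new
    return clusters

def similarity(cluster):
    """Assumed measure: 1 / (1 + mean distance to centroid / mean point norm); 1.0 means identical flows."""
    c = centroid(cluster)
    spread = sum(dist(p, c) for p in cluster) / len(cluster)
    scale = sum(dist(p, (0,) * len(c)) for p in cluster) / len(cluster) or 1.0
    return 1.0 / (1.0 + spread / scale)

def detect_flood_dos(flows, period_start, period_end, window_ms,
                     first_preset=50, second_preset=0.9, third_preset=2):
    """True only when the frequency, continuity and similarity checks all fire (threshold values illustrative)."""
    windows = split_windows(flows, period_start, period_end, window_ms)
    start, length = longest_suspicious_run(windows, first_preset)
    if length <= third_preset:  # continuity check: too few consecutive suspicious windows
        return False
    data = remove_outliers(difference_data([f for w in windows[start:start + length] for f in w]))
    if len(data) < 2:  # nothing left to cluster
        return False
    a, b = two_means(data)
    return similarity(a if len(a) >= len(b) else b) > second_preset  # larger cluster is the DoS cluster

# Constructed sample flows over a 5 s period (1 s windows): one fixed-size request every 10 ms vs. a few varied requests.
ATTACK = [("10.0.0.7", "10.0.0.1", 64, 40, t) for t in range(0, 5000, 10)]
BENIGN = [("10.0.0.8", "10.0.0.1", 320 + 17 * i, 1500 - 31 * i, 97 * i * i % 5000) for i in range(20)]
```

Because every inter-arrival and size delta of the constructed flood is identical, the differential data collapse to one point and the similarity reaches 1.0, while the benign host never exceeds the per-window frequency threshold.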
The present application also provides a computer readable storage medium having stored thereon a computer program which, when executed, may implement the steps provided by the above-described embodiments. The storage medium may include various media capable of storing program code, such as a USB disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk.
The application further provides a detection device for flood DoS attack behavior, which may include a memory and a processor, where the memory stores a computer program, and the processor may implement the steps provided in the above embodiment when calling the computer program in the memory. Of course, the detection apparatus for the flood DoS attack behavior may further include various network interfaces, power supplies, and other components.
The embodiments are described in a progressive manner in the specification, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments are referred to each other. For the system disclosed by the embodiment, the description is relatively simple because the system corresponds to the method disclosed by the embodiment, and the relevant points can be referred to the method part for description. It should be noted that, for those skilled in the art, it is possible to make several improvements and modifications to the present application without departing from the principle of the present application, and such improvements and modifications also fall within the scope of the claims of the present application.
It is further noted that, in the present specification, relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.

Claims (12)

1. A method for detecting a flood DoS attack behavior is characterized by comprising the following steps:
generating a network flow set corresponding to the intranet host flow in the target time period;
judging whether the connection frequency of the network traffic set is greater than a first preset value;
if yes, obtaining difference data according to the flow characteristics of the network flow set;
judging whether the similarity between all the flows in the difference data is greater than a second preset value or not; and if so, judging that the flood DoS attack behavior is detected.
2. The detection method according to claim 1, wherein it is determined whether the similarity between all the flows in the differential data is greater than a second preset value; if yes, judging that the detected flood DoS attack behavior comprises the following steps:
removing outliers in the differential data to obtain data to be clustered;
performing clustering operation on the data to be clustered to obtain a DoS clustering result;
judging whether the similarity between all the flows in the DoS clustering result is greater than the second preset value or not;
and if so, judging that the flood DoS attack behavior is detected.
3. The detection method according to claim 2, wherein the step of performing a clustering operation on the data to be clustered to obtain a DoS clustering result comprises:
and performing binary clustering operation on the data to be clustered to obtain a first clustering result and a second clustering result, and setting a result with a larger flow number in the first clustering result and the second clustering result as the DoS clustering result.
4. The detection method according to claim 1, wherein the generating of the network traffic set corresponding to the intranet host traffic in the target time period comprises:
dividing the target time period into a preset number of time windows;
and generating a preset number of network flow sets corresponding to the time window according to the intranet host flow of the target time period.
5. The detection method according to claim 4, wherein obtaining the difference data according to the traffic characteristics of the network traffic set comprises:
judging whether the number of the continuous suspicious time windows is larger than a third preset value or not; wherein the suspicious time window is a time window in which the connection frequency is greater than the first preset value;
if yes, obtaining difference data according to the flow characteristics of the network flow set; wherein the traffic characteristics include a timestamp and/or an uplink and downlink traffic size.
6. A system for detecting a flood-like DoS attack behavior, comprising:
the flow set generating module is used for generating a network flow set corresponding to the intranet host flow in the target time period;
the frequency judgment module is used for judging whether the connection frequency of the network traffic set is greater than a first preset value or not;
the difference data acquisition module is used for acquiring difference data according to the flow characteristics of the network flow set when the connection frequency is greater than the first preset value;
the similarity judging module is used for judging whether the similarity between all the flows in the difference data is greater than a second preset value or not; and if so, judging that the flood DoS attack behavior is detected.
7. The detection system according to claim 6, wherein the similarity determination module comprises:
the outlier removing unit is used for removing outliers in the differential data to obtain data to be clustered;
the clustering unit is used for carrying out clustering operation on the data to be clustered to obtain a DoS clustering result;
the judging unit is used for judging whether the similarity between all the flows in the DoS clustering result is greater than the second preset value or not;
and the result output unit is used for judging that the flood DoS attack behavior is detected when the similarity is greater than the second preset value.
8. The detection system according to claim 7, wherein the clustering unit includes a unit that performs a binary clustering operation on the data to be clustered to obtain a first clustering result and a second clustering result, and sets a result that includes a larger number of traffic pieces in the first clustering result and the second clustering result as the DoS clustering result.
9. The detection system of claim 6, wherein the traffic set generation module comprises:
the time window dividing unit is used for dividing the target time period into a preset number of time windows;
and the set generating unit is used for generating a preset number of network flow sets corresponding to the time window according to the intranet host flow of the target time period.
10. The detection system of claim 9, wherein the differential data acquisition module comprises:
the continuity judging unit is used for judging whether the number of continuous suspicious time windows is larger than a third preset value or not; wherein the suspicious time window is a time window in which the connection frequency is greater than the first preset value;
a data obtaining unit, configured to obtain difference data according to traffic characteristics of the network traffic set when the number of consecutive suspicious time windows is greater than the third preset value; wherein the traffic characteristics include a timestamp and/or an uplink and downlink traffic size.
11. A detection apparatus for flood type DoS attack behavior, comprising:
a memory for storing a computer program;
a processor for executing the computer program to perform the steps of the method of detecting behavior of a flood-like DoS attack according to any of claims 1 to 5.
12. A computer-readable storage medium, characterized in that a computer program is stored on the computer-readable storage medium, which computer program, when being executed by a processor, carries out the steps of the method for detecting a behavior of a flood-like DoS attack according to any one of claims 1 to 5.
CN201810864643.9A 2018-08-01 2018-08-01 Method and system for detecting flood DoS attack behavior and related components Pending CN110798426A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810864643.9A CN110798426A (en) 2018-08-01 2018-08-01 Method and system for detecting flood DoS attack behavior and related components

Publications (1)

Publication Number Publication Date
CN110798426A true CN110798426A (en) 2020-02-14

Family

ID=69425120

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810864643.9A Pending CN110798426A (en) 2018-08-01 2018-08-01 Method and system for detecting flood DoS attack behavior and related components

Country Status (1)

Country Link
CN (1) CN110798426A (en)

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112003824A (en) * 2020-07-20 2020-11-27 中国银联股份有限公司 Attack detection method and device and computer readable storage medium
CN112953933A (en) * 2021-02-09 2021-06-11 恒安嘉新(北京)科技股份公司 Abnormal attack behavior detection method, device, equipment and storage medium
CN113452714A (en) * 2021-06-29 2021-09-28 清华大学 Host clustering method and device
CN113452651A (en) * 2020-03-24 2021-09-28 百度在线网络技术(北京)有限公司 Network attack detection method, device, equipment and storage medium
CN114039796A (en) * 2021-11-26 2022-02-11 安天科技集团股份有限公司 Network attack determination method and device, computer equipment and storage medium
CN114745161A (en) * 2022-03-23 2022-07-12 烽台科技(北京)有限公司 Abnormal flow detection method and device, terminal equipment and storage medium
CN115086060A (en) * 2022-06-30 2022-09-20 深信服科技股份有限公司 Flow detection method, device and equipment and readable storage medium
CN117119462A (en) * 2023-10-25 2023-11-24 北京派网科技有限公司 Security audit system and method of 5G mobile communication network based on distributed dip engine heterogeneous diagram architecture

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20200214