CN110858831A - Safety protection method and device and safety protection equipment - Google Patents


Info

Publication number
CN110858831A
Authority
CN
China
Prior art keywords
identification information
client
access request
matching
information database
Legal status
Granted
Application number
CN201810960164.7A
Other languages
Chinese (zh)
Other versions
CN110858831B (en)
Inventor
雷鸣
宋阳阳
贾炯
Current Assignee
Alibaba Group Holding Ltd
Original Assignee
Alibaba Group Holding Ltd
Application filed by Alibaba Group Holding Ltd
Priority to CN201810960164.7A
Publication of CN110858831A
Application granted
Publication of CN110858831B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks

Abstract

The embodiment of the invention provides a security protection method, a security protection device and security protection equipment. The method comprises the following steps: receiving a first access request from a client, where the first access request comprises identification information of the client; matching the identification information of the client against an identification information database and obtaining a matching result; calculating a matching probability according to the matching result; and starting security protection when the matching probability reaches a preset value. Therefore, the accuracy of CC attack detection can be improved, and the protection against CC attacks can be enhanced.

Description

Safety protection method and device and safety protection equipment
Technical Field
The embodiment of the invention relates to the technical field of information security, in particular to a security protection method, a security protection device and security protection equipment.
Background
In the internet, various communication protocols are applied to information transmission between devices. For example, data transmission between a client and a server may be implemented through the Hypertext Transfer Protocol (HTTP).
For illegal purposes, an attacker often sends a large number of HTTP requests to a target server through proxies, zombie hosts and the like (an HTTP flood attack, also called a CC attack), thereby consuming the request-processing resources of the target server until they are exhausted.
For such an attack, the existing security protection strategy is: a front-end cache is arranged on the client side, and the front-end cache serves the resources requested by the HTTP requests as far as possible, so that the occupation of server resources by a large number of HTTP requests is reduced or even avoided.
Furthermore, in a CC attack, when an attacker makes a large number of HTTP requests to a target server, the front-end cache is bypassed by setting fields in the HTTP requests so that resources are requested from the server itself, for example by using a Uniform Resource Identifier (URI) related to database operations or another URI that consumes system resources, causing the server resources to be exhausted and unable to respond to normal requests.
The existing CC attack detection schemes generally analyze HTTP traffic and automatically start CC attack protection once certain specific conditions are met, for example whether the request rate measured in real time exceeds a set threshold, whether the website response status codes measured in real time exceed a set threshold, or detection according to the deviation between the actual click probability distribution of user access behaviour and the prior probability distribution of the website. Moreover, once CC attack protection is started, existing schemes generally adopt protection strategies such as reverse probing, verification codes (CAPTCHAs), closing connections, and the like.
However, in these CC attack detection schemes there are cases where normal traffic scenarios are misjudged as CC attacks (for example normal traffic scenarios such as flash sales (seckill), red-envelope grabbing and voting), cases where certain attack scenarios cannot be detected (for example certain low-frequency, small-traffic attack scenarios), and, in existing protection strategies, cases where normal accesses are intercepted by mistake (for example third-party payment traffic, crawler requests, and the like).
It should be noted that the above background description is only for the sake of clarity and complete description of the technical solutions of the present invention and for the understanding of those skilled in the art. Such solutions are not considered to be known to the person skilled in the art merely because they have been set forth in the background section of the invention.
Disclosure of Invention
In view of at least one of the above problems, embodiments of the present invention provide a security protection method, apparatus, and protection device, which are expected to improve accuracy of CC attack detection and enhance protection against CC attack.
According to a first aspect of the embodiments of the present invention, there is provided a security protection method, including:
receiving a first access request from a client, where the first access request comprises identification information of the client;
matching the identification information of the client against an identification information database and obtaining a matching result;
calculating a matching probability according to the matching result; and
starting security protection when the matching probability reaches a preset value.
Optionally, the identification information database is an identification information classification database generated by analyzing historical network traffic and based on the reputation of the identification information.
Optionally, the first access request is a hypertext transfer protocol request; the identification information of the client is an internet protocol address, and a plurality of internet protocol addresses are stored in the identification information database.
Optionally, when security protection is started, the method further includes:
receiving a second access request from the client, wherein the second access request comprises identification information of the client;
matching the identification information of the client in the second access request with the identification information database;
and intercepting or releasing the second access request according to the matching result of the identification information of the client in the second access request and the identification information database.
Optionally, under the condition of intercepting the second access request, reverse probing is performed based on the identification information of the client in the second access request.
Optionally, the identification information database includes an internet protocol address black list library and an internet protocol address white list library.
Optionally, the identification information database is updated at a predetermined period.
According to a second aspect of the embodiments of the present invention, there is provided a security protection apparatus, including:
a receiving unit that receives a first access request from a client, where the first access request includes identification information of the client;
a matching unit that matches the identification information of the client against an identification information database and obtains a matching result;
a calculation unit that calculates a matching probability from the matching result; and
a security protection starting unit that starts security protection when the matching probability reaches a preset value.
Optionally, the identification information database is an identification information classification database generated by analyzing historical network traffic and based on the reputation of the identification information.
Optionally, the receiving unit receives a second access request from the client, where the second access request includes identification information of the client;
the matching unit matches the identification information of the client in the second access request with the identification information database,
the apparatus further comprises:
an access control unit that intercepts or releases the second access request according to the result of matching the identification information of the client in the second access request against the identification information database.
Optionally, the apparatus further comprises:
a reverse detection unit that performs reverse detection on the basis of the identification information of the client in the second access request when the access control unit intercepts the second access request.
Optionally, the apparatus further comprises:
an updating unit that updates the identification information database at a predetermined period.
According to a third aspect of the embodiments of the present invention, there is provided a security device, including a memory and a processor, where the memory stores a computer program, and the processor executes the computer program to implement the security method according to the first aspect and any one of the above options.
According to a fourth aspect of embodiments of the present invention, there is provided a computer-readable storage medium having stored thereon a computer program which, when executed by a processor, implements the steps of the security protection method according to the first aspect and any one of the above-mentioned alternatives.
The embodiment of the invention has the beneficial effects that: receiving a first access request including identification information of a client from the client, matching the identification information of the client with an identification information database and obtaining a matching result; calculating the matching probability according to the matching result; and starting safety protection under the condition that the matching probability reaches a preset value. Therefore, the condition of CC attack misdetection can be avoided to a great extent, and the protection against CC attack can be enhanced.
Drawings
Elements and features described in one drawing or one implementation of an embodiment of the invention may be combined with elements and features shown in one or more other drawings or implementations. Moreover, in the drawings, like reference numerals designate corresponding parts throughout the several views, and may be used to designate corresponding parts for use in more than one embodiment.
FIG. 1 is a schematic view of a security protection system according to an embodiment of the present invention;
FIG. 2 is a schematic view of a security protection method according to embodiment 1 of the present invention;
FIG. 3 is another schematic view of the security protection method according to embodiment 1 of the present invention;
FIG. 4 is a schematic view of a security protection apparatus according to embodiment 2 of the present invention;
FIG. 5 is a schematic diagram of the construction of a security protection apparatus in accordance with an embodiment of the present invention.
Detailed Description
Specific embodiments of the present invention are disclosed in detail with reference to the following description and drawings, indicating the manner in which the principles of the invention may be employed. It should be understood that the embodiments of the invention are not so limited in scope. The embodiments of the invention include many variations, modifications and equivalents within the spirit and scope of the appended claims.
Features that are described and/or illustrated with respect to one embodiment may be used in the same way or in a similar way in one or more other embodiments, in combination with or instead of the features of the other embodiments.
It should be emphasized that the term "comprises/comprising" when used herein, is taken to specify the presence of stated features, integers, steps or components but does not preclude the presence or addition of one or more other features, integers, steps or components.
The foregoing and other features of the invention will become apparent from the following description taken in conjunction with the accompanying drawings. In the description and drawings, particular embodiments of the invention have been disclosed in detail as being indicative of some of the embodiments in which the principles of the invention may be employed, it being understood that the invention is not limited to the embodiments described, but, on the contrary, is intended to cover all modifications, variations, and equivalents falling within the scope of the appended claims.
In the embodiments of the present invention, the terms "first", "second", and the like are used for distinguishing different elements by name, but do not denote a spatial arrangement, a temporal order, or the like of the elements, and the elements should not be limited by the terms. The term "and/or" includes any and all combinations of one or more of the associated listed terms. The terms "comprising," "including," "having," and the like, refer to the presence of stated features, elements, components, and do not preclude the presence or addition of one or more other features, elements, components, and elements.
In embodiments of the invention, the singular forms "a", "an", and the like include the plural forms and are to be construed broadly as "a" or "an" and not limited to the meaning of "a" or "an"; furthermore, the term "comprising" should be understood to include both the singular and the plural, unless the context clearly dictates otherwise. Further, the term "according to" should be understood as "at least partially according to … …," and the term "based on" should be understood as "based at least partially on … …," unless the context clearly dictates otherwise.
In the embodiments of the present invention, the term client or "Terminal Equipment" (TE) refers to, for example, a device that accesses a communication network through a network device and receives a network service. End devices may be fixed or mobile and may also be referred to as terminals, user terminals, access terminals, stations, and the like.
The terminal device may include, but is not limited to, the following devices: personal computers, workstations, Cellular telephones (Cellular phones), Personal Digital Assistants (PDAs), wireless modems, wireless communication devices, handheld devices, machine-type communication devices, laptop computers, cordless telephones, smartphones, smartwatches, Digital cameras, and the like.
In the embodiment of the present invention, the term "security protection device" may be a gateway or a firewall device, or may be other devices. The safety protection device can be positioned between the terminal device and the server and is used for carrying out safety protection on communication between the terminal device and the server. The security protection device may be a network device independent from the server, or may be a network security application integrated with the server, and the present invention does not limit the specific forms of the security protection device and the terminal device.
The following illustrates the scenarios of the embodiments of the present invention by way of example, but the present invention is not limited thereto.
Fig. 1 is a schematic diagram of a security protection system according to an embodiment of the present invention, schematically illustrating a terminal device, a security protection device, and a server. As shown in Fig. 1, a security protection system 100 may include a terminal device 101, a security protection device 102, and a server 103. For simplicity, Fig. 1 illustrates only one terminal device, one security protection device, and one server as an example, but the embodiment of the present invention is not limited thereto; for example, there may be multiple terminal devices.
As shown in Fig. 1, the security protection device 102 is communicatively connected to the terminal device 101 and to the server 103. For example, the external network IP address of the security protection device 102 and the external network IP address of the server 103 may be the same, although the invention is not limited thereto. Because the external network IP address of the security protection device 102 is the same as that of the server 103, the data sent by the terminal device 101 to the server 103 is received by the security protection device 102, and the terminal device 101 cannot know of the existence of the security protection device 102.
The above description has been made only by way of example for the scenario of the present invention, but the present invention is not limited thereto, and may be applied to other scenarios according to practical situations. The following examples further illustrate the invention.
Example 1
The embodiment of the present invention provides a security protection method. Fig. 2 is a schematic diagram of a security protection method according to an embodiment of the present invention. As shown in Fig. 2, the security protection method includes:
step 201, receiving a first access request from a client, where the first access request includes identification information of the client;
step 202, matching the identification information of the client against an identification information database and obtaining a matching result;
step 203, calculating a matching probability according to the matching result; and
step 204, starting security protection when the matching probability reaches a preset value.
In this embodiment, a first access request including identification information of a client from the client is received, the identification information of the client is matched with an identification information database, and a matching result is obtained; calculating the matching probability according to the matching result; and starting safety protection under the condition that the matching probability reaches a preset value. Therefore, the condition of CC attack misdetection can be avoided to a great extent, and the protection against CC attack can be enhanced.
In this embodiment, the first access request may be a hypertext transfer protocol (HTTP) request; the identification information of the client may be an Internet Protocol (IP) address, and the identification information database stores a plurality of IP addresses. However, the present invention is not limited to this, for example, the first access request may also be a request of other transmission protocols, and the identification information may also be other identification information for identifying the client.
In the following it is assumed that the first access request is an HTTP request and the identification information of the client is an IP address, but the present invention is not limited thereto.
In this embodiment, the identification information database is an identification information classification database generated by analyzing historical network traffic and based on the reputation of the identification information. For example, big-data analysis of historical network traffic statistics may be used to summarize IP behaviour on the basis of historical traffic and to compile different types of IP reputation libraries. The identification information database may include an IP address blacklist library, but is not limited thereto, and may also include an IP address whitelist library and the like. By collecting, analysing, sorting and classifying network traffic and requested accesses, and by continuously investigating or monitoring, from the perspective of network security, IP addresses that have been compromised or that behave abnormally, a reputation system for abnormally behaving and dangerous IPs can be formed. For example, addresses identified as zombie hosts ("broilers") may be placed in the blacklist, as may a proxy IP address library or the source IP addresses of crawlers; however, the present invention is not limited thereto. For example, the source IP of a crawler may also be regarded as an IP that accesses normally, and the IP addresses in the blacklist library may be determined according to the actual scenario.
In this embodiment, the identification information database may be updated at a predetermined period; for example, the predetermined period may be at the hour level, with the IP address blacklist library updated at hourly granularity. This improves the handling of dynamic IPs (for example, zombie hosts on dynamic broadband IPs). However, the present invention is not limited thereto; for example, the update period of the identification information database (IP address blacklist) may also have another granularity (for example less than one hour, or one day), selected according to the actual application scenario.
In this embodiment, CC attack detection may be performed in combination with other CC attack detection technologies, for example, the detection system may perform real-time statistics on the request rate, perform real-time statistics on the website response status code, and perform real-time statistics on a header (header) of the HTTP request (modeling the user request).
The detection system may determine whether a CC attack exists according to the statistical result, for example, determine whether a real-time statistical request rate exceeds a set threshold, determine whether a real-time statistical website response status code exceeds a set threshold, perform detection according to a deviation between an actual click probability distribution of a user access behavior and a website prior probability distribution, and the like.
When the detection system cannot determine from the above scheme whether a CC attack is occurring, for example on the basis of real-time statistics of queries per second (QPS), HTTP request header fields and response status codes, the detection system can be linked with the IP blacklist library: the source access IPs are matched against the IP blacklist library and a hit rate is computed, and if the hit rate is higher than a critical risk value, the system is judged to be in a CC attack state and security protection is started. In this way, CC attack detection can succeed even in situations that existing CC attack detection cannot cover, for example low-frequency, small-traffic attacks in which the detection threshold is not triggered, and the accuracy of CC attack detection is improved. In addition, in this embodiment, when the source access IPs are matched against the IP blacklist library to compute the hit rate, the processing delay can be kept at the second level, so efficient CC attack detection can be achieved.
Alternatively, when the detection system judges from the above scheme that a CC attack is occurring, it may likewise be linked with the IP blacklist library and compute the hit rate of the source access IPs against the IP blacklist library; if the hit rate does not exceed the critical risk value, it is judged that no CC attack is under way, and security protection is not started. Scenarios that existing CC attack detection would misjudge as CC attacks, for example normal business scenarios such as flash sales (seckill), red-envelope grabbing and voting, can thus be kept from being misdetected, and the interception of normal access is avoided. Here too, when the source access IPs are matched against the IP blacklist library to compute the hit rate, the processing delay can be kept at the second level, so efficient CC attack detection can be achieved.
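The two linkage cases above (thresholds not triggered but a high blacklist hit rate, and thresholds triggered but a low hit rate), as an added example that is not the patent's own code; the blacklist entries, the thresholds and the request windows are constructed for illustration, and the hit rate is computed per request, which the page does not fix.

```python
"""CC-attack detection linked to an IP reputation blacklist (steps 201-204 and
the two linkage cases above). Added example, not the patent's own code; the
blacklist entries, thresholds and request windows are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List

# Constructed IP blacklist library. A deployment would reload it from the
# reputation feed at the update period (the page suggests hourly granularity).
BLACKLIST = [ip_network(n) for n in ("203.0.113.0/24", "198.51.100.7/32")]


@dataclass(frozen=True)
class Request:
    src_ip: str   # identification information of the client (source access IP)
    status: int   # response status code returned by the server


@dataclass(frozen=True)
class Verdict:
    qps: float
    error_ratio: float
    stats_say_attack: bool   # conventional threshold-based detection result
    hit_rate: float          # matching probability against the blacklist
    protection_on: bool
    reason: str


def in_blacklist(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in BLACKLIST)


def blacklist_hit_rate(window: List[Request]) -> float:
    """Matching probability: fraction of requests in the window whose source IP
    hits the blacklist. Counting distinct IPs instead is an equally valid
    choice; the page does not fix the denominator."""
    if not window:
        return 0.0
    return sum(in_blacklist(r.src_ip) for r in window) / len(window)


def decide(window: List[Request], window_seconds: float,
           qps_threshold: float = 50.0, error_threshold: float = 0.5,
           risk_threshold: float = 0.5) -> Verdict:
    """Combine request-rate / status-code statistics with the blacklist hit rate.
    The threshold values are assumptions, not taken from the page."""
    n = len(window)
    qps = n / window_seconds
    error_ratio = sum(r.status >= 500 for r in window) / n if n else 0.0
    stats_say_attack = qps > qps_threshold or error_ratio > error_threshold
    hit_rate = blacklist_hit_rate(window)
    reached = hit_rate >= risk_threshold

    if not stats_say_attack:
        # Case 1: thresholds not triggered (e.g. a low-frequency, small-traffic
        # attack). Linking with the blacklist can still reveal the attack.
        if reached:
            return Verdict(qps, error_ratio, False, hit_rate, True,
                           "thresholds not triggered, but blacklist hit rate reached the risk value")
        return Verdict(qps, error_ratio, False, hit_rate, False, "normal traffic")

    # Case 2: thresholds triggered. A legitimate burst (flash sale, red-envelope
    # grab, voting) has a low hit rate, so protection is not started for it.
    if reached:
        return Verdict(qps, error_ratio, True, hit_rate, True,
                       "thresholds triggered and blacklist hit rate reached the risk value")
    return Verdict(qps, error_ratio, True, hit_rate, False,
                   "thresholds triggered, but hit rate below the risk value: legitimate burst")


def low_frequency_attack_window() -> List[Request]:
    """Constructed window: 10 requests in 60 s, 8 of them from blacklisted hosts."""
    bad = [Request(f"203.0.113.{i}", 200) for i in range(1, 9)]
    good = [Request("192.0.2.10", 200), Request("192.0.2.11", 200)]
    return bad + good


def flash_sale_window() -> List[Request]:
    """Constructed window: 600 requests in 10 s (QPS 60) from distinct legitimate clients."""
    return [Request(f"192.0.2.{i % 200 + 1}", 200) for i in range(600)]


if __name__ == "__main__":
    print(decide(low_frequency_attack_window(), 60))
    print(decide(flash_sale_window(), 10))
```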
The above describes how CC attack detection is performed in this embodiment; when a CC attack is detected, the security protection device starts security protection. The following describes the security protection performed by the security protection device once protection is started.
Fig. 3 is another schematic diagram of the security protection method according to embodiment 1 of the present invention. In this embodiment, as shown in Fig. 3, when security protection is started, the security protection method further includes:
step 301, receiving a second access request from the client, where the second access request includes identification information of the client;
step 302, matching the identification information of the client in the second access request with an identification information database; and
step 303, intercepting or releasing the second access request according to the matching result between the identification information of the client in the second access request and the identification information database.
Therefore, in the security protection method of this embodiment, once security protection is started, the identification information of the client in the access request is matched against the identification information database, and the second access request is intercepted or released according to the matching result. By performing access control on the result of matching the client's identification information against the identification information database, false interception of normal access requests (such as automated requests from third-party payment, crawlers and the like) can be avoided, while illegal access requests aimed at server resources can be intercepted.
In this embodiment, the second access request may be a hypertext transfer protocol (HTTP) request; the identification information of the client may be an Internet Protocol (IP) address, and the identification information database stores a plurality of IP addresses. However, the present invention is not limited to this, for example, the second access request may also be a request of other transmission protocols, and the identification information may also be other identification information for identifying the client.
In this embodiment, the identification information database may include an internet protocol address blacklist library and an internet protocol address whitelist library. In step 302, the identification information of the client in the second access request may be matched with the internet protocol address blacklist library and the internet protocol address whitelist library, and in step 303, access control may be performed according to the result in step 302, for example, in the case that the identification information of the client in the second access request is matched with the internet protocol address blacklist library, the second access request may be intercepted, and in the case that the identification information of the client in the second access request is matched with the internet protocol address whitelist library, the second access request may be released. Therefore, the access request in the white list is directly released, and even if the normal HTTP request of protection algorithms such as reverse detection and verification codes cannot be normally responded to the HTTP service of non-access types such as an API (application program interface) interface, the IP of the access request can be prevented from being intercepted by mistake.
In this embodiment, the safety protection method may further include:
and 304, under the condition of intercepting the second access request, performing reverse detection based on the identification information of the client in the second access request.
For example, when the second access request is an HTTP request and the identification information of the client is an IP address, and the HTTP request is intercepted based on an IP reputation, it may be verified whether the HTTP request is a real browser access by using a reverse detection algorithm, for example, META refresh, 302 skip, JS check, and the like, and a general zombie tool cannot implement a complete HTTP protocol stack and cannot pass through the reverse detection algorithm. Therefore, whether the HTTP request is an illegal request can be further confirmed, and the accuracy of CC attack detection can be improved. However, the present invention is not limited thereto, and other protection algorithms, such as a verification code technique, may be used.
Therefore, in the security protection method of this embodiment, when security protection is turned on, the IP in the HTTP request is matched with the IP white list library, and if the IP in the HTTP request is matched with the IP white list library, the HTTP request is determined to be a normal request and released. For example, the IP of services such as third party payment (such as pay pal, wechat payment, wechat public number, etc.) and automatic request class such as crawler can be set as a white list, so that normal access can be prevented from being intercepted.
It should be noted that fig. 2 and 3 above are only schematic illustrations of embodiments of the present invention, and the present invention is not limited thereto. For example, the execution sequence of the steps may be adjusted as appropriate, and steps may be added or omitted. For example, in step 302 of fig. 3 the IP blacklist library and whitelist library matching may be performed simultaneously, but the present invention is not limited thereto: the IP whitelist library matching may be performed first, and when the IP in the HTTP request is found in the IP whitelist library the request may be released directly without performing step 304. The present invention is not limited to this, and those skilled in the art can determine the above steps according to the actual situation, for example according to statistics of the hit rates of the IP blacklist library and the IP whitelist library. Those skilled in the art can make appropriate modifications in light of the above disclosure and are not limited to the description of fig. 2 and 3 above.
As can be seen from the above embodiments, a first access request (HTTP request) including identification information of a client is received from the client, the identification information (IP address) of the client is matched with an identification information database to obtain a matching result, the matching probability is calculated according to the matching result, and safety protection is started when the matching probability reaches a preset value. Therefore, CC attack misdetection can be avoided to a great extent, the accuracy of CC attack detection is improved, and the protection against CC attacks is enhanced. The IP in the HTTP request is matched against the IP reputation library, which provides data support for the system's CC attack detection and so avoids system misjudgment; and after security protection is started, filtering the malicious IP addresses in the IP reputation library reduces the false interceptions caused by the protection strategy and further strengthens the protection against CC attacks.
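The following Python is an added illustration of the two-phase flow summarized above (it is not the patent's own code): IPs of incoming requests are matched against a reputation database, a matching probability is computed over a sliding window and protection is switched on when it reaches the preset value; once on, requests are released or intercepted by whitelist/blacklist matching, and intercepted clients are put through a reverse-detection challenge. Assumptions: the matching probability is taken as the share of windowed requests whose IP hits the blacklist, the reverse-detection step is modelled as a 302 redirect carrying a per-IP token, and the database entries, class and method names are constructed.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import Optional
import hashlib
import hmac
import secrets

# Constructed IP reputation database (stand-in for the patent's identification
# information database): addresses classified from historical traffic analysis.
REPUTATION_DB = {
    "blacklist": {"203.0.113.5", "203.0.113.6", "198.51.100.77"},
    "whitelist": {"192.0.2.10"},  # e.g. a third-party payment callback address
}


@dataclass
class CCGuard:
    threshold: float = 0.6   # preset value the matching probability must reach
    window: int = 10         # number of recent requests the probability covers
    protection_on: bool = False
    _hits: deque = field(default_factory=deque)
    _secret: bytes = field(default_factory=lambda: secrets.token_bytes(16))

    def match(self, ip: str) -> Optional[str]:
        """Match a client IP against the reputation database (steps 301/302)."""
        if ip in REPUTATION_DB["whitelist"]:
            return "whitelist"
        if ip in REPUTATION_DB["blacklist"]:
            return "blacklist"
        return None

    def matching_probability(self) -> float:
        """Assumed definition: share of windowed requests whose IP is blacklisted."""
        return sum(self._hits) / len(self._hits) if self._hits else 0.0

    def observe(self, ip: str) -> float:
        """Phase 1: record a first access request, recompute the matching
        probability and start protection once it reaches the preset value."""
        self._hits.append(1 if self.match(ip) == "blacklist" else 0)
        if len(self._hits) > self.window:
            self._hits.popleft()
        prob = self.matching_probability()
        if prob >= self.threshold:
            self.protection_on = True
        return prob

    def _token(self, ip: str) -> str:
        # Per-IP challenge token; a client that follows the 302 redirect returns it.
        return hmac.new(self._secret, ip.encode(), hashlib.sha256).hexdigest()[:16]

    def handle(self, ip: str, token: Optional[str] = None) -> dict:
        """Phase 2 (protection on): whitelist -> release; blacklist -> intercept with
        a 302 reverse-detection challenge, released only once the token comes back;
        unclassified IPs -> release. With protection off every request is released."""
        if not self.protection_on:
            return {"action": "release"}
        cls = self.match(ip)
        if cls == "blacklist":
            expected = self._token(ip)
            if token is not None and hmac.compare_digest(token, expected):
                return {"action": "release", "verified": True}
            return {"action": "intercept", "status": 302,
                    "location": f"/__cc_check?t={expected}"}
        return {"action": "release"}  # whitelisted or unclassified


if __name__ == "__main__":
    guard = CCGuard(threshold=0.6, window=5)
    for ip in ["192.0.2.10", "203.0.113.5", "203.0.113.6", "198.51.100.77"]:
        print(ip, "->", round(guard.observe(ip), 3), "protection_on =", guard.protection_on)
    print(guard.handle("192.0.2.10"))   # whitelisted: released
    print(guard.handle("203.0.113.5"))  # blacklisted: 302 challenge
```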
Example 2
The embodiment of the invention provides a safety protection device. The device may be, for example, a piece of safety protection equipment, or may be a component or assembly configured with one or more parts of such equipment. Contents of embodiment 2 that are the same as in embodiment 1 will not be described again.
Fig. 4 is a schematic view of a safety protection device according to an embodiment of the present invention. As shown in fig. 4, a safety protection device 400 includes:
a receiving unit 401, configured to receive a first access request from a client, where the first access request includes identification information of the client;
a matching unit 402, which matches the identification information of the client with an identification information database and obtains a matching result;
a calculating unit 403 that calculates a matching probability from the matching result; and
a safety protection starting unit 404 that starts safety protection when the matching probability reaches a predetermined value.
In this embodiment, the identification information database may be an identification information classification database generated by analyzing historical network traffic and based on the reputation of the identification information.
In this embodiment, the safety protection device 400 may further include an access control unit 405. The receiving unit 401 may further receive a second access request from the client, where the second access request may include identification information of the client; the matching unit 403 matches the identification information of the client in the second access request with the identification information database, and the access control unit 405 intercepts or releases the second access request according to the result of matching the identification information of the client in the second access request with the identification information database.
In this embodiment, the safety protection device 400 may further include a reverse detection unit 406, which performs reverse detection based on the identification information of the client in the second access request when the second access request is intercepted.
In this embodiment, the safety protection device 400 may further include an updating unit 407, which updates the identification information database at a predetermined cycle.
It should be noted that the above description covers only the components or modules related to the present invention, and the present invention is not limited thereto. The safety protection device 400 may also include other components or modules, for the specifics of which reference may be made to the related art.
The embodiment of the invention also provides safety protection equipment.
Fig. 5 is a schematic diagram of the construction of safety protection equipment in accordance with an embodiment of the present invention. As shown in fig. 5, safety protection equipment 500 may include a processor 510 (e.g., a central processing unit, CPU) and a memory 520 coupled to the processor 510. The memory 520 may store various data and also stores a safety protection program 530, which is executed under the control of the processor 510.
For example, processor 510 may be configured to execute program 530 to implement the safety protection method described in embodiment 1. For example, processor 510 may be configured to perform the following control: receiving a first access request from a client, wherein the first access request comprises identification information of the client; matching the identification information of the client with an identification information database and obtaining a matching result; calculating the matching probability according to the matching result; and starting safety protection when the matching probability reaches a preset value.
In addition, as shown in fig. 5, the safety protection equipment 500 may further include an input/output (I/O) unit 540 and the like; the functions of these components are similar to those in the prior art and are not described in detail here. It is noted that the safety protection equipment 500 does not necessarily include all of the components shown in fig. 5; furthermore, it may also include components or modules not shown in fig. 5, for which reference may be made to the prior art.
An embodiment of the present invention further provides a computer-readable program, where when the program is executed in a security protection device, the program causes the security protection device to execute the security protection method described in embodiment 1.
An embodiment of the present invention further provides a storage medium storing a computer readable program, where the computer readable program, when executed by a processor, causes a security protection device to implement the security protection method described in embodiment 1.
As can be seen from the above embodiments, a first access request including identification information of a client is received from the client, the identification information of the client is matched with a first identification information database, and a matching result is obtained; calculating the matching probability according to the matching result; and starting safety protection under the condition that the matching probability reaches a preset value. Therefore, the condition of CC attack misdetection can be avoided to a great extent, the accuracy of CC attack detection is improved, and the protection against CC attack can be enhanced.
The above devices and methods of the present invention can be implemented by hardware, or can be implemented by hardware and software. The present invention relates to a computer-readable program which, when executed by a logic section, enables the logic section to realize the above-described apparatus or constituent section, or to realize the above-described various methods or steps. The present invention also relates to a storage medium such as a hard disk, a magnetic disk, an optical disk, a DVD, a flash memory, or the like, for storing the above program.
The methods/apparatus described in connection with the embodiments of the invention may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. For example, one or more of the functional block diagrams and/or one or more combinations of the functional block diagrams illustrated in the figures may correspond to individual software modules of a computer program flow, or to individual hardware modules. These software modules may correspond to the various steps shown in the figures, respectively. These hardware modules may be implemented, for example, by programming these software modules into a Field Programmable Gate Array (FPGA).
A software module may reside in RAM memory, flash memory, ROM memory, EPROM memory, EEPROM memory, registers, hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art. A storage medium may be coupled to the processor such that the processor can read information from, and write information to, the storage medium; or the storage medium may be integral to the processor. The processor and the storage medium may reside in an ASIC. The software module may be stored in the memory of the mobile terminal or in a memory card that is insertable into the mobile terminal. For example, if the device (e.g., mobile terminal) employs a relatively large capacity MEGA-SIM card or a large capacity flash memory device, the software module may be stored in the MEGA-SIM card or the large capacity flash memory device.
One or more of the functional blocks and/or one or more combinations of the functional blocks described in the figures can be implemented as a general purpose processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, discrete gate or transistor logic, discrete hardware components, or any suitable combination thereof designed to perform the functions described herein. One or more of the functional blocks and/or one or more combinations of the functional blocks described in connection with the figures may also be implemented as a combination of computing devices, e.g., a combination of a DSP and a microprocessor, a plurality of microprocessors, one or more microprocessors in communication with a DSP, or any other such configuration.
While the invention has been described with reference to specific embodiments, it will be apparent to those skilled in the art that these descriptions are illustrative and not intended to limit the scope of the invention. Various modifications and alterations of this invention will become apparent to those skilled in the art based upon the spirit and principles of this invention, and such modifications and alterations are also within the scope of this invention.

Claims (14)

1. A safety protection method, the method comprising:
receiving a first access request from a client, wherein the first access request comprises identification information of the client;
matching the identification information of the client with an identification information database and obtaining a matching result;
calculating the matching probability according to the matching result; and
starting safety protection when the matching probability reaches a preset value.
2. The safety protection method according to claim 1, wherein
the identification information database is an identification information classification database which is generated by analyzing historical network traffic and is based on the credibility of the identification information.
3. The safety protection method according to claim 1, wherein
the first access request is a hypertext transfer protocol request, the identification information of the client is an internet protocol address, and a plurality of internet protocol addresses are stored in the identification information database.
4. The safety protection method according to claim 1, wherein, when safety protection has been started, the method further comprises:
receiving a second access request from the client, wherein the second access request comprises identification information of the client;
matching the identification information of the client in the second access request with the identification information database; and
intercepting or releasing the second access request according to the result of matching the identification information of the client in the second access request with the identification information database.
5. The safety protection method according to claim 4, wherein
when the second access request is intercepted, reverse detection is performed based on the identification information of the client in the second access request.
6. The safety protection method according to claim 1, wherein
the identification information database comprises an internet protocol address blacklist library and an internet protocol address whitelist library.
7. The safety protection method according to claim 1 or 2, wherein the method further comprises:
updating the identification information database at a preset period.
8. A safety protection device, comprising:
a receiving unit that receives a first access request from a client, wherein the first access request comprises identification information of the client;
a matching unit that matches the identification information of the client with an identification information database and obtains a matching result;
a calculation unit that calculates a matching probability from the matching result; and
a safety protection starting unit that starts safety protection when the matching probability reaches a preset value.
9. The device according to claim 8, wherein
the identification information database is an identification information classification database which is generated by analyzing historical network traffic and is based on the credibility of the identification information.
10. The device according to claim 8, wherein
the receiving unit receives a second access request from the client, wherein the second access request comprises identification information of the client;
the matching unit matches the identification information of the client in the second access request with the identification information database; and
the device further comprises:
an access control unit that intercepts or releases the second access request according to the result of matching the identification information of the client in the second access request with the identification information database.
11. The device according to claim 10, further comprising:
a reverse detection unit that performs reverse detection based on the identification information of the client in the second access request when the access control unit intercepts the second access request.
12. The device according to claim 8 or 9, further comprising:
an updating unit that updates the identification information database at a predetermined cycle.
13. Safety protection equipment comprising a memory and a processor, the memory storing a computer program, wherein the processor executes the computer program to implement the safety protection method according to any one of claims 1 to 7.
14. A computer-readable storage medium on which a computer program is stored which, when executed by a processor, carries out the steps of the safety protection method according to any one of claims 1 to 7.
CN201810960164.7A 2018-08-22 2018-08-22 Safety protection method and device and safety protection equipment Active CN110858831B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810960164.7A CN110858831B (en) 2018-08-22 2018-08-22 Safety protection method and device and safety protection equipment

Publications (2)

Publication Number Publication Date
CN110858831A true CN110858831A (en) 2020-03-03
CN110858831B CN110858831B (en) 2022-07-29

Family

ID=69634808

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113037841A (en) * 2021-03-08 2021-06-25 北京靠谱云科技有限公司 Protection method for providing distributed denial of attack
CN113285919A (en) * 2021-04-14 2021-08-20 上海瀚银信息技术有限公司 Automatic protection method and system for website
CN113992358A (en) * 2021-09-29 2022-01-28 杭州迪普科技股份有限公司 Method and device for distributing network security policy
CN114928452A (en) * 2022-05-17 2022-08-19 壹沓科技(上海)有限公司 Access request verification method, device, storage medium and server

Citations (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101631026A (en) * 2008-07-18 2010-01-20 北京启明星辰信息技术股份有限公司 Method and device for defending against denial-of-service attacks
CN101789947A (en) * 2010-02-21 2010-07-28 成都市华为赛门铁克科技有限公司 Method and firewall for preventing HTTP POST flooding attacks
CN102891829A (en) * 2011-07-18 2013-01-23 航天信息股份有限公司 Method and system for detecting and defending distributed denial of service attack
CN104009983A (en) * 2014-05-14 2014-08-27 杭州安恒信息技术有限公司 Detection method and system for CC attack
CN104378357A (en) * 2014-10-23 2015-02-25 河北省电力建设调整试验所 Protection method for HTTP Get Flood attack
CN104917779A (en) * 2015-06-26 2015-09-16 北京奇虎科技有限公司 Protection method of CC attack based on cloud, device thereof and system thereof
CN105610851A (en) * 2016-01-14 2016-05-25 北京乐动卓越科技有限公司 Method and system for defending distributed denial of service (DDoS) attack
US20160205120A1 (en) * 2015-01-13 2016-07-14 Level 3 Communications, Llc Vertical threat analytics for ddos attacks
CN107800723A (en) * 2017-12-06 2018-03-13 中盈优创资讯科技有限公司 CC attack guarding methods and equipment
CN107800726A (en) * 2017-12-12 2018-03-13 蔡昌菊 A kind of defence method of attack
CN107819727A (en) * 2016-09-13 2018-03-20 腾讯科技(深圳)有限公司 A kind of network safety protection method and system based on the safe credit worthiness of IP address
CN108259425A (en) * 2016-12-28 2018-07-06 阿里巴巴集团控股有限公司 The determining method, apparatus and server of query-attack

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
REG Reference to a national code (Ref country code: HK; Ref legal event code: DE; Ref document number: 40024926; Country of ref document: HK)
GR01 Patent grant