CN111970261B - Network attack identification method, device and equipment - Google Patents


Publication number
CN111970261B
Authority
CN
China
Prior art keywords
address
source address
server
sdk
access
Prior art date
Legal status
Active
Application number
CN202010783202.3A
Other languages
Chinese (zh)
Other versions
CN111970261A (en)
Inventor
赵志阳
陈邦忠
Current Assignee
Perfect World Beijing Software Technology Development Co Ltd
Original Assignee
Perfect World Beijing Software Technology Development Co Ltd
Priority date
Filing date
Publication date
Application filed by Perfect World Beijing Software Technology Development Co Ltd
Priority to CN202010783202.3A
Publication of CN111970261A
Application granted
Publication of CN111970261B
Legal status: Active (current)
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H04L2463/00 Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
    • H04L2463/146 Tracing the source of attacks

Abstract

The application discloses a network attack identification method, device and equipment in the technical field of network security. The method comprises the following steps: acquiring a source address that has accessed an attacked server; acquiring an address list of successful SDK requests and judging, based on that list, whether the source address exists in it; and if not, treating the source address as an abnormal access address and intercepting its access right.

Description

Network attack identification method, device and equipment
Technical Field
The present application relates to the field of network security technologies, and in particular, to a method, an apparatus, and a device for identifying a network attack.
Background
As network applications reach deeper into people's lives and work, network attacks are endless. For online games in particular, players must connect to a game server, and online games are updated frequently; attackers set out to analyse the source code of the game and find vulnerabilities in it that can be used to mount network attacks.
At present, the network attacks commonly encountered in online games include CC attacks at the application layer. CC attacks are carried out with a variety of techniques; in particular, high-frequency concurrent access can be generated by simulating user requests. CC attack identification mainly takes one of two forms. In the first, distribution characteristics such as URL (uniform resource locator) requests and response codes are combined to judge malicious-feature attacks among abnormal behaviours, and the malicious features appearing in common header fields of the requests are then intercepted to configure access control. Although this mode can filter some of the more mainstream attack patterns, existing users lose their connections when the policy takes effect, that is, they are blocked by mistake, and as attackers change their attack means the rate at which users are mistakenly blocked rises, affecting the operation of the game network. In the second, a feature packet is added to the communication protocol between client and server and illegal traffic is then identified to configure access control; this increases the number of network packets, reduces the processing capacity of the server, degrades network stability and affects the user's game experience.
Disclosure of Invention
In view of this, the present application provides a method, an apparatus and a device for identifying a network attack, mainly aiming to solve the prior-art problems of a high rate of mistakenly blocking users and poor network stability.
According to a first aspect of the present application, there is provided a network attack identification method, including:
acquiring a source address that has accessed an attacked server;
acquiring an address list of successful SDK requests, and judging, based on that list, whether the source address exists in it;
if it does not, treating the source address as an abnormal access address and intercepting the access right of the abnormal access address.
In another embodiment, before acquiring the source address that has accessed the attacked server, the method further comprises:
monitoring the traffic data of the address information accessed by network requests and the resource occupancy rate generated by the network requests;
and if the traffic data reaches a first preset value and/or the resource occupancy rate reaches a second preset value, acquiring the source address that has accessed the attacked server.
In another embodiment, the obtaining the source address of the accessed attacked server specifically includes:
counting connection information of an attacked server based on address information of the attacked server;
and screening out address information of which the connection information meets preset conditions from the address information accessed to the attacked server as a source address.
In another embodiment, the screening out, from the address information of the accessed attacked server, address information whose connection information meets a preset condition as a source address specifically includes:
inquiring the access times of the attacked server aiming at each address information in a preset time based on the connection information of the attacked server;
and screening out the address information with the access times reaching a preset value from the address information accessed to the attacked server as a source address.
In another embodiment, acquiring the address list of successful SDK requests specifically includes:
acquiring, based on the connection information of the attacked server, the initial time point at which the source address accessed the attacked server;
collecting the SDK logs uploaded after that initial time point;
and analysing the SDK request records in the SDK logs to obtain the address list of successful SDK requests.
In another embodiment, before the taking the source address as an abnormal access address and intercepting the access right of the abnormal access address, the method further comprises:
inquiring a distribution area corresponding to a source address accessed to an attacked server;
the taking the source address as an abnormal access address and intercepting the access authority of the abnormal access address specifically includes:
and if the distribution area does not belong to a preset access area, taking the source address as an abnormal access address, and intercepting the access authority of the abnormal access address.
In another embodiment, before the taking the source address as an abnormal access address and intercepting the access right of the abnormal access address, the method further comprises:
utilizing an open tool platform to inquire the historical connection record of the source address accessed by the attacked server;
the taking the source address as an abnormal access address and intercepting the access authority of the abnormal access address specifically includes:
and if the historical connection records have illegal requests, taking the source address as an abnormal access address, and intercepting the access authority of the abnormal access address.
According to a second aspect of the present application, there is provided an apparatus for identifying a cyber attack, the apparatus including:
a first obtaining unit, configured to obtain a source address of an accessed attacked server;
the second obtaining unit is used for obtaining an address list of which the SDK request is successful, and judging whether the source address exists in the address list or not based on the address list of which the SDK request is successful;
and the intercepting unit is used for taking the source address as an abnormal access address and intercepting the access authority of the abnormal access address if the source address does not exist.
In another embodiment, the apparatus further comprises:
the monitoring unit is used for monitoring the traffic data of the address information accessed by the network request and the resource occupancy rate generated by the network request before the source address accessed to the attacked server is obtained;
the first obtaining unit is configured to obtain a source address of an accessed attacked server if the traffic data reaches a first preset value and/or the resource occupancy rate reaches a second preset value.
In another embodiment, the first obtaining unit includes:
the statistical module is used for counting the connection information of the attacked server based on the address information accessed to the attacked server;
and the screening module is used for screening out the address information of which the connection information meets the preset condition from the address information accessed to the attacked server as a source address.
In another embodiment, the screening module comprises:
the query submodule is used for querying the access times of the attacked server aiming at each address information in the preset time based on the connection information of the attacked server;
and the screening submodule is used for screening the address information with the access frequency reaching a preset value from the address information accessed to the attacked server as a source address.
In another embodiment, the second acquiring unit includes:
an obtaining module, configured to obtain, based on the connection information of the attacked server, the initial time point at which the source address accessed the attacked server, before it is judged whether the source address exists in the address list of successful SDK requests;
a collecting module for collecting the SDK log uploaded after the starting time point;
and the analysis module is used for acquiring an address list of the SDK request success by analyzing the record of the SDK request in the SDK log.
In another embodiment, the apparatus further comprises:
a first query unit, configured to query a distribution area corresponding to a source address accessed to an attacked server before taking the source address as an abnormal access address and intercepting an access right of the abnormal access address;
the intercepting unit is further configured to, if the distribution area does not belong to a preset access area, use the source address as an abnormal access address, and intercept an access right of the abnormal access address.
In another embodiment, the apparatus further comprises:
a second query unit, configured to query, by using an open tool platform, a historical connection record of a source address accessed by the attacked server before the source address is used as an abnormal access address and an access right of the abnormal access address is intercepted;
the intercepting unit is further configured to, if an illegal request exists in the historical connection record, use the source address as an abnormal access address, and intercept an access right of the abnormal access address.
According to a third aspect of the present application, there is provided a computer device comprising a memory and a processor, the memory storing a computer program, the processor implementing the steps of the method of the first aspect when executing the computer program.
According to a fourth aspect of the present application, there is provided a readable storage medium having stored thereon a computer program which, when executed by a processor, carries out the steps of the method of the first aspect described above.
By means of this technical scheme, compared with the existing approaches that identify network attacks using distribution features or feature packets added to the communication protocol, the method, apparatus and device for identifying a network attack acquire the source address that has accessed the attacked server. Because the sample library of suspected attack behaviour is time-sensitive, an attack is judged to have occurred only if the suspected attack continues, and no start instruction is needed when it is judged not to have occurred, which reduces the impact of mistaken blocking on users and operations. The source address is then analysed against the address list of successful SDK (software development kit) requests: if the source address is absent from the list, it has not logged in to the authentication system of the network service, so it is identified as an abnormal access address and its access right is intercepted. Through this layer-by-layer judgement the source address suspected of generating attack behaviour is identified accurately, no other program needs to be loaded or modified in the communication process, the data processing capacity of the server is improved and the time taken to identify network attack behaviour is shortened.
The foregoing description is only an overview of the technical solutions of the present application, and the present application can be implemented according to the content of the description in order to make the technical means of the present application more clearly understood, and the following detailed description of the present application is given in order to make the above and other objects, features, and advantages of the present application more clearly understandable.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the application and together with the description serve to explain the application and not to limit the application. In the drawings:
fig. 1 is a schematic flowchart illustrating a network attack identification method according to an embodiment of the present application;
fig. 2 is a schematic flowchart illustrating another network attack identification method provided in an embodiment of the present application;
fig. 3 is a schematic flowchart illustrating another network attack identification method provided in an embodiment of the present application;
fig. 4 is a schematic structural diagram illustrating an apparatus for identifying a cyber attack according to an embodiment of the present application;
fig. 5 is a schematic structural diagram illustrating another network attack recognition apparatus provided in an embodiment of the present application;
fig. 6 is a schematic device structure diagram of a computer apparatus according to an embodiment of the present invention.
Detailed Description
The contents of the present invention will now be discussed with reference to several exemplary embodiments. It should be understood that these embodiments are discussed only to enable those of ordinary skill in the art to better understand and thus implement the context of the present invention, and are not meant to imply any limitations on the scope of the invention.
As used herein, the term "include" and its variants are to be read as open-ended terms meaning "including, but not limited to". The term "based on" is to be read as "based, at least in part, on". The terms "one embodiment" and "an embodiment" are to be read as "at least one embodiment". The term "another embodiment" is to be read as "at least one other embodiment".
In the attack scenario of an online game, an attacker may generate any type of attack action against a computer system, infrastructure, computer network or personal computer device. For computers and computer networks, the act of destroying, revealing, modifying or disabling software or services, or stealing or accessing data from any computer without authorisation, is considered an attack. Existing network attacks are of many types: a distributed denial-of-service attack can make many computers attack at the same time so that the target can no longer be used normally, and a CC attack uses proxy servers to generate legitimate-looking requests directed at the victim host, achieving DDoS while disguising its origin. Network attack behaviour can be identified in various ways. One is to combine distribution features such as URL requests and response codes to judge malicious-feature attacks among abnormal behaviours, and then intercept the malicious features appearing in common header fields of the requests to configure access control; this can filter some of the more mainstream attack patterns, but existing users lose their connections when the policy takes effect, that is, they are blocked by mistake, and as attackers change their attack means the rate of mistakenly blocked users rises and the operation of the game network is affected. The other is to add a feature packet to the communication protocol between client and server and then identify illegal traffic to configure access control, which increases the number of network packets, reduces the processing capacity of the server, degrades network stability and affects the user's game experience.
In order to solve the problem, the embodiment provides a network attack identification method, as shown in fig. 1, where the method is applied to a server and includes the following steps:
101. Acquiring a source address that has accessed the attacked server.
In this embodiment of the invention, after the function of acquiring the source address accessing the attacked server is enabled, it cannot yet be determined whether the address information accessing the network service is safe. In general, a user client does not access a network service frequently, so the address information accessing the server is relatively safe and its access times are relatively dispersed. The address information may be an IP address, that is, an internet protocol address: a uniform address format provided by the IP protocol that assigns a logical address to every network and every host on the internet so as to shield differences between physical addresses. A connection address provided by the user client to the server is required in the process of accessing the network service, and frequent access to the network service within a short time indicates that the address information is suspected of generating attack behaviour. The address information accessing the attacked server within a preset time is therefore counted, and the frequently accessing address information is taken as a source address suspected of attack, thereby obtaining the source address that has accessed the attacked server.
Specifically, in the process of acquiring the source address that has accessed the attacked server, the user client sends request information to the network server while accessing the network service, such as the address information of the user client, its state information and its request content; each time the network server receives such request information it counts the address information that has accessed the server, and then screens the source address from the address information that has accessed the attacked server.
The execution subject of this embodiment may be an apparatus or device for identifying network attacks, which may be deployed at the server of an online game. After a user client accesses the network service, it cannot be determined whether the user client is safe. To ensure the security of the server, the network attack identification function may be turned on directly to acquire the source address that has accessed the attacked server; alternatively, whether the conditions for a network attack have been reached may be judged from the access data of the game server, and after it is judged that they have been reached, the identification function is turned on and the source address that has accessed the attacked server is obtained from the connection data of the user clients.
102. Acquiring an address list of successful SDK requests, and judging, based on that list, whether the source address exists in it.
In a game development scenario, to facilitate access to the server of an online game, the user client integrates an SDK, that is, a software development kit: a set of development tools that a software developer usually builds for creating application software for a specific software package, software framework, hardware platform, operating system and so on. Using the SDK, the user client communicates with the SDK server and sends it an SDK request carrying connection information. The SDK request corresponds to a function request of the user client in the network service and may be a login request, a payment request or the like. After receiving the connection information, the SDK server verifies the connection information and the user information against a database; once verification passes, the connection information is stored in a session and a session identifier is generated. The SDK server then returns to the user client whether the connection information passed verification, the session identifier and so on, and also forwards this verification information, the session identifier and so on to the user server.
It can be understood that only a user client whose request passes can connect to the network service and use functions such as logging in to the game interface and logging in to the payment interface. The SDK server is responsible for receiving the connection information of each user client and recording whether each user client's SDK request succeeded. A client whose SDK request succeeded shows that the SDK request it sent is valid and that the server corresponding to the user client is a legitimate one; the connection information of the user clients with successful SDK requests is then obtained, and the address information in that connection information forms the address list of successful SDK requests.
A source address may also belong to a user who experiences lag, failure to log in, disconnection and the like while accessing the network service and therefore has to access the network service frequently; such a source address does not generate network attack behaviour. If such source addresses were intercepted directly, the address information of normal users' requests would easily be blocked by mistake and the user's game experience affected.
103. If the source address does not exist in the address list, treating the source address as an abnormal access address and intercepting the access right of the abnormal access address.
In this embodiment of the invention, the address list of successful SDK requests reflects whether the user client really initiated an access request successfully. If the source address is not in the list, the SDK request sent by the client corresponding to that source address did not succeed, meaning the client at that source address has not accessed the server, and the purpose of its repeated access requests is more likely to be network attack behaviour directed at the server. The source address is therefore taken as an abnormal access address and its access right is intercepted.
Compared with the existing approaches that identify network attacks using distribution features or feature packets added to the communication protocol, the network attack identification method obtains the source address that has accessed the attacked server. Because the sample library of suspected attack behaviour is time-sensitive, an attack is determined to have occurred only if the suspected attack continues, and no start instruction is needed when it is determined not to have occurred, so the impact of mistaken blocking on users and operations is reduced.
Further, as a refinement and an extension of the specific implementation of the foregoing embodiment, in order to fully describe the specific implementation process of the present embodiment, the present embodiment provides another network attack identification method, as shown in fig. 2, the method includes:
201. Monitoring the traffic data of the address information accessed by network requests and the resource occupancy rate generated by the network requests.
Whether network attack behaviour against the server is occurring shows in the traffic data of the network service. Under normal conditions a user client accessing the network service does not send connection requests frequently and does not generate a large number of abnormal behaviours; when a user client accesses the network service frequently, network attack behaviour may be occurring, and a start instruction for identifying network attack behaviour is then triggered.
In the embodiment of the present invention, the network server may be specifically connected to the data monitoring system, and the data monitoring system is used to monitor the traffic data of the address information accessed by the network request and the resource occupancy rate generated by the network request.
202. If the traffic data reaches a first preset value and/or the resource occupancy rate reaches a second preset value, acquiring the source address that has accessed the attacked server.
Specifically, when judging whether to trigger the start instruction for identifying network attack behaviour: where traffic increases suddenly and CPU usage rises markedly but the number of real users does not increase, the server is likely to be under network attack. A connection-count threshold and a resource-occupancy threshold can therefore be set for the network server, and when the server's connection count reaches the first preset value and/or the resource occupancy rate reaches the second preset value, the instruction to acquire the source address that has accessed the attacked server is triggered.
For example, if the number of service connections reaches 65535 (the upper limit on the number of server connections) or CPU occupancy reaches 100% (the upper limit on CPU utilisation), online users may experience lag and queued users may be unable to connect to the server, which may indicate network attack behaviour against the server, and the start command for identifying network attack behaviour is triggered.
In a game scenario, an operator provides a network service to the outside so that users can log in and connect to experience the game; a large number of user clients may access the network service at the same time, and as their number grows CPU usage rises markedly and the user count rises with it. If the number of real users does not increase, network attack behaviour may be indicated. In this embodiment of the invention, the traffic of users accessing the network service can be monitored and compared with the actual number of users: if there is a clear discrepancy, network attack behaviour is occurring, the identification function is started and the source address that has accessed the attacked server is obtained. Alternatively, the CPU resources of the network service can be monitored: if CPU usage rises markedly, network attack behaviour is occurring, the identification function is started and the source address that has accessed the attacked server is obtained.
It should be noted that, if the traffic data of the network service does not indicate that the network attack behavior is generated, the identification function of the network attack behavior does not need to be started, and thus the processing resources of the server are saved.
203. And counting the connection information of the attacked server based on the address information of the accessed attacked server.
Specifically, in a network service scenario where user clients request access to a game, the network server is a long-running program that must serve many connection requests of indefinite number and duration. In general, several cooperating servers are needed to raise the carrying capacity, and a dedicated server is set up for each service function, for example a gateway server for the login function, a game server for the game function and a storage server for the storage function, so as to improve the processing capacity of the servers. After the identification function for network attack behaviour is started, the servers of the network service, acting as attacked servers, can therefore accurately acquire the address information of their accesses and count the connection information of the attacked servers, for example the IP address, the access time point, the access duration and other information of the user clients accessing the attacked servers.
204. And screening out address information of which the connection information meets preset conditions from the address information accessed to the attacked server as a source address.
In the embodiment of the present invention, the preset condition may set a limit on the number of accesses formed by the address information, a limit on the access duration formed by the address information, or a limit on the access area formed by the address information; this is not limited here.
In a scenario where a count limit is set for the accesses formed by the address information, the number of accesses that the attacked server received from each address within a preset time may be queried based on the connection information of the attacked server, and the address information whose access count reaches the preset number is then screened out from the address information accessing the attacked server as the source address. For example, the connection information of the attacked server includes 50 IP addresses; 12 of the 50 entries are duplicates of one address, being access requests initiated continuously within 5 s, and the preset value for the access count is 10, that is, the access count of that IP address within 5 s exceeds the preset threshold, so that IP address is screened out as a source address.
For example, the query finds that the IP address 139.59.42.33 accessed 12 times at 14:37 on March 19, and it is determined to be a source address.
205. And acquiring the starting time point of the source address accessed to the attacked server based on the connection information of the attacked server.
An access request initiated by a user client with suspected attack behaviour is generally initiated continuously, so the attacked server can obtain the starting time point at which the source address began accessing it from the recorded connection information, and then perform a deeper judgement on the source address with suspected attack behaviour, taking that starting time point as the start of the suspected attack; in this way the false blocking rate for normal users is reduced.
For example, the query finds that the IP address 139.59.42.33 accessed 12 times at 14:37 on March 19, and the starting time point of the source address accessing the server is 14:37 on March 19.
206. Collecting SDK logs uploaded after the start time point.
In the embodiment of the present invention, the SDK may be used as a software tool kit deployed by an authentication system for logging in a game network, and after the SDK is deployed, in order to facilitate statistics on a function request of an access user client, an SDK server may be configured to collect SDK log data, where the SDK log data may record an access request, success or failure of the access request, access time information, and the like.
In order to save the processing time of the SDK log data, the starting time of the accessed source address of the attacked server can be used as the initial point suspected of generating the attack behavior, the SDK log data before the initial point does not need to be considered, the SDK log data after the initial point are further collected, and the log data generating the attack behavior can be acquired in a more targeted manner.
207. And analyzing the record of the SDK request in the SDK log to obtain an address list of the SDK request success.
The records of SDK requests may include a large number of request records initiated by user clients. A request record that failed cannot access the server, while a request record that passed can; the SDK server stores the relevant information of the user clients whose requests passed in the SDK request success address list, so that whether a user client is a normal user can be further determined according to that list.
In general, after a network attack behaviour occurs, the SDK requests have a peak period. Analysing the records of SDK requests in the log within a period of that request peak (e.g., 10 min, adjustable) makes it possible to determine accurately, in the shortest time, whether a user client is the one initiating the attack, and then to prohibit that user client.
208. And acquiring an address list of which the SDK request is successful, and judging whether the source address exists in the address list or not based on the address list of which the SDK request is successful.
It can be understood that the SDK request success address list may contain the address of every user client that accessed successfully; specifically, the source address needs to be compared with each address recorded in the SDK request success address list, so as to determine whether the source address accessing the attacked server exists in that list.
The embodiment of the invention does not modify the SDK server, only utilizes the result information of the success of the SDK request, does not need to judge the IP access times and the number of IP accounts from the SDK level, but uses the SDK log as an auxiliary data reference to carry out deep identification aiming at the attack behavior of the network game server so as to accurately identify the source address of the attack behavior source.
209. If not, the source address is used as an abnormal access address, and the access authority of the abnormal access address is intercepted.
For a source address that does not exist in the SDK request success address list, the source address has not logged in normally through a user client, and it is therefore intercepted as an abnormal access address.
In order to improve the accuracy of judging the abnormal access address, the distribution area corresponding to the source address accessing the attacked server can be queried before the source address is taken as an abnormal access address and its access authority is intercepted; if the distribution area does not belong to the preset access area, the source address is taken as an abnormal access address and its access authority is intercepted. For example, the geographic position of the IP address is queried, it is then judged whether that geographic position lies in the game area defined by the operator, and if not, the access authority of the IP address is intercepted. Alternatively, the historical connection record of the source address accessing the attacked server can be queried using an open tool platform; if an illegal request exists in the historical connection record, the source address is taken as an abnormal access address and its access authority is intercepted. The open tool platform may be an internationally open platform that collects the connection records of IP addresses in each geographic position; for example, when the historical connection data queried for the IP address shows that an illegal request was connected from that IP address, the access authority of the IP address is intercepted.
Specifically, the access authority of the abnormal access address is intercepted by closing the access authority of the IP address through a firewall or a proxy tool. In addition, in order to save time in subsequent judgements of abnormal access addresses, the result data of each judgement of a source address can be taken as a sample and put into a sample library, so that when any address is analysed later, whether it is an abnormal access address can be judged directly from the result data recorded in the sample library, which further improves the identification efficiency of network attack behaviour.
Specifically, in an actual application scenario of network attack behaviour identification, for a situation in which a suspected attack behaviour is generated in the game network, as shown in fig. 3, the game server first starts the function for identifying network attack behaviour, acquires the IP addresses accessing the attacked server and, at the same time, acquires the IP address list of successful SDK requests. It then calculates whether the access count of an IP address accessing the attacked server is greater than 10 times per second. If so, it determines whether that IP address appears in the IP address list of successful SDK requests; if not, it queries whether the distribution area corresponding to that IP address belongs to a non-operation area, counts whether the distribution area is a non-operation area and accumulates the result for sample analysis. If the area is a non-operation area, the IP address accessing the attacked server is submitted to a firewall or proxy for blocking; otherwise, the procedure exits.
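The pipeline of steps 203 to 209 as drawn in fig. 3, implemented as an added Python example that is not part of the patent. The connection records, the SDK log lines, the thresholds (10 accesses within 5 s), the region table and the iptables rule text are all constructed here for illustration; a real deployment would read the server's own connection log and a geolocation service.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed thresholds: the patent cites "10 accesses within 5 s" as one setting;
# OPERATOR_REGIONS stands in for the "preset access area" of step 209.
ACCESS_THRESHOLD = 10
WINDOW = timedelta(seconds=5)
OPERATOR_REGIONS = {"CN"}

# Constructed stand-in for the distribution-area lookup (addresses are RFC 5737 test ranges).
GEO = {"203.0.113.7": "US", "203.0.113.50": "CN", "198.51.100.4": "CN", "192.0.2.9": "CN"}


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def make_connections():
    """Step 203: connection information recorded by the attacked server (constructed)."""
    base = parse_ts("2020-03-19 14:37:00")
    rows = []
    # 12 connections in under 4 s, never authenticated via the SDK: the attacker case
    rows += [("203.0.113.7", base + timedelta(milliseconds=330 * i)) for i in range(12)]
    # 12 rapid connections without SDK login, but from the operator's own region
    rows += [("203.0.113.50", base + timedelta(seconds=40, milliseconds=300 * i)) for i in range(12)]
    # 11 rapid reconnects from a real player who did log in through the SDK
    rows += [("198.51.100.4", base + timedelta(seconds=20, milliseconds=400 * i)) for i in range(11)]
    # two connections a minute apart: below the threshold, never examined
    rows += [("192.0.2.9", base + timedelta(seconds=1)), ("192.0.2.9", base + timedelta(seconds=60))]
    return rows


# Constructed SDK log, one record per line: "<date> <time> <ip> login <success|fail>".
SDK_LOG = """\
2020-03-19 14:36:10 198.51.100.4 login success
2020-03-19 14:37:05 203.0.113.7 login fail
2020-03-19 14:37:21 198.51.100.4 login success
2020-03-19 14:38:00 192.0.2.9 login success
"""


def select_source_addresses(connections):
    """Steps 204-205: sliding-window count per address. An address whose count inside
    any WINDOW reaches ACCESS_THRESHOLD becomes a source address, keyed to its first
    recorded access (the starting time point)."""
    by_ip = defaultdict(list)
    for ip, ts in connections:
        by_ip[ip].append(ts)
    sources = {}
    for ip, times in by_ip.items():
        times.sort()
        left = 0
        for right, ts in enumerate(times):
            while ts - times[left] > WINDOW:
                left += 1
            if right - left + 1 >= ACCESS_THRESHOLD:
                sources[ip] = times[0]
                break
    return sources


def sdk_success_addresses(log_text, start):
    """Steps 206-207: keep only records uploaded at or after the start time point and
    return the addresses whose SDK request succeeded."""
    ok = set()
    for line in log_text.splitlines():
        date, clock, ip, _, result = line.split()
        if parse_ts(f"{date} {clock}") >= start and result == "success":
            ok.add(ip)
    return ok


def classify(connections, log_text, sample_library):
    """Steps 208-209 as in fig. 3: a source address absent from the SDK success list is
    abnormal only if its distribution area lies outside the operator's regions. Every
    verdict is stored in sample_library so that later runs can reuse it."""
    sources = select_source_addresses(connections)
    if not sources:
        return []
    success = sdk_success_addresses(log_text, min(sources.values()))
    to_block = []
    for ip in sorted(sources):
        if ip in sample_library:
            verdict = sample_library[ip]   # reuse an earlier judgement
        elif ip in success:
            verdict = "normal"             # authenticated through the SDK: a real player
        elif GEO.get(ip) not in OPERATOR_REGIONS:
            verdict = "abnormal"           # not logged in and outside the game area
        else:
            verdict = "unverified"         # fig. 3: exit without blocking
        sample_library[ip] = verdict
        if verdict == "abnormal":
            to_block.append(ip)
    return to_block


def firewall_rules(ips):
    """Step 209: rule text to hand to the firewall (generated here, not executed)."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in ips]
```

Running `classify(make_connections(), SDK_LOG, {})` flags only 203.0.113.7; the flooding real player is cleared by the SDK list, and the unauthenticated in-region address is left unverified as the fig. 3 flow prescribes.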
Further, as a specific implementation of the method in fig. 1 and fig. 2, an embodiment of the present application provides a device for identifying a network attack, and as shown in fig. 4, the device includes: a first acquisition unit 31, a second acquisition unit 32, and an interception unit 33.
A first obtaining unit 31, configured to obtain a source address for accessing an attacked server;
the second obtaining unit 32 may be configured to obtain an address list of successful SDK requests, and determine whether the source address exists in the address list based on the address list of successful SDK requests;
the intercepting unit 33 may be configured to, if the source address does not exist, use the source address as an abnormal access address, and intercept an access right of the abnormal access address.
Compared with the existing approach of identifying a network attack from distribution characteristics or by adding a characteristic packet to the communication protocol, the network attack identification device obtains the source addresses accessing the attacked server. Because the sample library of suspected attack behaviour is time-sensitive, the identification instruction is started only when a suspected attack behaviour is determined to be occurring, namely when the suspected attack continues, and does not need to be started when no suspected attack behaviour is determined, so that the influence of false blocking on users and operations is reduced.
In a specific application scenario, as shown in fig. 5, the apparatus further includes:
a monitoring unit 34, configured to monitor traffic data of address information accessed by a network request and resource occupancy rate generated by the network request before the obtaining of the source address accessing the attacked server;
the first obtaining unit 31 may be specifically configured to obtain a source address of an accessed attacked server if the traffic data reaches a first preset value and/or the resource occupancy rate reaches a second preset value.
In a specific application scenario, as shown in fig. 5, the first obtaining unit 31 includes:
a counting module 311, configured to count connection information of an attacked server based on address information of the attacked server;
the screening module 312 may be configured to screen, from the address information of the accessed attacked server, address information of which the connection information meets a preset condition as a source address.
In a specific application scenario, as shown in fig. 5, the filtering module 312 includes:
the query submodule 3121 may be configured to query, based on the connection information of the attacked server, access times formed by the attacked server for each address information within a preset time;
the screening submodule 3122 may be configured to screen, from the address information of the accessed attacked server, address information whose access times reach a preset number as a source address.
In a specific application scenario, as shown in fig. 5, the second obtaining unit 32 includes:
an obtaining module 321, configured to obtain a starting time point of a source address accessing to the attacked server based on the connection information of the attacked server;
a collecting module 322, which may be configured to collect SDK logs uploaded after the start time point;
the analyzing module 323 may be configured to obtain an address list of successful SDK requests by analyzing records of SDK requests in the SDK log.
In a specific application scenario, as shown in fig. 5, the apparatus further includes:
a first query unit 35, configured to query a distribution area corresponding to a source address accessed to an attacked server before intercepting an access right of the abnormal access address by using the source address as the abnormal access address;
the intercepting unit 33 may be further configured to, if the distribution area does not belong to a preset access area, use the source address as an abnormal access address, and intercept an access right of the abnormal access address.
In a specific application scenario, as shown in fig. 5, the apparatus further includes:
a second query unit 36, configured to query, by using an open tool platform, a historical connection record of a source address accessed by the attacked server before intercepting an access right of the abnormal access address by using the source address as the abnormal access address;
the intercepting unit 33 may be further configured to, if an illegal request exists in the historical connection record, use the source address as an abnormal access address, and intercept an access right of the abnormal access address.
It should be noted that other corresponding descriptions of the functional units related to the network attack recognition apparatus provided in this embodiment may refer to the corresponding descriptions in fig. 1 to fig. 2, and are not described herein again.
Based on the above methods shown in fig. 1-2, correspondingly, the present application further provides a storage medium, on which a computer program is stored, and when the computer program is executed by a processor, the method for identifying a network attack as shown in fig. 1-2 is implemented.
Based on such understanding, the technical solution of the present application may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (which may be a CD-ROM, a usb disk, a removable hard disk, etc.), and includes several instructions for enabling a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the method according to the implementation scenarios of the present application.
Based on the method shown in fig. 1 to fig. 2 and the virtual device embodiment shown in fig. 4 to fig. 5, to achieve the above object, in this embodiment of the present application, an entity device for identifying a network attack is further provided, which may be specifically a computer, a smart phone, a tablet computer, a smart watch, a server, or a network device, and the entity device includes a storage medium and a processor; a storage medium for storing a computer program; a processor for executing a computer program to implement the above network attack identification method as shown in fig. 1-2.
Optionally, the entity device may further include a user interface, a network interface, a camera, a Radio Frequency (RF) circuit, a sensor, an audio circuit, a WI-FI module, and the like. The user interface may include a Display screen (Display), an input unit such as a keypad (Keyboard), etc., and the optional user interface may also include a USB interface, a card reader interface, etc. The network interface may optionally include a standard wired interface, a wireless interface (e.g., WI-FI interface), etc.
In an exemplary embodiment, referring to fig. 6, the entity device 400 includes a communication bus, a processor, a memory and a communication interface, and may further include an input/output interface and a display device, wherein the functional units communicate with each other through the bus. The memory stores computer programs, and the processor executes the programs stored in the memory so as to perform the network attack identification method of the embodiment.
Those skilled in the art will appreciate that the structure of the physical device for identifying a network attack provided by the present embodiment does not constitute a limitation on the physical device, which may include more or fewer components, combine some components, or arrange the components differently.
The storage medium may further include an operating system and a network communication module. The operating system is a program that manages the hardware and software resources of the entity device and supports the operation of the network attack identification program and other software and/or programs. The network communication module is used to realise communication between the components inside the storage medium and other hardware and software in the entity device.
Through the above description of the embodiments, those skilled in the art will clearly understand that the present application can be implemented by software plus a necessary general hardware platform, and can also be implemented by hardware. By applying the technical scheme, compared with the existing mode, the source address is analyzed by utilizing the address list successfully requested by the SDK, if the source address does not exist in the address list, the source address is not logged in an authentication system of the network service, the source address is identified as an abnormal access address, the access authority of the abnormal access address is intercepted, the source address suspected of generating the attack behavior can be accurately identified by judging layer by layer, other programs do not need to be loaded or modified in the communication process, the data processing capacity of the server is improved, and the identification time of the network attack behavior is shortened.
Those skilled in the art will appreciate that the figures are merely schematic representations of one preferred implementation scenario and that the blocks or flow diagrams in the figures are not necessarily required to practice the present application. Those skilled in the art will appreciate that the modules in the devices in the implementation scenario may be distributed in the devices in the implementation scenario according to the description of the implementation scenario, or may be located in one or more devices different from the present implementation scenario with corresponding changes. The modules of the implementation scenario may be combined into one module, or may be further split into multiple sub-modules.
The above application serial numbers are for description purposes only and do not represent the superiority or inferiority of the implementation scenarios. The above disclosure is only a few specific implementation scenarios of the present application, but the present application is not limited thereto, and any variations that can be considered by those skilled in the art are intended to fall within the scope of the present application.

Claims (9)

1. A network attack recognition method is characterized by comprising the following steps:
acquiring a source address accessed to an attacked server;
acquiring an address list of which the SDK request is successful, and judging whether the source address exists in the address list or not based on the address list of which the SDK request is successful, wherein the acquiring of the address list of which the SDK request is successful comprises the following steps: acquiring an initial time point of a source address accessed to the attacked server based on the connection information of the attacked server, collecting SDK logs uploaded after the initial time point, and acquiring an address list of successful SDK requests by analyzing records of the SDK requests in the SDK logs;
if not, the source address is used as an abnormal access address, and the access authority of the abnormal access address is intercepted.
2. The method of claim 1, wherein, before said acquiring a source address accessed to the attacked server, the method further comprises:
monitoring flow data of address information accessed by a network request and resource occupancy rate generated by the network request;
and if the flow data reaches a first preset value and/or the resource occupancy rate reaches a second preset value, acquiring a source address accessed to the attacked server.
3. The method according to claim 1, wherein said acquiring a source address accessed to the attacked server comprises:
counting connection information of an attacked server based on address information of the attacked server;
and screening out address information of which the connection information meets preset conditions from the address information accessed to the attacked server as a source address.
4. The method according to claim 3, wherein the screening out, from the address information of the accessed attacked server, address information whose connection information meets a preset condition as a source address specifically includes:
inquiring the access times of the attacked server aiming at each address information in a preset time based on the connection information of the attacked server;
and screening the address information with the access times reaching a preset value from the address information accessed to the attacked server to serve as a source address.
5. The method according to any of claims 1-4, wherein before said taking the source address as an abnormal access address and intercepting the access right of the abnormal access address, the method further comprises:
inquiring a distribution area corresponding to a source address accessed to an attacked server;
the taking the source address as an abnormal access address and intercepting the access authority of the abnormal access address specifically includes:
and if the distribution area does not belong to a preset access area, taking the source address as an abnormal access address, and intercepting the access authority of the abnormal access address.
6. The method according to any of claims 1-4, wherein before said taking the source address as an abnormal access address and intercepting the access right of the abnormal access address, the method further comprises:
utilizing an open tool platform to inquire the historical connection record of the source address accessed by the attacked server;
the taking the source address as an abnormal access address and intercepting the access authority of the abnormal access address specifically includes:
and if the historical connection records have illegal requests, taking the source address as an abnormal access address, and intercepting the access authority of the abnormal access address.
7. An apparatus for identifying a cyber attack, comprising:
a first obtaining unit, configured to obtain a source address of an accessed attacked server;
a second obtaining unit, configured to obtain an address list of successful SDK requests, and determine whether the source address exists in the address list based on the address list of successful SDK requests, wherein obtaining the address list of successful SDK requests comprises: acquiring an initial time point of a source address accessed to the attacked server based on the connection information of the attacked server, collecting an SDK log uploaded after the initial time point, and acquiring an address list of successful SDK requests by analyzing records of SDK requests in the SDK log;
and the intercepting unit is used for taking the source address as an abnormal access address and intercepting the access authority of the abnormal access address if the source address does not exist.
8. A computer device comprising a memory and a processor, the memory storing a computer program, wherein the processor when executing the computer program implements the steps of the method for identifying a cyber attack according to any one of claims 1 to 6.
9. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the steps of the method for identifying a cyber attack according to any one of claims 1 to 6.
CN202010783202.3A 2020-08-06 2020-08-06 Network attack identification method, device and equipment Active CN111970261B (en)
Publications (2)

Publication Number Publication Date
CN111970261A CN111970261A (en) 2020-11-20
CN111970261B true CN111970261B (en) 2023-04-07