WO2019148714A1 - Ddos attack detection method and apparatus, and computer device and storage medium - Google Patents


Info

Publication number: WO2019148714A1
Authority: WO, WIPO (PCT)
Prior art keywords: access request, ddos attack, request, data access, ddos
Application number: PCT/CN2018/088975
Other languages: French (fr), Chinese (zh)
Inventor: 谭杰
Original Assignee: 平安科技(深圳)有限公司
Application filed by 平安科技(深圳)有限公司
Publication of WO2019148714A1

Classifications

    • H ELECTRICITY
      • H04 ELECTRIC COMMUNICATION TECHNIQUE
        • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
          • H04L 63/00 Network architectures or network communication protocols for network security
            • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
              • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
                • H04L 63/1416 Event detection, e.g. attack signature detection
                • H04L 63/1425 Traffic logging, e.g. anomaly detection
              • H04L 63/1441 Countermeasures against malicious traffic
                • H04L 63/1458 Denial of Service

Abstract

A DDoS attack detection method, comprising: acquiring data access requests during a current time period; counting the number of access requests among the acquired data access requests; when the counted number of access requests is higher than a preset request-number threshold, extracting feature fields from the acquired data access requests; generating, according to the extracted feature fields, access request feature vectors corresponding to the acquired data access requests; and inputting the generated access request feature vectors into a pre-trained DDoS attack detection model to acquire the detection result output by the pre-trained DDoS attack detection model.

Description

DDoS attack detection method, apparatus, computer device and storage medium
Cross-reference to related applications
This application claims priority to Chinese patent application No. 2018100960786, entitled "DDoS attack detection method, apparatus, computer device and storage medium", filed with the Chinese Patent Office on January 31, 2018, the entire contents of which are incorporated herein by reference.
Technical field
The present application relates to a DDoS attack detection method, apparatus, computer device and storage medium.
Background
With the development of network technology, a variety of network security problems have come to the fore. Some websites are vulnerable to DDoS attacks, and a DDoS attack can easily take a website down. For more important websites in particular, being taken down by a DDoS attack can cause unpredictable losses.
However, the inventor has realized that although some network security detection for DDoS attacks exists today, it generally relies on manually preset detection rules to decide whether an access request belongs to a DDoS attack. As network security requirements keep rising and DDoS attack access requests grow in number, the detection accuracy of such manually preset methods for DDoS attack access requests is low.
Summary of the invention
According to various embodiments disclosed in the present application, a DDoS attack detection method, apparatus, computer device and storage medium are provided.
A DDoS attack detection method includes:
acquiring data access requests in the current time period;
counting the number of access requests among the acquired data access requests;
when the counted number of access requests is higher than a preset request-number threshold, extracting feature fields from the acquired data access requests;
generating, according to the extracted feature fields, access request feature vectors corresponding to the acquired data access requests; and
inputting the generated access request feature vectors into a pre-trained DDoS attack detection model and acquiring the detection result output by the pre-trained DDoS attack detection model.
A DDoS attack detection apparatus includes:
an access request acquisition module, configured to acquire data access requests in the current time period;
a request counting module, configured to count the number of access requests among the acquired data access requests;
a feature field extraction module, configured to extract feature fields from the acquired data access requests when the counted number of access requests is higher than a preset request-number threshold;
a feature vector generation module, configured to generate, according to the extracted feature fields, access request feature vectors corresponding to the acquired data access requests; and
a detection result acquisition module, configured to input the generated access request feature vectors into a pre-trained DDoS attack detection model and acquire the detection result output by the pre-trained DDoS attack detection model.
A computer device includes a memory and one or more processors, the memory storing computer-readable instructions which, when executed by the processors, cause the one or more processors to perform the following steps:
acquiring data access requests in the current time period;
counting the number of access requests among the acquired data access requests;
when the counted number of access requests is higher than a preset request-number threshold, extracting feature fields from the acquired data access requests;
generating, according to the extracted feature fields, access request feature vectors corresponding to the acquired data access requests; and
inputting the generated access request feature vectors into a pre-trained DDoS attack detection model and acquiring the detection result output by the pre-trained DDoS attack detection model.
One or more non-volatile storage media storing computer-readable instructions which, when executed by one or more processors, cause the one or more processors to perform the following steps:
acquiring data access requests in the current time period;
counting the number of access requests among the acquired data access requests;
when the counted number of access requests is higher than a preset request-number threshold, extracting feature fields from the acquired data access requests;
generating, according to the extracted feature fields, access request feature vectors corresponding to the acquired data access requests; and
inputting the generated access request feature vectors into a pre-trained DDoS attack detection model and acquiring the detection result output by the pre-trained DDoS attack detection model.
Details of one or more embodiments of the present application are set forth in the drawings and description below. Other features and advantages of the present application will become apparent from the description, the drawings and the claims.
Brief description of the drawings
To illustrate the technical solutions in the embodiments of the present application more clearly, the drawings needed in the embodiments are briefly introduced below. Obviously, the drawings described below show only some embodiments of the present application; a person of ordinary skill in the art can derive other drawings from them without creative effort.
FIG. 1 is an application scenario diagram of a DDoS attack detection method according to one or more embodiments.
FIG. 2 is a schematic flowchart of a DDoS attack detection method according to one or more embodiments.
FIG. 3 is a schematic flowchart of the step of determining an access request feature vector according to one or more embodiments.
FIG. 4 is a schematic flowchart of the step of replacing the DDoS attack detection model according to one or more embodiments.
FIG. 5 is a schematic flowchart of the step of generating the DDoS attack detection model according to one or more embodiments.
FIG. 6 is a schematic flowchart of the step of training the model from classified DDoS attack access requests according to one or more embodiments.
FIG. 7 is a block diagram of a DDoS attack detection apparatus according to one or more embodiments.
FIG. 8 is a block diagram of a DDoS attack detection apparatus in another embodiment.
FIG. 9 is a block diagram of a DDoS attack detection apparatus in yet another embodiment.
FIG. 10 is a block diagram of a computer device according to one or more embodiments.
Detailed description of the embodiments
To make the technical solutions and advantages of the present application clearer, the present application is described in further detail below with reference to the drawings and embodiments. It should be understood that the specific embodiments described here serve only to explain the present application and do not limit it.
The DDoS attack detection method provided by the present application can be applied in the application environment shown in FIG. 1. The terminal 102 communicates with the server 104 over a network. The terminal 102 may be, but is not limited to, any of various personal computers, notebook computers, smartphones, tablet computers and portable wearable devices; the server 104 may be implemented as a stand-alone server or as a server cluster made up of multiple servers.
In one embodiment, as shown in FIG. 2, a DDoS attack detection method is provided. Taking the method as applied to the server in FIG. 1 as an example, it includes the following steps:
S202: acquire the data access requests in the current time period.
Specifically, a terminal connects to the server over the network and sends data access requests to the server over the network in order to access data on the server. The server receives the data access requests sent by each terminal in preset time periods, and in particular receives the data access requests sent by each terminal within the current time period.
S204: count the number of access requests among the acquired data access requests.
Specifically, after acquiring the data access requests sent by each terminal in the current time period, the server counts the number of access requests among the data access requests sent by each terminal in the current time period.
In one embodiment, the server starts counting received data access requests at the start time of the current time period, and the count reached at the end time of the current time period is taken as the number of access requests.
S206: when the counted number of access requests is higher than the preset request-number threshold, extract feature fields from the acquired data access requests.
Specifically, the server compares the counted number of access requests with the preset request-number threshold. When the comparison shows that the counted number of access requests is higher than the preset request-number threshold, the server parses the acquired data access requests and extracts the feature fields from them.
In one embodiment, S206 specifically includes: when the counted number of access requests is higher than the preset request-number threshold, acquiring a feature field table; and extracting, from the acquired data access requests, the feature fields corresponding to the field identifiers in the acquired feature field table.
The feature field table includes the feature field identifiers of the messages in the data access requests, the data types of the feature fields and the feature fields themselves; the feature field identifiers, data types and feature fields are stored in correspondence with one another.
Specifically, the server parses each of the acquired data access requests and extracts the access data from each request. The server reads the feature field identifiers in the feature field table and extracts, from the access data, the feature fields corresponding to the identifiers it has read.
S208: generate, according to the extracted feature fields, the access request feature vectors corresponding to the acquired data access requests.
Specifically, after extracting the feature fields, the server maps each extracted feature field to a numerical value according to the mapping between feature fields and values, and adds the value corresponding to each extracted feature field at the position of that feature field in a preset feature vector, thereby generating the access request feature vector corresponding to the acquired data access request.
S210: input the generated access request feature vectors into the pre-trained DDoS attack detection model and acquire the detection result output by the pre-trained DDoS attack detection model.
A DDoS attack, that is, a Distributed Denial of Service attack, uses client/server techniques to combine multiple terminals into an attack platform that launches a denial-of-service attack against one or more targets, multiplying the attack's power. The attacker installs the DDoS master program on one terminal using a stolen account; at a set time, the terminal running the master program communicates with a large number of terminals on which agent programs have been installed, spread across many computers on the network. On receiving the instruction, the terminals running the agent programs send access requests to the target to launch the attack. With client/server techniques, the master program can activate hundreds or thousands of agent programs within seconds.
DDoS attack types specifically include SYN flood attacks, ICMP flood attacks, UDP flood attacks and LAND attacks.
A SYN flood attack exploits TCP's three-way handshake: the attacking side sends requests to the attacked side using forged IP addresses, so the response messages sent by the attacked side can never reach their destination, and the attacked side consumes resources while waiting to close each such connection. With thousands of such connections, the host's resources are exhausted, which is the purpose of the attack.
An ICMP flood attack is a method of attacking with ICMP messages. If an attacker sends a large number of ICMP ECHO messages to the target host, an ICMP flood results: the target host spends a great deal of time and resources processing the ICMP ECHO messages and cannot process normal requests or responses, which achieves the attack on the target host.
A UDP flood attack works on the same principle as an ICMP flood: the attacker sends a large number of UDP messages to the target host, which is then kept busy processing them and cannot process normal message requests or responses.
A LAND attack exploits the three-way handshake of TCP connection establishment and attacks a target host by sending it a TCP SYN message requesting a connection. Unlike a normal TCP SYN message, the LAND attack message has identical source and destination IP addresses, both being the IP address of the target host. On receiving this SYN message, the target host sends an ACK message to the message's source address and sets up a TCP connection control structure, but the source address is its own. Because the destination and source IP addresses are the same, namely the target host's IP address, the ACK message is delivered to the target host itself.
Specifically, the server inputs the generated access request feature vectors into the pre-trained DDoS attack detection model, processes the generated feature vectors with that model, and acquires the detection result output by the pre-trained DDoS attack detection model.
In one embodiment, after S210 the method further includes: if the detection result indicates that a data access request is a DDoS attack access request, discarding that data access request; if the detection result indicates that the data access request is a normal access request, allowing it.
In this embodiment, the number of access requests counted for the data access requests in the current time period is compared with the preset request-number threshold as a first detection. When the counted number of access requests is higher than the preset request-number threshold, a DDoS attack is provisionally suspected and a second detection is needed: the feature fields are extracted from the acquired data access requests, the feature vectors corresponding to the data access requests are generated from the feature fields, and the feature vectors are input into the pre-trained DDoS attack detection model to obtain the detection result. Using the pre-trained DDoS attack detection model in the second detection improves the accuracy of the second detection, and combining the two detections improves the overall detection accuracy for DDoS attack access requests.
In one embodiment, as shown in FIG. 3, S208 specifically further includes the step of determining the access request feature vector, which specifically includes the following:
S302: identify the field type of the extracted feature field.
Specifically, after extracting a feature field, the server identifies whether the extracted feature field is a number or a string. If the extracted feature field is identified as a number, it is determined to be of numeric type; if it is identified as a string, it is determined to be of Boolean type.
S304: determine the value corresponding to the extracted feature field according to the value determination method corresponding to the identified field type.
Specifically, different field types have different value determination methods. If the server identifies the field type of the extracted feature field as numeric, the identified number is used directly as the value corresponding to the feature field. If the server identifies the field type as Boolean, it looks up the correspondence between strings and values for the feature field identifier of the extracted feature field, and maps the identified string to the corresponding value according to that correspondence.
S306: determine, according to the values corresponding to the extracted feature fields, the access request feature vector corresponding to the acquired data access request.
Specifically, the server stores a preset feature vector in which each value corresponds one-to-one to a feature field in the feature field table. The server adds the value corresponding to each extracted feature field at the corresponding position in the preset feature vector to obtain the access request feature vector corresponding to the acquired data access request.
In this embodiment, the extracted feature fields are converted into the access request feature vector corresponding to the data access request according to the value determination method for each feature field's field type, and the data access request is detected by means of the access request feature vector, which improves the detection accuracy for data access requests.
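The two-stage pipeline of S202 to S210 together with the type-based value rules of S302 to S306, as an added Python example that is not the applicant's code: the field identifiers, the threshold values, the sample window and the rule-based stand-in for the pre-trained model are constructed assumptions, since the patent specifies none of them.

```python
"""Two-stage DDoS detection in the shape of the patent's steps S202-S210
and S302-S306.  Added example; not the applicant's code.  Field names,
thresholds and the stand-in model are constructed assumptions."""
from typing import Callable, Dict, List, Optional, Tuple

Request = Dict[str, str]                 # one parsed data access request
FeatureVector = List[float]
Model = Callable[[FeatureVector], str]   # returns "attack" or "normal"

# Preset request-number threshold for the first stage (S206). Constructed.
REQUEST_THRESHOLD = 5

# Feature field table (S206): field identifiers in vector order, each with
# the string -> value correspondence used for string ("Boolean-type")
# fields in S304.  Numeric fields need no mapping.  The identifiers are
# hypothetical; the patent does not name any concrete field.
FEATURE_FIELD_TABLE: List[Tuple[str, Dict[str, float]]] = [
    ("packet_length", {}),
    ("ttl", {}),
    ("syn_only", {"false": 0.0, "true": 1.0}),
    ("src_equals_dst", {"false": 0.0, "true": 1.0}),
]


def field_to_value(field_id: str, raw: str,
                   table=FEATURE_FIELD_TABLE) -> Optional[float]:
    """S302/S304: identify the field type from the raw text and apply the
    matching value rule.  Returns None when a string has no known mapping,
    so the caller keeps the preset vector's default for that slot."""
    try:
        return float(raw)                  # numeric type: use the number as-is
    except ValueError:
        pass
    mapping = dict(table)[field_id]        # Boolean type: per-field lookup
    return mapping.get(raw.lower())


def build_feature_vector(request: Request,
                         table=FEATURE_FIELD_TABLE) -> FeatureVector:
    """S208/S306: start from the preset vector (one slot per table entry,
    default 0.0) and write each extracted field's value into its slot."""
    vector = [0.0] * len(table)
    for i, (field_id, _) in enumerate(table):
        if field_id not in request:        # field absent: keep preset default
            continue
        value = field_to_value(field_id, request[field_id], table)
        if value is not None:
            vector[i] = value
    return vector


def stand_in_model(vector: FeatureVector) -> str:
    """Placeholder for the pre-trained DDoS detection model, which the
    patent does not specify.  Two hand-written rules that mirror the
    attack descriptions in the text: a LAND-style request whose source
    equals its destination, or a tiny SYN-only request."""
    packet_length, _ttl, syn_only, src_equals_dst = vector
    if src_equals_dst == 1.0:
        return "attack"
    if syn_only == 1.0 and packet_length < 60:
        return "attack"
    return "normal"


def detect(requests: List[Request], model: Model = stand_in_model,
           threshold: int = REQUEST_THRESHOLD) -> Dict[str, object]:
    """S202-S210 for one time window.  Stage 1 counts; only when the count
    is higher than the threshold does stage 2 build vectors and run the
    model.  Decisions follow the text: drop attack requests, allow normal."""
    count = len(requests)                  # S204
    if count <= threshold:                 # S206 fires only when strictly higher
        return {"stage": 1, "count": count,
                "decisions": ["allow"] * count}
    decisions = []
    for request in requests:               # S206-S210
        label = model(build_feature_vector(request))
        decisions.append("drop" if label == "attack" else "allow")
    return {"stage": 2, "count": count, "decisions": decisions}


# Constructed sample window: six parsed requests, three of them suspicious.
SAMPLE_WINDOW: List[Request] = [
    {"packet_length": "512", "ttl": "64", "syn_only": "false", "src_equals_dst": "false"},
    {"packet_length": "40", "ttl": "128", "syn_only": "true", "src_equals_dst": "false"},
    {"packet_length": "40", "ttl": "128", "syn_only": "true", "src_equals_dst": "false"},
    {"packet_length": "60", "ttl": "255", "syn_only": "true", "src_equals_dst": "true"},
    {"packet_length": "1200", "ttl": "64", "syn_only": "false"},  # field missing
    {"packet_length": "40", "ttl": "128", "syn_only": "yes", "src_equals_dst": "false"},
]

if __name__ == "__main__":
    print(detect(SAMPLE_WINDOW))
```

With the full six-request window the count exceeds the threshold and the second stage drops the three suspicious requests; with only the first five requests the window stays at stage 1 and everything is allowed, which is the behaviour the patent describes for a quiet period.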
In one embodiment, as shown in FIG. 4, after S210 the method specifically further includes the step of replacing the DDoS attack detection model, which specifically includes the following:
S402: determine, according to the detection result, the data access requests corresponding to each DDoS attack type.
Specifically, the detection result includes the DDoS attack type detected for each data access request. The server classifies the data access requests according to the DDoS attack type that the detection result identifies for each of them, and determines the data access requests corresponding to each DDoS attack type.
In one embodiment, S402 specifically includes: counting, according to the detection result, the number of attack requests among the DDoS attack access requests; and, when the counted number of attack requests is greater than a preset attack-request threshold, classifying the DDoS attack access requests by DDoS attack request type according to the detection result.
Specifically, the server obtains from the detection result the data access requests judged to be DDoS attack access requests, counts them to obtain the number of attack requests, and compares that number with the preset attack-request threshold. When the counted number of attack requests is greater than the preset attack-request threshold, the server classifies the DDoS attack access requests according to the DDoS attack request type that the detection result gives for each one, obtaining the DDoS attack access requests corresponding to each DDoS attack request type.
S404: retrain the DDoS attack detection model using the data access requests corresponding to the determined DDoS attack request types as training sample data.
Specifically, after classifying the data access requests by DDoS attack type, the server retrains the DDoS attack detection model using the data access requests corresponding to each DDoS attack type as input and the DDoS attack type as output, obtaining a retrained DDoS attack detection model.
S406: replace the pre-trained DDoS attack detection model with the retrained DDoS attack detection model.
Specifically, the server replaces the pre-trained DDoS attack detection model with the retrained DDoS attack detection model. The server then acquires the terminals' data access requests again, inputs the acquired data access requests into the retrained DDoS attack detection model, and uses the retrained model to detect them and obtain the detection result.
In one embodiment, when the server determines from the detection result that a data access request is a DDoS attack access request, it discards that data access request; when it determines from the detection result that a data access request is not a DDoS attack access request, it allows the access.
In this embodiment, the DDoS attack access requests are classified according to the DDoS attack types in the detection result, the DDoS attack detection model is retrained from the classified DDoS attack access requests, and the pre-trained DDoS attack detection model is replaced with the retrained one, updating the DDoS attack detection model and improving its detection accuracy.
In one embodiment, as shown in FIG. 5, the DDoS attack detection method further includes a step of generating the DDoS attack detection model, which specifically includes the following:
S502: Acquire a model training instruction.
Specifically, when the terminal detects that the model training button on the model training page has been clicked, it triggers a model training instruction and sends it to the server. The server receives the model training instruction sent by the terminal. The model training instruction instructs the server to start training the DDoS attack detection model.
S504: Invoke a DDoS attack program according to the model training instruction to generate DDoS attack access requests in batch.
The DDoS attack program runs on the server and is used to generate simulated DDoS attack access requests in batch.
Specifically, after receiving the model training instruction, the server triggers a call instruction for the DDoS attack program and, according to that call instruction, invokes the DDoS attack program to generate DDoS attack access requests in batch. The generated requests may include DDoS attack access requests of various DDoS attack types.
S506: Train the DDoS attack detection model using the batch-generated DDoS attack access requests as training sample data, obtaining the pre-trained DDoS attack detection model.
Specifically, the server uses the batch-generated DDoS attack access requests as training sample data. For each DDoS attack access request in the training sample data, the server extracts feature fields from the request according to the feature field table and builds the access request feature vector corresponding to that request from the extracted feature fields, thereby obtaining an access request feature vector for every DDoS attack access request. The server then trains the DDoS attack detection model with the access request feature vector of each DDoS attack access request as input and the label identifying the request as a DDoS attack access request as output.
In this embodiment, generating DDoS attack access requests in batch by invoking the DDoS attack program saves the time that collecting real DDoS attack access requests would cost; the batch-generated requests can be used directly as training sample data to train the DDoS attack detection model, which speeds up generation of the model.
In one embodiment, as shown in FIG. 6, S506 specifically includes a step of training the model on the classified DDoS attack access requests, which specifically includes the following:
S602: Classify the batch-generated DDoS attack access requests by DDoS attack request type, obtaining the DDoS attack access requests corresponding to each DDoS attack request type.
Specifically, the batch-generated DDoS attack access requests include requests of various DDoS attack types. The server classifies them by DDoS attack type and obtains the DDoS attack access requests corresponding to each type.
S604: Train with the classified DDoS attack access requests as input and the DDoS attack request type corresponding to each classified request as output, obtaining the pre-trained DDoS attack detection model.
Specifically, the server takes the DDoS attack access requests in each DDoS attack type class as input and the DDoS attack type of each input request as output, and obtains the pre-trained DDoS attack detection model through training.
The detection result output by the pre-trained DDoS attack detection model may include the DDoS attack type corresponding to the data access request.
In this embodiment, the pre-trained DDoS attack detection model can be used to detect whether a data access request is a DDoS attack access request and, if it is, which DDoS attack type it belongs to, so that data access requests are detected more accurately.
It should be understood that although the steps in the flowcharts of FIGS. 1 to 6 are shown in sequence as indicated by the arrows, they are not necessarily executed in that order. Unless explicitly stated herein, there is no strict ordering constraint on these steps, and they may be executed in other orders. Moreover, at least some of the steps in FIGS. 1 to 6 may include multiple sub-steps or stages, which need not be completed at the same moment but may be executed at different moments, and their order of execution need not be sequential; they may be executed in turn or alternately with at least part of other steps or of the sub-steps or stages of other steps.
In one embodiment, as shown in FIG. 7, a DDoS attack detection apparatus 700 is provided, including an access request acquisition module 702, a request count statistics module 704, a feature field extraction module 706, a feature vector generation module 708 and a detection result acquisition module 710:
The access request acquisition module 702 is configured to acquire the data access requests within the current time period.
The request count statistics module 704 is configured to count the number of access requests among the acquired data access requests.
The feature field extraction module 706 is configured to extract feature fields from the acquired data access requests when the counted number of access requests is higher than a preset request count threshold.
The feature vector generation module 708 is configured to generate the access request feature vectors corresponding to the acquired data access requests from the extracted feature fields.
The detection result acquisition module 710 is configured to input the generated access request feature vectors into the pre-trained DDoS attack detection model and obtain the detection result output by the pre-trained DDoS attack detection model.
In this embodiment, the number of data access requests counted within the current time period is compared with the preset request count threshold as a first detection. When the counted number of access requests is higher than the preset request count threshold, it is preliminarily judged that a DDoS attack may be under way and a second detection is needed: the feature fields are extracted from the acquired data access requests, the feature vectors corresponding to the acquired requests are generated from the feature fields, and the feature vectors are input into the pre-trained DDoS attack detection model for detection, yielding the detection result. The second detection uses the pre-trained DDoS attack detection model to examine the access requests, which improves the accuracy of the second detection. Combining the two detections improves the overall detection accuracy for DDoS attack access requests.
In one embodiment, the feature field extraction module 706 is further configured to acquire the feature field table when the counted number of access requests is higher than the preset request count threshold, and to extract from the acquired data access requests the feature fields corresponding to the field identifiers in the acquired feature field table.
In one embodiment, the feature vector generation module 708 is further configured to identify the field type of each extracted feature field, determine the value corresponding to the extracted feature field by the value determination method associated with the identified field type, and determine the access request feature vector corresponding to the acquired data access request from the values of the extracted feature fields.
In one embodiment, as shown in FIG. 8, the DDoS attack detection apparatus 700 further includes an access request classification module 712, a model retraining module 714 and a detection model replacement module 716:
The access request classification module 712 is configured to determine, according to the detection result, the data access requests corresponding to each DDoS attack type.
The model retraining module 714 is configured to retrain the DDoS attack detection model using the data access requests corresponding to the determined DDoS attack request types as training sample data.
The detection model replacement module 716 is configured to replace the pre-trained DDoS attack detection model with the retrained DDoS attack detection model.
In this embodiment, the DDoS attack access requests are classified according to the DDoS attack types contained in the detection result, the DDoS attack detection model is retrained on the classified DDoS attack access requests, and the pre-trained DDoS attack detection model is replaced with the retrained one. The DDoS attack detection model is thereby updated and its detection accuracy improves.
In one embodiment, the access request classification module 712 is further configured to count, according to the detection result, the number of attack requests among the DDoS attack access requests and, when the counted number of attack requests is greater than a preset attack request threshold, to classify the DDoS attack access requests by DDoS attack request type according to the detection result.
In one embodiment, as shown in FIG. 9, the DDoS attack detection apparatus 700 further includes a training instruction acquisition module 718, a request batch generation module 720 and a detection model training module 722:
The training instruction acquisition module 718 is configured to acquire a model training instruction.
The request batch generation module 720 is configured to invoke the DDoS attack program according to the model training instruction to generate DDoS attack access requests in batch.
The detection model training module 722 is configured to train the DDoS attack detection model using the batch-generated DDoS attack access requests as training sample data, obtaining the pre-trained DDoS attack detection model.
In this embodiment, generating DDoS attack access requests in batch by invoking the DDoS attack program saves the time that collecting real DDoS attack access requests would cost; the batch-generated requests can be used directly as training sample data to train the DDoS attack detection model, which speeds up generation of the model.
In one embodiment, the detection model training module 722 is further configured to classify the batch-generated DDoS attack access requests by DDoS attack request type, obtaining the DDoS attack access requests corresponding to each type, and to train with the classified DDoS attack access requests as input and the DDoS attack request type corresponding to each classified request as output, obtaining the pre-trained DDoS attack detection model.
In this embodiment, the pre-trained DDoS attack detection model can be used to detect whether a data access request is a DDoS attack access request and, if it is, which DDoS attack type it belongs to, so that data access requests are detected more accurately.
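The following is an added worked example, not code from the applicant or this patent, that ties together the pieces described above: the feature field table and per-field-type value determination (modules 706 and 708), training on batch-generated attack requests labelled by attack type (modules 720 and 722, steps S602 to S604), the two-stage detection with a request count gate followed by the model (modules 702 to 710), and retraining on detected attack requests once their number exceeds an attack request threshold (modules 712 to 716). The field names, the three traffic classes, the constructed sample traffic that stands in for the "DDoS attack program", and the nearest-centroid classifier are all assumptions made for this example; the patent does not specify a model type or feature set.

```python
"""Added example: two-stage DDoS detection with type-labelled training and
retraining.  Field names, traffic classes, the sample generator and the
nearest-centroid model are assumptions, not the applicant's design."""
from __future__ import annotations

import math
import random
from collections import Counter, defaultdict

# Feature field table (constructed): field identifier -> field type.  The
# field type selects the value determination method used for that field.
FEATURE_FIELD_TABLE = {
    "method": "categorical",
    "user_agent": "length",
    "content_length": "numeric",
    "interval_ms": "numeric",      # time since the source's previous request
    "header_count": "numeric",
}
CATEGORY_VALUES = {"method": ["GET", "POST", "HEAD"]}


def field_value(field_id: str, field_type: str, raw) -> float:
    """Value determination method chosen by field type."""
    if field_type == "numeric":
        return float(raw or 0)
    if field_type == "length":
        return float(len(raw or ""))
    if field_type == "categorical":
        known = CATEGORY_VALUES[field_id]
        return float(known.index(raw)) if raw in known else float(len(known))
    raise ValueError(f"unknown field type {field_type!r}")


def feature_vector(request: dict) -> list[float]:
    """Extract the fields named in the table and convert them to a vector."""
    return [field_value(f, t, request.get(f)) for f, t in FEATURE_FIELD_TABLE.items()]


def generate_requests(kind: str, n: int, seed: int = 0) -> list[dict]:
    """Constructed stand-in for the attack program: n requests of one kind."""
    rng = random.Random(seed)
    out = []
    for _ in range(n):
        if kind == "normal":
            r = {"method": rng.choice(["GET", "POST"]),
                 "user_agent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/115.0",
                 "content_length": rng.randint(0, 800),
                 "interval_ms": rng.randint(500, 5000),
                 "header_count": rng.randint(8, 14)}
        elif kind == "http_get_flood":
            r = {"method": "GET", "user_agent": "", "content_length": 0,
                 "interval_ms": rng.randint(1, 20), "header_count": rng.randint(2, 4)}
        elif kind == "http_post_flood":
            r = {"method": "POST", "user_agent": "python-requests/2.31",
                 "content_length": rng.randint(50_000, 200_000),
                 "interval_ms": rng.randint(1, 30), "header_count": rng.randint(3, 5)}
        else:
            raise ValueError(kind)
        out.append(r)
    return out


class CentroidModel:
    """Minimal classifier: nearest class centroid after per-dimension scaling."""

    def __init__(self, centroids: dict, scale: list[float]):
        self.centroids, self.scale = centroids, scale

    @classmethod
    def train(cls, samples: list[tuple[dict, str]]) -> "CentroidModel":
        by_label = defaultdict(list)
        for req, label in samples:
            by_label[label].append(feature_vector(req))
        vecs = [v for vs in by_label.values() for v in vs]
        dims = len(vecs[0])
        # scale each dimension so large-valued fields do not dominate distances
        scale = [max(1.0, max(abs(v[i]) for v in vecs)) for i in range(dims)]
        centroids = {lab: [sum(v[i] for v in vs) / len(vs) for i in range(dims)]
                     for lab, vs in by_label.items()}
        return cls(centroids, scale)

    def predict(self, request: dict) -> str:
        v = feature_vector(request)

        def dist(label):
            return math.sqrt(sum(((a - b) / s) ** 2
                                 for a, b, s in zip(v, self.centroids[label], self.scale)))
        return min(self.centroids, key=dist)


class TwoStageDetector:
    def __init__(self, base_samples, request_threshold: int, attack_threshold: int):
        self.base_samples = list(base_samples)
        self.model = CentroidModel.train(self.base_samples)
        self.request_threshold = request_threshold
        self.attack_threshold = attack_threshold

    def detect(self, window: list[dict]) -> Counter | None:
        """Stage 1: request count gate.  Stage 2: model on every request.
        Returns per-type counts, or None when the gate did not fire."""
        if len(window) <= self.request_threshold:
            return None
        labels = [self.model.predict(r) for r in window]
        attacks = [(r, lab) for r, lab in zip(window, labels) if lab != "normal"]
        # Enough type-labelled detections: retrain and swap the model in place.
        if len(attacks) > self.attack_threshold:
            self.model = CentroidModel.train(self.base_samples + attacks)
        return Counter(labels)
```

Two points a practitioner should keep in mind when building on this design. First, the count gate means requests in a window that stays below the request count threshold are never shown to the model, so the threshold has to sit above legitimate traffic peaks and low-rate attacks will pass the first stage unexamined. Second, a model trained only on traffic emitted by one attack program learns that program's fingerprint (here: empty user agent, tiny inter-request interval, few headers); retraining on the model's own detections, as the retraining step does, reinforces whatever it already believes, so the training set should be checked against captured real traffic before the replacement model goes live.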
For the specific limitations of the DDoS attack detection apparatus, reference may be made to the limitations of the DDoS attack detection method above, which are not repeated here. Each module of the above DDoS attack detection apparatus may be implemented in whole or in part by software, hardware or a combination of the two. The modules may be embedded in hardware form in, or independent of, the processor of a computer device, or stored in software form in the memory of the computer device, so that the processor can invoke and execute the operations corresponding to each module.
In one embodiment, a computer device is provided, which may be a server and whose internal structure may be as shown in FIG. 10. The computer device includes a processor, a memory, a network interface and a database connected by a system bus. The processor provides computing and control capabilities. The memory includes a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system, computer-readable instructions and a database. The internal memory provides the environment in which the operating system and the computer-readable instructions in the non-volatile storage medium run. The database of the computer device stores the feature field table. The network interface communicates with external terminals over a network connection. When executed by the processor, the computer-readable instructions implement a DDoS attack detection method.
Those skilled in the art will understand that the structure shown in FIG. 10 is merely a block diagram of the part of the structure relevant to the solution of the present application and does not limit the computer device to which the solution is applied; a specific computer device may include more or fewer components than shown, combine certain components, or arrange the components differently.
In one embodiment, a computer device is provided, including a memory and one or more processors, the memory storing computer-readable instructions which, when executed by the processors, cause the one or more processors to perform the following steps: acquiring the data access requests within the current time period; counting the number of access requests among the acquired data access requests; when the counted number of access requests is higher than a preset request count threshold, extracting feature fields from the acquired data access requests; generating the access request feature vectors corresponding to the acquired data access requests from the extracted feature fields; and inputting the generated access request feature vectors into the pre-trained DDoS attack detection model and obtaining the detection result output by the pre-trained DDoS attack detection model.
In one embodiment, extracting feature fields from the acquired data access requests when the counted number of access requests is higher than the preset request count threshold includes: acquiring the feature field table when the counted number of access requests is higher than the preset request count threshold; and extracting, from the acquired data access requests, the feature fields corresponding to the field identifiers in the acquired feature field table.
In one embodiment, generating the access request feature vectors corresponding to the acquired data access requests from the extracted feature fields includes: identifying the field type of each extracted feature field; determining the value corresponding to the extracted feature field by the value determination method associated with the identified field type; and determining the access request feature vector corresponding to the acquired data access request from the values of the extracted feature fields.
In one embodiment, after the generated access request feature vectors are input into the pre-trained DDoS attack detection model and the detection result output by it is obtained, the processor, when executing the computer-readable instructions, further performs the following steps: determining, according to the detection result, the data access requests corresponding to each DDoS attack type; retraining the DDoS attack detection model using the data access requests corresponding to the determined DDoS attack request types as training sample data; and replacing the pre-trained DDoS attack detection model with the retrained DDoS attack detection model.
In one embodiment, determining the data access requests corresponding to each DDoS attack type according to the detection result includes: counting, according to the detection result, the number of attack requests among the DDoS attack access requests; and, when the counted number of attack requests is greater than a preset attack request threshold, classifying the DDoS attack access requests by DDoS attack request type according to the detection result.
In one embodiment, during generation of the pre-trained DDoS attack detection model, the processor, when executing the computer-readable instructions, further performs the following steps: acquiring a model training instruction; invoking a DDoS attack program according to the model training instruction to generate DDoS attack access requests in batch; and training the DDoS attack detection model using the batch-generated DDoS attack access requests as training sample data, obtaining the pre-trained DDoS attack detection model.
In one embodiment, training the DDoS attack detection model using the batch-generated DDoS attack access requests as training sample data to obtain the pre-trained DDoS attack detection model includes: classifying the batch-generated DDoS attack access requests by DDoS attack request type, obtaining the DDoS attack access requests corresponding to each type; and training with the classified DDoS attack access requests as input and the DDoS attack request type corresponding to each classified request as output, obtaining the pre-trained DDoS attack detection model.
In this embodiment, the number of data access requests counted within the current time period is compared with the preset request count threshold as a first detection. When the counted number of access requests is higher than the preset request count threshold, it is preliminarily judged that a DDoS attack may be under way and a second detection is needed: the feature fields are extracted from the acquired data access requests, the feature vectors corresponding to the acquired requests are generated from the feature fields, and the feature vectors are input into the pre-trained DDoS attack detection model for detection, yielding the detection result. The second detection uses the pre-trained DDoS attack detection model to examine the access requests, which improves the accuracy of the second detection. Combining the two detections improves the overall detection accuracy for DDoS attack access requests.
In one embodiment, one or more non-volatile storage media storing computer-readable instructions are provided which, when executed by one or more processors, cause the one or more processors to perform the following steps: acquiring the data access requests within the current time period; counting the number of access requests among the acquired data access requests; when the counted number of access requests is higher than a preset request count threshold, extracting feature fields from the acquired data access requests; generating the access request feature vectors corresponding to the acquired data access requests from the extracted feature fields; and inputting the generated access request feature vectors into the pre-trained DDoS attack detection model and obtaining the detection result output by the pre-trained DDoS attack detection model.
In one embodiment, extracting feature fields from the acquired data access requests when the counted number of access requests is higher than the preset request count threshold includes: acquiring the feature field table when the counted number of access requests is higher than the preset request count threshold; and extracting, from the acquired data access requests, the feature fields corresponding to the field identifiers in the acquired feature field table.
In one embodiment, generating the access request feature vectors corresponding to the acquired data access requests from the extracted feature fields includes: identifying the field type of each extracted feature field; determining the value corresponding to the extracted feature field by the value determination method associated with the identified field type; and determining the access request feature vector corresponding to the acquired data access request from the values of the extracted feature fields.
In one embodiment, after the generated access request feature vectors are input into the pre-trained DDoS attack detection model and the detection result output by it is obtained, the computer-readable instructions, when executed by the processor, further implement the following steps: determining, according to the detection result, the data access requests corresponding to each DDoS attack type; retraining the DDoS attack detection model using the data access requests corresponding to the determined DDoS attack request types as training sample data; and replacing the pre-trained DDoS attack detection model with the retrained DDoS attack detection model.
In one embodiment, determining the data access requests corresponding to each DDoS attack type according to the detection result includes: counting, according to the detection result, the number of attack requests among the DDoS attack access requests; and, when the counted number of attack requests is greater than a preset attack request threshold, classifying the DDoS attack access requests by DDoS attack request type according to the detection result.
In one embodiment, during generation of the pre-trained DDoS attack detection model, the computer-readable instructions, when executed by the processor, further implement the following steps: acquiring a model training instruction; invoking a DDoS attack program according to the model training instruction to generate DDoS attack access requests in batch; and training the DDoS attack detection model using the batch-generated DDoS attack access requests as training sample data, obtaining the pre-trained DDoS attack detection model.
In one embodiment, training the DDoS attack detection model using the batch-generated DDoS attack access requests as training sample data to obtain the pre-trained DDoS attack detection model includes: classifying the batch-generated DDoS attack access requests by DDoS attack request type, obtaining the DDoS attack access requests corresponding to each type; and training with the classified DDoS attack access requests as input and the DDoS attack request type corresponding to each classified request as output, obtaining the pre-trained DDoS attack detection model.
In this embodiment, the number of data access requests counted within the current time period is compared with the preset request count threshold as a first detection. When the counted number of access requests is higher than the preset request count threshold, it is preliminarily judged that a DDoS attack may be under way and a second detection is needed: the feature fields are extracted from the acquired data access requests, the feature vectors corresponding to the acquired requests are generated from the feature fields, and the feature vectors are input into the pre-trained DDoS attack detection model for detection, yielding the detection result. The second detection uses the pre-trained DDoS attack detection model to examine the access requests, which improves the accuracy of the second detection. Combining the two detections improves the overall detection accuracy for DDoS attack access requests.
Those of ordinary skill in the art will understand that all or part of the flow of the methods in the above embodiments can be completed by computer-readable instructions directing the relevant hardware; the computer-readable instructions may be stored in a non-volatile computer-readable storage medium and, when executed, may include the flow of the embodiments of the methods described above. Any reference to memory, storage, a database or other medium in the embodiments provided in this application may include non-volatile and/or volatile memory. Non-volatile memory may include read-only memory (ROM), programmable ROM (PROM), electrically programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM) or flash memory. Volatile memory may include random access memory (RAM) or external cache memory. By way of illustration and not limitation, RAM is available in many forms, such as static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDR SDRAM), enhanced SDRAM (ESDRAM), Synchlink DRAM (SLDRAM), Rambus direct RAM (RDRAM), direct Rambus dynamic RAM (DRDRAM) and Rambus dynamic RAM (RDRAM).
The technical features of the above embodiments may be combined arbitrarily. For brevity, not all possible combinations of the technical features in the above embodiments are described; however, as long as there is no contradiction in a combination of these technical features, it should be regarded as within the scope of this specification.
The above embodiments express only several implementations of the present application and are described in relative detail, but they are not to be construed as limiting the scope of the patent. It should be noted that those of ordinary skill in the art can make a number of variations and improvements without departing from the concept of the present application, all of which fall within its scope of protection. Therefore, the scope of protection of this patent application shall be determined by the appended claims.

Claims (20)

  1. A DDoS attack detection method, comprising:
    obtaining data access requests within a current time period;
    counting the number of access requests among the obtained data access requests;
    when the counted number of access requests exceeds a preset request-count threshold, extracting feature fields from the obtained data access requests;
    generating, from the extracted feature fields, an access request feature vector corresponding to the obtained data access requests; and
    inputting the generated access request feature vector into a pre-trained DDoS attack detection model and obtaining the detection result output by the pre-trained DDoS attack detection model.
  2. The method according to claim 1, wherein extracting feature fields from the obtained data access requests when the counted number of access requests exceeds the preset request-count threshold comprises:
    when the counted number of access requests exceeds the preset request-count threshold, obtaining a feature field table; and
    extracting, from the obtained data access requests, the feature fields corresponding to the field identifiers in the obtained feature field table.
  3. The method according to claim 2, wherein generating, from the extracted feature fields, the access request feature vector corresponding to the obtained data access requests comprises:
    identifying the field type of each extracted feature field;
    determining the value corresponding to each extracted feature field according to the value-determination method associated with the identified field type; and
    determining the access request feature vector corresponding to the obtained data access requests from the values corresponding to the extracted feature fields.
  4. The method according to claim 1, wherein, after inputting the generated access request feature vector into the pre-trained DDoS attack detection model and obtaining the detection result output by the pre-trained DDoS attack detection model, the method further comprises:
    determining, from the detection result, the data access requests corresponding to a DDoS attack type;
    retraining the DDoS attack detection model using the data access requests corresponding to the determined DDoS attack request type as training sample data; and
    replacing the pre-trained DDoS attack detection model with the retrained DDoS attack detection model.
  5. The method according to claim 4, wherein determining, from the detection result, the data access requests corresponding to a DDoS attack type comprises:
    counting, from the detection result, the number of attack requests among the DDoS attack access requests; and
    when the counted number of attack requests exceeds a preset attack request threshold, classifying the DDoS attack access requests by DDoS attack request type according to the detection result.
  6. The method according to claim 1, wherein the process of generating the pre-trained DDoS attack detection model comprises:
    obtaining a model training instruction;
    invoking a DDoS attack program according to the model training instruction to generate DDoS attack access requests in batches; and
    training the DDoS attack detection model using the batch-generated DDoS attack access requests as training sample data to obtain the pre-trained DDoS attack detection model.
  7. The method according to claim 6, wherein training the DDoS attack detection model using the batch-generated DDoS attack access requests as training sample data to obtain the pre-trained DDoS attack detection model comprises:
    classifying the batch-generated DDoS attack access requests by DDoS attack request type to obtain the DDoS attack access requests corresponding to each DDoS attack request type; and
    training with the classified DDoS attack access requests as input and the DDoS attack request types corresponding to the classified DDoS attack access requests as output, to obtain the pre-trained DDoS attack detection model.
  8. A DDoS attack detection apparatus, comprising:
    an access request obtaining module, configured to obtain data access requests within a current time period;
    a request count module, configured to count the number of access requests among the obtained data access requests;
    a feature field extraction module, configured to extract feature fields from the obtained data access requests when the counted number of access requests exceeds a preset request-count threshold;
    a feature vector generation module, configured to generate, from the extracted feature fields, an access request feature vector corresponding to the obtained data access requests; and
    a detection result obtaining module, configured to input the generated access request feature vector into a pre-trained DDoS attack detection model and obtain the detection result output by the pre-trained DDoS attack detection model.
  9. The apparatus according to claim 8, wherein the feature field extraction module is further configured to obtain a feature field table when the counted number of access requests exceeds the preset request-count threshold; and
    the feature field extraction module is further configured to extract, from the obtained data access requests, the feature fields corresponding to the field identifiers in the obtained feature field table.
  10. The apparatus according to claim 9, wherein the feature vector generation module is further configured to identify the field type of each extracted feature field;
    the feature vector generation module is further configured to determine the value corresponding to each extracted feature field according to the value-determination method associated with the identified field type; and
    the feature vector generation module is further configured to determine the access request feature vector corresponding to the obtained data access requests from the values corresponding to the extracted feature fields.
  11. A computer device, comprising a memory and one or more processors, the memory storing computer-readable instructions which, when executed by the one or more processors, cause the one or more processors to perform the following steps:
    obtaining data access requests within a current time period;
    counting the number of access requests among the obtained data access requests;
    when the counted number of access requests exceeds a preset request-count threshold, extracting feature fields from the obtained data access requests;
    generating, from the extracted feature fields, an access request feature vector corresponding to the obtained data access requests; and
    inputting the generated access request feature vector into a pre-trained DDoS attack detection model and obtaining the detection result output by the pre-trained DDoS attack detection model.
  12. The computer device according to claim 11, wherein the processor, when executing the computer-readable instructions, further performs the following steps:
    when the counted number of access requests exceeds the preset request-count threshold, obtaining a feature field table; and
    extracting, from the obtained data access requests, the feature fields corresponding to the field identifiers in the obtained feature field table.
  13. The computer device according to claim 12, wherein the processor, when executing the computer-readable instructions, further performs the following steps:
    identifying the field type of each extracted feature field;
    determining the value corresponding to each extracted feature field according to the value-determination method associated with the identified field type; and
    determining the access request feature vector corresponding to the obtained data access requests from the values corresponding to the extracted feature fields.
  14. The computer device according to claim 11, wherein the processor, when executing the computer-readable instructions, further performs the following steps:
    determining, from the detection result, the data access requests corresponding to a DDoS attack type;
    retraining the DDoS attack detection model using the data access requests corresponding to the determined DDoS attack request type as training sample data; and
    replacing the pre-trained DDoS attack detection model with the retrained DDoS attack detection model.
  15. The computer device according to claim 14, wherein the processor, when executing the computer-readable instructions, further performs the following steps:
    counting, from the detection result, the number of attack requests among the DDoS attack access requests; and
    when the counted number of attack requests exceeds a preset attack request threshold, classifying the DDoS attack access requests by DDoS attack request type according to the detection result.
  16. One or more non-volatile computer-readable storage media storing computer-readable instructions which, when executed by one or more processors, cause the one or more processors to perform the following steps:
    obtaining data access requests within a current time period;
    counting the number of access requests among the obtained data access requests;
    when the counted number of access requests exceeds a preset request-count threshold, extracting feature fields from the obtained data access requests;
    generating, from the extracted feature fields, an access request feature vector corresponding to the obtained data access requests; and
    inputting the generated access request feature vector into a pre-trained DDoS attack detection model and obtaining the detection result output by the pre-trained DDoS attack detection model.
  17. The storage medium according to claim 16, wherein the computer-readable instructions, when executed by the processor, further perform the following steps:
    when the counted number of access requests exceeds the preset request-count threshold, obtaining a feature field table; and
    extracting, from the obtained data access requests, the feature fields corresponding to the field identifiers in the obtained feature field table.
  18. The storage medium according to claim 17, wherein the computer-readable instructions, when executed by the processor, further perform the following steps:
    identifying the field type of each extracted feature field;
    determining the value corresponding to each extracted feature field according to the value-determination method associated with the identified field type; and
    determining the access request feature vector corresponding to the obtained data access requests from the values corresponding to the extracted feature fields.
  19. The storage medium according to claim 16, wherein the computer-readable instructions, when executed by the processor, further perform the following steps:
    determining, from the detection result, the data access requests corresponding to a DDoS attack type;
    retraining the DDoS attack detection model using the data access requests corresponding to the determined DDoS attack request type as training sample data; and
    replacing the pre-trained DDoS attack detection model with the retrained DDoS attack detection model.
  20. The storage medium according to claim 19, wherein the computer-readable instructions, when executed by the processor, further perform the following steps:
    counting, from the detection result, the number of attack requests among the DDoS attack access requests; and
    when the counted number of attack requests exceeds a preset attack request threshold, classifying the DDoS attack access requests by DDoS attack request type according to the detection result.
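The detection pipeline of claims 1 to 5 together with the model training of claim 7, as an added Python example that is not the patent's own code: the feature field table, the field types and their value-determination rules, the request field names, the sample traffic and the nearest-centroid classifier standing in for the pre-trained model are all assumptions made for this example.

```python
"""Added example, not the patent's own code: request counting, feature field
extraction, feature vector generation and classification as in claims 1-5 and 7,
with constructed requests and a nearest-centroid classifier standing in for the
pre-trained DDoS attack detection model (the model family is an assumption)."""
from collections import defaultdict
import math

# Feature field table (claim 2): field identifier -> field type. The field types
# and the per-type value-determination rules (claim 3) are assumptions here.
FEATURE_FIELD_TABLE = [("method", "categorical"), ("user_agent", "categorical"),
                       ("referer", "presence"), ("content_length", "numeric")]
CATEGORIES = {"method": ["GET", "POST", "HEAD"], "user_agent": ["browser", "bot", ""]}

def field_value(field_id, field_type, raw):
    """Claim 3: turn one extracted field into a number according to its type."""
    if field_type == "numeric":
        return float(raw or 0)
    if field_type == "presence":          # 1 if the header was sent at all
        return 1.0 if raw else 0.0
    if field_type == "categorical":       # index in a fixed vocabulary, else 'other'
        vocab = CATEGORIES[field_id]
        return float(vocab.index(raw)) if raw in vocab else float(len(vocab))
    raise ValueError(f"unknown field type {field_type!r}")

def feature_vector(request, table=FEATURE_FIELD_TABLE):
    """Claims 2-3: extract the fields named in the table and build the vector."""
    return [field_value(fid, ftype, request.get(fid)) for fid, ftype in table]

class NearestCentroidModel:
    """Stand-in for the pre-trained model: one centroid per attack type."""
    def __init__(self):
        self.centroids = {}

    def fit(self, vectors, labels):
        groups = defaultdict(list)
        for vec, label in zip(vectors, labels):
            groups[label].append(vec)
        self.centroids = {label: [sum(col) / len(vecs) for col in zip(*vecs)]
                          for label, vecs in groups.items()}
        return self

    def predict(self, vector):
        return min(self.centroids, key=lambda k: math.dist(vector, self.centroids[k]))

def mk(ts, method="GET", ua="browser", referer="https://shop.example/", clen=0):
    """One constructed access request record; the field names are assumptions."""
    return {"ts": ts, "method": method, "user_agent": ua,
            "referer": referer, "content_length": clen}

def build_model():
    """Claim 7: train with feature vectors as input and the attack type as output.
    The three labelled samples are constructed; 'normal' marks non-attack traffic."""
    samples = [(mk(0), "normal"), (mk(0, ua="bot", referer=""), "get_flood"),
               (mk(0, "POST", ua="", referer="", clen=5000), "post_flood")]
    return NearestCentroidModel().fit([feature_vector(r) for r, _ in samples],
                                      [label for _, label in samples])

def detect(requests, start, end, model, request_threshold, attack_threshold):
    """Claims 1, 4, 5: count requests in [start, end); run the model only above the
    request threshold, then group flagged requests by attack type once they exceed
    the attack threshold (these groups are the retraining samples of claim 4)."""
    window = [r for r in requests if start <= r["ts"] < end]
    if len(window) <= request_threshold:
        return {"checked": False, "attack_count": 0, "by_type": {}}
    labelled = [(r, model.predict(feature_vector(r))) for r in window]
    attacks = [(r, label) for r, label in labelled if label != "normal"]
    by_type = defaultdict(list)
    if len(attacks) > attack_threshold:
        for r, label in attacks:
            by_type[label].append(r)
    return {"checked": True, "attack_count": len(attacks), "by_type": dict(by_type)}

def sample_window():
    """Constructed traffic: 3 normal, 6 bot GETs and 3 large POSTs in ts 100..160,
    plus two requests outside the window that must be ignored."""
    reqs = [mk(100 + 5 * i) for i in range(3)]
    reqs += [mk(101 + 5 * i, ua="bot", referer="") for i in range(6)]
    reqs += [mk(102 + 5 * i, "POST", ua="", referer="", clen=4800) for i in range(3)]
    return reqs + [mk(20), mk(300)]
```

Calling `detect(sample_window(), 100, 200, build_model(), 10, 5)` reports nine flagged requests split into six `get_flood` and three `post_flood`, while a window with fewer than the threshold of ten requests is never passed to the model.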
PCT/CN2018/088975 2018-01-31 2018-05-30 Ddos attack detection method and apparatus, and computer device and storage medium WO2019148714A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201810096078.6A CN108322463A (en) 2018-01-31 2018-01-31 Ddos attack detection method, device, computer equipment and storage medium
CN201810096078.6 2018-01-31

Publications (1)

Publication Number Publication Date
WO2019148714A1 true WO2019148714A1 (en) 2019-08-08

Family

ID=62891246

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2018/088975 WO2019148714A1 (en) 2018-01-31 2018-05-30 Ddos attack detection method and apparatus, and computer device and storage medium

Country Status (2)

Country Link
CN (1) CN108322463A (en)
WO (1) WO2019148714A1 (en)


Also Published As

Publication number Publication date
CN108322463A (en) 2018-07-24


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 18903082

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

32PN Ep: public notification in the ep bulletin as address of the addressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205 DATED 12/11/2020)

122 Ep: pct application non-entry in european phase

Ref document number: 18903082

Country of ref document: EP

Kind code of ref document: A1