CN101022342A - Attack information processing method and device - Google Patents

Publication number
CN101022342A
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN 200710064532
Other languages
Chinese (zh)
Inventor
施瑞珩
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Hangzhou H3C Technologies Co Ltd
Original Assignee
Hangzhou Huawei 3Com Technology Co Ltd

Abstract

A method for processing attack information includes storing received notification messages that carry attack information and, when the stored notification messages addressed to the same user are judged to exceed a preset number, merging the preset number of those notification messages and sending the merged message to the user. A device for implementing the method is also disclosed.

Description

Attack information processing method and device
Technical field
The present invention relates to a method and device for processing attack information, and in particular to a method and device for processing the attack information produced by a network anti-attack system. It belongs to the field of computer communication.
Background
To guard against Internet worm attacks, existing network systems are usually equipped with an anti-attack system such as an intrusion detection system (IDS) or an intrusion prevention system (IPS). After detecting a network attack, an existing anti-attack system records it, producing attack information that is written to an attack log. Attack information is mainly used to trace the attack source, analyze the security vulnerabilities present in the network, and locate the cause of a problem. To inform the user of attacks occurring in the network, the attack information is also sent to the user as a notification message, for example by e-mail, so that the user knows the attack situation in the network and can take further measures.
The defect of the prior art is that a notification message is sent to the user immediately each time a detected network attack generates a piece of attack information. If the network suffers attacks of the same type, the user receives many notification messages with identical content; because the user already knows that the attack exists, these messages are meaningless to the user. In addition, even if the network suffers attacks of different types, frequent attacks make the number of notification messages increase sharply, so that the notification messages themselves can prevent the associated server from working normally. For example, if the notification messages are e-mail messages, the mail server may be unable to work normally.
Summary of the invention
The problem to be solved by the present invention is the impact on the performance of the associated servers in the network that results from notification messages being sent to the user in excessive numbers and too frequently.
To solve this problem, one embodiment of the present invention provides an attack information processing method, comprising:
storing the received notification messages that carry attack information;
if the stored notification messages addressed to the same user are judged to exceed a predetermined number, merging the predetermined number of those notification messages and then sending them.
To solve this problem, another embodiment of the present invention provides an attack information processor, comprising:
a message format module, used to store the received notification messages that carry attack information;
a time block, used to send a timing signal to the message transmission module after a predetermined timing period expires;
a message transmission module, used to judge whether the notification messages stored in the message format module and addressed to the same user exceed a predetermined number; if so, it merges the predetermined number of those notification messages and then sends them; otherwise it merges all notification messages in the message format module and then sends them.
With the present invention, therefore, a notification message is not sent immediately after it is generated. It is stored temporarily and sent to the user only after the predetermined number is exceeded, so that the user is not notified frequently and the impact of excessive notification messages on the performance of the associated servers in the system is avoided. Because the notification messages addressed to the same user are merged before sending, the user receives only one notification message each time, which reduces the impact on the performance of the user's system and makes the notification messages easier for the user to handle.
The technical solution of the present invention is described in further detail below with reference to the drawings and embodiments.
Description of drawings
Fig. 1 is a flowchart of the attack information processing method of Embodiment 1 of the invention;
Fig. 2 is a flowchart of the attack information processing method of Embodiment 2 of the invention;
Fig. 3 is a structural diagram of the attack information processing device of Embodiment 3 of the invention;
Fig. 4 is a structural diagram of the attack information processing device of Embodiment 4 of the invention.
Detailed description of the embodiments
Embodiment 1
Fig. 1 shows the flowchart of the attack information processing method provided by this embodiment.
Step 101: store the received notification message that carries attack information.
Specifically, the notification message can be stored in a buffer. To speed up lookups among the stored notification messages, the notification messages addressed to the same user can be stored adjacently. Here, notification messages addressed to the same user are notification messages with the same destination address or the same user ID. The user ID is set in advance in each notification message and indicates which user the notification message is to be sent to.
Attack information is the information generated when a device that guards against network attacks, such as an IDS or IPS, detects a network attack; it records how the system was attacked. A notification message is a message that carries this attack information and is sent to the user of the system to tell the user how the system was attacked. The commonly used form of notification message is a notification e-mail, that is, the notification message is sent to the user as an e-mail.
Step 102: judge whether the buffer overflows. If so, go to step 111; otherwise go to step 112.
The size of the buffer is predefined, for example 2 MBit. Because the buffer is of limited size and continually receives notification messages to be sent to users, it may overflow.
Step 111: delete the low-level notification messages in the buffer.
A low-level notification message is the notification message of an attack with lower destructiveness. Because the system is attacked many times or in many ways, many notification messages need to be sent. If the buffer is full at that point and cannot store a newly received notification message, the lower-level notification messages already in the buffer can be deleted, freeing part of the storage space for the newly received notification message. Because the attacks that correspond to low-level notification messages have little impact on the system, failing to notify the user of them in time does not have a great effect.
Step 112: judge whether the predetermined timing period has been reached. If so, go to step 121; otherwise return to step 102.
The timing period is predefined before the steps of this embodiment begin. When it expires, the notification messages in the buffer need to be sent to the corresponding users. Specifically, different timing periods can be chosen for the notification messages addressed to different users. Because different destination addresses correspond to different users, the timing period can be set according to each user's needs. For example, a user who wants to learn promptly how the system is being attacked can be given a short timing period, while a user who does not want to be notified frequently can be given a long one.
Step 121: judge whether, among the stored notification messages, those addressed to the same user exceed the predetermined number. If so, go to step 131; otherwise go to step 141.
The predetermined number, like the timing period, is predefined before the steps of this embodiment begin. Specifically, a different predetermined number can be chosen for the notification messages addressed to different users. For example, a user who wants to receive more notification messages at a time can be given a larger predetermined number; otherwise a smaller predetermined number can be set.
Step 131: merge the predetermined number of notification messages and then send them.
For example, suppose the predetermined number of notification messages addressed to the same user is 20. When the stored notification messages are judged to exceed 20, 20 of them are merged and sent. The benefit of setting the predetermined number to 20 is that the notification messages the user receives can be displayed on one page of the display screen, so no scrolling is needed and they are convenient for the user to read. Specifically, each notification message contains a destination address that corresponds to the user who is to receive it; the notification messages addressed to the same user can be merged according to this destination address and then sent to that user. The notification message can take a form such as a notification e-mail, which is sent by calling a mail sending module.
It should be noted here that this step need not wait for the predetermined timing period of step 112 to expire: as soon as the stored notification messages addressed to the same user are judged to exceed the predetermined number, this step can be carried out. That is, this step may also be executed without step 112 as its condition.
Step 141: merge the stored notification messages addressed to the same user and then send them.
At this point the number of stored notification messages addressed to the same user is less than the predetermined number, but because the predetermined timing period has expired, notification messages need to be sent to the user, so all stored notification messages are sent. Specifically, the notification messages addressed to the same user are merged and then sent to that user.
With the method of this embodiment, a notification message is not sent immediately after it is generated. It is stored temporarily and sent to the user after a timing period, so that the user is not notified frequently and the impact of excessive notification messages on the performance of the associated servers in the system is avoided. Because the notification messages addressed to the same user are merged before sending, the user receives only one notification message each time, which reduces the impact on the performance of the user's system and makes the notification messages easier for the user to handle.
Embodiment 2
Fig. 2 shows the flowchart of an attack information processing method, provided by this embodiment, that further reduces the number of times notification messages are sent.
Step 201: after a notification message is received, judge whether a notification message identical to it is already stored. If so, go to step 211; otherwise go to step 101. Identical notification messages are notification messages whose destination address and content are both the same.
Step 211: increment by 1 the count value of the stored notification message that is identical to the received one, discard the received notification message, and then go to step 102. The count value is provided in advance: every stored notification message has a corresponding count value, which records the number of notification messages identical to it that have been received.
Steps 101, 102, 111, 112 and 121 are the same as the corresponding steps of Embodiment 1 and are not repeated here. Steps 131 and 141 are essentially the same as the corresponding steps of Embodiment 1, except that when a notification message is sent to the user, the count value corresponding to that notification message is sent to the user together with it. On receiving the count value, the user learns how many times the notification message was received.
With the method of this embodiment, notification messages with identical content are aggregated: for notification messages with identical content only the total number is recorded, and they need not all be stored. This further reduces the number of notification messages to be sent to the user, avoids identical notification messages occupying buffer storage space, and saves system resources.
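The flow of Embodiments 1 and 2 as a runnable sketch. This is an added example, not code from the patent: the class and method names, the integer severity scale (larger means more destructive), the buffer limit counted in stored notices rather than bytes, the single shared timer, and the in-memory `sent` list standing in for the mail sending module are all assumptions.

```python
from dataclasses import dataclass


@dataclass
class Notice:
    recipient: str   # destination address or user ID
    content: str     # attack information carried by the notification
    severity: int    # assumption: larger value = more destructive attack
    count: int = 1   # Embodiment 2: identical notifications received so far


class AlertBatcher:
    def __init__(self, batch_size=20, capacity=1000, interval=300.0, eager=False):
        self.batch_size = batch_size  # predetermined number per recipient
        self.capacity = capacity      # assumption: buffer limit counted in notices
        self.interval = interval      # predetermined timing period, in seconds
        self.eager = eager            # send on threshold without waiting for the timer
        self.deadline = None
        self.buffer = {}              # recipient -> {content: Notice}, insertion-ordered
        self.sent = []                # (recipient, merged body); stands in for the mailer

    def receive(self, recipient, content, severity, now):
        if self.deadline is None:
            self.deadline = now + self.interval
        group = self.buffer.setdefault(recipient, {})
        if content in group:                 # steps 201/211: same recipient and content
            group[content].count += 1        # count it and discard the duplicate
            return
        group[content] = Notice(recipient, content, severity)           # step 101
        if sum(len(g) for g in self.buffer.values()) > self.capacity:   # step 102
            self._evict_lowest()                                        # step 111
        if self.eager and len(self.buffer.get(recipient, ())) > self.batch_size:
            self._flush(recipient)           # step 131 without step 112 as a condition

    def _evict_lowest(self):
        # Delete the stored notice with the lowest severity (oldest wins ties).
        victim = min((n for g in self.buffer.values() for n in g.values()),
                     key=lambda n: n.severity)
        del self.buffer[victim.recipient][victim.content]
        if not self.buffer[victim.recipient]:
            del self.buffer[victim.recipient]

    def _flush(self, recipient):
        group = self.buffer[recipient]
        keys = list(group)
        if len(keys) > self.batch_size:      # step 121 -> 131: only the predetermined number
            keys = keys[:self.batch_size]
        batch = [group.pop(k) for k in keys]  # otherwise step 141: everything stored
        if not group:
            del self.buffer[recipient]
        body = "\n".join(f"[x{n.count}] sev={n.severity} {n.content}" for n in batch)
        self.sent.append((recipient, body))   # one merged message per recipient

    def tick(self, now):
        """Step 112: when the timer expires, send one merged message per recipient."""
        if self.deadline is None or now < self.deadline:
            return 0
        self.deadline = now + self.interval
        recipients = list(self.buffer)
        for recipient in recipients:
            self._flush(recipient)
        return len(recipients)


def demo():
    # Constructed events: (recipient, content, severity, arrival time in seconds).
    events = [
        ("ops@example.test", "port scan", 2, 0),
        ("ops@example.test", "port scan", 2, 1),      # duplicate: counted, not stored
        ("ops@example.test", "sql injection", 5, 2),
        ("ops@example.test", "ping sweep", 1, 3),
        ("ops@example.test", "worm", 4, 4),           # overflow: "ping sweep" is deleted
    ]
    batcher = AlertBatcher(batch_size=2, capacity=3, interval=60)
    for event in events:
        batcher.receive(*event)
    batcher.tick(60)    # three stored > 2, so only two are merged and sent
    batcher.tick(120)   # the remaining one goes out on the next expiry
    return batcher.sent
```

Five received notifications become two outgoing messages here, and the low-severity notice deleted on overflow is never reported, which is the trade-off step 111 accepts.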
Embodiment 3
As shown in Fig. 3, the attack information processor 10 provided by this embodiment comprises a message format module 11, a time block 12 and a message transmission module 13. It works as follows:
After the attack information processor 10 receives a notification message that carries attack information, the message format module 11 stores the received notification message in itself. If the message format module 11 overflows at this point, the low-level notification messages in the module are deleted. A low-level notification message is the notification message of an attack with lower destructiveness. Because the attacks that correspond to low-level notification messages have little impact on the system, failing to notify the user of them in time does not have a great effect.
The time block 12 sends a timing signal to the message transmission module 13 after the predetermined timing period expires. The timing period is predefined. Specifically, different timing periods can be chosen according to the destination address of the notification message. Because different destination addresses correspond to different users, the timing period can be set according to each user's needs. For example, a user who wants to learn promptly how the system is being attacked can be given a short timing period, while a user who does not want to be notified frequently can be given a long one.
After the message transmission module 13 receives the timing signal from the time block 12, it judges whether the notification messages stored in the message format module 11 and addressed to the same user exceed the predetermined number. If so, it merges the predetermined number of those notification messages and then sends them. For example, if the predetermined number of notification messages addressed to the same user is 20, then when the stored notification messages are judged to exceed 20, 20 of them are merged and sent. Otherwise the message transmission module 13 merges all notification messages in the message format module 11 that are addressed to the same user and then sends them. Specifically, the notification messages addressed to the same user can be merged according to the destination address of each notification message or the user ID in the notification message, and then sent to that user.
The predetermined number, like the timing period, is predefined before the steps of this embodiment begin. Specifically, a different predetermined number can also be chosen for the notification messages addressed to different users. For example, a user who wants to receive more notification messages at a time can be given a larger predetermined number; otherwise a smaller predetermined number can be set.
With the device of this embodiment, a notification message is not sent immediately after it is generated. It is stored temporarily and sent to the user after a timing period, so that the user is not notified frequently and the impact of excessive notification messages on the performance of the associated servers in the system is avoided. Because the notification messages addressed to the same user are merged before sending, the user receives only one notification message each time, which reduces the impact on the performance of the user's system and makes the notification messages easier for the user to handle.
Embodiment 4
As shown in Fig. 4, this embodiment provides another attack message processing unit 10. In addition to the modules described in Embodiment 3, it further comprises a message polymerization module 14. It works as follows:
After the attack message processing unit 10 receives a notification message that carries attack information, the message polymerization module 14 judges whether a notification message identical to the received one is stored in the message format module 11. If so, it increments by 1 the count value of that notification message in the message format module 11 and discards the received notification message; otherwise it stores the received notification message in the message format module 11.
The time block 12 sends a timing signal to the message transmission module 13 after the predetermined timing period expires. After the message transmission module 13 receives the timing signal from the time block 12, it judges whether the notification messages stored in the message format module 11 and addressed to the same user exceed the predetermined number. If so, it merges the predetermined number of those notification messages and sends them together with the count value corresponding to each notification message. Otherwise the message transmission module 13 merges all notification messages in the message format module 11 that are addressed to the same user and sends them together with the count value corresponding to each notification message.
With the device of this embodiment, the message polymerization module aggregates notification messages with identical content: for notification messages with identical content only the total number is recorded, and they need not all be stored. This further reduces the number of notification messages to be sent to the user, avoids identical notification messages occupying the storage space of the message buffer module, and saves system resources.
Finally, it should be noted that the above embodiments only illustrate the technical solution of the present invention and do not limit it. Although the present invention has been described in detail with reference to preferred embodiments, those of ordinary skill in the art should understand that the technical solution of the present invention can be modified or replaced with equivalents without departing from the spirit and scope of the technical solution of the present invention.

Claims (11)

1. An attack information processing method, characterized by comprising:
storing the received notification messages that carry attack information;
if the stored notification messages addressed to the same user are judged to exceed a predetermined number, merging the predetermined number of those notification messages and then sending them.
2. The attack information processing method according to claim 1, characterized by further comprising:
if, after a predetermined timing period expires, the notification messages in the buffer addressed to the same user are judged to exceed the predetermined number, merging all notification messages in the buffer that are addressed to that user and then sending them.
3. The attack information processing method according to claim 1, characterized in that the condition for judging whether the stored notification messages addressed to the same user exceed the predetermined number is that the predetermined timing period has been reached.
4. The attack information processing method according to any one of claims 1 to 3, characterized by further comprising:
before the received notification message is stored, judging whether the stored notification messages include one identical to it;
if so, incrementing by 1 the count value of the stored notification message and discarding the received notification message;
otherwise storing the received notification message.
5. The attack information processing method according to claim 4, characterized in that:
sending the notification message specifically means sending the notification message together with the count value corresponding to the notification message.
6. The attack information processing method according to claim 1, characterized in that:
storing the received notification message comprises storing the received notification message in a buffer.
7. The attack information processing method according to claim 6, characterized in that:
before the received notification message is stored in the buffer, the method further comprises: if the notification messages in the buffer are judged to overflow, deleting the low-level notification messages in the buffer.
8. The attack information processing method according to claim 1, characterized in that:
the notification messages addressed to the same user comprise notification messages with the same destination address or the same user ID.
9. The attack information processing method according to claim 1, characterized in that:
storing the received notification message comprises storing the received notification messages addressed to the same user adjacently.
10. An attack information processor, characterized by comprising:
a message format module, used to store the received notification messages that carry attack information;
a time block, used to send a timing signal to the message transmission module after a predetermined timing period expires;
a message transmission module, used to judge whether the notification messages stored in the message format module and addressed to the same user exceed a predetermined number; if so, to merge the predetermined number of those notification messages and then send them; otherwise to merge all notification messages in the message format module and then send them.
11. The attack information processing method according to claim 10, characterized by further comprising:
a message polymerization module, used to judge, before the message format module stores the received notification message, whether a notification message identical to the received one is stored in the message format module; if so, to increment by 1 the count value of that notification message in the message format module and discard the received notification message; otherwise to store the received notification message in the message format module;
the message transmission module is also used to send, when sending the notification message, the count value corresponding to the notification message together with it.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN 200710064532 CN101022342A (en) 2007-03-19 2007-03-19 Attack information processing method and device

Publications (1)

Publication Number Publication Date
CN101022342A true CN101022342A (en) 2007-08-22

Family

ID=38710003

Country Status (1)

Country Link
CN (1) CN101022342A (en)

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101212721B (en) * 2007-12-25 2011-01-19 华为软件技术有限公司 Information processing method, system, and information consolidation device
US8725115B2 (en) 2007-12-25 2014-05-13 Huawei Technologies Co., Ltd. Method and system for processing message
CN103067884A (en) * 2011-10-21 2013-04-24 阿里巴巴集团控股有限公司 Method and device for alarming information processing
CN103067884B (en) * 2011-10-21 2016-03-30 阿里巴巴集团控股有限公司 A kind of processing method of warning message and device
CN104284308A (en) * 2013-07-08 2015-01-14 中国电信股份有限公司 Non-real-time short message transmitting control method, device and system
CN105871686A (en) * 2016-03-22 2016-08-17 青岛海信移动通信技术股份有限公司 Message receiving method and intelligent terminal in converged communication
CN109618421A (en) * 2019-01-14 2019-04-12 Oppo广东移动通信有限公司 A kind of method and device, terminal, storage medium reconnecting AP
CN109618421B (en) * 2019-01-14 2021-04-30 Oppo广东移动通信有限公司 Method and device for reconnecting AP, terminal and storage medium

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C12 Rejection of a patent application after its publication
RJ01 Rejection of invention patent application after publication

Open date: 20070822