CN101355463B - Method, system and equipment for judging network attack - Google Patents

Publication number: CN101355463B
Authority: CN (China)
Prior art keywords: characteristic information, traffic characteristic, baseline, flow, attack
Legal status: Active
Application number: CN2008101469444A
Other languages: Chinese (zh)
Other versions: CN101355463A (en)
Inventor: 于锋
Current Assignee: Huawei Technologies Co Ltd
Original Assignee: Huawei Symantec Technologies Co Ltd
Application filed by Huawei Symantec Technologies Co Ltd
Priority to CN2008101469444A
Publication of CN101355463A
Application granted
Publication of CN101355463B
Abstract

An embodiment of the invention discloses a method for judging a network attack, comprising: receiving traffic characteristic information sent by a detection device; and judging whether an attack has occurred by comparing that traffic characteristic information with a local traffic baseline that is dynamically adjusted according to historical data. Embodiments of the invention also disclose a system and a device for judging a network attack. Because the judgment uses a dynamically adjusted traffic baseline, it can be determined promptly and effectively whether a large group of hosts is under attack, and a timely alarm can be raised to start the corresponding defensive measures. This overcomes the false positives and missed detections that readily occur when a single static reference value is used for network attack alarming and protection.

Description

Method, system and device for judging a network attack
Technical field
The present invention relates to the field of communication technology, and in particular to a method, system and device for judging a network attack.
Background art
As networks develop, attacks on them are becoming increasingly diverse and complex. The most harmful are DoS (Denial of Service) and DDoS (Distributed Denial of Service) attacks, which consume the target's resources and bandwidth by sending attack packets on a large scale, paralyzing the network and causing heavy losses.
To defend against DDoS attacks, more and more network devices now support detection of and defense against abnormal traffic and attack traffic. Current DDoS detection measures usually set different static reference values for different attack signatures, and judge whether a target is under attack by checking whether a traffic characteristic exceeds the reference value range.
In the course of realizing the present invention, the inventor found the following problems in the prior art:
When protection is provided on a large scale, there are hundreds of thousands of protected targets, each with its own traffic characteristics, and a reference value cannot be customized for every target. Defining a single unified reference value is not feasible either, because it causes false positives and missed detections. Moreover, because the appropriate reference value differs between time periods, setting a single reference value leads to long delays in discovering attacks.
Summary of the invention
Embodiments of the invention provide a method, system and device for judging a network attack, used to judge attacks in a network effectively.
To achieve this object, an embodiment of the invention provides a method for judging a network attack, comprising:
Receiving traffic characteristic information sent by a detection device, where the detection device obtains the traffic characteristic information by performing feature matching separately on each layer of the traffic between the protected network and the Internet and then compiling statistics on the matching results, and sends it at specific intervals;
Comparing the traffic characteristic information sent by the detection device with a local traffic baseline that is dynamically adjusted according to historical data, to judge whether an attack has occurred.
An embodiment of the invention also provides a system for judging a network attack, comprising a processing device and at least one detection device;
The processing device is used to receive the traffic characteristic information sent by the detection device, compare it with the local traffic baseline that is dynamically adjusted according to historical data, and judge whether an attack has occurred in the protected area;
The detection device is used to perform feature matching separately on each layer of the traffic between the protected network and the Internet, compile statistics on the matching results to obtain the traffic characteristic information, and send the traffic characteristic information at specific intervals.
A processing device provided by an embodiment of the invention comprises:
A receiving unit, used to receive the traffic characteristic information sent by each detection device, where the detection device obtains the traffic characteristic information by performing feature matching separately on each layer of the traffic between the protected network and the Internet and then compiling statistics on the matching results, and sends it at specific intervals;
A traffic baseline storage unit, used to store the traffic baseline that is dynamically adjusted according to historical data and provide it to the judging unit for judging whether a network attack has occurred in the protected area.
A processing unit, used to judge whether a network attack has occurred in the protected area according to the traffic characteristic information from each detection device received by the receiving unit and the traffic baseline provided by the traffic baseline storage unit.
Compared with the prior art, embodiments of the invention have the following advantages:
Whether an attack has occurred is judged against a dynamically adjusted traffic baseline, so it can be determined promptly and effectively whether a large group of hosts is under attack, and a timely alarm can be raised to start the corresponding defensive measures. This overcomes the false positives and missed detections that readily occur when a single static reference value is used for network attack alarming and protection.
Description of drawings
To explain the technical solutions of the embodiments of the invention or of the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. The drawings described below are evidently only some embodiments of the invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic diagram of the network in which the method for judging a network attack is applied in an embodiment of the invention;
Fig. 2 is a flow chart of the method for judging a network attack in an embodiment of the invention;
Fig. 3 is a flow chart of the processing performed by the detection device in an embodiment of the invention;
Fig. 4 is a flow chart of the processing performed by the processing device in an embodiment of the invention;
Fig. 5 is a structural diagram of the system for judging a network attack in an embodiment of the invention.
Detailed description of the embodiments
The technical solutions in the embodiments of the invention are described clearly and completely below with reference to the accompanying drawings. The described embodiments are evidently only some, not all, of the embodiments of the invention. All other embodiments obtained by those of ordinary skill in the art on the basis of these embodiments without creative effort fall within the scope of protection of the invention. An embodiment of the invention provides a method for judging a network attack. Fig. 1 shows the network in which it is applied, which includes one processing device and at least one detection device. Specifically, as shown in Fig. 2, the method for judging a network attack in the embodiment of the invention comprises the following steps:
Step s201: the processing device receives the traffic characteristic information sent by the detection devices.
Specifically, the traffic between the protected area and the Internet is monitored by multiple detection devices (detection device 1 to detection device n in Fig. 1), and each detection device aggregates traffic information and reports it to the processing device.
Step s202: the processing device compares the traffic characteristic information sent by the detection devices with the traffic baseline that is dynamically adjusted according to historical data, and judges whether an attack has occurred. The traffic baseline comprises a warning baseline, a suspicious baseline and a normal baseline.
In this step, the traffic baseline is dynamically adjusted, for example, as follows:
1) The processing device uses a 7-day cycle and, within each day, 1-hour unit intervals; it records the traffic characteristic information sent by the detection devices per unit interval, and uses the traffic characteristic information of each unit interval as the historical data of the next unit interval.
2) When the real-time traffic does not exceed the normal baseline, this traffic characteristic information is saved to refresh the historical data.
3) Every night, a weighted average of the valid traffic of each unit interval is computed to obtain the traffic trend of that day's unit intervals.
4) A sliding window is used to age out interval data older than 30 days, and the traffic baseline of each unit interval is updated using a weighting of the interval traffic values from the most recent 30 days.
Comparing with the traffic baseline that is dynamically adjusted according to historical data to judge whether an attack has occurred comprises the following: if the traffic characteristic information exceeds the warning baseline, an attack is judged to have occurred and an alarm is raised; if it does not exceed the normal baseline, the historical traffic statistics and the traffic baseline are updated using the sliding window; if it exceeds the suspicious baseline but does not exceed the warning baseline, the weighting values and the traffic baseline values are adjusted according to the real-time traffic characteristics and the historical traffic trend, and the judgment is made again after the next traffic report.
Specifically, in the method for judging a network attack in the embodiment of the invention, the processing performed by the detection device is shown in Fig. 3 and comprises the following steps:
Step s301: the detection device counts the total upstream and downstream traffic between the protected network and the Internet.
Step s302: the detection device classifies layer 3 to layer 7 traffic according to traffic type characteristics, and counts the traffic passing through each layer.
Specifically, these per-layer traffic statistics serve to perform feature matching on each layer's traffic separately.
Step s303: the detection device performs feature matching on each layer's traffic against the known possible DDoS attack patterns, and compiles statistics on the matching results to obtain the traffic characteristic information.
Step s304: the detection device samples the traffic characteristic information and compiles statistics on the sampled features. For HTTP traffic, for example, it counts the number of GET messages and the GET message length.
Step s305: the detection device reports a characteristic statistics result (that is, the traffic characteristic information) to the processing device at specific intervals, for example once every 32 seconds.
Specifically, in the method for judging a network attack in the embodiment of the invention, the processing performed by the processing device is shown in Fig. 4 and comprises the following steps:
Step s401: the processing device reads the traffic baseline that is dynamically adjusted according to historical data. The historical statistical data is specifically the aggregate, within a specific cycle and per specific unit of time, of the traffic characteristic information reported by each detection device.
In this step, the traffic baseline is dynamically adjusted, for example, as follows:
1) A 7-day cycle is used and, within each day, 1-hour unit intervals; the traffic characteristic information sent by the detection devices is recorded per unit interval, and the traffic characteristic information of each unit interval is used as the historical data of the next unit interval.
2) When the real-time traffic is within the normal range, this traffic characteristic information is saved to refresh the historical data.
3) Every night, a weighted average of the valid traffic of each unit interval is computed to obtain the traffic trend of that day's unit intervals.
4) A sliding window is used to age out interval data older than 30 days, and the traffic baseline of each unit interval is updated using a weighting of the interval traffic values from the most recent 30 days.
Step s402: the processing device reads the traffic characteristic information reported by each detection device.
Step s403: the processing device performs a weighted comparison of the traffic characteristic information reported by each detection device with the local traffic baseline that is dynamically adjusted according to historical data; this traffic baseline may further comprise a warning baseline, a suspicious baseline and a normal baseline. If the weighted traffic characteristic information exceeds the warning baseline, step s404 is performed; if it does not exceed the normal baseline, step s405 is performed; if it exceeds the suspicious baseline but does not exceed the warning baseline, step s406 is performed.
Specifically, the weighted comparison means that the traffic characteristic information reported by each detection device is weighted according to factors such as the application scenario and the location of the protected network, combined, and then compared with the local traffic baseline that is dynamically adjusted according to historical data.
Step s404: the processing device judges that an attack has occurred and raises an alarm.
Specifically, an alarm may be handled as follows: when a regional attack alarm occurs, the attack type corresponding to the alarm is used to find, within the protected area, the devices whose share of traffic of that attack type has clearly increased; traffic cleaning is performed for them and the attack traffic is filtered. Filtering may use black-hole routing, or the device's traffic may be diverted to a third-party DDoS cleaning device to clean the target traffic.
Step s405: the processing device updates the historical traffic statistics and the traffic baseline.
Specifically, for example, a sliding window is used to age out interval data older than 30 days, and the traffic baseline of each unit interval is updated using a weighting of the interval traffic values from the most recent 30 days.
Step s406: the processing device adjusts the weighting values and the traffic baseline values according to the real-time traffic characteristics and the historical traffic trend, then returns to step s402 and judges again after the next traffic report.
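The following sketch is an added example, not code from the patent: it runs steps s402 to s406 over per-hour slots of a 7-day cycle with a 30-day sliding window. The threshold multipliers, the recency weighting, the tightening factor used for s406, the detector names, the sample counts, and the "learning" and "elevated" verdicts (cold start, and the range between the normal and suspicious baselines that the text does not cover) are all assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(days=30)   # sliding window named in the description
# Assumed multipliers: the text names three baselines but not how they are derived.
NORMAL_X, SUSPICIOUS_X, WARNING_X = 1.5, 2.5, 4.0
TIGHTEN = 0.8                 # assumed s406 adjustment applied per suspicious report


class BaselineJudge:
    def __init__(self, detector_weights):
        self.weights = detector_weights            # detector id -> weight (s403)
        self.history = defaultdict(deque)          # (weekday, hour) -> (ts, value)
        self.tighten = defaultdict(lambda: 1.0)    # per-slot warning scale (s406)

    def baseline(self, ts):
        """Recency-weighted mean of the slot's samples from the last 30 days."""
        samples = self.history[(ts.weekday(), ts.hour)]
        while samples and samples[0][0] < ts - WINDOW:
            samples.popleft()                      # age out data older than 30 days
        if not samples:
            return None
        ranks = range(1, len(samples) + 1)         # newer samples weigh more (assumed)
        return sum(r * v for r, (_, v) in zip(ranks, samples)) / sum(ranks)

    def judge(self, ts, reports):
        """reports: detector id -> feature count for one reporting period."""
        slot = (ts.weekday(), ts.hour)
        value = sum(self.weights[d] * v for d, v in reports.items())
        base = self.baseline(ts)
        if base is None:                           # cold start: nothing to compare with
            self.history[slot].append((ts, value))
            return "learning"
        warning = base * max(SUSPICIOUS_X, WARNING_X * self.tighten[slot])
        if value > warning:                        # s404: alarm, history is not updated
            return "attack"
        if value > base * SUSPICIOUS_X:            # s406: adjust, re-judge on next report
            self.tighten[slot] *= TIGHTEN
            return "suspicious"
        if value <= base * NORMAL_X:               # s405: refresh history and baseline
            self.history[slot].append((ts, value))
            self.tighten[slot] = 1.0
            return "normal"
        return "elevated"                          # range the text leaves open: no update


def demo():
    judge = BaselineJudge({"edge-1": 0.75, "edge-2": 0.25})  # constructed weights
    t0 = datetime(2024, 1, 1, 10, 0)                          # a Monday, 10:00 slot
    verdicts = []
    # Four quiet weeks of constructed HTTP GET counts build the Monday 10:00 baseline.
    for week, count in enumerate([1000, 1100, 900, 1000]):
        ts = t0 + timedelta(weeks=week)
        verdicts.append(judge.judge(ts, {"edge-1": count, "edge-2": count}))
    # Fifth Monday: one report every 32 seconds, as in step s305.
    for step, count in enumerate([1200, 2000, 3000, 3000, 3000]):
        ts = t0 + timedelta(weeks=4, seconds=32 * step)
        verdicts.append(judge.judge(ts, {"edge-1": count, "edge-2": count}))
    return verdicts, judge.baseline(ts)


if __name__ == "__main__":
    print(demo())
```

Only reports judged normal enter the history, so the sustained 3000-count reports escalate to an alarm without raising the baseline they are measured against.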
In the above method provided by embodiments of the invention, whether an attack has occurred is judged against a dynamically adjusted traffic baseline, so it can be determined promptly and effectively whether a large group of hosts is under attack, and a timely alarm can be raised to start the corresponding defensive measures. This overcomes the false positives and missed detections that readily occur when a single static reference value is used for network attack alarming and protection.
Embodiments of the invention also provide a system for judging a network attack. Its structure is shown in Fig. 5 and comprises a processing device 10 and at least one detection device 20. The processing device 10 receives the traffic characteristic information sent by each detection device 20, compares it with the local traffic baseline that is dynamically adjusted according to historical data, and judges whether an attack has occurred in the protected area.
Specifically, the processing device 10 further comprises:
A receiving unit 11, used to receive the traffic characteristic information sent by each detection device 20.
A traffic baseline storage unit 12, used to store the traffic baseline that is dynamically adjusted according to historical data and provide it to the processing unit 13 for judging whether a network attack has occurred in the protected area.
A processing unit 13, used to judge whether a network attack has occurred according to the traffic characteristic information from each detection device 20 received by the receiving unit 11 and the traffic baseline provided by the traffic baseline storage unit 12.
The processing unit 13 comprises:
A first processing subunit 131, used to judge that an attack has occurred and raise an alarm when the traffic characteristic information exceeds the local warning baseline that is dynamically adjusted according to historical data.
A second processing subunit 132, used to update the historical data and the traffic baseline in the traffic baseline storage unit 12 according to the traffic characteristic information when the traffic characteristic information does not exceed the local security baseline that is dynamically adjusted according to historical data;
A third processing subunit 133, used to adjust the traffic baseline in the traffic baseline storage unit 12 according to the traffic characteristic information and the historical traffic trend when the traffic characteristic information exceeds the local suspicious baseline that is dynamically adjusted according to historical data but does not exceed the warning baseline.
Specifically, the detection device 20 further comprises:
A traffic characteristic matching unit 21, used to perform feature matching on each layer of the traffic between the protected network and the Internet;
A traffic characteristic information acquisition unit 22, used to compile statistics on the matching results of the traffic characteristic matching unit 21 and obtain the traffic characteristic information;
A traffic characteristic information transmitting unit 23, used to send to the processing device 10, at specific intervals, the traffic characteristic information obtained by the traffic characteristic information acquisition unit 22.
In the above system and device provided by embodiments of the invention, whether an attack has occurred is judged against a dynamically adjusted traffic baseline, so it can be determined promptly and effectively whether a large group of hosts is under attack, and a timely alarm can be raised to start the corresponding defensive measures. This overcomes the false positives and missed detections that readily occur when a single static reference value is used for network attack alarming and protection.
From the above description of the embodiments, those skilled in the art will clearly understand that the invention can be implemented in hardware, or in software together with a necessary general-purpose hardware platform. Based on this understanding, the technical solution of the invention may be embodied as a software product, which may be stored on a non-volatile storage medium (a CD-ROM, USB flash drive, portable hard drive, etc.) and which includes instructions that cause a computer device (a personal computer, a server, a network device, etc.) to perform the methods described in the embodiments of the invention.
The above discloses only several specific embodiments of the invention. The invention is not limited to them, and any variation that a person skilled in the art can conceive of shall fall within the scope of protection of the invention.

Claims (9)

1. A method for judging a network attack, characterized in that it comprises the following steps:
Receiving traffic characteristic information sent by a detection device, where the detection device obtains the traffic characteristic information by performing feature matching separately on each layer of the traffic between the protected network and the Internet and then compiling statistics on the matching results, and sends it at specific intervals;
Comparing the traffic characteristic information sent by the detection device with a local traffic baseline that is dynamically adjusted according to historical data, to judge whether an attack has occurred.
2. The method for judging a network attack according to claim 1, characterized in that the traffic baseline comprises a warning baseline, a suspicious baseline and a security baseline.
3. The method for judging a network attack according to claim 1 or 2, characterized in that comparing the traffic characteristic information sent by the detection device with the local traffic baseline that is dynamically adjusted according to historical data, to judge whether an attack has occurred, comprises:
Performing a weighted comparison of the traffic characteristic information sent by the detection device with the traffic baseline that is dynamically adjusted according to historical data;
If the weighted traffic characteristic information exceeds the local warning baseline that is dynamically adjusted according to historical data, judging that an attack has occurred and raising an alarm.
4. The method for judging a network attack according to claim 3, characterized in that comparing the traffic characteristic information sent by the detection device with the local traffic baseline that is dynamically adjusted according to historical data, to judge whether an attack has occurred, further comprises:
If the weighted traffic characteristic information does not exceed the local security baseline that is dynamically adjusted according to historical data, updating the historical data and the traffic baseline according to the traffic characteristic information;
If the weighted traffic characteristic information exceeds the local suspicious baseline that is dynamically adjusted according to historical data but does not exceed the warning baseline, adjusting the traffic baseline according to the traffic characteristic information and the historical traffic trend.
5. A system for judging a network attack, characterized in that it comprises a processing device and at least one detection device;
The processing device is used to receive the traffic characteristic information sent by the detection device, compare it with the local traffic baseline that is dynamically adjusted according to historical data, and judge whether an attack has occurred in the protected area;
The detection device is used to perform feature matching separately on each layer of the traffic between the protected network and the Internet, compile statistics on the matching results to obtain the traffic characteristic information, and send the traffic characteristic information at specific intervals.
6. The system for judging a network attack according to claim 5, characterized in that the processing device comprises:
A receiving unit, used to receive the traffic characteristic information sent by each detection device;
A traffic baseline storage unit, used to store the traffic baseline that is dynamically adjusted according to historical data and provide it to the judging unit for judging whether a network attack has occurred in the protected area;
A judging unit, used to judge whether a network attack has occurred in the protected area according to the traffic characteristic information from each detection device received by the receiving unit and the traffic baseline provided by the traffic baseline storage unit.
7. The system for judging a network attack according to claim 5, characterized in that the detection device comprises:
A traffic characteristic matching unit, used to perform feature matching on each layer of the traffic between the protected network and the Internet;
A traffic characteristic information acquisition unit, used to compile statistics on the matching results of the traffic characteristic matching unit and obtain the traffic characteristic information;
A traffic characteristic information transmitting unit, used to send, at specific intervals, the traffic characteristic information obtained by the traffic characteristic information acquisition unit.
8. A processing device, characterized in that it comprises:
A receiving unit, used to receive the traffic characteristic information sent by each detection device, where the detection device obtains the traffic characteristic information by performing feature matching separately on each layer of the traffic between the protected network and the Internet and then compiling statistics on the matching results, and sends it at specific intervals;
A traffic baseline storage unit, used to store the traffic baseline that is dynamically adjusted according to historical data and provide it to the processing unit for judging whether a network attack has occurred in the protected area;
A processing unit, used to judge whether a network attack has occurred in the protected area according to the traffic characteristic information from each detection device received by the receiving unit and the traffic baseline provided by the traffic baseline storage unit.
9. The processing device according to claim 8, characterized in that the processing unit comprises:
A first processing subunit, used to judge that an attack has occurred and raise an alarm when the traffic characteristic information exceeds the local warning baseline that is dynamically adjusted according to historical data;
A second processing subunit, used to update the historical data and the traffic baseline in the traffic baseline storage unit according to the traffic characteristic information when the traffic characteristic information does not exceed the local security baseline that is dynamically adjusted according to historical data;
A third processing subunit, used to adjust the traffic baseline in the traffic baseline storage unit according to the traffic characteristic information and the historical traffic trend when the traffic characteristic information exceeds the local suspicious baseline that is dynamically adjusted according to historical data but does not exceed the warning baseline.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2008101469444A 2008-08-27 2008-08-27 Method, system and equipment for judging network attack

Publications (2)

Publication Number Publication Date
CN101355463A 2009-01-28
CN101355463B 2011-04-20

Family ID: 40308071

Country Status (1)

Country Link
CN (1) CN101355463B (en)
Families Citing this family (24)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101741847B (en) * 2009-12-22 2012-11-07 北京锐安科技有限公司 Detecting method of DDOS (distributed denial of service) attacks
CN102118272A (en) * 2009-12-31 2011-07-06 蓝盾信息安全技术股份有限公司 Network perimeter anomaly monitoring method
CN102457250B (en) * 2010-10-20 2015-04-15 Tcl集团股份有限公司 Collected data filter processing method and device
CN102624534A (en) * 2011-10-18 2012-08-01 北京小米科技有限责任公司 Method for creating group
CN103828301A (en) * 2012-08-31 2014-05-28 华为技术有限公司 Method and device for defending bearer attack
CN103036741B (en) * 2012-12-19 2016-02-03 北京神州绿盟信息安全科技股份有限公司 The defining method of flow monitoring baseline and device
CN103905227B (en) * 2012-12-26 2018-05-22 中国移动通信集团辽宁有限公司 A kind of server energy consumption control method and system
CN103414585A (en) * 2013-08-01 2013-11-27 华南师范大学 Method and device for building safety baselines of service system
CN104348811B (en) * 2013-08-05 2018-01-26 深圳市腾讯计算机系统有限公司 Detecting method of distributed denial of service attacking and device
CN104753863B (en) * 2013-12-26 2018-10-26 中国移动通信集团公司 A kind of defence method of distributed denial of service attack, equipment and system
CN105281966A (en) * 2014-06-13 2016-01-27 腾讯科技(深圳)有限公司 Method and device for identifying abnormal traffic of network equipment
CN104202329B (en) * 2014-09-12 2018-01-26 北京神州绿盟信息安全科技股份有限公司 Ddos attack detection method and device
CN105530219B (en) * 2014-09-28 2019-12-10 腾讯科技(深圳)有限公司 Connection detection method and device
CN104901833B (en) * 2015-05-19 2018-05-08 无锡天脉聚源传媒科技有限公司 A kind of method and device for the equipment that notes abnormalities
CN105141604B (en) * 2015-08-19 2019-03-08 国家电网公司 A kind of network security threats detection method and system based on trusted service stream
WO2017193271A1 (en) * 2016-05-10 2017-11-16 华为技术有限公司 Method and device for detecting network attack
CN107979561B (en) * 2016-10-21 2020-07-03 中国电信股份有限公司 Method, device and system for controlling malicious traffic
CN106411934B (en) * 2016-11-15 2017-11-21 平安科技(深圳)有限公司 DoS/DDoS attack detection methods and device
CN106899601A (en) * 2017-03-10 2017-06-27 北京华清信安科技有限公司 Network attack defence installation and method based on cloud and local platform
CN107682354B (en) * 2017-10-25 2020-06-12 东软集团股份有限公司 Network virus detection method, device and equipment
CN109413021B (en) * 2018-04-28 2021-04-09 武汉思普崚技术有限公司 IPS false alarm detection method and device
CN111131290B (en) * 2019-12-30 2022-06-10 山石网科通信技术股份有限公司 Flow data processing method and device
CN114650210B (en) * 2020-12-21 2023-04-11 华为技术有限公司 Alarm processing method and protection equipment
CN112907321B (en) * 2021-02-03 2021-08-27 珠海市鸿瑞信息技术股份有限公司 Big data-based information security anomaly sensing platform for data mining and analysis

Citations (3)

Publication number Priority date Publication date Assignee Title
CN1507233A (en) * 2002-12-11 2004-06-23 中国科学院研究生院 Firm gateway system and its attack detecting method
CN1697404A (en) * 2005-06-10 2005-11-16 广东省电信有限公司研究院 System and method for detecting network worm in interactive mode
CN1750536A (en) * 2004-09-14 2006-03-22 国际商业机器公司 Method and system for managing refuse service attack

Also Published As

Publication number Publication date
CN101355463A (en) 2009-01-28

Similar Documents

Publication Publication Date Title
CN101355463B (en) Method, system and equipment for judging network attack
EP2080317B1 (en) Apparatus and a security node for use in determining security attacks
US8578493B1 (en) Botnet beacon detection
CN1946077B (en) System and method for detecting abnormal traffic based on early notification
KR100748246B1 (en) Multi-step integrated security monitoring system and method using intrusion detection system log collection engine and traffic statistic generation engine
CN101567812B (en) method and device for detecting network attack
US11258825B1 (en) Computer network monitoring with event prediction
CN104967588A (en) Protection method, apparatus and system for distributed denial of service DDoS (distributed denial of service) attack
US7917957B2 (en) Method and system for counting new destination addresses
CN104753863A (en) DDoS (Distributed Denial of Service) attack prevention method, device and system
Guillot et al. Chocolatine: Outage detection for internet background radiation
CN113518057B (en) Method and device for detecting distributed denial of service attack and computer equipment thereof
CN101034976B (en) Intrusion detection in an IP connected security system
CN102447707A (en) DDoS (Distributed Denial of Service) detection and response method based on mapping request
CN107682341A (en) The means of defence and device of CC attacks
CN113329017A (en) Network security risk detection system and method
GB2381722A (en) intrusion detection (id) system which uses signature and squelch values to prevent bandwidth (flood) attacks on a server
CN108712365B (en) DDoS attack event detection method and system based on flow log
CN109005181A (en) A kind of detection method, system and the associated component of DNS amplification attack
CN106330975A (en) Method for periodic exception detection based on SCADA system
Arshadi et al. Entropy based SYN flooding detection
Bhatnagar et al. The proposal of hybrid intrusion detection for defence of sync flood attack in wireless sensor network
US8095981B2 (en) Worm detection by trending fan out
KR100607110B1 (en) Security information management and vulnerability analysis system
CN112738077A (en) Industrial control network safety detection system

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
C56 Change in the name or address of the patentee

Owner name: HUAWEI DIGITAL TECHNOLOGY (CHENGDU) CO., LTD.

Free format text: FORMER NAME: CHENGDU HUAWEI SYMANTEC TECHNOLOGIES CO., LTD.

CP01 Change in the name or title of a patent holder

Address after: 611731 Chengdu high tech Zone, Sichuan, West Park, Qingshui River

Patentee after: HUAWEI DIGITAL TECHNOLOGIES (CHENG DU) Co.,Ltd.

Address before: 611731 Chengdu high tech Zone, Sichuan, West Park, Qingshui River

Patentee before: CHENGDU HUAWEI SYMANTEC TECHNOLOGIES Co.,Ltd.

TR01 Transfer of patent right

Effective date of registration: 20220805

Address after: 518129 Bantian HUAWEI headquarters office building, Longgang District, Guangdong, Shenzhen

Patentee after: HUAWEI TECHNOLOGIES Co.,Ltd.

Address before: 611731 Qingshui River District, Chengdu hi tech Zone, Sichuan, China

Patentee before: HUAWEI DIGITAL TECHNOLOGIES (CHENG DU) Co.,Ltd.

TR01 Transfer of patent right