Summary of the invention
The embodiments of the invention provide a method and an apparatus for detecting network attacks, so that network attacks can be detected accurately.
The embodiments of the invention propose a method for detecting network attacks, comprising:
receiving packets and obtaining a comparison value between the average distance values of the packets at two adjacent observation moments, where the distance value of a packet is defined as (TTL_initial − TTL_final); the time to live (TTL) is a field of the IP header of an IP packet, TTL_final can be read from the received packet, and TTL_initial is set by the operating system; the average distance value of the packets is the sum of the distance values of all packets divided by the number of packets; and the average distance value at an observation moment of the packets is the average distance value of all packets received within the preset time interval between the previous observation moment and this observation moment;
performing cumulative-sum statistics on the comparison values to obtain a cumulative-sum statistic;
within a predetermined observation cycle, when the cumulative-sum statistic exceeds a preset threshold, determining that a network attack has occurred.
The embodiments of the invention also propose an apparatus for detecting network attacks, comprising:
a comparison value acquisition module, configured to obtain the comparison value between the average distance values of the packets at two adjacent observation moments, where the distance value of a packet is defined as (TTL_initial − TTL_final) and the average distance value of the packets is the sum of the distance values of all packets divided by the number of packets;
a statistic acquisition module, configured to perform cumulative-sum statistics on the comparison values to obtain a cumulative-sum statistic;
a determination module, configured to determine, within a predetermined observation cycle, that a network attack has occurred when the cumulative-sum statistic exceeds a preset threshold.
The comparison value acquisition module comprises either a first comparison value acquisition module, configured to obtain the absolute value of the difference between the average distance values of the packets at two adjacent observation moments, or a second comparison value acquisition module, configured to obtain the ratio of the average distance values of the packets at two adjacent observation moments.
Further, when the comparison value acquisition module comprises the second comparison value acquisition module, the statistic acquisition module comprises:
a second variable statistics module, configured to take as the variable the difference between the absolute value of the ratio of the average distance values of the packets at two adjacent observation moments and a preset value; and
an accumulator module, configured to accumulate the positive values of the variable at each observation moment.
Compared with the prior art, the embodiments of the invention have the following advantages: the cumulative-sum algorithm mainly accumulates values of the variable that are clearly higher than its average level under normal operation, that is, it accumulates the difference values, so network attacks can be detected more accurately and the false alarm rate is reduced; at the same time, the algorithm is simple, so network attacks can be detected promptly.
Embodiment
The technical solutions in the embodiments of the invention are described clearly and completely below with reference to the accompanying drawings of the embodiments. Obviously, the described embodiments are only some of the embodiments of the invention, not all of them. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the invention without creative effort fall within the scope of protection of the invention.
Embodiment one of the invention provides a method for detecting network attacks which, as shown in Figure 2, comprises the following steps:
Step S201: receive packets and obtain the comparison value between the average distance values of the packets at two adjacent observation moments;
Step S202: perform cumulative-sum (CUSUM) statistics on the comparison values to obtain a CUSUM statistic;
Step S203: within a predetermined observation cycle, when the CUSUM statistic exceeds a preset threshold, determine that a network attack has occurred.
The network attack may be a DDoS flooding attack. When a DDoS flooding attack occurs, the attacker starts a large number of zombie hosts to launch the attack; the number of hosts is huge and they are widely distributed, and the performance of each attacking zombie host, the condition of its network link and its location all differ, so a DDoS flooding attack builds up gradually and continuously. The DDoS flooding detection method proposed in the embodiments of the invention is based on the stability of the average distance of packets under normal conditions, and uses the CUSUM algorithm to detect DDoS flooding attacks. CUSUM is an algorithm commonly used in statistical process control for detecting changes in the mean of a statistical process; it is derived from the likelihood ratio and has been shown to work well for detecting small drifts. CUSUM requires a parametric model of the random sequence and monitors the sequence through its probability density function: if a change occurs, the probability distribution of the random sequence changes. The CUSUM algorithm mainly accumulates values of the variable that are clearly higher than its average level under normal operation, that is, it accumulates the difference values, so network attacks can be detected more accurately and the false alarm rate is reduced; at the same time, the algorithm is simple, so network attacks can be detected promptly.
Embodiment two of the invention provides a method for detecting DDoS flooding which, as shown in Figure 3, comprises the following steps:
Step S301: the detection engine collects packets, extracts the TTL value of the IP packet in each packet and calculates the distance value of the packet. The distance value d of a packet is defined as (TTL_initial − TTL_final). TTL is a field of the IP header of an IP packet; each time a packet passes through a router its TTL value is decremented by 1, and when the TTL value reaches 0 the router discards the packet, which prevents packets from circulating in the network indefinitely. The distance value d of a packet therefore also indicates the number of hops traversed from the border router of the sending end to the victim host. The final value of the TTL can be read from the received packet, while the initial value of the TTL is set by the operating system and takes one of the values 32, 64, 128 and 255; since hosts in the network can generally be reached within 30 hops, the initial TTL value can be inferred from the final TTL value.
Step S302: according to the volume of network traffic and the processing capability of the host, the detection engine sets an observation interval γ, which is the observation cycle of the packets, and computes the average distance value of all packets arriving at the victim host within this observation cycle. Because a typical DDoS attack can make the victim host unable to provide normal service within 14 seconds, the observation cycle γ must be chosen to be less than 14 seconds; when setting it, the smaller the value of the observation cycle γ the better, and γ may be chosen as 1 to 2 seconds. After each set observation cycle γ elapses, the detection engine calculates the average distance value of all packets: from the TTL values of all incoming packets observed by the detection engine during that time period, it calculates the average distance value of the packets, which is the sum of the distance values of all packets divided by the number of packets.
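The following Python code is an added example of steps S301 and S302 and is not part of the patent text. It parses the TTL out of a raw IPv4 header, infers the initial TTL as the text describes (nearest of 32, 64, 128 and 255, assuming hosts lie within about 30 hops), and averages the resulting distance values per observation cycle. The header builder and the arrival times and TTLs of the sample packets are constructed here for illustration.

```python
# Added example, not from the patent: steps S301/S302 in code. It parses the TTL
# from a raw IPv4 header, infers the initial TTL the way the text describes
# (one of 32/64/128/255, hosts normally within ~30 hops) and computes the
# average distance value of all packets that arrived in each observation cycle.
import struct
from collections import defaultdict

# Initial TTL values set by common operating systems (as listed in step S301).
INITIAL_TTL_CANDIDATES = (32, 64, 128, 255)


def infer_initial_ttl(final_ttl: int) -> int:
    """Smallest candidate >= the final TTL: a sender within ~30 hops cannot
    decrement its TTL past a candidate boundary, so this recovers TTL_initial."""
    if not 0 <= final_ttl <= 255:
        raise ValueError(f"TTL out of range: {final_ttl}")
    for candidate in INITIAL_TTL_CANDIDATES:
        if final_ttl <= candidate:
            return candidate
    raise AssertionError("unreachable: 255 is always a candidate")


def distance_value(final_ttl: int) -> int:
    """d = TTL_initial - TTL_final, i.e. the hop count from the sender's border router."""
    return infer_initial_ttl(final_ttl) - final_ttl


def ttl_from_ipv4_header(packet: bytes) -> int:
    """The TTL is byte 8 of the IPv4 header; reject anything that is not IPv4."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return packet[8]


def build_ipv4_header(ttl: int, src=b"\x0a\x00\x00\x01", dst=b"\x0a\x00\x00\x02") -> bytes:
    """Constructed minimal IPv4 header (checksum left zero), used only as sample input."""
    # version/IHL, DSCP/ECN, total length, id, flags/fragment offset,
    # TTL, protocol (TCP = 6), header checksum, source, destination
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, ttl, 6, 0, src, dst)


def average_distance_per_cycle(packets, cycle_seconds: float) -> dict:
    """packets: iterable of (arrival_time_seconds, raw_ipv4_header).
    Returns {cycle_index: average distance value of the packets arriving in that cycle}."""
    totals = defaultdict(lambda: [0, 0])  # cycle -> [sum of d, packet count]
    for arrival, raw in packets:
        cycle = int(arrival // cycle_seconds)
        totals[cycle][0] += distance_value(ttl_from_ipv4_header(raw))
        totals[cycle][1] += 1
    return {cycle: total / count for cycle, (total, count) in totals.items()}


# Constructed sample traffic: (arrival time, header) with TTLs 55, 118 and 246 in
# the first 1-second cycle and 50 and 60 in the second.
SAMPLE_PACKETS = [
    (0.1, build_ipv4_header(55)),   # 64 - 55   = 9 hops
    (0.4, build_ipv4_header(118)),  # 128 - 118 = 10 hops
    (0.8, build_ipv4_header(246)),  # 255 - 246 = 9 hops
    (1.2, build_ipv4_header(50)),   # 64 - 50   = 14 hops
    (1.7, build_ipv4_header(60)),   # 64 - 60   = 4 hops
]

if __name__ == "__main__":
    for cycle, avg in sorted(average_distance_per_cycle(SAMPLE_PACKETS, 1.0).items()):
        print(f"cycle {cycle}: average distance value {avg:.2f}")
```

On the sample traffic the first cycle averages 28/3 ≈ 9.33 hops and the second 9.0 hops; a real deployment would feed `average_distance_per_cycle` from a capture rather than constructed headers, and the per-cycle averages are what the later CUSUM steps consume.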
Step S303: the detection engine calculates the absolute value of the difference between the average distance value at moment t+Δt and the average distance value at moment t. Let d_{t+Δt} denote the average distance value at moment t+Δt, d_t the average distance value at moment t, and X_{t+Δt} the absolute value of the difference of the average distance values at moment t+Δt. Here t is an observation moment of the packets, with a value less than γ, and Δt is a preset time interval, which may be 1 second or 0.5 second and can be set in advance according to specific needs. Within an observation cycle, starting from the moment 0 seconds, every Δt is an observation moment, and moment t+Δt and moment t are two adjacent observation moments; the value of t+Δt is less than or equal to γ. Then the absolute value X_{t+Δt} of the difference between the average distance value at moment t+Δt and the average distance value at moment t is:
$X_{t+\Delta t} = \lvert d_{t+\Delta t} - d_t \rvert$
Under normal conditions, the average distance values d at the individual observation moments differ very little, and the sequence formed by the average distance values d is a stable sequence, that is, the value of X_{t+Δt} is basically stable. When a DDoS attack occurs, because of the huge number of hosts and their wide distribution, the value of d changes considerably, and the value of X_{t+Δt} changes considerably with it.
Step S304 detects the absolute value X of engine according to the difference of average distance value
tCalculate the CUSUM statistic.Make Y
t=X
t-k, k get suitable value, X
tBe the t constantly absolute value of average distance value and the difference of a last moment average distance value, under normal circumstances Y
t<0, when generation is unusual, X
tCan have greatly changed, cause Y
t>0; Make Z
t=max{0, Z
T-1+ Y
t, Z wherein
0=0, Z then
tBe exactly a CUSUM statistic, the CUSUM statistic be exactly with the Y variable each constantly on the occasion of adding up, just anomalous effect is added up.Parameter k will select according to the difference of bag average distance under normal condition and the abnormal conditions, according to historical record or other historical experience, perhaps determines according to the excursion of bag average distance value under the normal condition.
Step S305: within one observation cycle of the packets, the detection engine judges whether the CUSUM statistic Z_t has exceeded the preset threshold h; if it has exceeded the threshold h, proceed to step S306, and if it has not exceeded the threshold h, proceed to step S307. The threshold h should be selected according to the required detection time, that is, the length of time from the appearance of the anomaly until it is judged to be an attack, and should also be adjusted according to the actual network conditions and the trade-off between the false alarm rate and the missed alarm rate.
Step S306: the detection engine raises an alarm, indicating that the monitored object has suffered a DDoS flooding attack.
Step S307: the detection engine is in the normal state, indicating that no DDoS flooding attack has been suffered; this observation cycle ends, the next observation cycle begins, t is reset to zero, and the detection engine detects again.
It can be seen that in this embodiment, by obtaining the absolute value of the difference between the average distance values of the packets at two adjacent observation moments, performing CUSUM statistics on it and judging from the CUSUM statistic whether a DDoS flooding attack has occurred, changes in normal network access traffic can be distinguished quickly and accurately and the false alarm rate is reduced.
Embodiment three of the invention provides a method for detecting DDoS flooding which, as shown in Figure 4, comprises the following steps:
Steps S401 and S402 are identical to steps S301 and S302 and are not described again here.
Step S403: the detection engine calculates the ratio of the average distance value at moment t+Δt to the average distance value at moment t. Let d_{t+Δt} denote the average distance value at moment t+Δt, d_t the average distance value at moment t, and X_{t+Δt} the ratio of the average distance value at moment t+Δt to the average distance value at moment t. Then the ratio X_{t+Δt} of the average distance value at moment t+Δt to the average distance value at moment t is:
$X_{t+\Delta t} = d_{t+\Delta t} / d_t$
Under normal conditions, the average distance values d at the individual observation moments differ very little, and the sequence formed by the average distance values d is a stable sequence, that is, the value of X_{t+Δt} is also basically stable. When a DDoS attack occurs, because of the huge number of hosts and their wide distribution, the value of d changes considerably, and the value of X_{t+Δt} changes considerably with it.
Step S404: within one observation cycle of the packets, the detection engine calculates the CUSUM statistic from the ratio X_t of the average distance values. Let
$Y_t = X_t - k$
where k takes a suitable value and X_t is the absolute value of the difference between 1 and the ratio of the average distance value at moment t to the average distance value at the previous moment; under normal circumstances Y_t < 0, and when an anomaly occurs X_t changes greatly, so that Y_t > 0. Let
$Z_t = \max\{0,\; Z_{t-1} + Y_t\}, \quad Z_0 = 0$
Then Z_t is the CUSUM statistic, that is, the positive values of the variable Y at each moment are accumulated, which accumulates the effect of the anomaly. The parameter k is selected according to the difference between the average packet distance under normal conditions and under abnormal conditions, based on historical records or other past experience, or is determined according to the range of variation of the average packet distance value under normal conditions.
Step S405: the detection engine judges whether the CUSUM statistic Z has exceeded the preset threshold h; if it has exceeded the threshold h, proceed to step S406, and if it has not exceeded the threshold h, proceed to step S407. The threshold h should be selected according to the required detection time, that is, the length of time from the appearance of the anomaly until it is judged to be an attack, and should also be adjusted according to the actual network conditions and the trade-off between the false alarm rate and the missed alarm rate.
Step S406: the detection engine raises an alarm, indicating that the victim has suffered a DDoS flooding attack.
Step S407: the detection engine is in the normal state, indicating that no DDoS flooding attack has been suffered; this observation cycle ends, the next observation cycle begins, t is reset to zero, and the detection engine detects again.
It can be seen that in this embodiment, by obtaining the absolute value of the ratio of the average distance values of the packets at two adjacent observation moments, performing CUSUM statistics on it and judging from the CUSUM statistic whether a DDoS flooding attack has occurred, changes in normal network access traffic can be distinguished quickly and accurately and the false alarm rate is reduced.
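The following Python code is an added example, not part of the patent, of the CUSUM stage shared by embodiment two (steps S303 to S307, difference variant) and embodiment three (steps S403 to S407, ratio variant). It takes an already computed sequence of per-observation average distance values d_t, forms X_t in either variant, runs Z_t = max{0, Z_{t−1} + (X_t − k)} and reports the first observation at which Z_t exceeds h. The sample sequence and the values of k and h are constructed for illustration; the patent leaves both parameters to be tuned from history.

```python
# Added example, not from the patent: the CUSUM detector of embodiments two and
# three, run over a constructed sequence of per-observation average distance
# values d_t. The values of k and h used below are assumptions for the sample data.


def comparison_values(d, mode="diff"):
    """X_{t+dt} for each adjacent pair of observations.
    mode="diff":  X = |d_{t+dt} - d_t|        (embodiment two, step S303)
    mode="ratio": X = |d_{t+dt} / d_t - 1|    (embodiment three, steps S403/S404)"""
    xs = []
    for prev, cur in zip(d, d[1:]):
        if mode == "diff":
            xs.append(abs(cur - prev))
        elif mode == "ratio":
            if prev == 0:
                raise ValueError("an average distance of 0 makes the ratio undefined")
            xs.append(abs(cur / prev - 1.0))
        else:
            raise ValueError(f"unknown mode {mode!r}")
    return xs


def cusum(xs, k):
    """Z_t = max(0, Z_{t-1} + (X_t - k)) with Z_0 = 0 (step S304); returns every Z_t."""
    z = 0.0
    zs = []
    for x in xs:
        z = max(0.0, z + (x - k))  # only the positive part of Y_t = X_t - k accumulates
        zs.append(z)
    return zs


def first_alarm(d, k, h, mode="diff"):
    """Step S305: index into d of the first observation at which Z_t > h, or None
    when the whole observation cycle stays at or below the threshold (step S307)."""
    for i, z in enumerate(cusum(comparison_values(d, mode), k)):
        if z > h:
            return i + 1  # comparison value i belongs to observation d[i + 1]
    return None


# Constructed sample: six quiet observations (average distance about 9.2 hops,
# jitter about 0.2) followed by a flood from widely distributed hosts that
# pushes the average distance upward.
SAMPLE_D = [9.3, 9.1, 9.4, 9.2, 9.3, 9.2, 12.8, 15.6, 17.9, 18.4]

if __name__ == "__main__":
    for mode, k, h in (("diff", 0.5, 4.0), ("ratio", 0.05, 0.4)):
        zs = cusum(comparison_values(SAMPLE_D, mode), k)
        print(mode, [round(z, 3) for z in zs], "alarm at observation", first_alarm(SAMPLE_D, k, h, mode))
```

With these parameters both variants stay at Z = 0 through the quiet observations and first cross the threshold at observation 7 (the second flood sample), while the quiet prefix alone never alarms. Tuning matters in both directions: a k below the normal jitter lets noise accumulate into false alarms, and an h sized much larger than the expected per-observation excess delays detection beyond the observation cycle.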
The embodiments of the invention also provide an apparatus for detecting DDoS flooding which, as shown in Figure 5, comprises:
a setting module 10, configured to set the observation cycle of the packets;
an average distance value acquisition module 20, configured to obtain, within the observation cycle set by the setting module 10, the average distance value of the packets every Δt, where Δt is a preset time interval which may be 1 second or 0.5 second and can be set in advance according to specific needs;
a first comparison value acquisition module 30, configured to obtain, from the average distance values obtained by the average distance value acquisition module 20, the absolute value of the difference between the average distance values of the packets at two adjacent observation moments, where adjacent observation moments are any two moments within the observation cycle that are Δt apart;
a first variable statistics module 40, configured to take as the variable the difference between the absolute value of the difference between the average distance values of the packets at two adjacent observation moments, as obtained by the first comparison value acquisition module 30, and a preset value;
an accumulator module 50, configured to accumulate the positive values at each observation moment of the variable obtained by the first variable statistics module 40, to obtain the CUSUM statistic;
a determination module 60, configured to judge, within one observation cycle of the packets, whether a network attack has occurred according to the CUSUM statistic accumulated by the accumulator module 50: when the CUSUM statistic exceeds the preset threshold a network attack has occurred, and when the CUSUM statistic does not exceed the preset threshold no network attack has occurred.
It can be seen that in this embodiment, by accumulating the positive values of the absolute value of the difference between the average distance values of the packets at two adjacent observation moments, that is, by performing CUSUM statistics, changes in normal network access traffic can be distinguished quickly and accurately, network attacks can be detected, and the false alarm rate is reduced.
Another apparatus for detecting DDoS flooding according to the embodiments of the invention, as shown in Figure 6, comprises a setting module 10, an average distance value acquisition module 20, an accumulator module 50 and a determination module 60, whose functions are identical to those in the previous embodiment, and further comprises:
a second comparison value acquisition module 70, configured to obtain, from the average distance values obtained by the average distance value acquisition module 20, the ratio of the average distance values of the packets at two adjacent observation moments;
a second variable statistics module 80, configured to take as the variable at each observation moment the difference between the ratio of the average distance values of the packets at two adjacent observation moments, as obtained by the second comparison value acquisition module 70, and a preset value.
It can be seen that in this embodiment, by accumulating the positive values of the absolute value of the ratio of the average distance values of the packets at two adjacent observation moments, that is, by performing CUSUM statistics, changes in normal network access traffic can be distinguished quickly and accurately, network attacks can be detected, and the false alarm rate is reduced.
From the description of the above embodiments, those skilled in the art can clearly understand that the invention can be implemented by hardware, or by software together with the necessary general-purpose hardware platform. Based on this understanding, the technical solution of the invention can be embodied in the form of a software product, which can be stored in a non-volatile storage medium (such as a CD-ROM, a USB flash disk or a portable hard disk) and which comprises instructions for causing a computer device (such as a personal computer, a server or a network device) to carry out the method described in each embodiment of the invention.
The above are only preferred implementations of the invention; it should be pointed out that those skilled in the art can make further improvements and modifications without departing from the principles of the invention, and these improvements and modifications should also be regarded as falling within the scope of protection of the invention.