CN101369897B - Method and equipment for detecting network attack - Google Patents


Info

Publication number
CN101369897B
Authority
CN
China
Prior art keywords
value
packet
constantly
average distance
distance value
Prior art date
Legal status
Expired - Fee Related
Application number
CN200810144463XA
Other languages
Chinese (zh)
Other versions
CN101369897A (en)
Inventor
张烜
谷勇浩
张振宇
张进军
Current Assignee
Huawei Digital Technologies Chengdu Co Ltd
Original Assignee
Huawei Symantec Technologies Co Ltd
Priority date
2008-07-31
Filing date
2008-07-31
Publication date
2011-04-20

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a method for detecting a network attack. The method comprises: receiving packets and obtaining a comparison value between the average distance values of the packets at two adjacent observation moments; performing cumulative-sum statistics on the comparison value to obtain a cumulative-sum statistic; and judging that a network attack is occurring when the cumulative-sum statistic exceeds a preset threshold within a preset observation period. The CUSUM algorithm used in the invention mainly accumulates the values of a variable that are clearly higher than its average level under normal operation, that is, it accumulates the excess, so a network attack is detected more accurately and the false-alarm rate is reduced; at the same time the algorithm is simple, so the attack is detected quickly.

Description

Method and apparatus for detecting a network attack
Technical field
The present invention relates to the field of communication technology, and in particular to a method and apparatus for detecting a network attack.
Background technology
The basic principle of a DDoS (Distributed Denial of Service) flooding attack is that the attacker controls a very large number of zombie hosts, which send a huge volume of service requests or data packets to the victim until the resources of the victim's host or network are exhausted and the victim can no longer provide service; Fig. 1 shows the structure of a DDoS flooding attack. Because DDoS flooding attack tools are very easy to obtain, cause enormous damage, and are hard to detect and defend against, DDoS flooding has become one of the largest security threats on the current Internet. Many methods exist for detecting and defending against DDoS flooding, but their effectiveness is limited, especially in fast detection and in distinguishing normal high-volume traffic from abnormal traffic.
The distance value d of a packet is defined as (TTL_initial - TTL_final), where TTL (Time To Live) is a field of the IP header of the IP packet. Each router a packet passes through decrements the TTL by 1, and when the TTL reaches 0 the router discards the packet, which prevents packets from circulating in the network indefinitely. From the viewpoint of network topology, the sources of a DDoS flooding attack sit behind a large number of routers, so the attack changes the statistical distribution of the network topology; for a victim host, the network topology is the topology of the upstream routers traversed by the traffic sent to it. The change in packet distance therefore directly reflects the change in network topology when an attack occurs. In the prior art, DDoS flooding is detected by estimating the average packet distance: the detection engine observes the TTL values of all incoming packets during a specific time period and computes the average distance value of the packets, which is the sum of the distance values of all packets divided by the number of packets. The average distance of the next period is predicted with an exponential-smoothing algorithm, the predicted value is compared with the measured value, and an anomaly is judged (and the prediction error evaluated) using the mean absolute error.
While developing the present invention, the inventors found at least the following problem in the prior art: because network nodes are extremely numerous, the network topology is complex, and normal client accesses are random, it is difficult to conclude from an abnormal change in one statistical property of the packets at a single moment that a DDoS flooding attack is occurring. The prior-art method easily reports fluctuations in normal network access, or bursts of legitimate high-volume access, as DDoS flooding attacks.
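As an added illustration (not code from the patent), the following Python computes the packet distance d = TTL_initial - TTL_final and the average distance per observation interval as defined above, inferring TTL_initial from the operating-system defaults the embodiments name later (32, 64, 128, 255) and the "reachable within about 30 hops" assumption; the packet records are constructed.

```python
"""Packet hop distance from the IP TTL, averaged per observation interval.

Added example, not the patent's own code.  It implements the background
definitions: d = TTL_initial - TTL_final, and the average distance is the
sum of d over all packets in an interval divided by the number of packets.
"""
from collections import defaultdict
from typing import Iterable, List, Optional, Sequence, Tuple

# Initial TTLs set by common operating systems, as listed in the patent.
INITIAL_TTLS = (32, 64, 128, 255)


def infer_initial_ttl(ttl_final: int) -> int:
    """Infer TTL_initial from the TTL seen on the wire.

    Assumption (from the patent): hosts are reachable within about 30 hops,
    so the sender's initial TTL is the smallest well-known value that is not
    below the observed one.  The TTL field is written by the sender, so the
    resulting distance is a statistical signal, not proof of origin.
    """
    if not 1 <= ttl_final <= 255:
        raise ValueError(f"TTL out of range: {ttl_final}")
    return next(c for c in INITIAL_TTLS if ttl_final <= c)


def hop_distance(ttl_final: int) -> int:
    """d = TTL_initial - TTL_final: hops from the sender's border router."""
    return infer_initial_ttl(ttl_final) - ttl_final


def average_distance(ttls: Iterable[int]) -> float:
    """Sum of the distance values of all packets divided by their number."""
    ttls = list(ttls)
    if not ttls:
        raise ValueError("no packets in this interval")
    return sum(hop_distance(t) for t in ttls) / len(ttls)


def interval_averages(packets: Sequence[Tuple[float, int]],
                      delta_t: float, gamma: float) -> List[Optional[float]]:
    """Average distance for each delta_t bucket of one observation cycle gamma.

    `packets` are (seconds since cycle start, TTL_final) records.  Packets
    outside [0, gamma) belong to another cycle and are ignored; a bucket
    with no packets yields None so the caller can skip it instead of
    dividing by zero.
    """
    n_buckets = int(gamma / delta_t)
    buckets = defaultdict(list)
    for ts, ttl in packets:
        if 0 <= ts < gamma:
            buckets[int(ts // delta_t)].append(ttl)
    return [average_distance(buckets[i]) if buckets[i] else None
            for i in range(n_buckets)]


# Constructed sample: (timestamp, TTL_final).  Distances: 12, 13, 12 | 14, 12
SAMPLE_PACKETS = [(0.1, 52), (0.4, 115), (0.7, 243), (1.2, 50), (1.5, 116)]

if __name__ == "__main__":
    for i, avg in enumerate(interval_averages(SAMPLE_PACKETS, 1.0, 2.0)):
        print(f"interval {i}: average distance = {avg}")
```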
Summary of the invention
The embodiments of the invention provide a method and apparatus for detecting a network attack, so as to detect network attacks accurately.
An embodiment of the invention proposes a method for detecting a network attack, comprising:
receiving packets and obtaining the comparison value between the average distance values of the packets at two adjacent observation moments, where the distance value of a packet is defined as (TTL_initial - TTL_final), the time-to-live TTL is a field of the IP header of the IP packet, TTL_final can be read from the received packet and TTL_initial is set by the operating system, the average distance value of the packets is the sum of the distance values of all packets divided by the number of packets, and the average distance value of the packets at one observation moment is the average distance value of all packets received during the preset time interval between the previous observation moment and this observation moment;
performing cumulative-sum statistics on the comparison value to obtain a cumulative-sum statistic;
within a preset observation cycle, judging that a network attack is occurring when the cumulative-sum statistic exceeds a preset threshold.
An embodiment of the invention also proposes an apparatus for detecting a network attack, comprising:
a comparison value acquisition module, used to obtain the comparison value between the average distance values of the packets at two adjacent observation moments, where the distance value of a packet is defined as (TTL_initial - TTL_final) and the average distance value of the packets is the sum of the distance values of all packets divided by the number of packets;
a statistic acquisition module, used to perform cumulative-sum statistics on the comparison value and obtain a cumulative-sum statistic;
a determination module, used to judge, within a preset observation cycle, that a network attack is occurring when the cumulative-sum statistic exceeds a preset threshold.
The comparison value acquisition module comprises either a first comparison value acquisition module, used to obtain the absolute value of the difference between the average distance values of the packets at adjacent observation moments, or a second comparison value acquisition module, used to obtain the ratio of the average distance values of the packets at adjacent observation moments.
Further, when the comparison value acquisition module comprises the second comparison value acquisition module, the statistic acquisition module comprises:
a second variable statistics module, used to take as the variable the difference between the absolute value of the ratio of the average distance values at adjacent observation moments and a preset value;
an accumulation module, used to accumulate the positive values of the variable at each observation moment.
Compared with the prior art, the embodiments of the invention have the following advantages: the cumulative-sum algorithm mainly accumulates the values of the variable that are clearly higher than its average level under normal operation, that is, it accumulates the excess, so network attacks are detected more accurately and the false-alarm rate is reduced; at the same time the algorithm is simple, so network attacks are detected quickly.
Description of drawings
To illustrate the embodiments of the invention or the technical solutions of the prior art more clearly, the drawings needed for describing the embodiments or the prior art are introduced briefly below. Obviously, the drawings described below show only some embodiments of the invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic structure of a DDoS flooding attack;
Fig. 2 is a flowchart of a method for detecting a network attack according to embodiment one of the invention;
Fig. 3 is a flowchart of a method for detecting DDoS flooding according to embodiment two of the invention;
Fig. 4 is a flowchart of a method for detecting DDoS flooding according to embodiment three of the invention;
Fig. 5 is a structure diagram of an apparatus for detecting DDoS flooding according to an embodiment of the invention;
Fig. 6 is a structure diagram of another apparatus for detecting DDoS flooding according to an embodiment of the invention.
Detailed description of the embodiments
The technical solutions in the embodiments of the invention are described clearly and completely below with reference to the drawings. Obviously, the described embodiments are only some, not all, of the embodiments of the invention. All other embodiments that those of ordinary skill in the art obtain from these embodiments without creative effort fall within the scope of protection of the invention.
Embodiment one of the invention provides a method for detecting a network attack, shown in Fig. 2, comprising the following steps:
Step S201: receive packets and obtain the comparison value between the average distance values of the packets at two adjacent observation moments;
Step S202: perform cumulative-sum (CUSUM) statistics on the comparison value to obtain a CUSUM statistic;
Step S203: within a preset observation cycle, when the CUSUM statistic exceeds a preset threshold, judge that a network attack is occurring.
The network attack may be a DDoS flooding attack. When such an attack occurs, the attacker launches it from a very large number of zombie hosts; the hosts are numerous and widely distributed, and the performance, link conditions and locations of the individual attacking hosts all differ, so the onset of a DDoS flooding attack is a gradual, continuing process. The DDoS flooding detection method proposed in the embodiments relies on the stability of the average packet distance under normal conditions and uses the CUSUM algorithm to detect the attack. CUSUM is a common algorithm in statistical process control for detecting changes in the mean of a statistical process; it is derived from the likelihood ratio and has been shown to work well for detecting small drifts. CUSUM requires a parametric model of the random sequence and monitors the sequence through its probability density function; if a change occurs, the probability distribution of the sequence changes. The CUSUM algorithm mainly accumulates the values of the variable that are clearly higher than its average level under normal operation, that is, it accumulates the excess, so network attacks are detected more accurately and the false-alarm rate is reduced; at the same time the algorithm is simple, so network attacks are detected quickly.
Embodiment two of the invention provides a method for detecting DDoS flooding, shown in Fig. 3, comprising the following steps:
Step S301: the detection engine collects packets, extracts the TTL value of each IP packet and computes its distance value. The distance value d of a packet is defined as (TTL_initial - TTL_final). TTL is a field of the IP header; each router the packet passes through decrements the TTL by 1, and when the TTL reaches 0 the router discards the packet, which prevents packets from circulating indefinitely in the network. The distance value d also gives the number of hops from the sender's border router to the victim host. The final TTL value can be read from the received packet, while the initial TTL value is set by the sender's operating system and is one of 32, 64, 128 and 255; since hosts in the network can generally be reached within 30 hops, the initial TTL can be inferred from the final TTL.
Step S302: according to the volume of network traffic and the processing capacity of the host, the detection engine sets an observation interval γ, which is the observation cycle of the packets, and computes the average distance value of all packets arriving at the victim host within this cycle. Because a typical DDoS attack can render the victim host unable to provide normal service within 14 seconds, the observation cycle γ must be less than 14 seconds; the smaller γ is set, the better, and γ may be chosen as 1-2 seconds. Once the configured observation cycle γ has elapsed, the detection engine computes the average distance value of all packets: from the TTL values of all incoming packets observed during that specific time period it computes the average distance value, which is the sum of the distance values of all packets divided by the number of packets.
Step S303: the detection engine computes the absolute value of the difference between the average distance value at moment t+Δt and the average distance value at moment t. Let d_{t+Δt} denote the average distance value at moment t+Δt, d_t the average distance value at moment t, and X_{t+Δt} the absolute value of the difference of the average distance values at moment t+Δt, where t denotes an observation moment of the packets with a value less than γ, and Δt is the preset time interval, which may be 1 second or 0.5 second and is set in advance as needed. Within an observation cycle, starting from moment 0 s, every Δt marks one observation moment, and moments t and t+Δt are two adjacent observation moments; the value of t+Δt is at most γ. Then the absolute value X_{t+Δt} of the difference between the average distance values at moments t+Δt and t is:
$X_{t+\Delta t} = \left| d_{t+\Delta t} - d_t \right|$
Under normal conditions, the average distance values d at successive observation moments differ very little, and the sequence formed by the values d is stable, so the value of X_{t+Δt} is basically stable. When a DDoS attack occurs, because of the huge number and wide distribution of the attacking hosts, the value of d changes considerably, and X_{t+Δt} changes considerably with it.
Step S304: the detection engine computes the CUSUM statistic from the absolute difference X_t of the average distance values. Let Y_t = X_t - k, with k chosen suitably, where X_t is the absolute value of the difference between the average distance value at moment t and that at the previous moment; under normal circumstances Y_t < 0, and when an anomaly occurs X_t changes greatly, making Y_t > 0. Let Z_t = max{0, Z_{t-1} + Y_t} with Z_0 = 0; then Z_t is the CUSUM statistic, which accumulates the positive values of the variable Y at each moment, that is, it accumulates the effect of the anomaly. The parameter k is chosen according to the difference between the average packet distance under normal and abnormal conditions, based on historical records or other experience, or according to the range of variation of the average packet distance under normal conditions.
Step S305: within one observation cycle of the packets, the detection engine judges whether the CUSUM statistic Z_t has exceeded the preset threshold h; if it has, go to step S306, otherwise go to step S307. h should be chosen according to the required detection time, that is, the length of time from the appearance of the anomaly until it is judged to be an attack, and should also be adjusted according to the actual network conditions and the balance between the false-alarm rate and the miss rate.
Step S306: the detection engine raises an alarm, indicating that the monitored object is under a DDoS flooding attack.
Step S307: the detection engine is in the normal state, indicating that there is no DDoS flooding attack; this observation cycle ends, the next observation cycle begins, t is reset to zero and the detection engine starts detecting again.
Thus, in this embodiment, CUSUM statistics are computed over the absolute value of the difference between the average distance values of the packets at two adjacent observation moments, and whether a DDoS flooding attack is occurring is judged from the CUSUM value; this distinguishes changes in normal network access traffic quickly and accurately and reduces the false-alarm rate.
Embodiment three of the invention provides a method for detecting DDoS flooding, shown in Fig. 4, comprising the following steps:
Steps S401 and S402 are identical to steps S301 and S302 and are not repeated here.
Step S403: the detection engine computes the ratio of the average distance value at moment t+Δt to the average distance value at moment t. Let d_{t+Δt} denote the average distance value at moment t+Δt, d_t the average distance value at moment t, and X_{t+Δt} the comparison value derived from the ratio of the average distance value at moment t+Δt to that at moment t. Then X_{t+Δt} is:
$X_{t+\Delta t} = \left| \frac{d_{t+\Delta t}}{d_t} - 1 \right|$
Under normal conditions, the average distance values d at successive observation moments differ very little, and the sequence formed by the values d is stable, so the value of X_{t+Δt} is also basically stable. When a DDoS attack occurs, because of the huge number and wide distribution of the attacking hosts, the value of d changes considerably, and X_{t+Δt} changes considerably with it.
Step S404: within one observation cycle of the packets, the detection engine computes the CUSUM statistic from the ratio-based value X_t. Let Y_t = X_t - k, with k chosen suitably, where X_t is the absolute value of the ratio of the average distance value at moment t to that at the previous moment minus 1; under normal circumstances Y_t < 0, and when an anomaly occurs X_t changes greatly, making Y_t > 0. Let Z_t = max{0, Z_{t-1} + Y_t} with Z_0 = 0; then Z_t is the CUSUM statistic, which accumulates the positive values of the variable Y at each moment, that is, it accumulates the effect of the anomaly. The parameter k is chosen according to the difference between the average packet distance under normal and abnormal conditions, based on historical records or other experience, or according to the range of variation of the average packet distance under normal conditions.
Step S405: the detection engine judges whether the CUSUM statistic Z has exceeded the preset threshold h; if it has, go to step S406, otherwise go to step S407. h should be chosen according to the required detection time, that is, the length of time from the appearance of the anomaly until it is judged to be an attack, and should also be adjusted according to the actual network conditions and the balance between the false-alarm rate and the miss rate.
Step S406: the detection engine raises an alarm, indicating that the victim is under a DDoS flooding attack.
Step S407: the detection engine is in the normal state, indicating that there is no DDoS flooding attack; this observation cycle ends, the next observation cycle begins, t is reset to zero and the detection engine starts detecting again.
Thus, in this embodiment, CUSUM statistics are computed over the absolute value derived from the ratio of the average distance values of the packets at two adjacent observation moments, and whether a DDoS flooding attack is occurring is judged from the CUSUM value; this distinguishes changes in normal network access traffic quickly and accurately and reduces the false-alarm rate.
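As an added example (not the patent's own code), the CUSUM stage of embodiments two and three in Python: `comparison_difference` is the X of step S303, `comparison_ratio` the X of step S403, and `CusumDetector` carries Y_t = X_t - k, Z_t = max{0, Z_{t-1} + Y_t} and the threshold h, with the reset of steps S307/S407. The average-distance series and the values of k and h are constructed for illustration, not taken from the patent.

```python
"""CUSUM over the per-interval average packet distance (embodiments two and
three).  Added example, not the patent's own code; the series and the
parameters k and h below are constructed for illustration."""
from dataclasses import dataclass, field
from typing import List, Optional, Sequence, Tuple


def comparison_difference(d_prev: float, d_curr: float) -> float:
    """Embodiment two, step S303: X = |d_{t+dt} - d_t|."""
    return abs(d_curr - d_prev)


def comparison_ratio(d_prev: float, d_curr: float) -> float:
    """Embodiment three, step S403: X = |d_{t+dt} / d_t - 1|."""
    if d_prev == 0:
        # An average distance of 0 makes the ratio undefined; refuse rather
        # than silently feeding inf/NaN into the accumulator.
        raise ZeroDivisionError("previous average distance is zero")
    return abs(d_curr / d_prev - 1.0)


@dataclass
class CusumDetector:
    k: float                      # reference value: Y_t = X_t - k
    h: float                      # alarm threshold on Z_t
    mode: str = "difference"      # "difference" (S303) or "ratio" (S403)
    z: float = 0.0                # Z_t, with Z_0 = 0
    d_prev: Optional[float] = None
    trace: List[float] = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.mode not in ("difference", "ratio"):
            raise ValueError(f"unknown comparison mode: {self.mode}")

    def update(self, d_curr: float) -> bool:
        """Feed the average distance of the next observation moment.

        Returns True when Z_t exceeds h (steps S305/S405 -> alarm).
        """
        if self.d_prev is None:
            # First observation moment of the cycle: nothing to compare yet.
            self.d_prev = d_curr
            return False
        compare = (comparison_difference if self.mode == "difference"
                   else comparison_ratio)
        x = compare(self.d_prev, d_curr)
        y = x - self.k                      # negative under normal conditions
        self.z = max(0.0, self.z + y)       # Z_t = max{0, Z_{t-1} + Y_t}
        self.d_prev = d_curr
        self.trace.append(self.z)
        return self.z > self.h

    def reset(self) -> None:
        """Steps S307/S407: new observation cycle, t and Z cleared."""
        self.z = 0.0
        self.d_prev = None
        self.trace.clear()


def run_cycle(averages: Sequence[Optional[float]], k: float, h: float,
              mode: str = "difference") -> Tuple[bool, Optional[int]]:
    """Run one observation cycle; return (alarm raised, index of the alarm)."""
    det = CusumDetector(k=k, h=h, mode=mode)
    for i, d in enumerate(averages):
        if d is None:          # interval with no packets: skip it
            continue
        if det.update(d):
            return True, i
    return False, None


# Constructed series of per-interval average distances (hops).
NORMAL = [12.3, 12.5, 12.2, 12.6, 12.4, 12.3]   # jitter of a few tenths
ATTACK = [12.3, 12.4, 13.5, 14.9, 16.2, 16.8]   # distant hosts join in

if __name__ == "__main__":
    for name, series in (("normal", NORMAL), ("attack", ATTACK)):
        print(name, "difference:", run_cycle(series, k=0.5, h=2.0))
        print(name, "ratio:     ", run_cycle(series, k=0.05, h=0.12, mode="ratio"))
```

With these constructed values the difference detector stays at Z = 0 on the normal series and alarms at the fifth interval of the attack series; the ratio detector behaves the same, which shows that k and h must be tuned per comparison mode since the two X values live on different scales.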
An embodiment of the invention also provides an apparatus for detecting DDoS flooding, shown in Fig. 5, comprising:
a setting module 10, used to set the observation cycle of the packets;
an average distance value acquisition module 20, used to obtain, within the observation cycle set by the setting module 10, the average distance value of the packets for each interval Δt, where Δt is the preset time interval, which may be 1 second or 0.5 second and is set in advance as needed;
a first comparison value acquisition module 30, used to obtain, from the average distance values produced by the average distance value acquisition module 20, the absolute value of the difference between the average distance values of the packets at adjacent observation moments, where adjacent observation moments are two moments within the observation cycle separated by the interval Δt;
a first variable statistics module 40, used to take as the variable the difference between the absolute difference obtained by the first comparison value acquisition module 30 and a preset value;
an accumulation module 50, used to accumulate the positive values, at each observation moment, of the variable produced by the first variable statistics module 40, obtaining the CUSUM statistic;
a determination module 60, used to judge, within one observation cycle of the packets, whether a network attack is occurring from the CUSUM statistic computed by the accumulation module 50: when the CUSUM statistic exceeds the preset threshold a network attack is occurring, and when it does not exceed the preset threshold no network attack is occurring.
Thus, in this embodiment, the positive values of the absolute difference between the average distance values of the packets at two adjacent observation moments are accumulated, that is, CUSUM statistics are computed, which distinguishes changes in normal network access traffic quickly and accurately, detects network attacks and reduces the false-alarm rate.
Another apparatus for detecting DDoS flooding according to an embodiment of the invention, shown in Fig. 6, comprises a setting module 10, an average distance value acquisition module 20, an accumulation module 50 and a determination module 60, whose functions are the same as in the previous embodiment, and further comprises:
a second comparison value acquisition module 70, used to obtain, from the average distance values produced by the average distance value acquisition module 20, the ratio of the average distance values of the packets at two adjacent observation moments;
a second variable statistics module 80, used to take as the variable at each observation moment the difference between the ratio of the average distance values at two adjacent observation moments obtained by the second comparison value acquisition module 70 and a preset value.
Thus, in this embodiment, the positive values of the absolute value derived from the ratio of the average distance values of the packets at two adjacent observation moments are accumulated, that is, CUSUM statistics are computed, which distinguishes changes in normal network access traffic quickly and accurately, detects network attacks and reduces the false-alarm rate.
From the above description of the embodiments, those skilled in the art will clearly understand that the invention can be implemented in hardware, or in software together with the necessary general-purpose hardware platform. On this basis, the technical solution of the invention can be embodied as a software product stored in a non-volatile storage medium (such as a CD-ROM, USB flash drive or portable hard disk) and containing instructions that cause a computing device (a personal computer, a server, a network device, etc.) to perform the method described in each embodiment of the invention.
The above is only a preferred implementation of the invention. It should be noted that those skilled in the art can make improvements and modifications without departing from the principle of the invention, and these improvements and modifications should also be regarded as falling within the scope of protection of the invention.

Claims (12)

1. a method that detects network attack is characterized in that, comprising:
Receive packet, obtain the adjacent comparison value of observing average distance value constantly of described packet, wherein, the distance value of packet is defined as (TTL Initial value-TTL Final value), life span TTL is a territory of the IP header of IP packet, TTL Final valueCan from the packet of receiving, read, and TTL Initial valueThen set by operating system, the described average distance value of packet is exactly the distance value summation to all packets, with the number of the result who is drawn divided by packet, it is the average distance value that is carved at interval interior all packets that receive of a preset time that this observations experienced constantly when last observes that one of packet is observed average distance value constantly;
Described comparison value is accumulated and is added up, obtain accumulation and statistic;
In the predetermined observation cycle, when described accumulation and statistic when surpassing pre-set threshold, judge network attack take place.
2. the method for claim 1 is characterized in that, the described adjacent comparison value of observing average distance value constantly that obtains described packet comprises:
Obtain the adjacent absolute value of observing the difference of average distance value constantly of described packet; Or
Obtain the adjacent absolute value of observing the ratio of average distance value constantly of described packet.
3. method as claimed in claim 2, it is characterized in that the described adjacent absolute value of observing the ratio of average distance value constantly that obtains described packet comprises: observe average distance value constantly and deduct 1 absolute value for back one of packet in making that two of described packet are adjacent and observing constantly divided by the previous result who observes average distance value constantly of packet.
4. method as claimed in claim 2 is characterized in that, described described comparison value is accumulated and statistics comprises:
When described comparison value was the absolute value of the adjacent difference of observing average distance value constantly of described packet, the difference of packet adjacent being observed the absolute value of difference of average distance value constantly and a preset value was as variable;
With each observe in the variable constantly on the occasion of adding up.
5. method as claimed in claim 2 is characterized in that, described described comparison value is accumulated and statistics comprises:
When described comparison value is the absolute value of the adjacent ratio of observing average distance value constantly of described packet, packet adjacent observed the difference of the absolute value of average distance value ratio constantly and a preset value as variable;
With each observe in the variable constantly on the occasion of adding up.
6. as the arbitrary described method of claim 1 to 5, it is characterized in that described adjacent the observation moment that is specially two preset time intervals that are separated by in the observation cycle constantly.
7. an equipment that detects network attack is characterized in that, comprising:
a comparison value acquisition module, configured to receive packets and to obtain a comparison value between the average distance values of the packets at adjacent observation moments, wherein the distance value of a packet is defined as (TTL initial value - TTL final value); the time to live (TTL) is a field of the IP header of an IP packet; the TTL final value can be read from the received packet, and the TTL initial value is the value set by the sender's operating system; the average distance value of the packets is the sum of the distance values of all packets divided by the number of packets; and the average distance value of the packets at one observation moment is the average distance value of all packets received within the preset time interval between the previous observation moment and this observation moment;
a statistic acquisition module, configured to accumulate the comparison values and to obtain a cumulative sum statistic; and
a determination module, configured to determine that a network attack has occurred when the cumulative sum statistic exceeds a preset threshold within a predetermined observation cycle.
8. The equipment of claim 7, wherein the comparison value acquisition module comprises:
a first comparison value acquisition module, configured to obtain the absolute value of the difference between the average distance values of the packets at adjacent observation moments; or
a second comparison value acquisition module, configured to obtain the ratio of the average distance values of the packets at adjacent observation moments.
9. The equipment of claim 8, wherein, when the comparison value acquisition module comprises the first comparison value acquisition module, the statistic acquisition module comprises:
a first variable statistics module, configured to take as the variable the difference between the absolute value of the difference of the average distance values of the packets at adjacent observation moments and a preset value; and
an accumulator module, configured to accumulate the positive values of the variable at each observation moment.
10. The equipment of claim 8, wherein, when the comparison value acquisition module comprises the second comparison value acquisition module, the statistic acquisition module comprises:
a second variable statistics module, configured to take as the variable the difference between the absolute value of the ratio of the average distance values of the packets at adjacent observation moments and a preset value; and
an accumulator module, configured to accumulate the positive values of the variable at each observation moment.
11. The equipment of claim 7, further comprising:
a setting module, configured to set the packet observation cycle.
12. The equipment of claim 7, wherein the adjacent observation moments are two observation moments within the observation cycle that are separated by the preset time interval.
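The detector that claims 7 to 12 describe, as an added worked example. This is illustrative code written for this page, not the patent's or the assignee's implementation. The page says only that the TTL initial value is "set by the operating system", so the example assumes it is recovered as the smallest common operating-system default (64, 128 or 255) that is not below the observed TTL; it also assumes the cumulative statistic restarts at the beginning of each observation cycle, and the per-interval TTL windows are constructed sample traffic, not captured data.

```python
"""TTL-distance CUSUM detector in the shape of claims 7 to 12 (added example).

Assumptions not stated on the page: the TTL initial value is inferred from
common OS defaults, and the accumulated statistic is reset every cycle.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional

OS_DEFAULT_TTLS = (64, 128, 255)  # assumption: Linux 64, Windows 128, some routers/Solaris 255


def infer_initial_ttl(ttl_final: int) -> int:
    """Estimate the TTL the sender's OS started with (assumed inference, see lead-in)."""
    for candidate in OS_DEFAULT_TTLS:
        if ttl_final <= candidate:
            return candidate
    return 255


def distance(ttl_final: int) -> int:
    """Claim 7: distance value = TTL initial value - TTL final value (a hop count)."""
    return infer_initial_ttl(ttl_final) - ttl_final


def average_distance(ttls: Iterable[int]) -> float:
    """Claim 7: sum of the distance values of all packets in the interval / packet count."""
    ttls = list(ttls)
    if not ttls:
        return 0.0
    return sum(distance(t) for t in ttls) / len(ttls)


@dataclass
class CusumDetector:
    """Claims 8 to 12: comparison value, variable, positive-part accumulation, threshold."""
    preset_value: float        # subtracted from the comparison value to form the variable
    threshold: float           # attack judged when the accumulated statistic exceeds this
    intervals_per_cycle: int   # observation cycle expressed in preset time intervals
    mode: str = "diff"         # "diff" = first module (claim 9), "ratio" = second (claim 10)
    prev_avg: Optional[float] = None
    statistic: float = 0.0
    interval_index: int = 0

    def comparison_value(self, avg: float) -> float:
        if self.prev_avg is None:            # first observation moment has no neighbour
            return 0.0
        if self.mode == "diff":
            return abs(avg - self.prev_avg)  # claim 8, first module
        # claim 8, second module; a zero previous average would divide by zero
        return abs(avg / self.prev_avg) if self.prev_avg else 0.0

    def observe(self, ttls: List[int]) -> bool:
        """Process one observation moment; return True when an attack is judged to occur."""
        if self.interval_index % self.intervals_per_cycle == 0:
            self.statistic = 0.0             # assumption: accumulation restarts each cycle
        self.interval_index += 1
        avg = average_distance(ttls)
        variable = self.comparison_value(avg) - self.preset_value  # claims 9 and 10
        self.statistic += max(variable, 0.0)                      # only positive values
        self.prev_avg = avg
        return self.statistic > self.threshold                    # claim 7 determination


def run_detector(windows: List[List[int]], mode: str, preset_value: float,
                 threshold: float, intervals_per_cycle: int = 4) -> List[bool]:
    """Feed one TTL window per observation moment; return the per-moment verdicts."""
    det = CusumDetector(preset_value, threshold, intervals_per_cycle, mode)
    return [det.observe(w) for w in windows]


# Constructed sample traffic (not from the page): two intervals of ordinary traffic,
# then two intervals of a spoofed-source flood whose packets carry arbitrary TTLs.
NORMAL = [54, 55, 116, 117, 245]      # hop counts 10, 9, 12, 11, 10 -> average 10.4
FLOOD_A = [3, 30, 70, 100, 200, 250]  # hop counts 61, 34, 58, 28, 55, 5 -> average ~40.17
FLOOD_B = [1, 2, 3, 4]                # hop counts 63, 62, 61, 60 -> average 61.5
SAMPLE_WINDOWS = [NORMAL, NORMAL, FLOOD_A, FLOOD_B]

if __name__ == "__main__":
    print(run_detector(SAMPLE_WINDOWS, "diff", preset_value=2.0, threshold=40.0))
    print(run_detector(SAMPLE_WINDOWS, "ratio", preset_value=1.5, threshold=2.0))
```

Two properties of the claimed scheme are visible in the sample run. The absolute-difference form accumulates only changes between adjacent moments, so a flood that holds the average distance steady stops adding to the statistic after its first interval, and the return to normal traffic afterwards produces a jump of the same size; the ratio form, with the variable defined as ratio minus a preset value, reacts only to increases. Both forms also depend on the initial-TTL inference: an attacker who chooses spoofed TTLs that land on plausible hop counts from 64 or 128 does not move the average distance much.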

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN200810144463XA CN101369897B (en) 2008-07-31 2008-07-31 Method and equipment for detecting network attack

Publications (2)

Publication Number Publication Date
CN101369897A CN101369897A (en) 2009-02-18
CN101369897B true CN101369897B (en) 2011-04-20

Family

ID=40413546

Family Applications (1)

Application Number Title Priority Date Filing Date
CN200810144463XA Expired - Fee Related CN101369897B (en) 2008-07-31 2008-07-31 Method and equipment for detecting network attack

Country Status (1)

Country Link
CN (1) CN101369897B (en)

Families Citing this family (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101917309B (en) * 2010-08-27 2012-11-07 University of Electronic Science and Technology of China Detection method of denial of service of public service number under soft switching platform
CN101917445B (en) * 2010-08-27 2013-02-13 University of Electronic Science and Technology of China Method for detecting denial of service attack of number segment in soft switching platform
CN102175266B (en) * 2011-02-18 2012-09-19 Harbin Institute of Technology Fault diagnosis method for mobile gyroscope inertia subassembly
CN102420825B (en) * 2011-11-30 2014-07-02 Beijing Star-Net Ruijie Network Technology Co., Ltd. Network attack defense and detection method and system thereof
CN102882880A (en) * 2012-10-10 2013-01-16 Changzhou University Detection method and detection system of distributed denial of service (DDoS) attack aiming at domain name server (DNS) service
CN105119735B (en) * 2015-07-15 2018-07-06 Baidu Online Network Technology (Beijing) Co., Ltd. A method and apparatus for determining discharge pattern
CN105357228B (en) * 2015-12-19 2018-03-20 PLA Information Engineering University A burst flow detection method based on dynamic threshold
CN107085576A (en) * 2016-02-15 2017-08-22 Alibaba Group Holding Limited A stream data statistic algorithm and device
TWI707565B (en) * 2019-04-19 2020-10-11 National Central University Network attacker identifying method and network system
CN110173627B (en) * 2019-06-03 2020-09-25 Shandong Jianzhu University Solar energy system
CN117729055A (en) * 2024-02-08 2024-03-19 中汽智联技术有限公司 Network flow statistics method and system based on Linux process

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1350231A (en) * 2001-12-04 2002-05-22 Shanghai Fudan Guanghua Information Technology Co., Ltd. By-pass investigation and remission method for rejecting service attack
CN101183433A (en) * 2007-11-19 2008-05-21 Huawei Technologies Co., Ltd. Data protection method and client identification module card

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
JP特开2003-87333A 2003.03.20
Wu Guogang. Research on DDoS attacks and IP congestion control. Journal of University of Electronic Science and Technology of China. 2007, Vol. 36 (No. 3) *

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
C56 Change in the name or address of the patentee

Owner name: HUAWEI DIGITAL TECHNOLOGY (CHENGDU) CO., LTD.

Free format text: FORMER NAME: CHENGDU HUAWEI SYMANTEC TECHNOLOGIES CO., LTD.

CP01 Change in the name or title of a patent holder

Address after: 611731 Chengdu high tech Zone, Sichuan, West Park, Qingshui River

Patentee after: Huawei Symantec Technologies Co., Ltd.

Address before: 611731 Chengdu high tech Zone, Sichuan, West Park, Qingshui River

Patentee before: Chengdu Huawei Symantec Technologies Co., Ltd.

CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20110420

Termination date: 20170731