CN101547129A - Method and system for detecting distributed denial of service attack - Google Patents

Publication number: CN101547129A
Authority: CN (China)
Prior art keywords: evidence, feature, confidence level, source, knowledge
Legal status: Granted; Expired - Fee Related
Application number: CN200910083452A
Other languages: Chinese (zh)
Other versions: CN101547129B
Inventors: 张永铮, 庹宇鹏, 云晓春
Current assignee: Yantai Zhong Ke Network Technical Institute
Original assignee: 中国科学院计算技术研究所 (Institute of Computing Technology, Chinese Academy of Sciences)

Abstract

The invention provides a method for detecting a distributed denial of service (DDoS) attack, comprising: receiving network packets and extracting from them the detection features that are relevant to DDoS detection and serve to prove the existence of a DDoS attack; using the detection features as evidence in a naive certainty-factor model and calculating the confidence of the evidence; creating knowledge in the naive certainty-factor model from the detection features and calculating the confidence of the knowledge, where in that knowledge each independent detection feature corresponds to an independent piece of knowledge and correlated detection features are placed in the same piece of knowledge; and calculating the confidence of the conclusion events related to the DDoS attack by substituting the evidence confidence and the knowledge confidence into the confidence calculation formula of the naive certainty-factor model. The method and system have strong detection capability, high detection accuracy and good processing performance.

Description

Method and system for detecting distributed denial of service attacks
Technical field
The present invention relates to the field of network security monitoring, in particular to a method and system for detecting distributed denial of service attacks.
Background art
In recent years the Internet has frequently suffered distributed denial of service (DDoS, Distributed Denial of Service) attacks, which have paralysed large areas of basic operator networks, gravely endangered important information systems, and seriously harmed economic development, social stability and even national security. The detection of and defence against DDoS attacks has therefore become a significant problem that the network security field urgently needs to solve. Among these, DDoS attack detection, as the primary and effective technical means of solving the DDoS defence problem, has attracted wide attention from all sectors of society.
DDoS detection techniques are usually divided into two classes: misuse detection and anomaly detection. Misuse detection finds DDoS attacks mainly by matching network data against known signatures; it is suited to detecting known attacks and has high accuracy. Anomaly detection finds DDoS attacks mainly through anomalies in network traffic or behaviour; it is suited to detecting unknown attacks, but its false-positive and false-negative rates are higher.
Many domestic and foreign organizations and researchers have studied anomaly detection methods for DDoS attacks. According to the basis on which they detect, existing anomaly detection methods can be divided into two classes:
(1) Detection methods based on traffic anomalies. These methods detect attacks mainly from the difference between the current network traffic and normal traffic in quantity, ratio and similar aspects across time and space. They include methods based on dynamic thresholds, on the ratio of inbound to outbound packets, on bidirectional traffic, on distributed change points, and on traffic self-similarity. These methods are simple and efficient, respond relatively quickly and are effective against flooding DDoS attacks, but their false-positive rate is rather high and their false-negative rate for non-flooding attacks is also rather high.
(2) Detection methods based on behavioural anomalies. These methods detect attacks mainly from the difference between the current network data behaviour and normal data behaviour, across time and space, in data distribution, data attributes and data correlations, or from the intrinsic data characteristics that network data exhibits during a DDoS attack. They usually also apply techniques such as machine learning, artificial intelligence, data mining, expert systems, stochastic processes and probability statistics to learn the data characteristics of normal behaviour and thereby establish thresholds, patterns or models of normal behaviour. They include methods based on IP freshness, on Bayesian network scoring, on TCP congestion-control response, on frequency-domain analysis, on connection density, on the information entropy of connection distributions, and on user access behaviour. These methods are relatively complex; most research targets local area networks or a specific target network environment; they are suited to deep detection of non-flooding attacks; some require learning and training in advance; and their detection effect often depends on the stability of normal behaviour and on the correctness and accuracy of its modelling.
Overall, a series of research results have been achieved in DDoS anomaly detection. However, in the face of the practical requirements of real-time detection and defence in large-scale, high-speed, complex network environments, the published methods still have the following problems: 1) they often rely on a single detection feature and lack a comprehensive analysis of multiple traffic or behavioural features, and because the detection feature is single they adapt poorly to complex real application environments and have a high false-positive rate; 2) some methods are too complex and demand much computation and storage, so they have difficulty meeting the requirement of real-time detection in large-scale, high-speed networks; 3) they often only solve the problem of whether a DDoS attack exists, and lack the ability to discover attack characteristics such as the attack target, the attack sources and randomly spoofed source IPs.
Summary of the invention
The object of the invention is to overcome the poor adaptability and high false-positive rate that existing DDoS detection methods incur by relying on a single detection feature, and thereby to provide an attack detection method with higher adaptability and detection accuracy.
To achieve this object, the invention provides a method for detecting distributed denial of service attacks, comprising:
Step 1) receiving network packets and extracting from them the detection features that are relevant to DDoS detection and serve to prove the existence of a DDoS attack;
Step 2) using the detection features as evidence in the naive certainty-factor model and calculating the evidence confidence; the naive certainty-factor model adds, on top of the certainty-factor model, the assumption that the evidence in a piece of knowledge always supports the conclusion being true;
Step 3) creating the knowledge of the naive certainty-factor model from the detection features and calculating the confidence of that knowledge; in the knowledge of the naive certainty-factor model, each independent detection feature corresponds to an independent piece of knowledge, and correlated detection features are placed in the same piece of knowledge;
Step 4) substituting the evidence confidence and the knowledge confidence into the confidence calculation formulas of the naive certainty-factor model, and calculating the confidence of the conclusion events related to the DDoS attack.
In the above technical scheme, in step 1) the detection features that are relevant to DDoS detection and serve to prove the existence of a DDoS attack comprise at least two of the following: the global traffic feature, global packet rate feature, global traffic range feature, global packet rate range feature, global source IP distribution scale feature, global source IP distribution regularity feature, global destination IP distribution regularity feature, destination IP traffic feature, destination IP packet rate feature, destination IP traffic range feature, destination IP packet rate range feature, and, for the source IPs corresponding to a destination IP, the source IP traffic feature, source IP packet rate feature, source IP traffic range feature, source IP packet rate range feature, source IP distribution scale feature, source IP distribution scale range feature, source IP distribution regularity feature, single-packet source IP distribution scale feature, source IP packet rate uniformity feature, source IP traffic uniformity feature and source IP packet length uniformity feature.
In the above technical scheme, step 2) comprises:
Step 2-1) examining the global data and the destination IPs and their corresponding source IPs for every packet type, and judging whether the related detection feature is anomalous; if it is anomalous, proceeding to the next step, otherwise executing step 2-3);
Step 2-2) normalizing the anomaly degree of the detection feature, calculating from the normalized result the confidence of the detection feature as evidence, and continuing with the next packet;
Step 2-3) setting the confidence of the detection feature as evidence to 0, and then continuing with the next packet.
In the above technical scheme, in step 2-2) the normalization uses the following formula:
$$CF(E_i)=\begin{cases}0, & \mathrm{thrsh}_i(1-c_i)\le P_i\le \mathrm{thrsh}_i(1+c_i)\\[4pt] 1-\dfrac{1}{P_i/\mathrm{thrsh}_i - c_i}, & P_i>\mathrm{thrsh}_i(1+c_i)\\[4pt] 1-\dfrac{1}{2-(c_i+P_i/\mathrm{thrsh}_i)}, & P_i<\mathrm{thrsh}_i(1-c_i)\end{cases}$$
where $P_i$ is the statistical value of a detection feature, $\mathrm{thrsh}_i$ the threshold of that feature, $c_i$ the allowed fluctuation ratio, and $CF(E_i)$ the confidence of evidence $E_i$.
In the above technical scheme, in step 3) the knowledge obtained from the 22 detection features comprises:
K1: E1 ∨ E2 → H, CF1(H,E)
K2: E3 ∨ E4 → H, CF2(H,E)
K3: (E5 ∨ E6) ∧ E7 → H, CF3(H,E)
K4: E8 ∨ E9 → H, CF4(H,E)
K5: E10 ∨ E11 → H, CF5(H,E)
K6: E12 ∨ E13 → S, CF6(S,E)
K7: E14 ∨ E15 → S, CF7(S,E)
K8: E16 → H, CF8(H,E)
K9: E17 → H, CF9(H,E)
K10: E18 → H, CF10(H,E)
K11: (E16 ∨ E18) ∧ E19 → F, CF11(F,E)
K12: E20 ∨ E21 ∨ E22 → S, CF12(S,E)
where E1 is the evidence obtained from the global traffic feature; E2 from the global packet rate feature; E3 from the global traffic range feature; E4 from the global packet rate range feature; E5 from the global source IP distribution scale feature; E6 from the global source IP distribution regularity feature; E7 from the global destination IP distribution regularity feature; E8 from the destination IP traffic feature; E9 from the destination IP packet rate feature; E10 from the destination IP traffic range feature; E11 from the destination IP packet rate range feature; and, for the source IPs corresponding to a destination IP, E12 from the source IP traffic feature; E13 from the source IP packet rate feature; E14 from the source IP traffic range feature; E15 from the source IP packet rate range feature; E16 from the source IP distribution scale feature; E17 from the source IP distribution scale range feature; E18 from the source IP distribution regularity feature; E19 from the single-packet source IP distribution scale feature; E20 from the source IP packet rate uniformity feature; E21 from the source IP traffic uniformity feature; and E22 from the source IP packet length uniformity feature. H denotes the conclusion event "a DDoS attack exists and the attack target is determined"; S denotes the conclusion event "the attack source is determined"; F denotes the conclusion event "a DDoS attack with randomly spoofed source IPs exists"; and CFi (i = 1 to 12) denotes the confidence of knowledge Ki.
In the above technical scheme, in step 4) the conclusion events related to the DDoS attack comprise the conclusion event H in the knowledge, which represents "a DDoS attack exists and the attack target is determined".
In the above technical scheme, in step 4) the conclusion events related to the DDoS attack also comprise the conclusion event S in the knowledge, which represents "the attack source is determined", and the conclusion event F, which represents "a DDoS attack with randomly spoofed source IPs exists".
In the above technical scheme, in step 4) the confidence calculation formulas comprise the compound evidence confidence formulas and the conclusion confidence formulas, where
the compound evidence confidence formulas comprise:
when the evidence is a conjunction event, expressed as E = E1 ∧ ... ∧ En, its confidence is
CF(E) = CF(E1 ∧ ... ∧ En) = min{CF(E1), ..., CF(En)}; (1)
when the evidence is a disjunction event, expressed as E = E1 ∨ ... ∨ En, its confidence is
CF(E) = CF(E1 ∨ ... ∨ En) = max{CF(E1), ..., CF(En)}; (2)
when the evidence is a compound event containing both conjunctions and disjunctions, it is decomposed into conjunction and disjunction events and formulas (1) and (2) are applied to each;
the conclusion confidence formulas comprise the conclusion confidence formula for a single piece of knowledge and the synthesis formula for the same conclusion from several pieces of knowledge, where
the conclusion confidence formula for a single piece of knowledge is:
CF(H) = CF(H,E) × CF(E) (3)
in which CF(H) is the conclusion confidence, CF(E) the evidence confidence and CF(H,E) the knowledge confidence;
the synthesis formula for the same conclusion from several pieces of knowledge is:
CF(H) = CF1(H) + CF2(H) - CF1(H) × CF2(H) (4)
in which CF1(H) is the confidence of conclusion H under one piece of knowledge and CF2(H) its confidence under another piece of knowledge.
The invention also provides a system for detecting distributed denial of service attacks, comprising a detection feature extraction module, an evidence confidence calculation module, a knowledge creation module and a DDoS detection module, where
the detection feature extraction module receives network packets and extracts from them the detection features that are relevant to DDoS detection and serve to prove the existence of a DDoS attack;
the evidence confidence calculation module uses the detection features as evidence in the naive certainty-factor model and calculates the evidence confidence; the naive certainty-factor model adds, on top of the certainty-factor model, the assumption that the evidence in a piece of knowledge always supports the conclusion being true;
the knowledge creation module creates the knowledge of the naive certainty-factor model from the detection features and calculates the confidence of that knowledge;
the DDoS detection module substitutes the evidence confidence and the knowledge confidence into the confidence calculation formulas of the naive certainty-factor model and calculates the confidence of the conclusion events related to the DDoS attack.
The advantages of the invention are stronger detection capability and higher detection accuracy, together with good processing performance.
Brief description of the drawings
Fig. 1 is a flow chart of one implementation of the DDoS detection method of the invention;
Fig. 2 is a flow chart of the confidence calculation performed by the DDoS detection method of the invention.
Detailed description
The invention is described below with reference to the drawings and a specific embodiment.
Uncertain reasoning is an important branch of artificial intelligence research; it provides a solid theoretical basis and effective methods for application problems in which the required knowledge is insufficient or inaccurate, or in which many causes lead to the same conclusion. In 1975 Shortliffe and Buchanan (E.H. Shortliffe and B.G. Buchanan, "A Model of Inexact Reasoning in Medicine," Mathematical Biosciences, vol. 23, pp. 351-379, 1975) proposed a certainty-factor model of uncertain reasoning (Certainty Factor model, abbreviated CF model) and applied it successfully in the medical consultation system MYCIN. Scientific practice shows that a DDoS attack usually presents several different network behaviour anomalies at once, and that the DDoS detection problem also has the characteristics of incomplete and inaccurate prior knowledge; the invention therefore adopts the CF model to solve the DDoS detection problem. To ease practical application of the CF model, the invention adds one assumption to it: the evidence in a piece of knowledge always supports the conclusion being true. This yields a naive certainty-factor model (Naive Certainty Factor model, abbreviated N-CF model), which is simple, intuitive and practical. For ease of understanding, the concept and concrete content of the naive certainty-factor model are explained first.
Definition 1: knowledge (Knowledge, abbreviated K). Knowledge is a rule by which a conclusion is inferred to be true from evidence; it is usually expressed as a production rule of the general form:
K: E → H
where E is the evidence and H is the conclusion. The evidence is a simple event or a compound event formed by conjunction and/or disjunction; the conclusion is one or more events; and the conclusion of one piece of knowledge may serve as evidence for another.
Definition 2: confidence (Certainty Factor, abbreviated CF). Confidence is the degree of belief that the event in question is true; it comprises the evidence confidence CF(E), the knowledge confidence CF(H,E) and the conclusion confidence CF(H). Its magnitude is usually expressed as a fuzzy number in [0, 1]; a confidence of 0 indicates that the event is false or irrelevant.
The confidence calculation formulas of the N-CF model are given below.
1. Calculation of compound evidence confidence
If the evidence is a conjunction event, written E = E1 ∧ ... ∧ En, its confidence is:
CF(E) = CF(E1 ∧ ... ∧ En) = min{CF(E1), ..., CF(En)} (1)
If the evidence is a disjunction event, written E = E1 ∨ ... ∨ En, its confidence is:
CF(E) = CF(E1 ∨ ... ∨ En) = max{CF(E1), ..., CF(En)} (2)
If the evidence is a compound event, it is decomposed into conjunction and disjunction events, and formulas (1) and (2) are applied to each.
2. Calculation of knowledge confidence
The knowledge confidence is usually given directly by domain experts with rich professional knowledge and practical experience, or calculated from objective historical data by learning or training. The principle is: the more strongly the appearance of the evidence supports the conclusion being true, the larger the knowledge confidence.
3. Calculation of conclusion confidence
a. Conclusion confidence of a single piece of knowledge
The conclusion confidence formula for a single piece of knowledge is:
CF(H) = CF(H,E) × CF(E) (3)
b. Synthesis of the same conclusion from several pieces of knowledge
If two pieces of knowledge K1 and K2 both infer the same conclusion H, and the evidence E1 of K1 and the evidence E2 of K2 are mutually independent, the comprehensive confidence of the conclusion derived from the two pieces of knowledge is calculated by a synthesis operation, whose formula is:
CF(H) = CF1(H) + CF2(H) - CF1(H) × CF2(H) (4)
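The following Python program is an added example and not code from the patent: it implements the N-CF calculations just defined (formulas (1) to (4) together with the evidence normalization formula of step 2-2) over the twelve knowledge rules K1 to K12 listed in the summary, and runs them on a constructed feature vector for one detection interval. The threshold values follow the examples the embodiment gives later (1 Mbps and 300 Kbps for traffic and its range, 500 pps and 200 pps for packet rate and its range, 1024 and 256 for distribution scale and its range, 0.5 for regularity, 0.95 for uniformity); the threshold for the single-packet source IP scale E19, the fluctuation ratio c, the knowledge confidence values and the feature statistics themselves are assumptions.

```python
"""Added example (not the patent's own code): naive certainty-factor (N-CF)
evaluation of rules K1..K12 over 22 evidence confidences. Feature statistics,
fluctuation ratio and knowledge confidences are constructed assumptions."""


def evidence_cf(p, thrsh, c):
    """Normalize the anomaly degree of one feature statistic P_i into CF(E_i).

    Inside the tolerance band thrsh*(1-c) <= P <= thrsh*(1+c) the feature is
    not anomalous and CF = 0. Above the band CF = 1 - 1/(P/thrsh - c), which
    is 0 at the band edge and rises toward 1 as P grows. Below the band
    CF = 1 - 1/(2 - (c + P/thrsh)), which is 0 at the edge and rises toward
    1 - 1/(2 - c) as P falls to 0.
    """
    low, high = thrsh * (1 - c), thrsh * (1 + c)
    if low <= p <= high:
        return 0.0
    if p > high:
        return 1.0 - 1.0 / (p / thrsh - c)
    return 1.0 - 1.0 / (2.0 - (c + p / thrsh))


def cf_and(*cfs):          # formula (1): a conjunction takes the minimum
    return min(cfs)


def cf_or(*cfs):           # formula (2): a disjunction takes the maximum
    return max(cfs)


def combine(cf1, cf2):     # formula (4): two independent rules, same conclusion
    return cf1 + cf2 - cf1 * cf2


# Knowledge base: (rule name, conclusion, evidence expression over E[1..22]).
RULES = [
    ("K1", "H", lambda E: cf_or(E[1], E[2])),
    ("K2", "H", lambda E: cf_or(E[3], E[4])),
    ("K3", "H", lambda E: cf_and(cf_or(E[5], E[6]), E[7])),
    ("K4", "H", lambda E: cf_or(E[8], E[9])),
    ("K5", "H", lambda E: cf_or(E[10], E[11])),
    ("K6", "S", lambda E: cf_or(E[12], E[13])),
    ("K7", "S", lambda E: cf_or(E[14], E[15])),
    ("K8", "H", lambda E: E[16]),
    ("K9", "H", lambda E: E[17]),
    ("K10", "H", lambda E: E[18]),
    ("K11", "F", lambda E: cf_and(cf_or(E[16], E[18]), E[19])),
    ("K12", "S", lambda E: cf_or(E[20], E[21], E[22])),
]

# Per-feature thresholds thrsh_i, following the embodiment's example values;
# the value for E19 (single-packet source scale) is assumed to equal the
# distribution-scale threshold.
THRESHOLDS = {1: 1e6, 2: 500, 3: 300e3, 4: 200, 5: 1024, 6: 0.5, 7: 0.5,
              8: 1e6, 9: 500, 10: 300e3, 11: 200,
              12: 1e6, 13: 500, 14: 300e3, 15: 200,
              16: 1024, 17: 256, 18: 0.5, 19: 1024,
              20: 0.95, 21: 0.95, 22: 0.95}

# Knowledge confidences CF_i(H,E): the patent leaves these to domain experts
# or training; the numbers here are constructed.
KNOWLEDGE_CF = {"K1": 0.7, "K2": 0.6, "K3": 0.8, "K4": 0.9, "K5": 0.7,
                "K6": 0.8, "K7": 0.7, "K8": 0.8, "K9": 0.6, "K10": 0.8,
                "K11": 0.9, "K12": 0.7}

# Constructed statistics for one interval. FLOOD_STATS: global and per-target
# traffic several times over threshold, 4096 distinct sources toward the target
# of which 3072 sent a single packet, every other statistic on its threshold.
FLOOD_STATS = dict(THRESHOLDS)
FLOOD_STATS.update({1: 3e6, 2: 2000, 8: 2.5e6, 9: 1500, 16: 4096, 19: 3072})
NORMAL_STATS = dict(THRESHOLDS)      # everything exactly on threshold


def detect(stats, thresholds=THRESHOLDS, knowledge_cf=KNOWLEDGE_CF, c=0.1):
    """Steps 2 to 4: evidence CFs, per-rule conclusions (3), synthesis (4)."""
    E = {i: evidence_cf(stats[i], thresholds[i], c) for i in thresholds}
    conclusions = {"H": 0.0, "S": 0.0, "F": 0.0}
    for name, target, evidence in RULES:
        cf_rule = knowledge_cf[name] * evidence(E)          # formula (3)
        conclusions[target] = combine(conclusions[target], cf_rule)
    return conclusions


if __name__ == "__main__":
    for label, stats in (("flood", FLOOD_STATS), ("normal", NORMAL_STATS)):
        print(label, {k: round(v, 3) for k, v in detect(stats).items()})
```

The two feature vectors make the structure of the rule base visible: with traffic toward one destination and its source IP scale far above threshold, H and F rise while S stays at 0, because none of the per-source statistics (E12 to E15, E20 to E22) that feed K6, K7 and K12 is anomalous. The patent does not state a decision threshold on CF(H), so the program returns the three conclusion confidences and leaves that decision to the caller.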
The above describes the naive certainty-factor model involved in the invention. On the basis of this model, detection of whether a network is subject to a DDoS attack can be realized. The DDoS detection method of the invention receives network packets during a given time interval, extracts from them the detection features relevant to DDoS attacks, calculates the confidence of the evidence formed by these features, then creates the knowledge of the naive certainty-factor model from the features as described above, and finally uses the evidence confidence and the knowledge confidence to calculate the confidence of the conclusions in the knowledge, thereby deciding whether a DDoS attack exists in the network. For ease of understanding, the method is explained below with reference to Fig. 1 and a specific embodiment.
Referring to Fig. 1, before concrete DDoS detection is performed, the parameters relevant to detection are first initialized: for example, the timer T is set to 0 and the detection interval is set to T0.
After the parameters are initialized, network packets can be received and decoded so as to obtain the information in their network-layer and transport-layer headers. In this embodiment the decoding is TCP/IP protocol decoding, and the header information obtained includes source IP, destination IP, source port, destination port, protocol, packet length, TCP flags and so on.
After the network-layer and transport-layer header information of a packet has been obtained by protocol decoding, the packet type is determined from this information, and the relevant detection features are then accumulated according to the packet type. In this embodiment many packet types can be detected, including but not limited to ICMP packets, ICMP Echo packets (ICMP packets of type 8), ICMP Reply packets (ICMP packets of type 0), ICMP Unreachable packets (ICMP packets of type 3), TCP packets, TCP Syn packets (TCP packets with the Syn flag), TCP Rst packets (TCP packets with the Rst flag), UDP packets, DNS packets, HTTP packets and so on. Each packet type corresponds to a DDoS attack type, so the number of detectable packet types represents the capability of the method to detect DDoS attack types. In this embodiment the detection features are the network traffic features and/or behavioural features presented when a DDoS attack occurs, and it is through these features that the existence of a DDoS attack in the network is discovered. The kind and number of detection features can be chosen as required by those skilled in the art; in this embodiment 22 detection features in 5 classes are selected, the statistics of the different features are stored separately, and the details of these features are explained below.
After the detection features of a packet have been obtained, it is judged whether the timer T has exceeded the detection interval T0: if not, packets continue to be received; if so, the confidence of the evidence formed by these features is calculated. The evidence confidence is measured by the anomaly degree of the detection features; the details of the calculation are explained below in connection with the 22 features.
After the confidence of the evidence generated by the detection features has been obtained, the relevant knowledge of the naive certainty-factor model is created from the features, the evidence confidence is substituted into the model, and the confidence of the related conclusions in the knowledge is calculated with the model's confidence formulas, giving the result of whether a DDoS attack exists in the network.
The above is a rough description of one embodiment of the DDoS detection method of the invention. Some concrete technical details of the method are discussed further below.
One, about 22 detected characteristics of 5 classes
The first kind: at the global traffic feature of all packets that collected.Consider that flow type ddos attack often presents the unusual of network in general flow in attack process, therefore be necessary to extract the global traffic feature.This category feature specifically comprises:
A, global data traffic characteristic (unit: bps, bits per second, bps);
B, global data packet rate feature (unit: pps, packets per second, bag/second);
C, global data flow extreme difference feature;
D, global data packet rate extreme difference feature.
Related extreme difference is meant the poor of the maximum of described object in detection time at interval and minimum value in feature c and d.
Second class: at the global I P distribution characteristics of all packets that collected.Consider that non-flow type ddos attack often presents unusual that network in general IP address distributes in attack process, therefore be necessary to extract global I P distribution characteristics.This category feature specifically comprises:
E, global source IP distribution scale feature;
F, global source IP regularity of distribution feature;
G, overall purpose IP regularity of distribution feature;
Wherein, distribution scale is the number of described object different in detection time at interval; The regularity of distribution is the numeric distribution characteristic of at interval interior described object detection time, can adopt disclosed technology and method to calculate, and for example the global source IP regularity of distribution can adopt relative entropy to calculate, and the overall purpose IP regularity of distribution can adopt absolute entropy to calculate.
The 3rd class: at the traffic characteristic of the pairing packet of each purpose IP.Consider that flow type ddos attack often presents the unusual of the data traffic that flows to the target ip address of being injured in attack process, therefore be necessary to extract each purpose IP traffic characteristic.This category feature specifically comprises:
H, purpose IP traffic measure feature;
I, purpose IP packet rate feature;
J, purpose IP traffic amount extreme difference feature;
K, purpose IP packet rate extreme difference feature;
L, source IP traffic measure feature;
M, source IP packet rate feature;
N, source IP traffic amount extreme difference feature;
O, source IP packet rate extreme difference feature.
Fourth class: source IP distribution features of the packets corresponding to each destination IP. Since a non-flooding DDoS attack often makes the distribution of source IP addresses in the traffic flowing to the victim target IP address abnormal during the attack, the source IP distribution features of each destination IP need to be extracted. This class specifically comprises:
P. source IP distribution scale feature;
Q. source IP distribution scale range feature;
R. source IP distribution regularity feature;
S. single-packet source IP distribution scale feature.
Here a single-packet source IP is a source IP that sends only one or a few packets to the destination IP. The single-packet source IP distribution scale feature is one of the bases for detecting DDoS attacks that use randomly spoofed source IPs.
Fifth class: consistency features of the packets corresponding to each source IP. Since the packets sent by each attack source during a DDoS attack often show similarity or consistency, the packet consistency features of each source IP need to be extracted. This class specifically comprises:
T. packet rate consistency feature;
U. traffic consistency feature;
V. packet length consistency feature.
In the present invention, the detection features relevant to DDoS detection that can be extracted are not limited to the 22 features of the 5 classes mentioned in this embodiment. Other embodiments may also use other detection features, for example the ratio of TCP SYN packets to TCP SYN/ACK packets, the ratio of outgoing traffic to incoming traffic, and features of IP addresses, ports, protocol types and packet payloads.
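As an added illustration (not code from the patent), the following Python computes several of the features named above over a constructed packet sample: global source IP distribution scale, global source and destination IP distribution regularity via entropy, the per-destination source IP scale together with the single-packet source IP count, and per-source packet length consistency. The packet list and addresses are constructed; the exact definitions of "relative entropy" (Shannon entropy normalised by the log of the number of distinct values), "single-packet source IP" (exactly one packet) and "consistency" (share of a source's packets at the modal value) are assumptions made here, since the patent names these features without fixing their formulas.

```python
# Added example (not from the patent): extracting distribution and consistency
# features from a constructed packet sample. Entropy normalisation, the
# single-packet definition and the consistency measure are assumptions.
import math
from collections import Counter
from typing import Dict, List, Tuple

Packet = Tuple[str, str, int]  # (source IP, destination IP, length in bytes)

# Constructed sample: two benign flows plus four single-packet sources aimed at
# one destination, which is the pattern the single-packet source IP feature targets.
PACKETS: List[Packet] = [
    ("192.0.2.10", "203.0.113.5", 1400),
    ("192.0.2.10", "203.0.113.5", 1400),
    ("192.0.2.11", "203.0.113.6", 800),
    ("192.0.2.11", "203.0.113.6", 900),
    ("198.51.100.1", "203.0.113.7", 60),
    ("198.51.100.2", "203.0.113.7", 60),
    ("198.51.100.3", "203.0.113.7", 60),
    ("198.51.100.4", "203.0.113.7", 60),
]


def distribution_scale(values: List[str]) -> int:
    """Distribution scale: number of distinct objects seen in the interval."""
    return len(set(values))


def absolute_entropy(values: List[str]) -> float:
    """Shannon entropy in bits of the empirical distribution of `values`."""
    counts = Counter(values)
    total = sum(counts.values())
    return -sum((n / total) * math.log2(n / total) for n in counts.values())


def relative_entropy(values: List[str]) -> float:
    """Entropy normalised by log2 of the number of distinct values (assumed definition)."""
    distinct = len(set(values))
    if distinct <= 1:
        return 0.0
    return absolute_entropy(values) / math.log2(distinct)


def per_destination_source_features(packets: List[Packet]) -> Dict[str, Tuple[int, int]]:
    """Per destination IP: (source IP distribution scale, single-packet source IP count).
    A single-packet source IP is taken here as one that sent exactly one packet."""
    per_dst: Dict[str, Counter] = {}
    for src, dst, _ in packets:
        per_dst.setdefault(dst, Counter())[src] += 1
    return {dst: (len(c), sum(1 for n in c.values() if n == 1)) for dst, c in per_dst.items()}


def packet_length_consistency(packets: List[Packet], src: str) -> float:
    """Share of a source's packets that have the modal length (1.0 = all identical)."""
    lengths = [ln for s, _, ln in packets if s == src]
    if not lengths:
        return 0.0
    return Counter(lengths).most_common(1)[0][1] / len(lengths)


def global_features(packets: List[Packet]) -> Dict[str, float]:
    """Features E, F, G: global source scale, relative source entropy, absolute destination entropy."""
    srcs = [p[0] for p in packets]
    dsts = [p[1] for p in packets]
    return {
        "global_src_scale": distribution_scale(srcs),
        "global_src_relative_entropy": relative_entropy(srcs),
        "global_dst_absolute_entropy": absolute_entropy(dsts),
    }


if __name__ == "__main__":
    print(global_features(PACKETS))
    print(per_destination_source_features(PACKETS))
    print(packet_length_consistency(PACKETS, "198.51.100.1"))
```

In the sample, destination 203.0.113.7 receives one packet from each of four distinct sources, so its source IP scale and single-packet source IP count are both 4, while the two benign destinations have a scale of 1 and no single-packet sources; this is the contrast the fourth feature class is designed to expose.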
2. Computing the evidence confidence of the detection features
The confidence of the evidence formed by a detection feature is measured by the feature's degree of anomaly, and its magnitude is usually expressed as a fuzzy number in [0, 1]. For the 22 detection features above, the evidence confidence is computed in the same way: examine the global data and the destination IPs of all packets together with their corresponding source IPs, and judge whether the associated detection feature is anomalous. If it is anomalous, normalise its degree of anomaly to obtain the evidence confidence; if it is not, set the confidence of the corresponding evidence to 0 and continue with the next data item. Repeat this process until the global data and the destination IPs of all packets, with their corresponding source IPs, have been processed. Whether a detection feature is anomalous is generally judged by comparing the statistic associated with the feature against its corresponding threshold. The thresholds can be set for each feature according to practical experience and the application environment; for example, the traffic volume threshold and traffic range threshold can be set to 1 Mbps and 300 Kbps respectively, the packet rate threshold and packet rate range threshold to 500 pps and 200 pps, the distribution scale threshold and its range threshold to 1024 and 256, the distribution regularity threshold to 0.5, and the consistency threshold to 0.95. The thresholds can also be set by training on network data from the application environment using publicly known techniques. The degree of anomaly can be normalised with methods known in the prior art that map it to a fuzzy number in [0, 1], such as the linear normalisation function y = (x − Min)/(Max − Min), x ∈ [Min, Max], y ∈ [0, 1]. For ease of understanding, one mapping formula for converting a degree of anomaly into a fuzzy number is given below:

$$CF(E_i) = \begin{cases} 0, & thrsh_i\,(1-c_i) \le P_i \le thrsh_i\,(1+c_i) \\[4pt] 1 - \dfrac{1}{P_i/thrsh_i - c_i}, & P_i > thrsh_i\,(1+c_i) \\[4pt] 1 - \dfrac{1}{2 - (c_i + P_i/thrsh_i)}, & P_i < thrsh_i\,(1-c_i) \end{cases}$$

where $P_i$ is the statistic of the feature, $thrsh_i$ the threshold of the feature, $c_i$ the permitted fluctuation ratio, and $CF(E_i)$ the confidence of evidence $E_i$. The confidence is 0 inside the tolerated band around the threshold and increases towards 1 as the statistic moves away from the band in either direction.
Since the techniques involved in computing the evidence confidence of detection features can be realised with existing technology, only a brief description is given here.
3. Using the naive confidence model to compute the confidence of the conclusions
In the naive confidence model, the knowledge can vary with the scenario (mainly the content of the detection features) to which the model is applied. Before performing the model computations, knowledge must therefore be constructed from the detection features; when doing so, independent detection features should correspond to independent knowledge items, and correlated detection features should be placed in the same knowledge item. Taking the 22 features of the 5 classes in this embodiment as a basis, an example knowledge base for DDoS detection is given below:
K1: E1 ∨ E2 → H    CF1(H, E)
K2: E3 ∨ E4 → H    CF2(H, E)
K3: (E5 ∨ E6) ∧ E7 → H    CF3(H, E)
K4: E8 ∨ E9 → H    CF4(H, E)
K5: E10 ∨ E11 → H    CF5(H, E)
K6: E12 ∨ E13 → S    CF6(S, E)
K7: E14 ∨ E15 → S    CF7(S, E)
K8: E16 → H    CF8(H, E)
K9: E17 → H    CF9(H, E)
K10: E18 → H    CF10(H, E)
K11: (E16 ∨ E18) ∧ E19 → F    CF11(F, E)
K12: E20 ∨ E21 ∨ E22 → S    CF12(S, E)
Here Ei (i = 1 to 22) denote in turn the evidence corresponding to the 22 features above, specifically:
E1: evidence from the global traffic volume feature;
E2: evidence from the global packet rate feature;
E3: evidence from the global traffic volume range feature;
E4: evidence from the global packet rate range feature;
E5: evidence from the global source IP distribution scale feature;
E6: evidence from the global source IP distribution regularity feature;
E7: evidence from the global destination IP distribution regularity feature;
E8: evidence from the destination IP traffic volume feature;
E9: evidence from the destination IP packet rate feature;
E10: evidence from the destination IP traffic volume range feature;
E11: evidence from the destination IP packet rate range feature;
E12: evidence from the traffic volume feature of the source IPs corresponding to the destination IP;
E13: evidence from the packet rate feature of the source IPs corresponding to the destination IP;
E14: evidence from the traffic volume range feature of the source IPs corresponding to the destination IP;
E15: evidence from the packet rate range feature of the source IPs corresponding to the destination IP;
E16: evidence from the source IP distribution scale feature of the destination IP;
E17: evidence from the source IP distribution scale range feature of the destination IP;
E18: evidence from the source IP distribution regularity feature of the destination IP;
E19: evidence from the single-packet source IP distribution scale feature of the destination IP;
E20: evidence from the packet rate consistency feature of the source IPs corresponding to the destination IP;
E21: evidence from the traffic consistency feature of the source IPs corresponding to the destination IP;
E22: evidence from the packet length consistency feature of the source IPs corresponding to the destination IP.
H denotes the conclusion event "a DDoS attack exists and the attack target is determined", S denotes the conclusion event "the attack source is determined", F denotes the conclusion event "a DDoS attack with randomly spoofed source IPs exists", and CFi (i = 1 to 12) denotes the confidence of the corresponding knowledge item. The confidence of each knowledge item is given directly by a domain expert, or computed from objective historical data by learning or training methods; the guiding principle is that the more strongly the appearance of the evidence supports the conclusion being true, the larger the knowledge confidence. The knowledge base above is provided only to illustrate the detection method in this embodiment; actual applications are not limited to its content.
With the above knowledge in place, the confidences of the three conclusion events H, S and F contained in the knowledge are computed with reference to Figure 2 and according to formulas (1) to (4) mentioned in the description above. In the computation, confidence detection thresholds are first set for event H, event S and event F from practical experience or experimental results. The global data and the destination IPs of all packets, together with their corresponding source IPs, are then examined. During this examination, based on the confidences of the 22 pieces of evidence, formula (1) or (2) is applied to each knowledge item in the knowledge base to compute the evidence confidence of the conjunctive and/or disjunctive events; formula (3) computes the conclusion confidence of each knowledge item; formula (4) is then applied repeatedly to combine, pairwise, the confidences that all knowledge items in the base assign to the same conclusion, which yields the combined confidence of the conclusion event; finally the confidence of the conclusion event is judged. If the combined confidence of event H exceeds its detection threshold, a DDoS attack is considered to exist and the attack target is the destination IP currently under examination; if the confidence of event F also exceeds its detection threshold, the attack is further considered a randomly spoofed source IP attack and all single-packet source IPs are confirmed as attack sources; further, if the combined confidence of event S for a source IP corresponding to this destination IP exceeds its detection threshold, that source IP is determined to be an attack source, an alert event is generated, and it is written to the attack database. If the combined confidence of event H does not exceed its detection threshold, there is no need to consider whether the confidences of events S and F exceed their thresholds: no DDoS attack is considered to exist, and processing continues with the next data item. This process is repeated until the global data and the destination IPs of all packets, with their corresponding source IPs, have been processed.
It should be noted that although the knowledge base above contains three conclusion events H, S and F, in practical applications it is not required to compute the confidence of all of them; computing only the confidence of conclusion event H is sufficient, but obtaining the results for all three conclusion events at once is preferable.
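The two passages above (the evidence mapping formula in part 2 and the knowledge base with formulas (1) to (4) in part 3) can be exercised end to end in a few dozen lines. The following Python is an added example, not code from the patent: it implements the piecewise evidence mapping, the min/max rules for conjunctive and disjunctive premises, CF(H) = CF(H, E) × CF(E) per knowledge item, pairwise combination across items, and the decision order described above (H first, then F and S). The knowledge confidences CF1 to CF12 and the 0.5 decision threshold are the values the experiment in this description uses; the per-feature statistics, the feature thresholds and the fluctuation ratio c = 0.1 in SAMPLE_STATS are constructed for the illustration.

```python
# Added example (not from the patent): the naive confidence model over the
# twelve-rule knowledge base K1..K12. CF_i values and the 0.5 threshold come
# from the description's experiment; SAMPLE_STATS is constructed.
from typing import Dict, List, Tuple, Union

Expr = Union[int, tuple]  # an evidence index, or ("and"|"or", sub-expressions...)


def evidence_cf(p: float, thrsh: float, c: float) -> float:
    """Map a feature statistic p to a fuzzy confidence in [0, 1] (the piecewise formula above)."""
    lo, hi = thrsh * (1 - c), thrsh * (1 + c)
    if lo <= p <= hi:                                  # inside the tolerated band: not anomalous
        return 0.0
    if p > hi:                                         # above the band: tends to 1 as p grows
        return 1.0 - 1.0 / (p / thrsh - c)
    return 1.0 - 1.0 / (2.0 - (c + p / thrsh))         # below the band


def compound_cf(expr: Expr, cf: Dict[int, float]) -> float:
    """Formulas (1) and (2): min over a conjunction, max over a disjunction; absent evidence is 0."""
    if isinstance(expr, int):
        return cf.get(expr, 0.0)
    op, *parts = expr
    vals = [compound_cf(part, cf) for part in parts]
    return min(vals) if op == "and" else max(vals)


def combine(cf1: float, cf2: float) -> float:
    """Formula (4): combine the confidences two knowledge items give the same conclusion."""
    return cf1 + cf2 - cf1 * cf2


# (premise, conclusion, CF_i(conclusion, E)) for K1..K12.
KNOWLEDGE_BASE: List[Tuple[Expr, str, float]] = [
    (("or", 1, 2), "H", 0.2),
    (("or", 3, 4), "H", 0.1),
    (("and", ("or", 5, 6), 7), "H", 0.3),
    (("or", 8, 9), "H", 0.5),
    (("or", 10, 11), "H", 0.4),
    (("or", 12, 13), "S", 0.5),
    (("or", 14, 15), "S", 0.4),
    (16, "H", 0.4),
    (17, "H", 0.5),
    (18, "H", 0.4),
    (("and", ("or", 16, 18), 19), "F", 1.0),
    (("or", 20, 21, 22), "S", 0.3),
]


def conclusion_cfs(evidence: Dict[int, float], kb=KNOWLEDGE_BASE) -> Dict[str, float]:
    """Formula (3) for each knowledge item, then formula (4) across items sharing a conclusion."""
    result = {"H": 0.0, "S": 0.0, "F": 0.0}
    for premise, conclusion, cf_k in kb:
        result[conclusion] = combine(result[conclusion], cf_k * compound_cf(premise, evidence))
    return result


def decide(cfs: Dict[str, float], threshold: float = 0.5) -> Dict[str, bool]:
    """Decision order from the description: H is judged first; S and F only matter if H fires."""
    attack = cfs["H"] > threshold
    return {
        "attack": attack,
        "spoofed_source_ips": attack and cfs["F"] > threshold,
        "source_identified": attack and cfs["S"] > threshold,
    }


# Constructed statistics for one destination IP: evidence index -> (P_i, thrsh_i, c_i).
# Mimics a low-rate flood from many spoofed addresses: volume stays inside the band
# while the address-distribution features are far above their thresholds.
SAMPLE_STATS: Dict[int, Tuple[float, float, float]] = {
    5: (10240, 1024, 0.1),   # global source IP distribution scale
    7: (0.10, 0.5, 0.1),     # global destination IP entropy, collapsed onto one target
    8: (0.95, 1.0, 0.1),     # destination IP traffic volume (Mbps), within band
    9: (480, 500, 0.1),      # destination IP packet rate (pps), within band
    16: (10240, 1024, 0.1),  # per-destination source IP distribution scale
    18: (0.95, 0.5, 0.1),    # per-destination source IP distribution regularity
    19: (10000, 1024, 0.1),  # single-packet source IP distribution scale
}


def run_example(stats=SAMPLE_STATS) -> Dict[str, bool]:
    """Statistics -> evidence confidences -> conclusion confidences -> decision."""
    evidence = {i: evidence_cf(p, t, c) for i, (p, t, c) in stats.items()}
    return decide(conclusion_cfs(evidence))


if __name__ == "__main__":
    print(run_example())
```

With these inputs the traffic-based rules K4 and K5 contribute nothing, yet H still exceeds 0.5 through K3, K8 and K10, and F is driven close to 0.9 by K11; this is the effect the description relies on for detecting low-rate, randomly spoofed floods that a pure volume threshold misses. The combination in formula (4) is order-independent, so the knowledge base may be evaluated in any order.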
The present invention also provides a system for detecting a distributed denial of service attack, comprising a detection feature extraction module, an evidence confidence computation module, a knowledge creation module and a distributed denial of service attack detection module, wherein:
the detection feature extraction module receives network packets and extracts from them the detection features that are related to distributed denial of service attack detection and serve to prove the existence of a distributed denial of service attack;
the evidence confidence computation module uses the detection features as evidence in the naive confidence model and computes the evidence confidence;
the knowledge creation module creates knowledge in the naive confidence model from the detection features and computes the confidence of the knowledge;
the distributed denial of service attack detection module substitutes the evidence confidence and the knowledge confidence into the confidence computation formulas of the naive confidence model and computes the confidence of the conclusion events related to the distributed denial of service attack.
In detecting DDoS attacks, the detection method and detection system of the present invention use the naive confidence model to fuse 22 network traffic and behaviour features in 5 classes (global traffic features, global IP distribution features, per-destination-IP traffic features, source IP distribution features of each destination IP, and per-source-IP packet consistency features). Compared with existing methods that use a single feature in isolation, this improves either accuracy or adaptability. In addition, the detection method mainly relies on feature statistics and threshold comparison, so it is simple, offers good real-time performance and practicality, and is suited to DDoS detection in large-scale high-speed network environments. Furthermore, compared with existing methods, the method of the present invention not only judges whether a DDoS attack exists but, more importantly, further determines the attack target, the attack sources and whether the attack uses randomly spoofed source IPs, which provides useful information for the subsequent filtering, mitigation and defence of the DDoS attack.
To further demonstrate the validity of the method, a set of UDP Flood detection experiments compares the method of the invention with a conventional method that uses the traffic feature in isolation.
The experimental environment is as follows:
(1) Hardware: a Dawning server with 4 CPUs (Dual-Core AMD Opteron, 2211 MHz, 64-bit), 4 GB of memory and CentOS Linux 5.2 (64-bit). Only one CPU is used to process data in this experiment.
(2) Background traffic: full traffic captured at the international gateway of a telecommunications operator in October 2008, with an average packet rate of 22496 pps and an average traffic volume of 91.2 Mbps. This traffic is used as the background traffic throughout the experiments.
To ensure a fair comparison, both methods are given the same traffic threshold parameters; the specific settings are shown in Table 1 below.
Table 1
[Table 1: threshold parameter settings. The table is an image in the source and its contents are not recoverable here.]
The destination IP traffic volume and destination IP packet rate thresholds are also the thresholds of the conventional detection method. The knowledge confidences CFi (i = 1 to 12) of the method of the invention are set to 0.2, 0.1, 0.3, 0.5, 0.4, 0.5, 0.4, 0.4, 0.5, 0.4, 1.0 and 0.3 respectively, the detection threshold of the conclusion events is 0.5, and the remaining thresholds are obtained with publicly known learning methods.
Two experiments were designed for two attack scenarios with the same target IP address:
Experiment 1: detection of a high-volume (relative to the background traffic) UDP Flood attack from 2 real attack sources;
Experiment 2: detection of a low-volume UDP Flood attack from randomly spoofed attack sources.
The experimental results are shown in Table 2 below.
Table 2
[Table 2: experimental results. The table is an image in the source and its contents are not recoverable here.]
In the results above, "√" indicates that the corresponding detection method is usable and "×" that it is not. The results show that the conventional method lacks the ability to detect low-volume, slow attacks, whereas the method of the invention, by fusing multiple behaviour features, has stronger detection ability and higher detection accuracy while also offering good processing performance.
Finally, it should be noted that the above embodiments serve only to illustrate the technical solution of the present invention and do not limit it. Although the present invention has been described in detail with reference to embodiments, those of ordinary skill in the art should understand that modifications or equivalent substitutions of the technical solution that do not depart from its spirit and scope all fall within the scope of the claims of the present invention.

Claims (9)

1. A method for detecting a distributed denial of service attack, comprising:
Step 1) receiving network packets and extracting from them detection features that are related to distributed denial of service attack detection and serve to prove the existence of a distributed denial of service attack;
Step 2) using the detection features as evidence in a naive confidence model and computing the evidence confidence; wherein the naive confidence model adds, on the basis of the confidence model, the assumption that the evidence in a knowledge item always supports the conclusion being true;
Step 3) creating knowledge in the naive confidence model from the detection features and computing the confidence of the knowledge; wherein, in the knowledge of the naive confidence model, independent detection features correspond to independent knowledge items and correlated detection features are placed in the same knowledge item;
Step 4) substituting the evidence confidence and the knowledge confidence into the confidence computation formulas of the naive confidence model and computing the confidence of the conclusion events related to the distributed denial of service attack.
2. The method for detecting a distributed denial of service attack according to claim 1, characterised in that, in step 1), the detection features that are related to distributed denial of service attack detection and serve to prove the existence of a distributed denial of service attack comprise at least two of the following: the global traffic volume feature, the global packet rate feature, the global traffic volume range feature, the global packet rate range feature, the global source IP distribution scale feature, the global source IP distribution regularity feature, the global destination IP distribution regularity feature, the destination IP traffic volume feature, the destination IP packet rate feature, the destination IP traffic volume range feature, the destination IP packet rate range feature, the traffic volume feature of the source IPs corresponding to the destination IP, the packet rate feature of the source IPs corresponding to the destination IP, the traffic volume range feature of the source IPs corresponding to the destination IP, the packet rate range feature of the source IPs corresponding to the destination IP, the source IP distribution scale feature of the destination IP, the source IP distribution scale range feature of the destination IP, the source IP distribution regularity feature of the destination IP, the single-packet source IP distribution scale feature of the destination IP, the packet rate consistency feature of the source IPs corresponding to the destination IP, the traffic consistency feature of the source IPs corresponding to the destination IP, and the packet length consistency feature of the source IPs corresponding to the destination IP.
3. The method for detecting a distributed denial of service attack according to claim 1, characterised in that step 2) comprises:
Step 2-1) examining the global data and the destination IPs of all packets together with their corresponding source IPs, and judging whether the associated detection feature is anomalous; if it is anomalous, proceeding to the next step, and if it is not, proceeding to step 2-3);
Step 2-2) normalising the degree of anomaly of the detection feature, computing the confidence of the detection feature as evidence from the normalisation result, and continuing with the next packet;
Step 2-3) setting the confidence of the detection feature as evidence to 0 and continuing with the next packet.
4. The method for detecting a distributed denial of service attack according to claim 3, characterised in that, in step 2-2), the normalisation uses the following formula:

$$CF(E_i) = \begin{cases} 0, & thrsh_i\,(1-c_i) \le P_i \le thrsh_i\,(1+c_i) \\[4pt] 1 - \dfrac{1}{P_i/thrsh_i - c_i}, & P_i > thrsh_i\,(1+c_i) \\[4pt] 1 - \dfrac{1}{2 - (c_i + P_i/thrsh_i)}, & P_i < thrsh_i\,(1-c_i) \end{cases}$$

where $P_i$ is the statistic of a detection feature, $thrsh_i$ the threshold of that detection feature, $c_i$ the permitted fluctuation ratio, and $CF(E_i)$ the confidence of evidence $E_i$.
5. The method for detecting a distributed denial of service attack according to claim 2, characterised in that, in step 3), the knowledge obtained from the 22 detection features comprises:
K1: E1 ∨ E2 → H    CF1(H, E)
K2: E3 ∨ E4 → H    CF2(H, E)
K3: (E5 ∨ E6) ∧ E7 → H    CF3(H, E)
K4: E8 ∨ E9 → H    CF4(H, E)
K5: E10 ∨ E11 → H    CF5(H, E)
K6: E12 ∨ E13 → S    CF6(S, E)
K7: E14 ∨ E15 → S    CF7(S, E)
K8: E16 → H    CF8(H, E)
K9: E17 → H    CF9(H, E)
K10: E18 → H    CF10(H, E)
K11: (E16 ∨ E18) ∧ E19 → F    CF11(F, E)
K12: E20 ∨ E21 ∨ E22 → S    CF12(S, E)
where E1 denotes the evidence from the global traffic volume feature; E2 the evidence from the global packet rate feature; E3 the evidence from the global traffic volume range feature; E4 the evidence from the global packet rate range feature; E5 the evidence from the global source IP distribution scale feature; E6 the evidence from the global source IP distribution regularity feature; E7 the evidence from the global destination IP distribution regularity feature; E8 the evidence from the destination IP traffic volume feature; E9 the evidence from the destination IP packet rate feature; E10 the evidence from the destination IP traffic volume range feature; E11 the evidence from the destination IP packet rate range feature; E12 the evidence from the traffic volume feature of the source IPs corresponding to the destination IP; E13 the evidence from the packet rate feature of the source IPs corresponding to the destination IP; E14 the evidence from the traffic volume range feature of the source IPs corresponding to the destination IP; E15 the evidence from the packet rate range feature of the source IPs corresponding to the destination IP; E16 the evidence from the source IP distribution scale feature of the destination IP; E17 the evidence from the source IP distribution scale range feature of the destination IP; E18 the evidence from the source IP distribution regularity feature of the destination IP; E19 the evidence from the single-packet source IP distribution scale feature of the destination IP; E20 the evidence from the packet rate consistency feature of the source IPs corresponding to the destination IP; E21 the evidence from the traffic consistency feature of the source IPs corresponding to the destination IP; and E22 the evidence from the packet length consistency feature of the source IPs corresponding to the destination IP; H denotes the conclusion event "a DDoS attack exists and the attack target is determined"; S denotes the conclusion event "the attack source is determined"; F denotes the conclusion event "a DDoS attack with randomly spoofed source IPs exists"; and CFi (i = 1 to 12) denotes the confidence of the corresponding knowledge item.
6. The method for detecting a distributed denial of service attack according to claim 5, characterised in that, in step 4), the conclusion events related to the distributed denial of service attack comprise the conclusion event H in the knowledge, which denotes "a DDoS attack exists and the attack target is determined".
7. The method for detecting a distributed denial of service attack according to claim 6, characterised in that, in step 4), the conclusion events related to the distributed denial of service attack further comprise the conclusion event S in the knowledge, which denotes "the attack source is determined", and the conclusion event F, which denotes "a DDoS attack with randomly spoofed source IPs exists".
8. The method for detecting a distributed denial of service attack according to claim 1, characterised in that, in step 4), the confidence computation formulas comprise a compound evidence confidence formula and a conclusion confidence formula; wherein
the compound evidence confidence formula comprises:
when the evidence is a conjunctive event, the evidence E is expressed as E = E1 ∧ … ∧ En, and its confidence is computed as
CF(E) = CF(E1 ∧ … ∧ En) = min{CF(E1), …, CF(En)};    (1)
when the evidence is a disjunctive event, the evidence E is expressed as E = E1 ∨ … ∨ En, and its confidence is computed as
CF(E) = CF(E1 ∨ … ∨ En) = max{CF(E1), …, CF(En)};    (2)
when the evidence is a compound event containing both conjunctive and disjunctive events, it is decomposed into conjunctive and disjunctive events and formulas (1) and (2) are applied to each respectively;
the conclusion confidence formula comprises a conclusion confidence formula for a single knowledge item and a combination formula for the same conclusion across multiple knowledge items; wherein
the conclusion confidence formula for a single knowledge item is
CF(H) = CF(H, E) × CF(E)    (3)
where CF(H) denotes the conclusion confidence, CF(E) the evidence confidence and CF(H, E) the knowledge confidence;
the combination formula for the same conclusion across multiple knowledge items is
CF(H) = CF1(H) + CF2(H) − CF1(H) × CF2(H)    (4)
where CF1(H) denotes the confidence in conclusion H under one knowledge item and CF2(H) the confidence in conclusion H under another knowledge item.
9. A system for detecting a distributed denial of service attack, characterised in that it comprises a detection feature extraction module, an evidence confidence computation module, a knowledge creation module and a distributed denial of service attack detection module; wherein
the detection feature extraction module receives network packets and extracts from them the detection features that are related to distributed denial of service attack detection and serve to prove the existence of a distributed denial of service attack;
the evidence confidence computation module uses the detection features as evidence in the naive confidence model and computes the evidence confidence; wherein the naive confidence model adds, on the basis of the confidence model, the assumption that the evidence in a knowledge item always supports the conclusion being true;
the knowledge creation module creates knowledge in the naive confidence model from the detection features and computes the confidence of the knowledge;
the distributed denial of service attack detection module substitutes the evidence confidence and the knowledge confidence into the confidence computation formulas of the naive confidence model and computes the confidence of the conclusion events related to the distributed denial of service attack.
Application CN200910083452XA, priority date 2009-05-05, filing date 2009-05-05, "Method and system for detecting distributed denial of service attack", granted as CN101547129B (en); legal status: Expired - Fee Related.

Publications (2)

Publication Number Publication Date
CN101547129A true CN101547129A (en) 2009-09-30
CN101547129B CN101547129B (en) 2011-05-04

CN106533829B (en) * 2016-11-04 2019-04-30 东南大学 A kind of DNS method for recognizing flux based on bit entropy
CN110366727A (en) * 2017-02-13 2019-10-22 微软技术许可有限责任公司 Multi signal analysis for damage range identification
CN110366727B (en) * 2017-02-13 2023-09-19 微软技术许可有限责任公司 Multi-signal analysis for damaged range identification
CN107135281B (en) * 2017-03-13 2020-03-31 国家计算机网络与信息安全管理中心 IP region feature extraction method based on multi-data source fusion
CN107135281A (en) * 2017-03-13 2017-09-05 国家计算机网络与信息安全管理中心 A kind of IP regions category feature extracting method merged based on multi-data source
CN107749859A (en) * 2017-11-08 2018-03-02 南京邮电大学 A kind of malice Mobile solution detection method of network-oriented encryption flow
CN108270778B (en) * 2017-12-29 2020-11-20 中国互联网络信息中心 DNS domain name abnormal access detection method and device
CN108270778A (en) * 2017-12-29 2018-07-10 中国互联网络信息中心 A kind of DNS domain name abnormal access detection method and device
CN109040084B (en) * 2018-08-13 2021-03-12 广东电网有限责任公司 Network flow abnormity detection method, device, equipment and storage medium
CN109040084A (en) * 2018-08-13 2018-12-18 广东电网有限责任公司 A kind of network flow abnormal detecting method, device, equipment and storage medium
CN110071934B (en) * 2019-04-30 2021-03-26 中国人民解放军国防科技大学 Local sensitivity counting abstract method and system for network anomaly detection
CN110071934A (en) * 2019-04-30 2019-07-30 中国人民解放军国防科技大学 local sensitivity counting abstract method and system for network anomaly detection
CN111131309A (en) * 2019-12-31 2020-05-08 奇安信科技集团股份有限公司 Distributed denial of service detection method and device and model creation method and device
CN111600859A (en) * 2020-05-08 2020-08-28 恒安嘉新(北京)科技股份公司 Method, device, equipment and storage medium for detecting distributed denial of service attack
CN111600859B (en) * 2020-05-08 2022-08-05 恒安嘉新(北京)科技股份公司 Method, device, equipment and storage medium for detecting distributed denial of service attack

Also Published As

Publication number Publication date
CN101547129B (en) 2011-05-04

Similar Documents

Publication Publication Date Title
CN101547129B (en) Method and system for detecting distributed denial of service attack
CN101626322B (en) Method and system of network behavior anomaly detection
Poongodi et al. Intrusion prevention system for DDoS attack on VANET with reCAPTCHA controller using information based metrics
CN109600363B (en) Internet of things terminal network portrait and abnormal network access behavior detection method
Sun et al. Alert aggregation in mobile ad hoc networks
Bao et al. BLITHE: Behavior rule-based insider threat detection for smart grid
CN110474878B (en) DDoS attack situation early warning method and server based on dynamic threshold
Le et al. Data analytics on network traffic flows for botnet behaviour detection
CN106899435A (en) A kind of complex attack identification technology towards wireless invasive detecting system
CN105491013A (en) Multi-domain network security situation perception model and method based on SDN
CN102802158A (en) Method for detecting network anomaly of wireless sensor based on trust evaluation
CN101420442A (en) Network security risk evaluation system based on game theory
KR20150091775A (en) Method and System of Network Traffic Analysis for Anomalous Behavior Detection
CN108965248A (en) A kind of P2P Botnet detection system and method based on flow analysis
CN111586046A (en) Network traffic analysis method and system combining threat intelligence and machine learning
CN110445801A (en) A kind of Situation Awareness method and system of Internet of Things
CN106330611A (en) Anonymous protocol classification method based on statistical feature classification
CN110012037A (en) Network attack prediction model construction method based on uncertain perception attack graph
Zheng et al. Dynamic network security mechanism based on trust management in wireless sensor networks
CN107623691A (en) A kind of ddos attack detecting system and method based on reverse transmittance nerve network algorithm
CN110430212A (en) The Internet of Things of multivariate data fusion threatens cognitive method and system
Sen et al. On using contextual correlation to detect multi-stage cyber attacks in smart grids
US20170346834A1 (en) Relating to the monitoring of network security
Sen et al. Towards an approach to contextual detection of multi-stage cyber attacks in smart grids
Al-Abadi et al. Impact Of Availability Attacks On Enabling IoT Based Healthcare Applications

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
ASS Succession or assignment of patent right

Owner name: YANTAI ZHONGKE NETWORK TECHNOLOGY INSTITUTE

Free format text: FORMER OWNER: INSTITUTE OF COMPUTING TECHNOLOGY, CHINESE ACADEMY OF SCIENCES

Effective date: 20140411

C41 Transfer of patent application or patent right or utility model
COR Change of bibliographic data

Free format text: CORRECT: ADDRESS; FROM: 100190 HAIDIAN, BEIJING TO: 264003 YANTAI, SHANDONG PROVINCE

TR01 Transfer of patent right

Effective date of registration: 20140411

Address after: 264003, Blue Ocean International Software Park, No. 1 Blue Sea Road, Yantai, Shandong

Patentee after: Yantai Zhong Ke network technical institute

Address before: 100190 Haidian District, Zhongguancun Academy of Sciences, South Road, No. 6, No.

Patentee before: Institute of Computing Technology, Chinese Academy of Sciences

CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20110504

Termination date: 20210505