CN101635703A - Method for detecting WEB service abnormality - Google Patents


Info

Publication number
CN101635703A
Authority
CN
China
Prior art keywords
web server
service
state
attack
detection
Prior art date
Legal status
Pending
Application number
CN200810117114A
Other languages
Chinese (zh)
Inventor
赵海峰
牛妍萍
Current Assignee
Beijing Venus Information Security Technology Co Ltd
Beijing Venus Information Technology Co Ltd
Original Assignee
Beijing Venus Information Security Technology Co Ltd
Beijing Venus Information Technology Co Ltd
Priority date
Filing date
Publication date
Application filed by Beijing Venus Information Security Technology Co Ltd, Beijing Venus Information Technology Co Ltd
Priority to CN200810117114A
Publication of CN101635703A

Abstract

The invention relates to a method for detecting WEB service abnormality, which comprises the following steps: analyzing and establishing a correspondence between the states of a Web server (4) and the behavior of communication packets; detecting and analyzing network communication packets in real time, and deriving the state of the Web server (4) and its transitions from the behavior of the communication packets; and judging and reporting, according to the state transitions of the Web server (4), whether the Web server is subjected to an unknown denial-of-service attack. By establishing the correspondence between Web server states and communication packet behavior, detecting packets in real time and analyzing the corresponding states and transitions of the Web server, the method can discover abnormal states of the Web server and, compared with prior methods, can raise alarms on and block unknown denial-of-service attacks, and extract and record the network packets that carry the attack signature.

Description

A method for detecting WEB service abnormality
Technical field
The present invention relates to network security, and specifically to a method for detecting WEB service abnormality.
Background
Detecting unknown attacks, and unknown denial-of-service attacks in particular, has always been a difficult problem in the fields of network intrusion defense, network intrusion protection and anti-denial-of-service. The industry's network intrusion detection, network intrusion protection and anti-denial-of-service products cannot detect, raise alarms on, protect against or defend against new, unknown denial-of-service attacks. The root cause is that these products essentially all detect, alarm, block and protect by signature matching. The biggest defect of this technical approach is that the attack signature of a known attack must be extracted in advance, so the method inherently lags behind unknown attacks.
Summary of the invention
The technical problem to be solved by the present invention is how to provide a method for detecting WEB service abnormality that can detect, raise alarms on and block unknown denial-of-service attacks against a Web server.
The above technical problem is solved by providing a method for detecting WEB service abnormality, which specifically comprises the following steps:
1.1) analyzing and establishing the correspondence between Web server states and communication packet behavior;
1.2) detecting and analyzing network communication packets in real time, and deriving the Web server state and its transitions from the communication packet behavior;
1.3) judging and reporting, according to the Web server state transitions, whether an unknown denial-of-service attack has occurred.
According to the detection method provided by the invention, the attack detector that performs the real-time detection and analysis of step 1.2) can be deployed in two ways:
(1) Bypass detection and analysis by an attack detector connected to a mirror port of the switch; the detection method further comprises automatically extracting the attack signature after judging that an unknown denial-of-service attack has occurred.
(2) In-line detection and analysis by an attack detector inserted transparently in series in the network between the Web server and the Web clients; the detection method further comprises automatically extracting and automatically applying the attack signature after judging that an unknown denial-of-service attack has occurred, thereby automatically blocking the unknown denial-of-service attack against the Web server.
According to the detection method provided by the invention, the Web server states comprise the shutdown state, the powered-on no-service state, the normal service state, the service abort states and the abnormal service states.
According to the detection method provided by the invention, the service abort states comprise: aborted with no response but operating system alive; aborted with no response and operating system crashed; and aborted while sending the response but operating system not crashed.
According to the detection method provided by the invention, step 1.3) comprises judging that an unknown denial-of-service attack has occurred when the Web server goes from the normal service state into a service abort state.
According to the detection method provided by the invention, step 1.3) comprises judging that a connection blocking attack has occurred when the Web server goes from the normal service state into the abnormal service state.
According to the detection method provided by the invention, the communication packets comprise HTTP and TCP/IP protocol packets.
The method for detecting WEB service abnormality provided by the invention analyzes the behavior patterns of the communication packets between the client and the Web server in the various states and thereby establishes the correspondence between Web server states and behavior patterns. By analyzing the behavior patterns of the packets between client and server in network communication and the corresponding state transitions, the system proposed in the invention can discover the abnormal state the Web server is in. The method can raise alarms on and block currently unknown denial-of-service attacks, and extract and record the network packets that carry the attack signature.
Description of drawings
The present invention is described in further detail below with reference to the drawings and specific embodiments.
Fig. 1 is a structural schematic diagram of the bypass attack detection system of the present invention;
Fig. 2 is a structural schematic diagram of the in-line attack detection system of the present invention.
Embodiment
First, the idea of the present invention is described:
By analyzing the behavior patterns, under various states, of the TCP/IP and HTTP communication packets between the client and the Web server, a correspondence is established between the states of the Web server (normal, abnormal, under attack and so on) and the behavior patterns of the communication packets. Analyzing the behavior patterns of packets in network communication reveals the state changes of the Web server and thereby detects unknown denial-of-service attacks. On this basis an alarm is raised and the request data of the HTTP request containing the attack is extracted and recorded. An attack detection device that uses the transparent in-line access mode can then go on to detect and block subsequent instances of the same attack; an attack detection device that uses the bypass mode can raise a timely alarm when the attack occurs, record it, and provide the attack signature to the administrator.
Second, the basic principle of the present invention is described:
Correspondence model between Web server states and TCP/IP protocol stack packet behavior
By analyzing the behavior of the TCP/IP protocol stack communication packets between client and server, a model is established that maps the behavior of the packets exchanged by the two TCP/IP endpoints to the states of the protected Web server. The states and the corresponding TCP/IP packet behavior are as follows:
a. Shutdown state: the protected Web server is not powered on or is not connected to the network; the TCP/IP address of the Web server is unreachable, or a firewall placed between the server and the Internet has a policy that drops all external request packets. The behavior pattern of the TCP/IP communication packets between the client and the Web server in this state is as follows:
The client sends a TCP SYN connection packet to port 80 of the target Web server, but the server gives no subsequent response. This can be expressed as:
Client SYN ---> Web server port 80
No response packet of any kind
b. Powered-on no-service state: the protected Web server is powered on and the operating system is running normally, but the Web service is not running. The behavior pattern of the TCP/IP communication packets between the client and the Web server in this state is as follows:
The client sends a TCP SYN connection packet to port 80 of the target Web server, and the target server replies with a RST packet. This is expressed as:
Client SYN ---> Web server port 80
RST ACK <--- Web server
c. Normal service state: the protected Web server is powered on, the operating system is running normally and the Web service is running; the server responds to HTTP requests within a specified period and terminates TCP/IP connections normally. A response time parameter Tr is introduced here; in the present invention Tr is specified in advance and is adjustable. The behavior pattern of the TCP/IP communication packets between the client and the Web server in this state is as follows:
The client sends a TCP SYN connection packet to port 80 of the target Web server, the target server replies with a SYN ACK packet, and the client sends an ACK packet to the Web server. The client then sends a packet containing the HTTP request, for example "GET / HTTP/1.1". The following kinds of feedback from the target server within time Tr count as the normal service state:
(1) The server returns an HTTP response; if the response is "HTTP/1.1 200 OK", the length of the HTTP content subsequently sent by the server equals the length declared in the first HTTP response packet; or the Web server returns another well-defined response specified by the HTTP protocol.
(2) If the connection is a Keep-Alive connection, every one of the multiple requests and responses between client and server must conform to (1).
(3) If the reply to the last complete HTTP request between client and server carries the FIN flag, the subsequent TCP termination may be: the client sends FIN ACK to the server, and the connection ends after the server replies with ACK.
(4) Apart from (3), the TCP connection between client and server ends with the following packet behavior pattern:
Client TCP FIN ACK ---> Web server
ACK <--- Web server
FIN ACK <--- Web server
ACK ---> Web server
d. Service abort state 1 (no HTTP response, service aborted, operating system alive): after the client has normally established a connection to the Web server port, the client sends a certain HTTP request to the protected Web server and the server gives no HTTP response within the specified time Tr; that is, the Web server program has suffered a denial-of-service attack and exited, but the server operating system is running normally. The behavior pattern of the TCP/IP communication packets between the client and the Web server in this state is as follows:
The client establishes a TCP connection with the Web server by sending a SYN packet; the server replies with SYN ACK and the client sends ACK to the server, so the connection is established. The client then sends some HTTP request to the server, but within the given time Tr the target server gives no response of the kind specified by the HTTP protocol; instead it sends a FIN ACK packet to the client to end the TCP connection. The client replies with ACK and then sends FIN ACK to the server, and the server's ACK ends the connection between the two sides. This is expressed as:
Client TCP SYN ---> Web server
SYN ACK <--- Web server
ACK ---> Web server
HTTP request such as "GET / HTTP/1.1" ---> Web server
No response
TCP FIN ACK <--- Web server
ACK ---> Web server
FIN ACK ---> Web server
ACK <--- Web server
This abnormal state shows that the client's HTTP request contained a denial-of-service attack: after receiving the request the Web server program stopped serving, but the operating system and the TCP/IP protocol stack still work normally.
e. Service abort state 2 (no response, service aborted, operating system crashed): after the client has normally established a connection to the Web server port, the client sends a certain HTTP request to the protected Web server and the server gives no HTTP response within the specified time Tr, nor does the Web server send any FIN ACK acknowledgement; that is, the Web server has suffered a denial-of-service attack and its operating system has crashed, so the Web server cannot send any subsequent response packet. The behavior pattern of the TCP/IP communication packets between the client and the Web server in this state is as follows:
The client establishes a TCP connection with the Web server by sending a SYN packet; the server replies with SYN ACK and the client sends ACK to the server, so the connection is established. The client then sends some HTTP request to the server, but within the given time Tr the target server gives no response of the kind specified by the HTTP protocol and does not send a FIN ACK packet to the client to end the TCP connection either. This is expressed as:
Client TCP SYN ---> Web server
SYN ACK <--- Web server
ACK ---> Web server
HTTP request such as "GET /xxxx HTTP/1.1" ---> Web server
No subsequent response of any kind
This abnormal state shows that the client's HTTP request contained a denial-of-service attack: after the Web server program received the request, the operating system crashed and the service stopped.
f. Service abort state 3 (aborted while sending the response, operating system not crashed): after the client has normally established a connection to the Web server port, the client sends a certain HTTP request to the protected Web server and the server gives an HTTP response within the specified time Tr, but the service aborts before the data length declared in the response header has been sent to the client; the operating system does not crash. The behavior pattern of the TCP/IP communication packets between the client and the Web server in this state is as follows:
The client establishes a TCP connection with the Web server by sending a SYN packet; the server replies with SYN ACK and the client sends ACK to the server, so the connection is established. The client then sends some HTTP request to the server. The target server gives the HTTP response to the request within the given time Tr and begins to send data to the client, but before the data length declared in the response header has been sent, a packet sent to the client carries the FIN connection-termination flag and the service aborts. The client then sends a FIN ACK acknowledgement packet, the Web server replies with ACK, and the connection ends.
This state shows that the HTTP request sent by the client contained a denial-of-service attack: the server program crashed while processing the response and the service aborted, but the server operating system is still alive.
g. Abnormal service state (slow response): after the client has normally established a connection to the Web server port, the client sends a certain HTTP request to the protected Web server and the server fails to give an HTTP response within the specified acceptable slow-response time Tmin, but does give a response within the specified timeout Tmax, which shows that the Web server is overloaded.
The behavior pattern of the TCP/IP communication packets between the client and the Web server in this state is as follows:
The client establishes a TCP connection with the Web server by sending a SYN packet; the server replies with SYN ACK and the client sends ACK to the server, so the connection is established. The client then sends some HTTP request to the server; the server fails to give an HTTP response within the specified acceptable slow-response time Tmin, but gives a response within the specified timeout Tmax.
This state shows that the HTTP request sent by the client contained a denial-of-service attack: the server program and system are overloaded, but the Web server program has not exited and the server operating system has not crashed.
h. Abnormal service state (service connection blocked by an attack): while the client and the Web server are establishing a TCP connection, an attacker on a bypass who can intercept the packets of both sides forges the server address and sends the client a spoofed disconnect packet, which blocks the connection between the two sides, so the Web service requested by the client cannot complete normally.
The behavior pattern of the TCP/IP communication packets between the client and the Web server in this state is as follows:
The client establishes a TCP connection with the Web server by sending a SYN packet, and then receives, one after the other (in either order), a SYN ACK packet and a RST ACK packet from the server address carrying the same ACK sequence number. For a Web server system on its own this behavior cannot occur, so this behavior pattern confirms that an attacker able to eavesdrop on the communication of both sides has carried out a blocking attack on it.
Third, the deployment modes of the attack detector system of the present invention are described. There are two:
(1) Bypass access
As shown in Fig. 1, the attack detector 31 is connected to a mirror port of the switch 2 and can passively monitor all communication packets between the Web clients and the Web server 4. In the figure, the Web clients are divided into normal clients 11 and denial-of-service attack clients 12; the attack detector 31 is also connected to the attack detector management end 32.
(2) Transparent in-line access
As shown in Fig. 2, the difference from Fig. 1 is that the attack detector 31 is connected in series between the Web clients and the Web server 4. In this mode the attack detector can not only obtain the communication packets of both sides but also decide whether to forward a request that carries an attack signature. The attack detector management end 32 connected to the attack detector 31 can configure the following parameters of the attack detector 31: the list of Web servers 4 that the attack detector 31 is to protect, and the minimum response time Tmin, the maximum response time Tmax and the response time threshold Tr of the protected Web servers 4. The management end 32 also displays the alarms from the attack detection engine together with the request content that contains the specific attack signature.
The attack detection engine captures the mirrored network packets and performs protocol analysis on them to determine the kind of TCP/IP packet: SYN connection packet, SYN ACK connection acknowledgement packet, FIN connection termination packet, FIN ACK termination acknowledgement packet, RST ACK connection reset packet, or a packet containing application-layer data such as an HTTP data packet.
Finally, the attack detection method and processing flow of the present invention are described:
First assume that most of the communication between clients and the Web server is in a normal operating state; that is, by detecting and analyzing network packets, the protected Web server is confirmed to be in state c. The workflow of the method then begins.
1) The state of the protected Web server goes from c to a: the attack detection system management client reports to the administrator that the protected Web server has shut down abnormally.
2) The state of the protected Web server goes from c to b: the attack detection system management client reports to the administrator that the Web service of the protected Web server has aborted.
3) The state of the protected Web server goes from c to d: the attack detection system management client reports to the administrator that the protected Web server is under an unknown denial-of-service attack and the service has stopped.
4) The state of the protected Web server goes from c to e: the attack detection system management client reports to the administrator that the protected Web server is under an unknown denial-of-service attack and the Web server operating system has crashed.
5) The state of the protected Web server goes from c to f: the attack detection system management client reports to the administrator that the protected Web server is under an unknown denial-of-service attack and the Web service program aborted while processing the response.
6) The state of the protected Web server goes from c to g: the attack detection system management client reports to the administrator that the protected Web server is under an unknown denial-of-service attack, the Web service program is overloaded and responses are slow.
7) The state of the protected Web server goes from c to h: the attack detection system management client reports to the administrator that the connection between the protected Web server and the client is under a connection blocking attack.
8) For processing flows 3), 4), 5) and 6), attack detectors deployed in bypass mode and in transparent in-line mode both record the HTTP content of the request in the alarm and display it to the administrator through the management client for analysis. For processing flows 3), 4), 5) and 6), an attack detector deployed in transparent in-line mode additionally extracts the URL of the HTTP request or the POST data of the HTTP protocol and uses this request signature as its basis for judging a denial-of-service attack. The attack detector matches the URL content or POST data in subsequent client HTTP requests against the extracted attack URL or POST data; if they match, the request is considered a denial-of-service attack and the corresponding request packet is dropped so that the server is not attacked. This completes automatic attack signature extraction, automatic application, and automatic blocking of the unknown denial-of-service attack against the Web server.
9) After processing flows 1) to 8) are finished, the system waits for a packet behavior pattern matching state c to appear, and then repeats the abnormality detection process starting from state c.
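The state model (a to h) and processing flows 1) to 9) above can be exercised on simplified flows. The following Python sketch is an added example, not code from the patent: the event model `E`, the sample flows, the URLs `/big` and `/slow`, and treating the no-response deadline Tr as equal to Tmax are all assumptions made here.

```python
from typing import NamedTuple

class E(NamedTuple):
    """One observed packet of a client/server flow (simplified, constructed model)."""
    t: float            # seconds since the client's SYN
    sender: str         # "C" = client, "S" = Web server address
    kind: str           # SYN, SYNACK, RSTACK, ACK, FINACK, HTTP_REQ, HTTP_RESP
    ack: int = 0        # TCP acknowledgement number (used for state h)
    request: str = ""   # HTTP request line, for HTTP_REQ
    declared: int = 0   # body length declared in the response header
    sent: int = 0       # body bytes actually carried by this packet

def classify(flow, tmin, tmax):
    """Map one flow to a state letter a-h of the description, or None."""
    srv = [e for e in flow if e.sender == "S"]
    if not srv:
        return "a"                       # SYN sent, no packet came back
    synack = [e for e in srv if e.kind == "SYNACK"]
    rst = [e for e in srv if e.kind == "RSTACK"]
    if synack and rst and synack[0].ack == rst[0].ack:
        return "h"                       # SYN ACK and RST ACK with the same ACK number
    if rst and not synack:
        return "b"                       # host answers, Web service not running
    req = next((e for e in flow if e.kind == "HTTP_REQ"), None)
    if req is None:
        return None                      # no HTTP request seen, nothing to judge
    # Assumption: a response later than Tmax counts as "no response" (Tr == Tmax).
    resp = next((e for e in srv
                 if e.kind == "HTTP_RESP" and e.t - req.t <= tmax), None)
    server_fin = any(e.kind == "FINACK" and e.t > req.t for e in srv)
    if resp is None:
        return "d" if server_fin else "e"   # TCP stack alive vs. total silence
    if resp.t - req.t > tmin:
        return "g"                       # answered, but slower than Tmin
    if server_fin and sum(e.sent for e in srv) < resp.declared:
        return "f"                       # FIN before the declared length was sent
    return "c"

ALERTS = {  # report texts paraphrased from processing flows 1) to 7)
    "a": "Web server shut down abnormally",
    "b": "Web service aborted",
    "d": "unknown DoS attack: service stopped",
    "e": "unknown DoS attack: operating system crashed",
    "f": "unknown DoS attack: service aborted while processing the response",
    "g": "unknown DoS attack: service overloaded, slow response",
    "h": "connection blocking attack between server and client",
}

class Detector:
    def __init__(self, inline, tmin, tmax):
        self.inline, self.tmin, self.tmax = inline, tmin, tmax
        self.armed = False        # True once state c has been confirmed
        self.signatures = set()   # URLs extracted from flows that led to d, e, f, g
        self.alerts = []          # (state, report text, request line)

    def should_drop(self, request_line):
        """Only an in-line detector applies signatures (flow 8)."""
        return self.inline and request_line.split()[1] in self.signatures

    def observe(self, flow):
        state = classify(flow, self.tmin, self.tmax)
        if state == "c":
            self.armed = True                 # flow 9: wait for c, then start again
        elif state is not None and self.armed:
            req = next((e.request for e in flow if e.kind == "HTTP_REQ"), "")
            self.alerts.append((state, ALERTS[state], req))
            if state in "defg":               # flow 8: extract the request URL
                self.signatures.add(req.split()[1])
            self.armed = False
        return state

# Constructed sample flows, one per interesting state.
HANDSHAKE = [E(0.00, "C", "SYN"), E(0.01, "S", "SYNACK", ack=1), E(0.02, "C", "ACK")]

def flow_with(request, *rest):
    return HANDSHAKE + [E(0.03, "C", "HTTP_REQ", request=request), *rest]

NORMAL = flow_with("GET / HTTP/1.1", E(0.10, "S", "HTTP_RESP", declared=500, sent=500))
STATE_D = flow_with("GET /xxxx HTTP/1.1", E(0.50, "S", "FINACK"), E(0.51, "C", "ACK"),
                    E(0.52, "C", "FINACK"), E(0.53, "S", "ACK"))
STATE_E = flow_with("GET /xxxx HTTP/1.1")
STATE_F = flow_with("GET /big HTTP/1.1",
                    E(0.10, "S", "HTTP_RESP", declared=500, sent=120),
                    E(0.20, "S", "FINACK"))
STATE_G = flow_with("GET /slow HTTP/1.1", E(3.00, "S", "HTTP_RESP", declared=10, sent=10))
STATE_H = [E(0.00, "C", "SYN"), E(0.01, "S", "SYNACK", ack=1), E(0.01, "S", "RSTACK", ack=1)]

def run_demo():
    det = Detector(inline=True, tmin=2.0, tmax=10.0)
    for flow in (NORMAL, STATE_D, STATE_E, NORMAL, STATE_H):
        det.observe(flow)
    return det

if __name__ == "__main__":
    for alert in run_demo().alerts:
        print(alert)
```

Exact-match signatures of the kind flow 8) describes also drop legitimate requests for a URL that merely coincided with an outage, so extracted signatures are worth reviewing before they stay in force.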

Claims (10)

1. A method for detecting WEB service abnormality, characterized by comprising the following steps:
1.1) analyzing and establishing the correspondence between Web server (4) states and communication packet behavior;
1.2) detecting and analyzing network communication packets in real time, and deriving the Web server (4) state and its transitions from the communication packet behavior;
1.3) judging and reporting, according to the Web server (4) state transitions, whether an unknown denial-of-service attack has occurred.
2. The detection method according to claim 1, characterized in that the real-time detection and analysis in step 1.2) is bypass detection and analysis performed by an attack detector (31) connected to a mirror port of a switch (2).
3. The detection method according to claim 2, characterized in that the detection method further comprises automatically extracting the attack signature after judging that an unknown denial-of-service attack has occurred.
4. The detection method according to claim 1, characterized in that the detection and analysis in step 1.2) is in-line detection and analysis performed by an attack detector (31) inserted transparently in series between the Web server (4) and the Web clients (11, 12).
5. The detection method according to claim 3, characterized in that the detection method further comprises automatically extracting and automatically applying the attack signature after judging that an unknown denial-of-service attack has occurred, thereby automatically blocking the unknown denial-of-service attack against the Web server (4).
6. The detection method according to claim 1, characterized in that the Web server (4) states comprise the shutdown state, the powered-on no-service state, the normal service state, the service abort states and the abnormal service states.
7. The detection method according to claim 6, characterized in that the service abort states comprise: aborted with no response but operating system alive; aborted with no response and operating system crashed; and aborted while sending the response but operating system not crashed.
8. The detection method according to claim 1 or 6, characterized in that step 1.3) comprises judging that an unknown denial-of-service attack has occurred when the Web server (4) goes from the normal service state into a service abort state.
9. The detection method according to claim 1 or 6, characterized in that step 1.3) comprises judging that a connection blocking attack has occurred when the Web server (4) goes from the normal service state into the abnormal service state.
10. The detection method according to claim 1, characterized in that the communication packets comprise HTTP and TCP/IP protocol packets.
CN200810117114A 2008-07-24 2008-07-24 Method for detecting WEB service abnormality Pending CN101635703A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN200810117114A CN101635703A (en) 2008-07-24 2008-07-24 Method for detecting WEB service abnormality

Publications (1)

Publication Number Publication Date
CN101635703A true CN101635703A (en) 2010-01-27

Family

ID=41594765

Family Applications (1)

Application Number Title Priority Date Filing Date
CN200810117114A Pending CN101635703A (en) 2008-07-24 2008-07-24 Method for detecting WEB service abnormality

Country Status (1)

Country Link
CN (1) CN101635703A (en)

Legal Events

Date Code Title Description
PB01 Publication
C06 Publication
SE01 Entry into force of request for substantive examination
C10 Entry into substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20100127

C12 Rejection of a patent application after its publication