CN101741847A - Detecting method of DDOS (distributed denial of service) attacks - Google Patents
Detecting method of DDOS (distributed denial of service) attacks Download PDFInfo
- Publication number
- CN101741847A CN101741847A CN200910243441A CN200910243441A CN101741847A CN 101741847 A CN101741847 A CN 101741847A CN 200910243441 A CN200910243441 A CN 200910243441A CN 200910243441 A CN200910243441 A CN 200910243441A CN 101741847 A CN101741847 A CN 101741847A
- Authority
- CN
- China
- Prior art keywords
- packet
- data
- bag
- attack
- network
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
- 238000000034 method Methods 0.000 title claims abstract description 27
- 238000001514 detection method Methods 0.000 claims abstract description 22
- 238000004458 analytical method Methods 0.000 claims abstract description 13
- 238000012545 processing Methods 0.000 claims abstract description 6
- 238000007405 data analysis Methods 0.000 claims description 8
- 102000006479 Heterogeneous-Nuclear Ribonucleoproteins Human genes 0.000 claims description 6
- 108010019372 Heterogeneous-Nuclear Ribonucleoproteins Proteins 0.000 claims description 6
- 239000012141 concentrate Substances 0.000 claims description 3
- 238000000205 computational method Methods 0.000 claims description 2
- 230000006855 networking Effects 0.000 description 6
- 238000005516 engineering process Methods 0.000 description 5
- 230000006870 function Effects 0.000 description 3
- 238000012544 monitoring process Methods 0.000 description 3
- 230000002159 abnormal effect Effects 0.000 description 2
- 230000005540 biological transmission Effects 0.000 description 2
- 238000011161 development Methods 0.000 description 2
- 238000007619 statistical method Methods 0.000 description 2
- 241001269238 Data Species 0.000 description 1
- 238000009825 accumulation Methods 0.000 description 1
- 238000012512 characterization method Methods 0.000 description 1
- 238000004891 communication Methods 0.000 description 1
- 230000002950 deficient Effects 0.000 description 1
- 230000000694 effects Effects 0.000 description 1
- 238000003672 processing method Methods 0.000 description 1
- 238000003786 synthesis reaction Methods 0.000 description 1
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L43/00—Arrangements for monitoring or testing data switching networks
- H04L43/16—Threshold monitoring
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/1458—Denial of Service
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention discloses a detecting method of DDOS (distributed denial of service) attacks, belonging to the field of computer network safety and comprising the steps that, (1) a data packet interception module is used for analyzing accessed network data packet information; (2) a data packet feature statistic module is used for counting the analyzed network data packet information; (3) a statistical data processing module is used for computing the proportional distribution of all kinds of data packets relative to the total number of the data packets at unit time; (4) a data analyzing module is used for computing an alarm threshold of network data according to stored historical data computed in the steps (2) and (3); (5) the data analyzing module is used for judging whether a network data value at the current unit time exceeds the alarm threshold of the corresponding network data or not; if exceeds, the network data is submitted to an attack analyzing module; and (6) the attack analyzing module is used for generating a detection report according to the received network data value. Compared with the prior art, by integrating the historical data transmitted by a network, the invention carries out further analysis on the current network data, and can identify various ddos attacks.
Description
Technical field
The invention belongs to security fields, computer networking, be specifically related to a kind of DDOS attack detection method.
Background technology
Denial of Service attack, English Denial of Service (DOS), as a kind of attack means on the Internet, very long history has been arranged, it mainly is the defective of utilizing ICP/IP protocol, the resource exhaustion of the network of service will be provided, cause normal service can not be provided, be a kind of to the huge malicious attack of network harm, some Denial of Service attack is a bandwidth consumed, and some is the cpu and the internal memory of consumption network equipment, and some are also arranged is to cause system crash, wherein representative attack means comprises SYN flood, ICMP flood, UDP flood etc.
At first, attack and generally launch a offensive to target based on the separate unit computer, it is the dos attack that we often say, development along with technology, present attack technology by the DOS mode development to the DDOS pattern, promptly, use distributed computing technology by the multiple computers of unified control, initiate Denial of Service attack to target of attack simultaneously, be called distributed denial of service attack.
Up to the present, also there is not a kind of good technology can thoroughly detect also defending against denial-of-service attacks.
Summary of the invention
At of the threat of present distributed denial of service attack to the Internet, the objective of the invention is to propose a kind of DDOS attack detection method, it can be real-time DDOS is attacked detects.A plurality of network characterizations that the comprehensive DDOS of the present invention attacks, analysis-by-synthesis is finished the detection that DDOS is attacked.
Technical scheme of the present invention is:
A kind of DDOS attack detection method the steps include:
1) the packet interception module is resolved the network data package informatin that inserts; Described network packet information comprises: type of data packet, IP address, port;
2) packet characteristic statistics module is added up the network data package informatin that parses, the IP address sum and the port sum of the packet sum that obtains intercepting in the unit interval, network layer data of different types bag quantity, transport layer data of different types bag quantity, application layer data of different types bag quantity, packet;
3) the statistics processing module calculates the ratio distribution that all types of packets account for the packet sum in the unit interval;
4) data analysis module is according to the step 2 of storage) and the historical data that calculated of step 3), the alarm threshold value of computing network data;
5) data analysis module judges whether the network data value in the current unit interval surpasses the alarm threshold value of map network data, if surpass then this network data value is submitted to the attack analysis module;
6) attack analysis module and generate examining report according to the network data value that receives.
Further, described network data package informatin also comprises the data packet length of various types of data bag; Simultaneously described packet characteristic statistics module is added up the data packet length of all types of packets that parse.
Further, described statistics processing module calculates the average length of all types of packets in the unit interval.
Further, the alarm threshold value of all types of packets of described data analysis module real-time update; The computational methods of described alarm threshold value are: at first calculate the mean value F1 that a certain interior the type packet of one time period of the front and back moment of certain type data packets accounts for total data bag ratio; Calculate then this moment a few days ago, in the synchronization in former week and former months, the type packet accounts for the mean value Fn of the ratio of total data bag; At last according to formula
Calculate the alarm threshold value F of the type packet; N time hop count wherein, kn is the weight of Fn correspondence, Q is a factor, and Q>1.
Further, the type of data packet of described network layer comprises: IP packet, ICMP packet, ARP packet; The type of data packet of described transport layer comprises: tcp data bag, TCPsyn packet, TCPsyn-ack packet, UDP message bag; The type of data packet of described application layer comprises: DNS packet, RTP packet, QQ packet, HTTP packet.
Further, described examining report is the network attack report, and it comprises: attack type, target of attack, attack source, attack scale.
Further, described attack type comprises:
1) UDPfloor attack type, its recognition methods is: total network traffics surpass the total flow alarm threshold value, and the flow of UDP message bag surpasses UDP bag flow alarm threshold value, and the ratio that the UDP message bag accounts for the network packet sum reaches UDP bag accounting alarm threshold value, and the bag average length of UDP message bag is reduced to sets the long alarm threshold value of UDP bag, and the bag average length of UDP message bag is reduced to the long alarm threshold value of setting UDP bag;
2) TCPsynfloor attack type, its recognition methods is: total network traffics surpass the total flow alarm threshold value, and the TCPsyn data packet flow surpasses TCPsyn bag flow alarm threshold value, and the ratio of TCPsyn packet and TCPsynack packet surpasses TCPsyn-ACK bag accounting alarm threshold value, and the ratio of TCPsyn packet and tcp data bag total amount surpasses TCPsyn bag accounting alarm threshold value, and the average length of tcp data bag surpasses TCP packet length alarm threshold value;
3) TCPfloor attack type, its recognition methods is: total network traffics surpass the total flow alarm threshold value, and the TCP network traffics surpass TCP bag flow alarm threshold value, and the ratio that the tcp data bag accounts for the network packet sum surpasses TCP bag accounting alarm threshold value;
4) DNS attack type, other in fact method is: the DNS data packet flow surpasses DNS bag flow alarm threshold value, and the DNS data packet flow accounts for the ratio of total flow above DNS flow accounting alarm threshold value.
Further, definite method of described attack scale is: at first according to the attack type of determining, obtain the present attack traffic of corresponding types; Comprehensively contrast the flow alarm threshold value and the historical normal discharge of the type packet then, assess out the attack scale of current this attack type.
Further, definite method of described target of attack is: at first the packet number that mails to same purpose IP address is added up; Then the purpose IP that relatively concentrates is carried out rank, the IP that rank is forward is defined as the target of being attacked; Definite method of described attack source IP is: the source IP address to packet is added up, and carries out from high to low arrangement according to sending the packet number, and the IP that rank is forward is defined as attack source IP.
Further, described examining report is the network monitor daily paper, and it comprises: the same day different time points network traffics broken line graph; The same day various types of data bag proportion broken line graph; The same day all types of packet proportion mean value cake chart; The broken line graph of all types of packet average lengths in the same day different time spot net.
System of the present invention is divided into three subsystems, network data detection subsystem, network data display subsystem, attack warning subsystem.
1, network data detection subsystem
Major function is the function of being responsible for the detection of networking data, is divided into lower module:
(1) packet interception module.
Equipment is received on the detected network, network data is inserted checkout equipment, this module is responsible for the packet that inserts is resolved, separating deepness can decide according to the performance and the detection safe class of network traffics, current device, the dark more equipment performance that requires of the degree of depth of resolving is high more, and the high more degree of depth of detection that needs of safe class is dark more.According to above factor packet information can be resolved to network layer, also can transport layer even can be resolved to application layer.
(2) packet characteristic statistics module.
The packet information that parses is added up, and concrete work comprises:
A, the sum of the packet that intercepts in the unit interval is added up.
B, the quantity of the network layer data of different types bag that intercepts in the unit interval is added up, comprise quantity of data packets such as IP quantity of data packets, ICMP quantity of data packets, ARP.
C, the quantity of the transport layer data of different types bag that intercepts in the unit interval is added up, comprise quantity, the TCPsyn quantity of data packets of tcp data bag, TCPsyn-ack quantity of data packets, the quantity of UDP message bag.
D, the quantity of the data of different types bag of the application layer that intercepts in the unit interval is added up, comprise DNS packet, RTP packet, QQ packet, HTTP packet etc.
E, the IP address and the port of the packet that intercepts in the unit interval are counted.
F, the data packet length of various types of data bag is carried out record.
(3) statistics processing module.
1) calculate in the unit interval, the ratio that all types of packets account for the packet sum distributes.
2) unit of account is in the time, the average length of all types of packets.
(4) data memory module
In (2), (3) step, the data of acquisition are stored.Be that keyword is preserved with time during storage.
(5) data analysis module.
According to the various data on history of preserving in (4) (be meant last one year, earlier month, former week, a few days ago), calculate the alarm threshold value of each time period.
Account for the total data bag ratio threshold value during t at a time such as UDP message bag in the calculated data bag:
At first, can go to search in the database this front and back a period of time in moment, (t-a, t+a) in this time period, the UDP message bag accounts for the mean value F1 of total data bag ratio.
Calculate again at this that (t-a, t+a) in the time period, the UDP message bag accounts for the mean value F2 of the ratio of total data bag during a few days ago same the period.
Calculate the mean value Fn of former weeks, this moment ratio of earlier month with similar method.
Then, compose a series of weights k1, k2 for each mean value ... kn.
Threshold value F
UdpComputing formula be:
The Q here be one greater than 1 value, be a multiple of the mean value that calculates before threshold value F is made as.
Use similar method to calculate the alarm threshold value of other packets.These threshold datas are real-time update.In case certain monitoring value has surpassed preset threshold, will submit this information to " attack analysis module ".
(6) attack analysis module
Mainly be that the various types of warning messages that obtain from " data analysis module " are carried out comprehensive analysis, the scale of the type of attacking, target of attack, attack source, attack is made judgement.
The type that a, judgement are attacked.
(a) the UDPfloor type is attacked identification:
Total network traffics surpass the total flow threshold value.
The flow of UDP message bag surpasses UDP bag flow threshold,
The UDP message bag accounts for the ratio of whole network packet and brings up to UDP bag accounting threshold value.
The bag average length of UDP message bag is reduced to sets the long threshold value of UDP bag, can judge it is the little packet attack of UDP.
(b) the TCPsynfloor type is attacked identification
Total network traffics surpass the total flow threshold value.
The TCPsyn data packet flow surpasses TCPsyn bag flow threshold.
The ratio of TCPsyn packet and TCPsynack packet surpasses TCPsyn-ACK bag accounting threshold value.
The ratio of TCPsyn packet and tcp data bag total amount surpasses TCPsyn bag accounting threshold value.
The average length of tcp data bag surpasses TCP packet length threshold value.
(c) the TCPfloor type is attacked identification
Total network traffics surpass the total flow threshold value.
The TCP network traffics surpass TCP bag flow threshold.
The ratio that the tcp data bag accounts for whole network packet surpasses TCP bag accounting threshold value.
Use the data packet flow of a lot of discernible application protocols of Transmission Control Protocol not surpass threshold values.
(d) DNS attacks
The DNS data packet flow surpasses DNS bag flow threshold.
The DNS data packet flow, the ratio that accounts for total flow surpasses DNS flow accounting threshold value.
The network total flow surpasses total flow threshold value when serious (attack can occur).
(e) according to the statistics of the network communication of obtaining, also can appropriate combination analyze other emerging attack types.In addition in actual environment, once attacking many times is that attack by several types combines, and this is to judge respectively according to top feature.
Determining of b, attack scale
According to the attack type of determining among a, obtain the present attack traffic of corresponding types, comprehensively contrast the threshold value flow and the historical normal discharge of the type packet, assess out the attack scale of current this attack type.
C, target of attack analysis
Purpose IP to these abnormal data bags adds up, and the packet number that mails to same purpose IP address is added up, and the purpose IP that relatively concentrates is carried out rank, and the IP that rank is forward is defined as the target of being attacked.
D, attack source IP analyze
Source IP address to the abnormal data bag carries out statistical analysis, and according to from high to low the arrangement how much carried out that sends the packet number, the IP that rank is forward is defined as attack source IP.
(7) examining report generation module
Major function is the data that obtain according in the top module, generates analysis report automatically.
Concrete can generate two kinds of reports:
First kind, the network monitor daily paper mainly comprises the broken line graph of different time points network traffics on the same day; The broken line graph of various types of packet proportions; The same day all types of packet proportion mean value cake chart; The broken line graph of all types of packet mean number in the same day different time spot net.The key data source of these charts is " network data monitoring modules ", in real-time data presented on the same day.This examining report belongs to the examining report of routine.
Second kind, the network attack analysis report.In case system detects network when being attacked, system generates this report by analyzing attack data at that time.
Main contents have: the scale of attack
The situation of change of attacking (the gathering way of attack traffic, duration etc.)
Attack type: may be single attack type, also may be multiple comprehensive attack type
Target of attack information: comprise IP address, physical location information etc.
The information of attack source: comprise IP address, physical location information etc., the source IP in distributed attack once may have a lot, can be sorted in the IP address according to the size of the attack scale of different IP addresses here.
2, networking data display subsystem
The data of getting up are also preserved in statistical analysis in the network data detection subsystem to be shown in real time.
The form that shows mainly is linear graph, pie chart form.
The granularity of demonstration time can be adjusted as the case may be, can serve as to show granularity with sky, week also with a minute granularity.Indication range also can show the data in previous hour according to the actual conditions adjustment, also can show the data in nearest a week or month.
Main content displayed has:
(1) the real-time demonstration of network data total flow is with the linear list form.
(2) the real-time demonstration of tcp data flow in the network data is with the linear list form.
(3) the real-time demonstration of TCP-syn data traffic in the network data is with the form of linear list.
(4) the real-time demonstration of TCP-syn-ack data traffic in the data of networking is with the form of linear list.
(5) the real-time demonstration of UDP message flow in the network data is with the form of linear list.
(6) the real-time demonstration of DNS data traffic in the network data is with the form of linear list.
(7) the real-time demonstration of http traffic amount in the network data is with the form of linear list.
(8) in the network data, the real-time demonstration of other application layer data flows is with the form of linear list.The flow of the variety of protocol in the network application layer of the selection needs key monitoring that native system can be selected according to the needs cause of user's concrete concern.
(9) linear list of UDP message bag average length shows in real time.
(10) linear list of tcp data bag average length shows in real time.
(11) UDP, TCP account for what cake chart of whole network traffics respectively
(12) TCP-syn, TCP-syn-ack packet account for the pie chart of tcp data total flow.
(13) pie chart of the application layer protocol proportion of various concerns.
3, attack the warning subsystem
When the network data detection subsystem detects, have in each data target of network certain or certain several when surpassing threshold values, start the warning subsystem, report the related personnel by modes such as display image, sound, institute's monitor network is received attack this moment.Meanwhile the examining report generation module of network data detection subsystem generates strike report and submits to the user.
Advantage of the present invention and good effect:
The characteristics of distributed attack detection method of the present invention are:
1, takes all factors into consideration the feature of variety of network data, ddos is attacked discerned.
2, the historical data of integrated network transmission is analysed in depth current network data, finally makes judgement to network is whether under attack.
Description of drawings
Fig. 1, detection system deployed position figure;
Fig. 2, device structure body;
Fig. 3, detection method flow chart of the present invention.
Embodiment
Below in conjunction with the drawings and specific embodiments the present invention is described in further detail:
1, with bypass mode network traffics is inserted watch-dog.
According to the difference of the target of protecting, can there be following two kinds of selections the position of access.
(1) in protected local area network (LAN) and external the Internet junction, network data is carried out bypass.
(2) at inter-provincial network exit, the bypass checkout equipment detects network traffics, at this moment because the network data amount is very big, can use many checkout equipments to carry out Distributed Detection.
2, at first network data flow flows into " network data detection subsystem ", to the processing method of network data flow as shown in Figure 3:
(1) by " packet interception module " subsystem of " network data detection subsystem " packet that bypass inserts is resolved.
(2) by " packet characteristic statistics module " each the protocol data index that parses is added up.
(3) statistics is further processed.
(4) data that obtain are stored, as the historical data of this network.
(5) on the basis of accumulation historical data, the networking data are further analyzed, calculated the threshold value of variety of network data.
(6) be coordinate with each network data threshold value, the disparate networks monitor data is monitored.
(7) generate the network measuring analysis report according to the network data that monitors.
3, " networking data display subsystem " can carry out real-time screen display to the various data that obtain from " network data detection subsystem ", so that the monitor staff understands the latest network situation.
4, exceed the map network data threshold that calculates before in case find to occur some network data, this message will be delivered to " attacking the warning subsystem "
Send warning message by this subsystem, meanwhile, " examining report generation module " module generates a network attack analysis report.
Claims (10)
1. a DDOS attack detection method the steps include:
1) the packet interception module is resolved the network data package informatin that inserts; Described network packet information comprises: type of data packet, IP address, port;
2) packet characteristic statistics module is added up the network data package informatin that parses, the IP address sum and the port sum of the packet sum that obtains intercepting in the unit interval, network layer data of different types bag quantity, transport layer data of different types bag quantity, application layer data of different types bag quantity, packet;
3) the statistics processing module calculates the ratio distribution that all types of packets account for the packet sum in the unit interval;
4) data analysis module is according to the step 2 of storage) and the historical data that calculated of step 3), the alarm threshold value of computing network data;
5) data analysis module judges whether the network data value in the current unit interval surpasses the alarm threshold value of map network data, if surpass then this network data value is submitted to the attack analysis module;
6) attack analysis module and generate examining report according to the network data value that receives.
2. the method for claim 1 is characterized in that described network data package informatin also comprises the data packet length of various types of data bag; Simultaneously described packet characteristic statistics module is added up the data packet length of all types of packets that parse.
3. method as claimed in claim 2 is characterized in that described statistics processing module calculates the average length of all types of packets in the unit interval.
4. as claim 1 or 3 described methods, it is characterized in that the alarm threshold value of all types of packets of described data analysis module real-time update; The computational methods of described alarm threshold value are: at first calculate the mean value F1 that a certain interior the type packet of one time period of the front and back moment of certain type data packets accounts for total data bag ratio; Calculate then this moment a few days ago, in the synchronization in former week and former months, the type packet accounts for the mean value Fn of the ratio of total data bag; At last according to formula
Calculate the alarm threshold value F of the type packet; N time hop count wherein, kn is the weight of Fn correspondence, Q is a factor, and Q>1.
5. method as claimed in claim 4 is characterized in that the type of data packet of described network layer comprises: IP packet, ICMP packet, ARP packet; The type of data packet of described transport layer comprises: tcp data bag, TCPsyn packet, TCPsyn-ack packet, UDP message bag; The type of data packet of described application layer comprises: DNS packet, RTP packet, QQ packet, HTTP packet.
6. as claim 1 or 5 described methods, it is characterized in that described examining report is the network attack report, it comprises: attack type, target of attack, attack source, attack scale.
7. method as claimed in claim 6 is characterized in that described attack type comprises:
1) UDPfloor attack type, its recognition methods is: total network traffics surpass the total flow alarm threshold value, and the flow of UDP message bag surpasses UDP bag flow alarm threshold value, and the ratio that the UDP message bag accounts for the network packet sum reaches UDP bag accounting alarm threshold value, and the bag average length of UDP message bag is reduced to sets the long alarm threshold value of UDP bag, and the bag average length of UDP message bag is reduced to the long alarm threshold value of setting UDP bag;
2) TCPsynfloor attack type, its recognition methods is: total network traffics surpass the total flow alarm threshold value, and the TCPsyn data packet flow surpasses TCPsyn bag flow alarm threshold value, and the ratio of TCPsyn packet and TCPsynack packet surpasses TCPsyn-ACK bag accounting alarm threshold value, and the ratio of TCPsyn packet and tcp data bag total amount surpasses TCPsyn bag accounting alarm threshold value, and the average length of tcp data bag surpasses TCP packet length alarm threshold value;
3) TCPfloor attack type, its recognition methods is: total network traffics surpass the total flow alarm threshold value, and the TCP network traffics surpass TCP bag flow alarm threshold value, and the ratio that the tcp data bag accounts for the network packet sum surpasses TCP bag accounting alarm threshold value;
4) DNS attack type, other in fact method is: the DNS data packet flow surpasses DNS bag flow alarm threshold value, and the DNS data packet flow accounts for the ratio of total flow above DNS flow accounting alarm threshold value.
8. method as claimed in claim 6 is characterized in that definite method of described attack scale is: at first according to the attack type of determining, obtain the present attack traffic of corresponding types; Comprehensively contrast the flow alarm threshold value and the historical normal discharge of the type packet then, assess out the attack scale of current this attack type.
9. method as claimed in claim 6 is characterized in that definite method of described target of attack is: at first the packet number that mails to same purpose IP address is added up; Then the purpose IP that relatively concentrates is carried out rank, the IP that rank is forward is defined as the target of being attacked; Definite method of described attack source IP is: the source IP address to packet is added up, and carries out from high to low arrangement according to sending the packet number, and the IP that rank is forward is defined as attack source IP.
10. as claim 1 or 5 described methods, it is characterized in that described examining report is the network monitor daily paper, it comprises: the same day different time points network traffics broken line graph; The same day various types of data bag proportion broken line graph; The same day all types of packet proportion mean value cake chart; The broken line graph of all types of packet average lengths in the same day different time spot net.
Priority Applications (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN2009102434413A CN101741847B (en) | 2009-12-22 | 2009-12-22 | Detecting method of DDOS (distributed denial of service) attacks |
| PCT/CN2010/000050 WO2011075922A1 (en) | 2009-12-22 | 2010-01-12 | Method for detecting distributed denial of service attack |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN2009102434413A CN101741847B (en) | 2009-12-22 | 2009-12-22 | Detecting method of DDOS (distributed denial of service) attacks |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN101741847A true CN101741847A (en) | 2010-06-16 |
| CN101741847B CN101741847B (en) | 2012-11-07 |
Family
ID=42464733
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN2009102434413A Active CN101741847B (en) | 2009-12-22 | 2009-12-22 | Detecting method of DDOS (distributed denial of service) attacks |
Country Status (2)
| Country | Link |
|---|---|
| CN (1) | CN101741847B (en) |
| WO (1) | WO2011075922A1 (en) |
Cited By (49)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102123136A (en) * | 2010-12-26 | 2011-07-13 | 广州大学 | Method for identifying DDoS (distributed denial of service) attack flow |
| CN102394786A (en) * | 2011-12-14 | 2012-03-28 | 武汉钢铁(集团)公司 | Hand-held network protocol and threat analyzer |
| CN103001958A (en) * | 2012-11-27 | 2013-03-27 | 北京百度网讯科技有限公司 | Exception transmission control protocol (TCP) message processing method and device |
| CN103561011A (en) * | 2013-10-28 | 2014-02-05 | 中国科学院信息工程研究所 | Method and system for preventing blind DDoS attacks on SDN controllers |
| CN103685168A (en) * | 2012-09-07 | 2014-03-26 | 中国科学院计算机网络信息中心 | Query request service method for DNS (Domain Name System) recursive server |
| CN103888282A (en) * | 2013-08-19 | 2014-06-25 | 中广核工程有限公司 | Network intrusion alarm method and system based on nuclear power plant |
| CN104243408A (en) * | 2013-06-14 | 2014-12-24 | 中国移动通信集团公司 | Method, device and system for monitoring messages in domain name resolution service DNS system |
| CN104348811A (en) * | 2013-08-05 | 2015-02-11 | 深圳市腾讯计算机系统有限公司 | Method and device for detecting attack of DDoS (distributed denial of service) |
| CN104660459A (en) * | 2015-01-15 | 2015-05-27 | 北京奥普维尔科技有限公司 | FPGA-based system and FPGA-based method for realizing online business scanning of 10 gigabit Ethernet |
| CN105119735A (en) * | 2015-07-15 | 2015-12-02 | 百度在线网络技术(北京)有限公司 | Method and device for determining flow types |
| CN105337966A (en) * | 2015-10-16 | 2016-02-17 | 中国联合网络通信集团有限公司 | Processing method for network attacks and device |
| CN105516151A (en) * | 2015-12-15 | 2016-04-20 | 北京奇虎科技有限公司 | Scanning-killing method and device of backdoor file |
| CN105554016A (en) * | 2015-12-31 | 2016-05-04 | 山石网科通信技术有限公司 | Network attack processing method and device |
| CN105656848A (en) * | 2014-11-13 | 2016-06-08 | 腾讯数码(深圳)有限公司 | Method and related device for detecting quick attack of application layer |
| CN105743913A (en) * | 2016-03-31 | 2016-07-06 | 广州华多网络科技有限公司 | Method and device for detecting network attack |
| CN106027549A (en) * | 2016-06-30 | 2016-10-12 | 大连楼兰科技股份有限公司 | Early warning method and device for address resolution protocol (ARP) flooding attacks in local area network |
| CN106034105A (en) * | 2015-03-09 | 2016-10-19 | 国家计算机网络与信息安全管理中心 | OpenFlow switch and method for processing DDoS attack |
| CN106330746A (en) * | 2016-08-30 | 2017-01-11 | 成都科来软件有限公司 | Method and device for carrying out statistics on country traffic in network |
| CN106375235A (en) * | 2016-08-30 | 2017-02-01 | 成都科来软件有限公司 | Method and device for obtaining specified IP (Internet Protocol) traffic information by statistics |
| CN106411934A (en) * | 2016-11-15 | 2017-02-15 | 平安科技(深圳)有限公司 | DoS(denial of service)/DDoS(distributed denial of service) attack detection method and device |
| CN106534068A (en) * | 2016-09-29 | 2017-03-22 | 广州华多网络科技有限公司 | Method and device for cleaning forged source IP in DDOS (Distributed Denial of Service) defense system |
| CN106537872A (en) * | 2014-07-18 | 2017-03-22 | 德国电信股份有限公司 | Method for detecting an attack in a communication network |
| CN106899608A (en) * | 2017-03-21 | 2017-06-27 | 杭州迪普科技股份有限公司 | A kind of method and device of the attack purpose IP for determining DDOS attack |
| CN107277073A (en) * | 2017-08-16 | 2017-10-20 | 北京新网数码信息技术有限公司 | A kind of method for monitoring network and device |
| CN107623685A (en) * | 2017-09-08 | 2018-01-23 | 杭州安恒信息技术有限公司 | The method and device of quick detection SYN Flood attacks |
| CN107666383A (en) * | 2016-07-29 | 2018-02-06 | 阿里巴巴集团控股有限公司 | Message processing method and device based on HTTPS agreements |
| CN107800674A (en) * | 2016-09-07 | 2018-03-13 | 百度在线网络技术(北京)有限公司 | A kind of method and apparatus for being used to detect the attack traffic of distributed denial of service |
| CN107819606A (en) * | 2017-09-29 | 2018-03-20 | 北京金山安全软件有限公司 | Network attack alarm method and device |
| CN107995046A (en) * | 2017-12-20 | 2018-05-04 | 北京搜狐新媒体信息技术有限公司 | A kind of network alarming analysis method, device and electronic equipment |
| CN108111476A (en) * | 2017-08-08 | 2018-06-01 | 西安交大捷普网络科技有限公司 | C&C channel detection methods |
| CN108768942A (en) * | 2018-04-20 | 2018-11-06 | 武汉绿色网络信息服务有限责任公司 | A kind of ddos attack detection method and detection device based on adaptive threshold |
| CN108924127A (en) * | 2018-06-29 | 2018-11-30 | 新华三信息安全技术有限公司 | A kind of generation method and device of flow baseline |
| CN109005181A (en) * | 2018-08-10 | 2018-12-14 | 深信服科技股份有限公司 | A kind of detection method, system and the associated component of DNS amplification attack |
| CN109194661A (en) * | 2018-09-13 | 2019-01-11 | 网易(杭州)网络有限公司 | Network attack alarm threshold configuration method, medium, device and calculating equipment |
| CN110519413A (en) * | 2019-09-10 | 2019-11-29 | 赛尔网络有限公司 | Ranking statistics method, apparatus, system and medium based on DNS over QUIC |
| US10547556B2 (en) | 2015-02-27 | 2020-01-28 | Nec Corporation | Control device, traffic control method, and computer readable medium |
| CN110784458A (en) * | 2019-10-21 | 2020-02-11 | 新华三信息安全技术有限公司 | Flow abnormity detection method and device and network equipment |
| CN110808994A (en) * | 2019-11-11 | 2020-02-18 | 杭州安恒信息技术股份有限公司 | Method and device for detecting brute force cracking operation and server |
| CN111181910A (en) * | 2019-08-12 | 2020-05-19 | 腾讯科技(深圳)有限公司 | Protection method and related device for distributed denial of service attack |
| CN111431852A (en) * | 2020-02-21 | 2020-07-17 | 厦门大学 | Browser history sniffing method and browser history monitoring method |
| CN111901284A (en) * | 2019-05-06 | 2020-11-06 | 阿里巴巴集团控股有限公司 | Flow control method and system |
| CN112333168A (en) * | 2020-10-27 | 2021-02-05 | 杭州安恒信息技术股份有限公司 | Attack identification method, device, equipment and computer readable storage medium |
| CN112491906A (en) * | 2020-12-01 | 2021-03-12 | 中山职业技术学院 | Parallel network intrusion detection system and control method thereof |
| CN113452651A (en) * | 2020-03-24 | 2021-09-28 | 百度在线网络技术(北京)有限公司 | Network attack detection method, device, equipment and storage medium |
| CN113518057A (en) * | 2020-04-09 | 2021-10-19 | 腾讯科技(深圳)有限公司 | Detection method and device for distributed denial of service attack and computer equipment thereof |
| CN113645624A (en) * | 2021-08-25 | 2021-11-12 | 广东省高峰科技有限公司 | Abnormal network data checking method and device |
| CN115118464A (en) * | 2022-06-10 | 2022-09-27 | 深信服科技股份有限公司 | Method and device for detecting defect host, electronic equipment and storage medium |
| TWI784938B (en) * | 2017-01-24 | 2022-12-01 | 香港商阿里巴巴集團服務有限公司 | Message cleaning method and device |
| US20230269270A1 (en) * | 2019-07-03 | 2023-08-24 | Netflix, Inc. | Attack mitigation in a packet-switched network |
Families Citing this family (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN106911578B (en) * | 2015-12-23 | 2020-09-08 | 中国移动通信集团公司 | Service data transmission method and device |
Family Cites Families (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN1156762C (en) * | 2001-12-04 | 2004-07-07 | 上海复旦光华信息科技股份有限公司 | By-pass investigation and remisson method for rejecting service attack |
| CN101465760A (en) * | 2007-12-17 | 2009-06-24 | 北京启明星辰信息技术股份有限公司 | Method and system for detecting abnegation service aggression |
| CN101572609A (en) * | 2008-04-29 | 2009-11-04 | 成都市华为赛门铁克科技有限公司 | Method and device for detecting and refusing service attack |
| CN101321171A (en) * | 2008-07-04 | 2008-12-10 | 北京锐安科技有限公司 | Method and apparatus for detecting distributed refusal service attack |
| CN101355463B (en) * | 2008-08-27 | 2011-04-20 | 成都市华为赛门铁克科技有限公司 | Method, system and equipment for judging network attack |
-
2009
- 2009-12-22 CN CN2009102434413A patent/CN101741847B/en active Active
-
2010
- 2010-01-12 WO PCT/CN2010/000050 patent/WO2011075922A1/en active Application Filing
Cited By (82)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102123136A (en) * | 2010-12-26 | 2011-07-13 | 广州大学 | Method for identifying DDoS (distributed denial of service) attack flow |
| CN102394786A (en) * | 2011-12-14 | 2012-03-28 | 武汉钢铁(集团)公司 | Hand-held network protocol and threat analyzer |
| CN103685168A (en) * | 2012-09-07 | 2014-03-26 | 中国科学院计算机网络信息中心 | Query request service method for DNS (Domain Name System) recursive server |
| CN103685168B (en) * | 2012-09-07 | 2016-12-07 | 中国科学院计算机网络信息中心 | A kind of inquiry request method of servicing of DNS recursion server |
| CN103001958A (en) * | 2012-11-27 | 2013-03-27 | 北京百度网讯科技有限公司 | Exception transmission control protocol (TCP) message processing method and device |
| CN103001958B (en) * | 2012-11-27 | 2016-03-16 | 北京百度网讯科技有限公司 | Abnormal T CP message processing method and device |
| CN104243408B (en) * | 2013-06-14 | 2017-11-21 | 中国移动通信集团公司 | The method, apparatus and system of message are monitored in domain name resolution service DNS systems |
| CN104243408A (en) * | 2013-06-14 | 2014-12-24 | 中国移动通信集团公司 | Method, device and system for monitoring messages in domain name resolution service DNS system |
| CN104348811B (en) * | 2013-08-05 | 2018-01-26 | 深圳市腾讯计算机系统有限公司 | Detecting method of distributed denial of service attacking and device |
| CN104348811A (en) * | 2013-08-05 | 2015-02-11 | 深圳市腾讯计算机系统有限公司 | Method and device for detecting attack of DDoS (distributed denial of service) |
| WO2015018303A1 (en) * | 2013-08-05 | 2015-02-12 | Tencent Technology (Shenzhen) Company Limited | Method and device for detecting distributed denial of service attack |
| CN103888282A (en) * | 2013-08-19 | 2014-06-25 | 中广核工程有限公司 | Network intrusion alarm method and system based on nuclear power plant |
| GB2532630B (en) * | 2013-08-19 | 2018-04-25 | China Nuclear Power Eng Co Ltd | Network intrusion alarm method and system for nuclear power plant |
| WO2015024315A1 (en) * | 2013-08-19 | 2015-02-26 | 中广核工程有限公司 | Network intrusion alarm method and system for nuclear power station |
| GB2532630A (en) * | 2013-08-19 | 2016-05-25 | China Nuclear Power Eng Co Ltd | Network intrusion alarm method and system for nuclear power station |
| CN103561011A (en) * | 2013-10-28 | 2014-02-05 | 中国科学院信息工程研究所 | Method and system for preventing blind DDoS attacks on SDN controllers |
| CN103561011B (en) * | 2013-10-28 | 2016-09-07 | 中国科学院信息工程研究所 | A kind of SDN controller method and system for preventing blind DDoS attacks on |
| CN106537872A (en) * | 2014-07-18 | 2017-03-22 | 德国电信股份有限公司 | Method for detecting an attack in a communication network |
| CN105656848B (en) * | 2014-11-13 | 2020-05-05 | 腾讯数码(深圳)有限公司 | Application layer rapid attack detection method and related device |
| CN105656848A (en) * | 2014-11-13 | 2016-06-08 | 腾讯数码(深圳)有限公司 | Method and related device for detecting quick attack of application layer |
| CN104660459A (en) * | 2015-01-15 | 2015-05-27 | 北京奥普维尔科技有限公司 | FPGA-based system and FPGA-based method for realizing online business scanning of 10 gigabit Ethernet |
| US10547556B2 (en) | 2015-02-27 | 2020-01-28 | Nec Corporation | Control device, traffic control method, and computer readable medium |
| CN106034105A (en) * | 2015-03-09 | 2016-10-19 | 国家计算机网络与信息安全管理中心 | OpenFlow switch and method for processing DDoS attack |
| CN105119735B (en) * | 2015-07-15 | 2018-07-06 | 百度在线网络技术(北京)有限公司 | A kind of method and apparatus for determining discharge pattern |
| CN105119735A (en) * | 2015-07-15 | 2015-12-02 | 百度在线网络技术(北京)有限公司 | Method and device for determining flow types |
| CN105337966A (en) * | 2015-10-16 | 2016-02-17 | 中国联合网络通信集团有限公司 | Processing method for network attacks and device |
| CN105337966B (en) * | 2015-10-16 | 2018-10-02 | 中国联合网络通信集团有限公司 | For the treating method and apparatus of network attack |
| CN105516151A (en) * | 2015-12-15 | 2016-04-20 | 北京奇虎科技有限公司 | Scanning-killing method and device of backdoor file |
| CN105516151B (en) * | 2015-12-15 | 2019-02-12 | 北京奇虎科技有限公司 | The checking and killing method and device of backdoor file |
| CN105554016A (en) * | 2015-12-31 | 2016-05-04 | 山石网科通信技术有限公司 | Network attack processing method and device |
| CN105743913A (en) * | 2016-03-31 | 2016-07-06 | 广州华多网络科技有限公司 | Method and device for detecting network attack |
| CN105743913B (en) * | 2016-03-31 | 2019-07-09 | 广州华多网络科技有限公司 | The method and apparatus for detecting network attack |
| CN106027549A (en) * | 2016-06-30 | 2016-10-12 | 大连楼兰科技股份有限公司 | Early warning method and device for address resolution protocol (ARP) flooding attacks in local area network |
| CN107666383A (en) * | 2016-07-29 | 2018-02-06 | 阿里巴巴集团控股有限公司 | Message processing method and device based on HTTPS agreements |
| CN106330746A (en) * | 2016-08-30 | 2017-01-11 | 成都科来软件有限公司 | Method and device for carrying out statistics on country traffic in network |
| CN106330746B (en) * | 2016-08-30 | 2019-04-16 | 成都科来软件有限公司 | The method and device of national flow in a kind of statistics network |
| CN106375235A (en) * | 2016-08-30 | 2017-02-01 | 成都科来软件有限公司 | Method and device for obtaining specified IP (Internet Protocol) traffic information by statistics |
| CN107800674A (en) * | 2016-09-07 | 2018-03-13 | 百度在线网络技术(北京)有限公司 | A kind of method and apparatus for being used to detect the attack traffic of distributed denial of service |
| CN106534068A (en) * | 2016-09-29 | 2017-03-22 | 广州华多网络科技有限公司 | Method and device for cleaning forged source IP in DDOS (Distributed Denial of Service) defense system |
| CN106534068B (en) * | 2016-09-29 | 2023-12-22 | 广州华多网络科技有限公司 | Method and device for cleaning counterfeit source IP in DDOS defense system |
| WO2018090544A1 (en) * | 2016-11-15 | 2018-05-24 | 平安科技(深圳)有限公司 | Method and device for detecting dos/ddos attack, server, and storage medium |
| CN106411934B (en) * | 2016-11-15 | 2017-11-21 | 平安科技(深圳)有限公司 | DoS/DDoS attack detection methods and device |
| JP2019501547A (en) * | 2016-11-15 | 2019-01-17 | 平安科技(深▲せん▼)有限公司 | Method, apparatus, server, and storage medium for detecting DoS / DDoS attack |
| CN106411934A (en) * | 2016-11-15 | 2017-02-15 | 平安科技(深圳)有限公司 | DoS(denial of service)/DDoS(distributed denial of service) attack detection method and device |
| US10404743B2 (en) | 2016-11-15 | 2019-09-03 | Ping An Technology (Shenzhen) Co., Ltd. | Method, device, server and storage medium of detecting DoS/DDoS attack |
| TWI784938B (en) * | 2017-01-24 | 2022-12-01 | 香港商阿里巴巴集團服務有限公司 | Message cleaning method and device |
| CN106899608A (en) * | 2017-03-21 | 2017-06-27 | 杭州迪普科技股份有限公司 | A kind of method and device of the attack purpose IP for determining DDOS attack |
| CN108111476A (en) * | 2017-08-08 | 2018-06-01 | 西安交大捷普网络科技有限公司 | C&C channel detection methods |
| CN108111476B (en) * | 2017-08-08 | 2021-01-19 | 西安交大捷普网络科技有限公司 | C & C channel detection method |
| CN107277073A (en) * | 2017-08-16 | 2017-10-20 | 北京新网数码信息技术有限公司 | A kind of method for monitoring network and device |
| CN107623685B (en) * | 2017-09-08 | 2020-04-07 | 杭州安恒信息技术股份有限公司 | Method and device for rapidly detecting SYN Flood attack |
| CN107623685A (en) * | 2017-09-08 | 2018-01-23 | 杭州安恒信息技术有限公司 | The method and device of quick detection SYN Flood attacks |
| CN107819606A (en) * | 2017-09-29 | 2018-03-20 | 北京金山安全软件有限公司 | Network attack alarm method and device |
| CN107995046B (en) * | 2017-12-20 | 2021-08-24 | 北京搜狐新媒体信息技术有限公司 | Network alarm analysis method and device and electronic equipment |
| CN107995046A (en) * | 2017-12-20 | 2018-05-04 | 北京搜狐新媒体信息技术有限公司 | A kind of network alarming analysis method, device and electronic equipment |
| CN108768942A (en) * | 2018-04-20 | 2018-11-06 | 武汉绿色网络信息服务有限责任公司 | A kind of ddos attack detection method and detection device based on adaptive threshold |
| CN108768942B (en) * | 2018-04-20 | 2020-10-30 | 武汉绿色网络信息服务有限责任公司 | DDoS attack detection method and detection device based on self-adaptive threshold |
| CN108924127B (en) * | 2018-06-29 | 2020-12-04 | 新华三信息安全技术有限公司 | Method and device for generating flow baseline |
| CN108924127A (en) * | 2018-06-29 | 2018-11-30 | 新华三信息安全技术有限公司 | A kind of generation method and device of flow baseline |
| CN109005181A (en) * | 2018-08-10 | 2018-12-14 | 深信服科技股份有限公司 | A kind of detection method, system and the associated component of DNS amplification attack |
| CN109005181B (en) * | 2018-08-10 | 2021-07-02 | 深信服科技股份有限公司 | Detection method, system and related components for DNS amplification attack |
| CN109194661A (en) * | 2018-09-13 | 2019-01-11 | 网易(杭州)网络有限公司 | Network attack alarm threshold configuration method, medium, device and calculating equipment |
| CN111901284A (en) * | 2019-05-06 | 2020-11-06 | 阿里巴巴集团控股有限公司 | Flow control method and system |
| US11985164B2 (en) * | 2019-07-03 | 2024-05-14 | Netflix, Inc. | Attack mitigation in a packet-switched network |
| US20230269270A1 (en) * | 2019-07-03 | 2023-08-24 | Netflix, Inc. | Attack mitigation in a packet-switched network |
| CN111181910A (en) * | 2019-08-12 | 2020-05-19 | 腾讯科技(深圳)有限公司 | Protection method and related device for distributed denial of service attack |
| CN111181910B (en) * | 2019-08-12 | 2021-10-08 | 腾讯科技(深圳)有限公司 | Protection method and related device for distributed denial of service attack |
| CN110519413A (en) * | 2019-09-10 | 2019-11-29 | 赛尔网络有限公司 | Ranking statistics method, apparatus, system and medium based on DNS over QUIC |
| CN110784458A (en) * | 2019-10-21 | 2020-02-11 | 新华三信息安全技术有限公司 | Flow abnormity detection method and device and network equipment |
| CN110808994A (en) * | 2019-11-11 | 2020-02-18 | 杭州安恒信息技术股份有限公司 | Method and device for detecting brute force cracking operation and server |
| CN110808994B (en) * | 2019-11-11 | 2022-01-25 | 杭州安恒信息技术股份有限公司 | Method and device for detecting brute force cracking operation and server |
| CN111431852B (en) * | 2020-02-21 | 2021-06-25 | 厦门大学 | Browser history sniffing method and browser history monitoring method |
| CN111431852A (en) * | 2020-02-21 | 2020-07-17 | 厦门大学 | Browser history sniffing method and browser history monitoring method |
| CN113452651B (en) * | 2020-03-24 | 2022-10-21 | 百度在线网络技术(北京)有限公司 | Network attack detection method, device, equipment and storage medium |
| CN113452651A (en) * | 2020-03-24 | 2021-09-28 | 百度在线网络技术(北京)有限公司 | Network attack detection method, device, equipment and storage medium |
| CN113518057A (en) * | 2020-04-09 | 2021-10-19 | 腾讯科技(深圳)有限公司 | Detection method and device for distributed denial of service attack and computer equipment thereof |
| CN113518057B (en) * | 2020-04-09 | 2024-03-08 | 腾讯科技(深圳)有限公司 | Method and device for detecting distributed denial of service attack and computer equipment thereof |
| CN112333168A (en) * | 2020-10-27 | 2021-02-05 | 杭州安恒信息技术股份有限公司 | Attack identification method, device, equipment and computer readable storage medium |
| CN112491906B (en) * | 2020-12-01 | 2022-07-15 | 中山职业技术学院 | Parallel network intrusion detection system and control method thereof |
| CN112491906A (en) * | 2020-12-01 | 2021-03-12 | 中山职业技术学院 | Parallel network intrusion detection system and control method thereof |
| CN113645624A (en) * | 2021-08-25 | 2021-11-12 | 广东省高峰科技有限公司 | Abnormal network data checking method and device |
| CN115118464A (en) * | 2022-06-10 | 2022-09-27 | 深信服科技股份有限公司 | Method and device for detecting defect host, electronic equipment and storage medium |
Also Published As
| Publication number | Publication date |
|---|---|
| WO2011075922A1 (en) | 2011-06-30 |
| CN101741847B (en) | 2012-11-07 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN101741847B (en) | Detecting method of DDOS (distributed denial of service) attacks | |
| CN106357673B (en) | A kind of multi-tenant cloud computing system ddos attack detection method and system | |
| Chen et al. | CBF: a packet filtering method for DDoS attack defense in cloud environment | |
| US8438639B2 (en) | Apparatus for detecting and filtering application layer DDoS attack of web service | |
| CN109005157A (en) | Ddos attack detection and defence method and system in a kind of software defined network | |
| KR101519623B1 (en) | DDoS detection apparatus and method, DDoS detection and prevention apparatus for reducing positive false | |
| Bethencourt et al. | Mapping Internet Sensors with Probe Response Attacks. | |
| US8001601B2 (en) | Method and apparatus for large-scale automated distributed denial of service attack detection | |
| CA2499938C (en) | Network bandwidth anomaly detector apparatus and method for detecting network attacks using correlation function | |
| US20110107412A1 (en) | Apparatus for detecting and filtering ddos attack based on request uri type | |
| CN108289088A (en) | Abnormal traffic detection system and method based on business model | |
| CN107623685B (en) | Method and device for rapidly detecting SYN Flood attack | |
| CN110225037B (en) | DDoS attack detection method and device | |
| CN101383694A (en) | Defense method and system rejecting service attack based on data mining technology | |
| CN101369897B (en) | Method and equipment for detecting network attack | |
| CN109561051A (en) | Content distributing network safety detection method and system | |
| CN107864155A (en) | A kind of DDOS attack detection method of high-accuracy | |
| CN108632224A (en) | A kind of APT attack detection methods and device | |
| CN109617868A (en) | A kind of detection method of DDOS attack, device and detection service device | |
| CN106254318A (en) | A kind of Analysis of Network Attack method | |
| CN105282152A (en) | Abnormal flow detection method | |
| CN106027546A (en) | Network attack detection method, device and system | |
| JP2008118242A (en) | Method and device for detecting abnormal traffic, and program | |
| CN116760649B (en) | Data security protection and early warning method based on big data | |
| CN116633685A (en) | Analysis method based on IPv6 development situation monitoring |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C14 | Grant of patent or utility model | ||
| GR01 | Patent grant | ||
| PE01 | Entry into force of the registration of the contract for pledge of patent right |
Denomination of invention: Detecting method of DDOS (distributed denial of service) attacks Effective date of registration: 20150723 Granted publication date: 20121107 Pledgee: China Co truction Bank Corp Beijing Zhongguancun branch Pledgor: Rui-an Science and Technology Co., Ltd., Beijing Registration number: 2014990000497 |
|
| PLDC | Enforcement, change and cancellation of contracts on pledge of patent right or utility model | ||
| PC01 | Cancellation of the registration of the contract for pledge of patent right |
Date of cancellation: 20180327 Granted publication date: 20121107 Pledgee: China Co truction Bank Corp Beijing Zhongguancun branch Pledgor: Rui-an Science and Technology Co., Ltd., Beijing Registration number: 2014990000497 |
|
| PC01 | Cancellation of the registration of the contract for pledge of patent right | ||
| PE01 | Entry into force of the registration of the contract for pledge of patent right |
Denomination of invention: Detecting method of DDOS (distributed denial of service) attacks Effective date of registration: 20180627 Granted publication date: 20121107 Pledgee: China Co truction Bank Corp Beijing Zhongguancun branch Pledgor: Rui-an Science and Technology Co., Ltd., Beijing Registration number: 2018110000015 |
|
| PE01 | Entry into force of the registration of the contract for pledge of patent right | ||
| PC01 | Cancellation of the registration of the contract for pledge of patent right |
Date of cancellation: 20210128 Granted publication date: 20121107 Pledgee: China Co. truction Bank Corp Beijing Zhongguancun branch Pledgor: Run Technologies Co.,Ltd. Beijing Registration number: 2018110000015 |
|
| PC01 | Cancellation of the registration of the contract for pledge of patent right |