CN101841533A - Method and device for detecting distributed denial-of-service attack


Info

Publication number: CN101841533A
Authority: CN (China)
Prior art keywords: ddos attack; dns server; log information; characteristic vector; distributed denial
Legal status: Granted
Application number: CN201010129304A
Priority application: CN201010129304.XA
Other languages: Chinese (zh)
Other versions: CN101841533B (en)
Inventors: 李晓东, 毛伟, 吴军, 王欣, 金键
Current assignee: China Internet Network Information Center
Original assignee: Computer Network Information Center of CAS

Abstract

The invention discloses a method and a device for detecting a distributed denial-of-service attack. The method comprises the following steps: acquiring the query log information recorded on a DNS (Domain Name Server); and detecting, according to the acquired query log information, whether a DDoS (Distributed Denial of Service) attack behaviour aimed at the DNS exists. The device comprises an information acquisition module and a detection module. On the basis of the query log information on the DNS, the technical scheme of the invention can effectively detect DDoS attack behaviour and prevent the DNS from being attacked by DDoS.

Description

Method and device for detecting distributed denial-of-service attacks
Technical field
Embodiments of the invention relate to the technical field of detecting distributed denial-of-service attacks, and in particular to a method and device for detecting distributed denial-of-service attacks.
Background technology
With the continuous development of network technology, attacks launched by hackers over the Internet are also increasing, and the distributed denial-of-service (Distributed Denial of Service, DDoS) attack is one of the common means of attack.
DDoS attacks take many forms, but their common strategy is to exploit protocol weaknesses: a large number of "zombie hosts" send a flood of seemingly legitimate network packets to the victim host, causing network congestion or exhausting server resources so that service is denied. Using DDoS to attack the domain name system (Domain Name System, DNS) is one such common hacker behaviour. DNS is a core service of the Internet infrastructure: it comprises a distributed database mapping between domain names and Internet Protocol (Internet Protocol, IP) addresses, together with the software that converts domain names into the IP addresses the network can recognise, and it plays an important role in the network. Once a DNS server suffers a DDoS attack, the whole network is seriously affected, with catastrophic consequences. At present, the main measures for guarding against DDoS attacks on DNS are: deploying high-performance network equipment, ensuring sufficient network bandwidth, upgrading the server hardware, hardening the TCP/IP protocol stack of the operating system, or installing a dedicated anti-DDoS firewall.
In the course of realizing the invention, the inventors found that the prior art fails to carry out active and effective detection of DDoS attacks against DNS servers; it mainly guards against DDoS attacks, or reduces their impact, by way of passive defence, so that the cost of defending against DDoS attacks is high and the protection effect is poor.
Summary of the invention
The invention provides a method and device for detecting distributed denial-of-service attacks, which can detect DDoS attack behaviour in real time and actively on the basis of DNS query data, so that the attack can be handled in time and its impact on the DNS server eliminated.
An embodiment of the invention provides a method for detecting distributed denial-of-service attacks, comprising:
obtaining the query log information recorded on a DNS server;
detecting, according to the obtained query log information, whether a DDoS attack behaviour against the DNS server exists.
Wherein detecting, according to the obtained query log information, whether a DDoS attack behaviour against the DNS server exists comprises:
detecting whether a DDoS attack behaviour against the DNS server exists on the basis of a multilayer perceptron neural network and the query log information currently recorded on the DNS server.
Before detecting whether a DDoS attack behaviour against the DNS server exists on the basis of the multilayer perceptron neural network and the currently recorded query log information, the method further comprises:
extracting, from all the query log information recorded on the DNS server, feature vectors reflecting DDoS attack characteristics;
training, on the extracted feature vectors reflecting DDoS attack characteristics, to obtain the multilayer perceptron neural network.
Extracting the feature vectors reflecting DDoS attack characteristics comprises:
extracting the feature vectors reflecting DDoS attack characteristics at a preset time granularity.
The multilayer perceptron neural network comprises an input layer, a hidden layer and an output layer, wherein the input to the input layer is the feature vector reflecting DDoS attack characteristics.
The feature vector reflecting DDoS attack characteristics comprises at least one of:
the DNS query volume, the standard deviation of the query rate, the IP space size, the name space size, the number of queries whose source port is set to 53, the change in the entropy of the query record types, the ratio of queries set as recursive, and the average domain name length.
An embodiment of the invention provides a device for detecting distributed denial-of-service attacks, comprising:
an information acquisition module for obtaining the query log information recorded on a DNS server;
a detection module for detecting, according to the obtained query log information, whether a DDoS attack behaviour against the DNS server exists.
Wherein the detection module is specifically for detecting whether a DDoS attack behaviour against the DNS server exists on the basis of a multilayer perceptron neural network and the query log information currently recorded on the DNS server.
The above device may further comprise:
a feature vector extraction module for extracting, from all the query log information recorded on the DNS server, feature vectors reflecting DDoS attack characteristics;
a neural network training module for training, on the extracted feature vectors reflecting DDoS attack characteristics, to obtain the multilayer perceptron neural network.
The feature vector extraction module is specifically for extracting the feature vectors reflecting DDoS attack characteristics from all the query log information recorded on the DNS server at a preset time granularity.
By detecting, according to the DNS query log information, whether a DDoS attack behaviour against the DNS server exists, the embodiments of the invention can detect DDoS attack behaviour actively, with high detection efficiency and effect, and improve the accuracy and reliability of DDoS attack detection; the detection result can be sent to the associated processing device or to administrators for handling, eliminating the impact of the DDoS attack on the DNS server. In addition, by extracting feature vectors reflecting the DDoS attack and using a multilayer perceptron neural network to detect DDoS attack behaviour, the embodiments make DDoS attack detection accurate and reliable, with low computational load, low deployment cost and high detection efficiency.
Description of drawings
Fig. 1 is a schematic flow chart of embodiment one of the method for detecting distributed denial-of-service attacks of the invention;
Fig. 2 is a schematic flow chart of embodiment two of the method for detecting distributed denial-of-service attacks of the invention;
Fig. 3 is a schematic flow chart of training the multilayer perceptron neural network in embodiment two of the method for detecting distributed denial-of-service attacks of the invention;
Fig. 4 is a schematic structural diagram of the multilayer perceptron neural network in the embodiments of the invention;
Fig. 5 is a schematic diagram of training the multilayer perceptron neural network in a practical application of the embodiments of the invention;
Fig. 6 is a schematic diagram of the DDoS attack detection rate in a practical application of the embodiments of the invention;
Fig. 7 is a schematic diagram of the variation of DDoS attack detection accuracy and false alarm rate in a practical application of the embodiments of the invention;
Fig. 8 is a schematic structural diagram of embodiment one of the device for detecting distributed denial-of-service attacks of the invention;
Fig. 9 is a schematic structural diagram of embodiment two of the device for detecting distributed denial-of-service attacks of the invention.
Embodiment
To make the purpose, technical scheme and advantages of the embodiments of the invention clearer, the technical scheme in the embodiments of the invention is described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are only some, not all, of the embodiments of the invention. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the invention without creative effort fall within the scope of protection of the invention.
Because DNS is a distributed database, the database can be controlled locally through the DNS protocol, both between the internal modules of a server and between servers, while users in the network are also allowed to access each part of the data in client or server mode. Therefore, when host users access a DNS server, the DNS server can record the query behaviour of all host users: each query is recorded as data and saved as query log information. The query log information recorded by the DNS server mainly comprises the following fields:
(1) timestamp: the time at which the query request arrived at the DNS server, generally accurate to the millisecond;
(2) source IP address: the IP address of the host that sent the query request;
(3) source port number: the port number set by the host that sent the query request;
(4) query content: the target domain name or target IP address of the query request;
(5) query record type: the record type in the DNS server at which the query request is directed;
(6) flag bits: the settings of the various flag bits in the DNS query packet of the query request, which mainly instruct the DNS server to perform the relevant operations.
Because the query log information recorded by the DNS server is a record of the behaviour associated with a large number of DNS queries, it reflects the behaviour of those currently accessing the DNS server. The embodiments of the invention therefore propose a technical scheme for actively detecting DDoS attack behaviour on the basis of the query log information, so as to discover attacks against the DNS server in a timely and effective way, protect the DNS server from malicious attack, and improve its security and reliability. The technical scheme of the invention is described in detail below with reference to embodiments.
Fig. 1 is a schematic flow chart of embodiment one of the method for detecting distributed denial-of-service attacks of the invention. Specifically, as shown in Fig. 1, the detection method of this embodiment may comprise the following steps:
Step 101: obtain the query log information recorded on the DNS server;
Step 102: detect, according to the obtained query log information, whether a DDoS attack behaviour against the DNS server exists.
The embodiments of the invention can be applied to the detection of DDoS attacks against a DNS server. Specifically, on the basis of the query log information that the DNS server records for the various queries directed at it, whether a DDoS attack against the DNS server exists can be detected actively, and when one is detected the associated processing device or administrators can be notified to handle it, so as to avoid the damage the DDoS attack would cause to the DNS server. Because the query log information recorded on the DNS server effectively reflects the various DDoS attack behaviours, the DDoS attack behaviour present can be detected accurately from it.
It can be seen that, by detecting, according to the DNS query log information, whether a DDoS attack behaviour against the DNS server exists, the embodiments of the invention can detect DDoS attack behaviour actively, with high detection efficiency and effect, and improve the accuracy and reliability of DDoS attack detection; the detection result can be sent to the associated processing device or to administrators for handling, eliminating the impact of the DDoS attack on the DNS server.
Fig. 2 is a schematic flow chart of embodiment two of the method for detecting distributed denial-of-service attacks of the invention. On the basis of the technical scheme of the embodiment shown in Fig. 1, this embodiment processes the query log information recorded on the DNS server with a multilayer perceptron neural network to obtain the DDoS attack detection result. Specifically, as shown in Fig. 2, this embodiment may comprise the following steps:
Step 201: obtain the query log information recorded on the DNS server;
Step 202: detect whether a DDoS attack behaviour against the DNS server exists on the basis of the multilayer perceptron neural network and the query log information currently recorded on the DNS server.
Because DDoS attacks are mostly carried out jointly by many attackers, the query behaviour directed at the DNS server during a DDoS attack is extensive, and most of the large volume of data recorded by the DNS server is nonlinear. This embodiment therefore detects DDoS attack behaviour with a multilayer perceptron neural network, which can summarize the characteristics of the various attack behaviours through learning and so identify DDoS attack behaviour. Specifically, the neural network is trained from the query log information recorded on the DNS server: feature vectors reflecting DDoS attack characteristics are extracted and used to train the multilayer perceptron neural network, and the DDoS attack detection result is then obtained from the feature vector reflecting the DDoS attack extracted from the current DNS server data and the trained neural network.
Fig. 3 is a schematic flow chart of training the multilayer perceptron neural network in embodiment two of the method for detecting distributed denial-of-service attacks of the invention. As shown in Fig. 3, training the multilayer perceptron neural network in this embodiment may specifically comprise the following steps:
Step 301: extract, from all the query log information recorded on the DNS server, feature vectors reflecting DDoS attack characteristics.
In this embodiment, the feature vectors reflecting DDoS attack characteristics are extracted at a preset time granularity; specifically, the preset time is set to 1 minute, i.e. the feature vectors reflecting DDoS attack characteristics are obtained from the recorded query log information minute by minute.
In this embodiment, the feature vector reflecting DDoS attack characteristics may specifically comprise at least one of: the DNS query volume, the standard deviation of the query rate, the IP space size, the name space size, the number of queries whose source port is set to 53, the change in the entropy of the query record types, the ratio of queries set as recursive, and the average domain name length. In general, the more kinds of feature vector are obtained, the stronger the discrimination of DDoS attack behaviour by the multilayer perceptron neural network obtained after training, and the higher the accuracy of the detected DDoS attack behaviour. In the embodiments of the invention, the above 8 feature vectors are used to train the multilayer neural network, so as to improve the accuracy and reliability of DDoS attack detection.
The feature vectors reflecting DDoS characteristics extracted in the embodiments of the invention are described in turn below:
(1) DNS query volume: this feature is obtained by averaging the query volume over one minute;
(2) standard deviation of the query rate: this feature is calculated from the query rates arriving within a one-minute time window, with the specific formula:
$$S = \sqrt{\frac{1}{n}\left[(x_1 - m)^2 + (x_2 - m)^2 + \dots + (x_n - m)^2\right]}$$
where n is the number of seconds recorded in the query data within one minute, $x_i$ ($i = 1, 2, \dots, n$) is the query volume in the i-th second, and m is the average per-second query volume within the minute;
(3) IP space size: this feature is the number of host users that sent DNS query requests within one minute;
(4) name space size: this feature is the number of domain names accessed within one minute;
(5) number of queries with source port set to 53: this feature is the number of queries whose source port number is set to 53; because some DDoS attacks against DNS set the source port to 53, extracting this feature for queries with that setting is very necessary;
(6) change in the entropy of the query record types: the formula for this feature can be expressed as:
$$H(P_1, \dots, P_n) = -\sum_{i=1}^{n} P(x_i) \log_2 P(x_i)$$
where n is the number of record types in the time window, $P_i$ ($i = 1, 2, \dots, n$) is the probability of the i-th record type appearing, and $x_i$ ($i = 1, 2, \dots, n$) is the i-th record type;
(7) ratio of queries set as recursive: because some DDoS attacks set queries to be recursive to increase the attack effect, extracting this feature is very necessary;
(8) average domain name length: because in some DDoS attacks the queried domain names are generated randomly by a program, which inevitably changes the average domain name length in the query data, extracting the average-domain-name-length feature is very necessary.
Step 302: train, on the extracted feature vectors reflecting DDoS attack characteristics, to obtain the multilayer perceptron neural network.
The multilayer perceptron neural network can be trained accurately from the 8 feature vectors obtained in step 301. The extracted feature vectors summarize and embody the DDoS attack characteristics to a great extent, so the multilayer perceptron neural network trained on them has a high discrimination rate, making DDoS attack detection more accurate and reliable.
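The per-minute extraction of features (1) to (8) for step 301, as an added example that is not part of the patent: the log line layout (timestamp in ms, source IP, source port, query name, record type, recursion-desired bit) and all sample values are constructed assumptions, and feature (6) is taken as the entropy difference between consecutive one-minute windows.

```python
"""Feature extraction for the DDoS detector described above: the eight
per-minute features are computed from DNS query-log records. This is an added
example, not code from the patent; the log line layout below
("timestamp_ms src_ip src_port qname qtype rd") is a constructed assumption."""
import math
from collections import Counter, defaultdict

WINDOW_MS = 60_000          # preset time granularity: one minute
WINDOW_SECONDS = 60

# Constructed sample log: two one-minute windows. The second window looks
# attack-like (source port 53, recursion desired, random-looking labels).
SAMPLE_LOG = """\
1600000000123 192.0.2.10 40123 www.example.com A 1
1600000000456 192.0.2.11 53 mail.example.com MX 1
1600000001002 192.0.2.10 40124 www.example.com A 0
1600000001777 198.51.100.5 53 xk3f9qzp.example.net A 1
1600000002100 198.51.100.6 53 qq0wlm2a.example.net A 1
1600000002950 192.0.2.12 51000 example.org AAAA 0
1600000020500 203.0.113.9 53 a9z1k2m4.example.net A 1
1600000021000 203.0.113.9 53 b7c3d5e8.example.net A 1
"""


def parse_log(text):
    """Parse the constructed log format into dicts with the six fields the
    patent lists (timestamp, source IP, source port, query name, record type,
    and the recursion-desired flag bit)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, port, qname, qtype, rd = line.split()
        records.append({"ts_ms": int(ts), "src_ip": ip, "src_port": int(port),
                        "qname": qname, "qtype": qtype, "rd": rd == "1"})
    return records


def rate_std_dev(records, window_start_ms):
    """S = sqrt((1/n) * sum_i (x_i - m)^2): n is the number of seconds in the
    window, x_i the queries arriving in second i, m the mean per-second count."""
    counts = [0] * WINDOW_SECONDS
    for r in records:
        sec = (r["ts_ms"] - window_start_ms) // 1000
        counts[sec] += 1
    m = sum(counts) / WINDOW_SECONDS
    return math.sqrt(sum((x - m) ** 2 for x in counts) / WINDOW_SECONDS)


def record_type_entropy(records):
    """H = -sum_i P(x_i) log2 P(x_i) over the record types seen in the window."""
    total = len(records)
    return -sum((c / total) * math.log2(c / total)
                for c in Counter(r["qtype"] for r in records).values())


def extract_features(records, window_start_ms, prev_entropy=0.0):
    """The eight features of one window. Feature (6) is the change in
    record-type entropy relative to the previous window, so the caller passes
    the previous value (0.0 for the first window)."""
    n = len(records)
    entropy = record_type_entropy(records)
    return {
        "query_volume": n / WINDOW_SECONDS,                 # (1) mean queries per second
        "rate_std_dev": rate_std_dev(records, window_start_ms),       # (2)
        "ip_space_size": len({r["src_ip"] for r in records}),         # (3)
        "name_space_size": len({r["qname"] for r in records}),        # (4)
        "source_port_53": sum(r["src_port"] == 53 for r in records),  # (5)
        "entropy_change": entropy - prev_entropy,           # (6)
        "recursive_ratio": sum(r["rd"] for r in records) / n,         # (7)
        "avg_name_length": sum(len(r["qname"]) for r in records) / n,  # (8)
        "entropy": entropy,                                 # kept for the next window
    }


def features_per_window(records):
    """Group records by one-minute window and return (window_start_ms,
    features) pairs in time order."""
    buckets = defaultdict(list)
    for r in records:
        buckets[(r["ts_ms"] // WINDOW_MS) * WINDOW_MS].append(r)
    result, prev_entropy = [], 0.0
    for start in sorted(buckets):
        feats = extract_features(buckets[start], start, prev_entropy)
        prev_entropy = feats["entropy"]
        result.append((start, feats))
    return result


if __name__ == "__main__":
    for start, feats in features_per_window(parse_log(SAMPLE_LOG)):
        print(start, {k: round(v, 3) for k, v in feats.items()})
```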
Fig. 4 is a schematic structural diagram of the multilayer perceptron neural network in the embodiments of the invention. In this embodiment, the multilayer perceptron neural network may comprise an input layer, a hidden layer and an output layer, wherein the input to the input layer is the feature vector reflecting DDoS attack characteristics. Specifically, as shown in Fig. 4, the input layer of this embodiment comprises 8 input units X1, X2, X3, X4, X5, X6, X7 and X8, serving as the input interfaces for the 8 feature vectors reflecting the DDoS attack described above; the hidden layer comprises 20 units; and the output layer comprises one unit, which outputs the detection result as "0" or "1". Whether a DDoS attack against the DNS server exists can be determined from this output value, where "1" indicates an attack and "0" indicates normal service.
In this embodiment, when the multilayer perceptron neural network is trained, the training data are the input matrix formed from the feature vectors extracted from the query log information recorded on the DNS server together with a preset target vector, and training uses the back-propagation algorithm, so that the multilayer perceptron neural network obtained after training has a high discrimination rate for DDoS attacks and effectively improves the accuracy and reliability of DDoS attack detection. After the multilayer perceptron neural network has been trained, the DNS query log information can be read in real time, the corresponding feature vectors extracted from it and input to the multilayer perceptron neural network, and the detection result output by the network: if the result is 1, the DNS server is suffering a DDoS attack; if the result is 0, the DNS server is working normally.
In the embodiments of the invention, the multilayer perceptron neural network can handle incomplete, distorted and even nonlinear data, and so can effectively process the query data recorded on the DNS server during a DDoS attack; at the same time, the multilayer perceptron neural network has a fast response time and can detect existing DDoS attack behaviour in real time, so that the DDoS attack signal is raised before the DNS server suffers a catastrophic collapse, thereby predicting the DDoS intrusion behaviour and improving the effectiveness and reliability of DDoS detection; in addition, the multilayer perceptron neural network can summarize the characteristics of various DDoS attack behaviours through learning and identify the various attack behaviours that do not match current normal behaviour, improving the accuracy and reliability of DDoS attack detection.
In this embodiment, DDoS attack detection is carried out with a multilayer perceptron neural network trained on feature vectors reflecting DDoS attack characteristics extracted from the query log information recorded by the DNS, and the output detection result is either that the DNS server is suffering a DDoS attack or that it is providing service normally; the detection of DDoS attacks on the DNS server is thus converted into a binary classification problem, which effectively improves the agility and accuracy of the whole DDoS attack detection. At the same time, the embodiments of the invention involve only feature extraction and the training of the multilayer perceptron neural network, so that the computational load and deployment cost of DDoS attack detection are both low.
It can be seen that the embodiments of the invention detect DDoS attacks through a multilayer perceptron neural network and the query log information recorded on the DNS server, converting the detection of DDoS attacks on the DNS server into a binary classification problem, which effectively improves the speed and convenience of DDoS attack detection and gives it high accuracy and reliability; at the same time, the DDoS attack detection of this embodiment has a small computational load, low deployment cost, fast detection speed and high detection accuracy, can actively detect DDoS attacks on the DNS server in real time, and prevents the DNS server from suffering the impact of DDoS attacks.
Fig. 5 is a schematic diagram of training the multilayer perceptron neural network in a practical application of the embodiments of the invention. According to the technical scheme of the embodiments, feature vectors reflecting the DDoS attack are first extracted from the query log information recorded by the DNS server, the 8 feature vectors obtained are formed into an input matrix as the sample input for training the multilayer perceptron neural network, a target vector is set at the same time, and training is carried out with the back-propagation algorithm. In practical application, the training data of the neural network can be divided into three data sets: a training set, a validation set and a test set. The training set is used to train the neural network, letting the network adjust and correct its connection weights and biases by comparing the error between the output class and the target class; the validation set is used to measure the generalization of the network and to stop the training process in time when generalization no longer improves, which avoids "over-fitting" of the network; the test set is independent of the training process and is used to test the network separately after training finishes, to check its discrimination rate. Fig. 5 shows the overall performance of neural network training with this embodiment: as the training epochs advance, the mean square error (Mean Square Error, MSE) of all three data sets decreases gradually; at the 39th epoch an inflection point appears in the validation-set MSE curve, where the validation-set MSE reaches its minimum, and the training process stops. That is, when this neural network has been trained to the 39th epoch its performance is optimal and training ends.
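The 8-20-1 multilayer perceptron of Fig. 4 and the training-set/validation-set/test-set procedure with early stopping on validation MSE described for Fig. 5, as an added example in pure Python that is not the patent's code; the feature vectors are constructed and assumed already normalised to [0, 1], and the epoch at which training stops depends on the constructed data, not on the patent's 39th epoch.

```python
"""An 8-20-1 multilayer perceptron trained by back-propagation with
train/validation/test sets and early stopping on validation MSE, as described
above and for Fig. 5. Added example in pure Python, not the patent's code;
the feature vectors are constructed and assumed normalised to [0, 1]."""
import copy
import math
import random

N_IN, N_HIDDEN = 8, 20      # eight features, twenty hidden units, one output


def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


class MLP:
    def __init__(self, rng):
        self.w1 = [[rng.uniform(-0.5, 0.5) for _ in range(N_IN)]
                   for _ in range(N_HIDDEN)]          # input -> hidden weights
        self.b1 = [0.0] * N_HIDDEN
        self.w2 = [rng.uniform(-0.5, 0.5) for _ in range(N_HIDDEN)]  # hidden -> output
        self.b2 = 0.0

    def forward(self, x):
        h = [sigmoid(sum(w * xi for w, xi in zip(row, x)) + b)
             for row, b in zip(self.w1, self.b1)]
        y = sigmoid(sum(w * hj for w, hj in zip(self.w2, h)) + self.b2)
        return h, y

    def backprop(self, x, target, lr):
        """One stochastic gradient step on the squared error (y - target)^2."""
        h, y = self.forward(x)
        d_out = (y - target) * y * (1.0 - y)
        d_hid = [d_out * self.w2[j] * h[j] * (1.0 - h[j]) for j in range(N_HIDDEN)]
        for j in range(N_HIDDEN):
            self.w2[j] -= lr * d_out * h[j]
            self.b1[j] -= lr * d_hid[j]
            for i in range(N_IN):
                self.w1[j][i] -= lr * d_hid[j] * x[i]
        self.b2 -= lr * d_out

    def predict(self, x):
        """1 = attack, 0 = normal service, thresholding the output unit at 0.5."""
        return 1 if self.forward(x)[1] >= 0.5 else 0


def mse(net, data):
    return sum((net.forward(x)[1] - t) ** 2 for x, t in data) / len(data)


def make_samples(rng, n, attack):
    """Constructed normalised feature vectors in the order of features (1)-(8).
    Attack minutes have high volume, IP/name space, port-53 count, recursion
    ratio and name length; the rate and entropy features are uninformative noise."""
    lo, hi = (0.6, 1.0) if attack else (0.0, 0.4)
    target = 1.0 if attack else 0.0
    return [([rng.uniform(lo, hi), rng.random(), rng.uniform(lo, hi),
              rng.uniform(lo, hi), rng.uniform(lo, hi), rng.random(),
              rng.uniform(lo, hi), rng.uniform(lo, hi)], target)
            for _ in range(n)]


def train_early_stopping(train, valid, lr=0.5, max_epochs=200, patience=25, seed=0):
    """Train until validation MSE has not improved for `patience` epochs;
    return the network snapshot from the best epoch and that epoch number."""
    rng = random.Random(seed)
    net = MLP(rng)
    best_net, best_mse, best_epoch = copy.deepcopy(net), float("inf"), 0
    for epoch in range(1, max_epochs + 1):
        rng.shuffle(train)
        for x, t in train:
            net.backprop(x, t, lr)
        v = mse(net, valid)
        if v < best_mse:
            best_net, best_mse, best_epoch = copy.deepcopy(net), v, epoch
        elif epoch - best_epoch >= patience:
            break
    return best_net, best_epoch


def evaluate(net, test):
    """True-positive rate and false-positive rate, the two confusion-matrix
    figures the description reports."""
    tp = sum(net.predict(x) == 1 for x, t in test if t == 1.0)
    fp = sum(net.predict(x) == 1 for x, t in test if t == 0.0)
    pos = sum(t == 1.0 for _, t in test)
    return tp / pos, fp / (len(test) - pos)


def demo(seed=0):
    rng = random.Random(seed)
    normal, attack = make_samples(rng, 40, False), make_samples(rng, 40, True)
    # stratified split: 24/8/8 per class for training / validation / test
    train = normal[:24] + attack[:24]
    valid = normal[24:32] + attack[24:32]
    test = normal[32:] + attack[32:]
    net, best_epoch = train_early_stopping(train, valid, seed=seed)
    tpr, fpr = evaluate(net, test)
    return {"best_epoch": best_epoch, "tpr": tpr, "fpr": fpr}


if __name__ == "__main__":
    print(demo())
```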
Fig. 6 is a schematic diagram of the DDoS attack detection rate in a practical application of the embodiments of the invention. As shown in Fig. 6, this embodiment achieves high detection efficiency when applied to DDoS attack detection. The numbers in cells 1 and 2 on the diagonal of the confusion matrix in Fig. 6 are the numbers of samples for which the output of the neural network classifier agrees with the target, i.e. the correctly identified samples, and the percentages in cells 1 and 2 are their shares of the total number of samples; the percentage 98.2% in cell 3 on the diagonal of the confusion matrix is the overall identification accuracy, and the percentage 1.8% is the error or mismatch rate; the percentage 86.4% in cell 4 at the lower left of the diagonal is the correct detection rate (True Positive Rate, TPR), an important criterion in detection theory, the larger the better, which reflects the sensitivity of the neural network; the percentage 0.0% in the middle cell 5 below it is the false detection rate (False Positive Rate, FPR), another important criterion in detection theory, the smaller the better, which reflects the false alarm rate of the neural network, i.e. the proportion of normal traffic wrongly reported as attack. As can be seen from Fig. 5, when this embodiment is used for DDoS attack detection, TPR = 86.4% and FPR = 0.0%: the neural network has very high sensitivity and produces no false alarms.
Fig. 7 is a schematic diagram of the variation of DDoS attack detection accuracy and false alarm rate in a practical application of the embodiments of the invention. Fig. 7 reflects the variation of detection accuracy and false alarm rate when this embodiment is used for DDoS attack detection, where the ROC curve (Receiver Operating Curve) shows the variation of, and the correlation between, TPR and FPR in the neural network classification process. As can be seen from Fig. 7, the ROC curve lies close to the upper left corner, showing that this neural network has a satisfactory detection effect, with TPR > 0.8 and FPR close to 0.
Fig. 8 is the structural representation of Detection of Distributed Denial of Service Attacks device embodiment one of the present invention.Particularly, as shown in Figure 8, the present embodiment device comprises information acquisition module 1 and detection module 2, wherein:
Information acquisition module 1 is used to obtain the inquiry log information that writes down on the dns server;
Detection module 2 is used for detecting the ddos attack behavior that whether exists at described dns server according to the described inquiry log information that obtains.
The embodiment of the invention can be applicable in the detection at the ddos attack of dns server, by according to write down on the dns server at the various inquiries of dns server inquiry log information, whether active detecting exists the ddos attack at dns server, its specific implementation process can not repeat them here with reference to the explanation of the invention described above method embodiment.
The embodiment of the invention detects by the ddos attack behavior at dns server that exists according to DNS inquiry log information, can be on one's own initiative to detecting the ddos attack behavior, and have higher DNS detection efficiency and detect effect, improve accuracy and reliability that ddos attack detects, and testing result can be notified associated processing device or administrative staff handle, eliminate the influence that ddos attack causes dns server.
Fig. 9 is a schematic structural diagram of embodiment two of the distributed denial-of-service attack detection device of the present invention. As shown in Fig. 9, this embodiment comprises an information acquisition module 1, a detection module 2, a characteristic vector extraction module 3 and a neural network training module 4, wherein:
the information acquisition module 1 is used to obtain the query log information recorded on the DNS server;
the detection module 2 is used to detect, based on a multi-layer perceptron neural network and the query log information currently recorded on the DNS server, whether a DDoS attack behavior against the DNS server exists;
the characteristic vector extraction module 3 is used to extract, according to all the query log information recorded on the DNS server, a characteristic vector reflecting DDoS attack features;
the neural network training module 4 is used to train and obtain the multi-layer perceptron neural network based on the extracted characteristic vector reflecting DDoS attack features.
In this embodiment, after the information acquisition module 1 obtains the query log information recorded on the DNS server, the characteristic vector extraction module 3 and the neural network training module 4 may first train the multi-layer perceptron neural network, and the detection module 2 may then use the trained multi-layer perceptron neural network to perform DDoS attack detection. Its specific implementation process may refer to the description of method embodiment two of the invention above and is not repeated here.
The embodiment of the invention performs DDoS attack detection by means of a multi-layer perceptron neural network and the query log information recorded on the DNS server, which turns the detection of DDoS attacks against the DNS server into a binary classification problem. This effectively improves the speed and convenience of DDoS attack detection and gives it higher accuracy and reliability; at the same time, the DDoS attack detection of this embodiment has a smaller computational load, a lower deployment cost, a faster detection speed and a higher detection accuracy rate, so that DDoS attacks against the DNS server can be detected proactively and in real time, preventing the DNS server from suffering the effects of a DDoS attack.
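To make the binary-classification formulation of this embodiment concrete, and to show where the TPR and FPR plotted in Fig. 7 come from, the following is an added example and not code from the patent or its assignee: a minimal multi-layer perceptron in pure Python with one hidden layer (the input/hidden/output structure of claim 5), trained by gradient descent on constructed, already-normalised feature vectors (the eight features of claim 6 scaled to [0, 1]), which then labels held-out windows and reports the TPR and FPR of the thresholded classifier. The feature values, the network size, the learning rate and the epoch count are all assumptions made for the example.

```python
import math

# Constructed training windows: eight features in the order of claim 6
# (query-volume std, query rate, IP space, name space, source-port-53 count,
# record-type entropy, recursion ratio, average name length), each scaled
# to [0, 1]. Label 1 = attack window, 0 = normal window. All values are
# assumptions made for this example, not measurements from the patent.
TRAIN_X = [
    [0.10, 0.12, 0.20, 0.25, 0.05, 0.80, 0.30, 0.40],
    [0.15, 0.10, 0.22, 0.28, 0.04, 0.78, 0.32, 0.42],
    [0.12, 0.14, 0.18, 0.24, 0.06, 0.82, 0.29, 0.38],
    [0.11, 0.11, 0.21, 0.26, 0.05, 0.79, 0.31, 0.41],
    [0.90, 0.95, 0.85, 0.10, 0.60, 0.20, 0.90, 0.75],
    [0.88, 0.92, 0.80, 0.12, 0.65, 0.25, 0.88, 0.70],
    [0.93, 0.97, 0.90, 0.08, 0.55, 0.18, 0.92, 0.78],
    [0.91, 0.94, 0.87, 0.11, 0.62, 0.22, 0.89, 0.73],
]
TRAIN_Y = [0, 0, 0, 0, 1, 1, 1, 1]

# Constructed held-out windows used to measure TPR/FPR after training.
TEST_X = [
    [0.13, 0.12, 0.19, 0.27, 0.05, 0.81, 0.30, 0.39],
    [0.14, 0.13, 0.23, 0.25, 0.06, 0.77, 0.33, 0.43],
    [0.89, 0.93, 0.84, 0.09, 0.58, 0.21, 0.91, 0.74],
    [0.92, 0.96, 0.88, 0.13, 0.63, 0.19, 0.87, 0.76],
]
TEST_Y = [0, 0, 1, 1]


def sigmoid(x):
    # Clamp the pre-activation so math.exp cannot overflow.
    x = max(-500.0, min(500.0, x))
    return 1.0 / (1.0 + math.exp(-x))


class MLP:
    """Input layer -> one sigmoid hidden layer -> one sigmoid output unit."""

    def __init__(self, n_in, n_hidden, seed=7):
        state = seed

        def rnd():  # small deterministic LCG so the example is reproducible
            nonlocal state
            state = (1103515245 * state + 12345) % (1 << 31)
            return state / (1 << 31) - 0.5

        self.w1 = [[rnd() for _ in range(n_in)] for _ in range(n_hidden)]
        self.b1 = [0.0] * n_hidden
        self.w2 = [rnd() for _ in range(n_hidden)]
        self.b2 = 0.0

    def forward(self, x):
        h = [sigmoid(sum(w * xi for w, xi in zip(row, x)) + b)
             for row, b in zip(self.w1, self.b1)]
        out = sigmoid(sum(w * hi for w, hi in zip(self.w2, h)) + self.b2)
        return h, out

    def predict(self, x):
        """Probability that the window is an attack window."""
        return self.forward(x)[1]

    def train(self, xs, ys, epochs=2000, lr=0.5):
        # Per-sample gradient descent on the cross-entropy loss; with a
        # sigmoid output the gradient at the output unit is simply (out - y).
        for _ in range(epochs):
            for x, y in zip(xs, ys):
                h, out = self.forward(x)
                d_out = out - y
                d_h = [d_out * w * hi * (1.0 - hi) for w, hi in zip(self.w2, h)]
                for j, hj in enumerate(h):
                    self.w2[j] -= lr * d_out * hj
                self.b2 -= lr * d_out
                for j, dj in enumerate(d_h):
                    for i, xi in enumerate(x):
                        self.w1[j][i] -= lr * dj * xi
                    self.b1[j] -= lr * dj


def tpr_fpr(model, xs, ys, threshold=0.5):
    """True-positive and false-positive rates of the thresholded classifier."""
    tp = fp = pos = neg = 0
    for x, y in zip(xs, ys):
        alarm = model.predict(x) >= threshold
        if y == 1:
            pos += 1
            tp += alarm
        else:
            neg += 1
            fp += alarm
    return tp / pos, fp / neg


def train_and_evaluate():
    model = MLP(n_in=8, n_hidden=4)
    model.train(TRAIN_X, TRAIN_Y)
    return model, tpr_fpr(model, TEST_X, TEST_Y)


if __name__ == "__main__":
    model, (tpr, fpr) = train_and_evaluate()
    print(f"TPR={tpr:.2f} FPR={fpr:.2f}")
```

Sweeping `threshold` in `tpr_fpr` from 0 to 1 and plotting the resulting (FPR, TPR) pairs produces the ROC curve of Fig. 7; a detector that is useful in practice sits near the upper left corner, exactly the region the patent reports for its network.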
Those of ordinary skill in the art will appreciate that all or part of the steps for implementing the above method embodiments may be completed by hardware under the instruction of a program. The program may be stored in a computer-readable storage medium, and when executed it performs the steps of the above method embodiments; the storage medium includes various media capable of storing program code, such as a ROM, a RAM, a magnetic disk or an optical disc.
Finally, it should be noted that the above embodiments are only intended to illustrate the technical solutions of the present invention, not to limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions recorded in the foregoing embodiments may still be modified, or some of their technical features replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solution to depart from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims (10)

1. A method for detecting a distributed denial-of-service attack, characterized in that it comprises:
obtaining the query log information recorded on a DNS server;
detecting, according to the obtained query log information, whether a DDoS attack behavior against the DNS server exists.
2. The method for detecting a distributed denial-of-service attack according to claim 1, characterized in that detecting, according to the obtained query log information, whether a DDoS attack behavior against the DNS server exists comprises:
detecting, based on a multi-layer perceptron neural network and the query log information currently recorded on the DNS server, whether a DDoS attack behavior against the DNS server exists.
3. The method for detecting a distributed denial-of-service attack according to claim 2, characterized in that, before detecting, based on a multi-layer perceptron neural network and the query log information currently recorded on the DNS server, whether a DDoS attack behavior against the DNS server exists, the method further comprises:
extracting, according to all the query log information recorded on the DNS server, a characteristic vector reflecting DDoS attack features;
training and obtaining the multi-layer perceptron neural network based on the extracted characteristic vector reflecting DDoS attack features.
4. The method for detecting a distributed denial-of-service attack according to claim 3, characterized in that extracting the characteristic vector reflecting DDoS attack features comprises:
extracting the characteristic vector reflecting DDoS attack features at a preset time granularity.
5. The method for detecting a distributed denial-of-service attack according to claim 3, characterized in that the multi-layer perceptron neural network comprises an input layer, a hidden layer and an output layer, wherein the input information of the input layer is the characteristic vector reflecting DDoS attack features.
6. The method for detecting a distributed denial-of-service attack according to claim 3, characterized in that the characteristic vector reflecting DDoS attack features comprises at least one of:
the standard deviation of the DNS query volume, the query rate, the IP space size, the name space size, the variation in the number of queries whose source port is set to 53, the entropy of the query record types, the proportion of queries with recursion requested, and the average length of the domain names.
7. A device for detecting a distributed denial-of-service attack, characterized in that it comprises:
an information acquisition module, used to obtain the query log information recorded on a DNS server;
a detection module, used to detect, according to the obtained query log information, whether a DDoS attack behavior against the DNS server exists.
8. The device for detecting a distributed denial-of-service attack according to claim 7, characterized in that the detection module is specifically used to detect, based on a multi-layer perceptron neural network and the query log information currently recorded on the DNS server, whether a DDoS attack behavior against the DNS server exists.
9. The device for detecting a distributed denial-of-service attack according to claim 8, characterized in that it further comprises:
a characteristic vector extraction module, used to extract, according to all the query log information recorded on the DNS server, a characteristic vector reflecting DDoS attack features;
a neural network training module, used to train and obtain the multi-layer perceptron neural network based on the extracted characteristic vector reflecting DDoS attack features.
10. The device for detecting a distributed denial-of-service attack according to claim 9, characterized in that the characteristic vector extraction module is specifically used to extract, according to all the query log information recorded on the DNS server, the characteristic vector reflecting DDoS attack features at a preset time granularity.
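As an added example of the feature extraction described in claims 4 and 6 (and performed by characteristic vector extraction module 3), not code from the patent or its assignee, the following Python parses a constructed, simplified query log, buckets the queries at a preset time granularity, and computes the eight features of claim 6 for each window. The log format (one line per query: unix timestamp, source IP, source port, query name, record type, and whether recursion was requested) and the sample lines are assumptions made for the example, not the log format of any particular DNS server. The "variation" of the port-53 count is represented here by the per-window count, so the change from window to window can be read off the sequence of vectors.

```python
import math
from collections import Counter, defaultdict

# Constructed sample log (assumed format, not a real server's):
# "<unix_ts> <src_ip> <src_port> <qname> <qtype> <rd|nord>"
# Two 10-second windows: a quiet one, then one where every query comes from
# source port 53 with no recursion requested and a distinct name per query.
SAMPLE_LOG = """\
1268974800 192.0.2.10 40001 www.example.com A rd
1268974801 192.0.2.11 40002 mail.example.com MX rd
1268974803 192.0.2.10 40003 www.example.com A rd
1268974805 198.51.100.7 53 ns1.example.net NS nord
1268974812 203.0.113.5 53 a1.example.com A nord
1268974812 203.0.113.6 53 a2.example.com A nord
1268974813 203.0.113.7 53 a3.example.com A nord
1268974813 203.0.113.8 53 a4.example.com A nord
"""

# Fixed feature order, matching the list in claim 6.
FEATURE_ORDER = [
    "qcount_std", "qrate", "ip_space", "name_space",
    "src_port_53", "qtype_entropy", "rd_ratio", "avg_name_len",
]


def parse_line(line):
    ts, ip, port, qname, qtype, rd = line.split()
    return int(ts), ip, int(port), qname, qtype, rd == "rd"


def shannon_entropy(counter):
    """Entropy in bits of the distribution described by a Counter."""
    total = sum(counter.values())
    return -sum(c / total * math.log2(c / total) for c in counter.values())


def window_features(records, window_start, window_seconds):
    # Query volume is counted per second inside the window; its standard
    # deviation captures burstiness, which plain volume does not.
    per_second = [0] * window_seconds
    for ts, *_ in records:
        per_second[ts - window_start] += 1
    mean = sum(per_second) / window_seconds
    std = math.sqrt(sum((c - mean) ** 2 for c in per_second) / window_seconds)
    n = len(records)
    return {
        "qcount_std": std,
        "qrate": n / window_seconds,
        "ip_space": len({r[1] for r in records}),
        "name_space": len({r[3] for r in records}),
        "src_port_53": sum(1 for r in records if r[2] == 53),
        "qtype_entropy": shannon_entropy(Counter(r[4] for r in records)),
        "rd_ratio": sum(1 for r in records if r[5]) / n,
        "avg_name_len": sum(len(r[3]) for r in records) / n,
    }


def extract_features(log_text, window_seconds=10):
    """Return [(window_start, feature_dict), ...] in time order."""
    buckets = defaultdict(list)
    for line in log_text.strip().splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        buckets[rec[0] - rec[0] % window_seconds].append(rec)
    return [(start, window_features(recs, start, window_seconds))
            for start, recs in sorted(buckets.items())]


def as_vector(features):
    """Flatten one window's features into the claim-6 order for a classifier."""
    return [features[k] for k in FEATURE_ORDER]


if __name__ == "__main__":
    for start, feats in extract_features(SAMPLE_LOG):
        print(start, as_vector(feats))
```

The vectors returned by `as_vector` are raw counts and ratios; before they are fed to a neural network they should be scaled (per feature, over the training period) so that a large query rate does not swamp the entropy and ratio features, and the window length should match the time granularity at which the network was trained.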
CN201010129304.XA 2010-03-19 2010-03-19 Method and device for detecting distributed denial-of-service attack Active CN101841533B (en)

Publications (2)

Publication Number Publication Date
CN101841533A true CN101841533A (en) 2010-09-22
CN101841533B CN101841533B (en) 2014-04-09

Family

ID=42744657

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
TR01 Transfer of patent right
Effective date of registration: 20210302
Address after: 100190 room 506, building 2, courtyard 4, South 4th Street, Zhongguancun, Haidian District, Beijing
Patentee after: CHINA INTERNET NETWORK INFORMATION CENTER
Address before: 100190 No. four, four South Street, Haidian District, Beijing, Zhongguancun
Patentee before: Computer Network Information Center, Chinese Academy of Sciences