CN101841533B - Method and device for detecting distributed denial-of-service attack - Google Patents

Publication number: CN101841533B
Authority: CN (China)
Application number: CN201010129304.XA
Other versions: CN101841533A
Other languages: Chinese (zh)
Prior art keywords: ddos attack, dns server, log information, characteristic vector, inquiry log
Legal status: Active
Inventors: 李晓东, 毛伟, 吴军, 王欣, 金键
Current assignee: China Internet Network Information Center
Original assignee: Computer Network Information Center of CAS
Application filed by Computer Network Information Center of CAS; priority to CN201010129304.XA; published as CN101841533A and granted as CN101841533B.

Abstract

The invention discloses a method and a device for detecting a distributed denial-of-service (DDoS) attack. The method comprises the following steps: acquiring the query log information recorded on a DNS (Domain Name System) server; and detecting, according to the acquired query log information, whether a DDoS attack against the DNS server exists. The device comprises an information acquisition module and a detection module. By working from the query log information on the DNS server, the technical scheme of the invention can effectively detect DDoS attack behaviour and prevent the DNS server from being brought down by a DDoS attack.

Description

Method and device for detecting distributed denial-of-service attacks
Technical field
The embodiments of the present invention relate to the technical field of detecting distributed denial-of-service attacks, and in particular to a method and device for detecting distributed denial-of-service attacks.
Background technology
With the development of network technology, hacker attacks carried out over the Internet have become more and more common; the distributed denial-of-service (DDoS) attack is one common form of such attacks.
DDoS attacks take many forms, but their common strategy is to exploit protocol weaknesses and to have a large number of "zombie hosts" send a flood of seemingly legitimate network packets to the victim host, so that the network becomes congested or the server's resources are exhausted and it denies service. Using DDoS against the Domain Name System (DNS) is a common hacker attack. DNS is a core service of the Internet infrastructure: it consists of a distributed database that maps domain names to Internet Protocol (IP) addresses, together with the software systems that translate domain names into the IP addresses the network can recognise, and it plays a very important role in the network. Once a DNS server suffers a DDoS attack, the whole network is seriously affected and the consequences can be catastrophic. At present, the methods for guarding against DDoS attacks on DNS mainly comprise: deploying high-performance network equipment, guaranteeing sufficient network bandwidth, upgrading the server hardware, hardening the TCP/IP protocol stack of the operating system, or installing a dedicated anti-DDoS firewall.
In the course of realising the present invention, the inventors found that the prior art fails to actively detect DDoS attacks against DNS servers; it mainly guards against DDoS attacks, or reduces their impact, by passive defence, so that the cost of defending against DDoS attacks is high and the protective effect is poor.
Summary of the invention
The present invention provides a method and device for detecting distributed denial-of-service attacks, which can detect DDoS attack behaviour in real time and proactively on the basis of DNS query data, so that the DDoS attack can be handled promptly and its impact on the DNS server eliminated.
An embodiment of the present invention provides a method for detecting distributed denial-of-service attacks, comprising:
obtaining the query log information recorded on a DNS server;
detecting, according to the obtained query log information, whether a DDoS attack against the DNS server exists.
Here, detecting according to the obtained query log information whether a DDoS attack against the DNS server exists comprises:
detecting, on the basis of a multi-layer perceptron neural network and the current query log information recorded on the DNS server, whether a DDoS attack against the DNS server exists.
Before detecting, on the basis of the multi-layer perceptron neural network and the current query log information recorded on the DNS server, whether a DDoS attack against the DNS server exists, the method further comprises:
extracting, from all the query log information recorded on the DNS server, feature vectors that reflect the characteristics of a DDoS attack;
training the multi-layer perceptron neural network on the basis of the extracted feature vectors reflecting the characteristics of a DDoS attack.
Extracting the feature vectors reflecting the characteristics of a DDoS attack comprises:
extracting the feature vectors reflecting the characteristics of a DDoS attack at a preset time granularity.
The multi-layer perceptron neural network comprises an input layer, a hidden layer and an output layer, where the input to the input layer is the feature vector reflecting the characteristics of a DDoS attack.
The feature vector reflecting the characteristics of a DDoS attack comprises at least one of:
the DNS query volume, the standard deviation of the query rate, the IP space size, the name space size, the number of queries whose source port is set to 53, the change in the entropy of the query record types, the ratio of queries with recursion requested, and the average length of the queried domain names.
An embodiment of the present invention provides a device for detecting distributed denial-of-service attacks, comprising:
an information acquisition module, for obtaining the query log information recorded on a DNS server;
a detection module, for detecting, according to the obtained query log information, whether a DDoS attack against the DNS server exists.
Here, the detection module is specifically for detecting, on the basis of a multi-layer perceptron neural network and the current query log information recorded on the DNS server, whether a DDoS attack against the DNS server exists.
The above device may further comprise:
a feature vector extraction module, for extracting, from all the query log information recorded on the DNS server, feature vectors reflecting the characteristics of a DDoS attack;
a neural network training module, for training the multi-layer perceptron neural network on the basis of the extracted feature vectors reflecting the characteristics of a DDoS attack.
The feature vector extraction module is specifically for extracting, from all the query log information recorded on the DNS server, the feature vectors reflecting the characteristics of a DDoS attack at a preset time granularity.
By detecting DDoS attack behaviour against the DNS server from the DNS query log information, the embodiments of the present invention detect DDoS attacks proactively, with higher detection efficiency and a better detection effect for DNS; they improve the accuracy and reliability of DDoS detection, and the detection result can be passed to the relevant processing equipment or to administrators for handling, eliminating the impact of the DDoS attack on the DNS server. In addition, by extracting feature vectors that reflect a DDoS attack and using a multi-layer perceptron neural network to detect the attack behaviour, the embodiments make DDoS detection accurate and reliable, with a low computational load, low deployment cost and high detection efficiency.
Accompanying drawing explanation
Fig. 1 is a flow diagram of embodiment one of the method for detecting distributed denial-of-service attacks of the present invention;
Fig. 2 is a flow diagram of embodiment two of the method for detecting distributed denial-of-service attacks of the present invention;
Fig. 3 is a flow diagram of training the multi-layer perceptron neural network in embodiment two of the method for detecting distributed denial-of-service attacks of the present invention;
Fig. 4 is a structural diagram of the multi-layer perceptron neural network in the embodiments of the present invention;
Fig. 5 is a schematic diagram of training the multi-layer perceptron neural network in a practical application of the embodiments of the present invention;
Fig. 6 is a schematic diagram of the DDoS attack detection rate in a practical application of the embodiments of the present invention;
Fig. 7 is a schematic diagram of the change in DDoS detection accuracy and false alarm rate in a practical application of the embodiments of the present invention;
Fig. 8 is a structural diagram of embodiment one of the device for detecting distributed denial-of-service attacks of the present invention;
Fig. 9 is a structural diagram of embodiment two of the device for detecting distributed denial-of-service attacks of the present invention.
Embodiments
To make the objectives, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions of the embodiments are described clearly and completely below with reference to the accompanying drawings. Obviously, the embodiments described are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort fall within the scope of protection of the invention.
Because DNS is a distributed database, local control of the database through the DNS protocol is possible both inside a server and between servers, and users on the network are also allowed to access each part of the data in client or server mode. Therefore, when the users of other hosts access the DNS server, the DNS server records the query behaviour of all host users; each query is recorded as data and saved as query log information. The query log information recorded by the DNS server mainly comprises the following fields:
(1) timestamp: the time at which the query request arrives at the DNS server, generally accurate to the millisecond; (2) source IP address: the IP address of the host sending the query request; (3) source port number: the port number set by the host sending the query request; (4) query content: the target domain name or target IP address of the query request; (5) query record type: the record type in the DNS server that the query request asks for; (6) flag bits: the settings of the various flag bits in the DNS query packet of the query request, mainly used to instruct the DNS server to perform the relevant operation.
Because the query log information recorded by the DNS server records the related behaviour of a large number of DNS queries and reflects the current behaviour of access to the DNS server, the embodiments of the present invention propose a technical scheme for proactively detecting DDoS attack behaviour on the basis of query log information, so as to discover attacks against the DNS server promptly and effectively, protect the DNS server from malicious attack, and improve its security and reliability. The technical solution of the present invention is described in detail below with reference to the embodiments.
Fig. 1 is a flow diagram of embodiment one of the method for detecting distributed denial-of-service attacks of the present invention. Specifically, as shown in Fig. 1, the detection method of this embodiment may comprise the following steps:
Step 101: obtain the query log information recorded on the DNS server;
Step 102: detect, according to the obtained query log information, whether a DDoS attack against the DNS server exists.
The embodiments of the present invention can be applied to detecting DDoS attacks against a DNS server. Specifically, whether a DDoS attack against the DNS server exists can be detected proactively from the query log information that the DNS server records for the various queries made against it, and when a DDoS attack against the DNS server is detected, the relevant processing equipment or administrators can be notified to handle it, so as to avoid the damage a DDoS attack causes to the DNS server. Because the query log information recorded on the DNS server effectively reflects the various kinds of DDoS attack behaviour, existing DDoS attack behaviour can be detected accurately from that query log information.
It can be seen that, by detecting DDoS attack behaviour against the DNS server from the DNS query log information, the embodiments of the present invention detect DDoS attacks proactively, with higher detection efficiency and a better detection effect for DNS; they improve the accuracy and reliability of DDoS detection, and the detection result can be passed to the relevant processing equipment or to administrators for handling, eliminating the impact of the DDoS attack on the DNS server.
Fig. 2 is a flow diagram of embodiment two of the method for detecting distributed denial-of-service attacks of the present invention. On the basis of the technical scheme of the embodiment shown in Fig. 1, this embodiment processes the query log information recorded on the DNS server with a multi-layer perceptron neural network to obtain the DDoS detection result. Specifically, as shown in Fig. 2, this embodiment comprises the following steps:
Step 201: obtain the query log information recorded on the DNS server;
Step 202: detect, on the basis of the multi-layer perceptron neural network and the current query log information recorded on the DNS server, whether a DDoS attack against the DNS server exists.
Because DDoS attacks are mostly carried out jointly by many attackers, the query behaviour against the DNS server during a DDoS attack is extensive, and the large volume of data recorded by the DNS server is mostly non-linear; this embodiment therefore uses a multi-layer perceptron neural network to detect DDoS attack behaviour, since the network can learn and summarise the characteristics of various attack behaviours and thereby recognise DDoS attack behaviour. Specifically, the neural network is trained on the query log information recorded on the DNS server: feature vectors reflecting the characteristics of a DDoS attack are extracted and the multi-layer perceptron is trained on them, and the DDoS detection result is then obtained from the feature vectors extracted from the DNS server's current data and the trained neural network.
Fig. 3 is a flow diagram of training the multi-layer perceptron neural network in embodiment two of the method for detecting distributed denial-of-service attacks of the present invention. As shown in Fig. 3, in this embodiment, training the multi-layer perceptron neural network may specifically comprise the following steps:
Step 301: extract, from all the query log information recorded on the DNS server, feature vectors reflecting the characteristics of a DDoS attack;
In this embodiment, the feature vectors reflecting the characteristics of a DDoS attack are extracted at a preset time granularity. Specifically, the preset time is set to 1 minute, and the feature vectors reflecting the characteristics of a DDoS attack are obtained from the recorded query log information minute by minute.
In this embodiment, the feature vector reflecting the characteristics of a DDoS attack may specifically comprise at least one of: the DNS query volume, the standard deviation of the query rate, the IP space size, the name space size, the number of queries whose source port is set to 53, the change in the entropy of the query record types, the ratio of queries with recursion requested, and the average length of the queried domain names. In general, the more kinds of feature are obtained, the stronger the discrimination of the trained multi-layer perceptron neural network against DDoS attack behaviour, and the higher the accuracy of DDoS detection. The embodiments of the present invention train the multi-layer neural network with the eight features listed above, in order to improve the accuracy and reliability of DDoS detection.
The features reflecting a DDoS attack that the embodiments of the present invention extract are described in turn below:
(1) DNS query volume: this feature is obtained by averaging the query volume over one minute;
(2) standard deviation of the query rate: this feature is computed from the query rates arriving within a one-minute window, by the following formula:
$$S = \sqrt{\frac{1}{n}\left[(x_1 - m)^2 + (x_2 - m)^2 + \cdots + (x_n - m)^2\right]}$$
where n is the number of seconds for which query data are recorded within the minute, x_i (i = 1, 2, ..., n) is the query volume in the i-th second, and m is the mean per-second query volume over the minute;
(3) IP space size: this feature is the number of host users that sent DNS query requests within one minute;
(4) name space size: this feature is the number of distinct domain names queried within one minute;
(5) number of queries with source port set to 53: this feature is the number of queries whose source port number is set to 53; because some DDoS attacks against DNS set the source port to 53, extracting this feature is very necessary;
(6) change in the entropy of the query record types: the entropy for this feature is given by
$$H(P_1, \ldots, P_n) = -\sum_{i=1}^{n} P(x_i) \log_2 P(x_i)$$
where n is the number of record types in the time window, P_i (i = 1, 2, ..., n) is the probability with which the i-th record type occurs, and x_i (i = 1, 2, ..., n) is the i-th record type;
(7) ratio of queries with recursion requested: because some DDoS attacks set their queries to request recursion in order to increase the attack's effect, extracting this feature is very necessary;
(8) average length of the domain names: because the domain names queried in some DDoS attacks are generated randomly by a program, which inevitably changes the average domain name length in the query data, extracting the average domain name length as a feature is very necessary.
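The log fields (1) to (6) and the eight features (1) to (8) above, as an added Python example that is not part of the patent: it parses a constructed, space-separated log layout (timestamp in seconds, source IP, source port, queried name, record type, recursion-desired flag), groups the queries into one-minute windows and computes the eight features for each window. The log format, the sample lines and the field names are assumptions; the patent specifies no log format. Minute 0 of the sample is ordinary traffic, minute 1 carries the traits the description associates with an attack.

```python
import math
from collections import Counter, defaultdict

# Constructed DNS query log (not patent data), one query per line:
#   <timestamp seconds> <source IP> <source port> <queried name> <record type> <RD flag>
SAMPLE_LOG = [
    "0.10 10.0.0.1 40001 www.example.com A 1",
    "0.50 10.0.0.2 40002 mail.example.com MX 1",
    "1.20 10.0.0.1 40003 www.example.com A 1",
    "2.00 10.0.0.3 40004 cdn.example.net AAAA 0",
    "60.00 203.0.113.5 53 a1b2c3d4e5.example.com ANY 1",
    "60.01 203.0.113.6 53 f6g7h8i9j0.example.com ANY 1",
    "60.02 203.0.113.7 53 k1l2m3n4o5.example.com ANY 1",
    "61.00 203.0.113.8 53 p6q7r8s9t0.example.com ANY 1",
    "61.01 203.0.113.9 53 u1v2w3x4y5.example.com ANY 1",
    "61.02 203.0.113.5 53 z6a7b8c9d0.example.com ANY 1",
]


def parse_log_line(line):
    """Splits one log line into the six fields of the DNS query log."""
    ts, src_ip, src_port, qname, qtype, rd = line.split()
    return {"ts": float(ts), "src_ip": src_ip, "src_port": int(src_port),
            "qname": qname, "qtype": qtype, "rd": rd == "1"}


def std_dev(values):
    """Population standard deviation S of the per-second query volumes x_i (feature 2)."""
    n = len(values)
    m = sum(values) / n
    return math.sqrt(sum((x - m) ** 2 for x in values) / n)


def entropy_bits(counts):
    """Shannon entropy H of the record-type distribution, in bits (feature 6)."""
    total = sum(counts.values())
    return -sum((c / total) * math.log2(c / total) for c in counts.values() if c)


def extract_features(lines, window_seconds=60):
    """Groups queries into windows of window_seconds and returns one 8-feature dict per window."""
    windows = defaultdict(list)
    for line in lines:
        rec = parse_log_line(line)
        windows[int(rec["ts"] // window_seconds)].append(rec)
    features, prev_entropy = [], None
    for w in sorted(windows):
        recs = windows[w]
        per_second = Counter(int(r["ts"]) for r in recs)  # only seconds that carry queries
        h = entropy_bits(Counter(r["qtype"] for r in recs))
        features.append({
            "window": w,
            "query_volume": len(recs),                                   # (1)
            "rate_std": std_dev(list(per_second.values())),              # (2)
            "ip_space": len({r["src_ip"] for r in recs}),                # (3)
            "name_space": len({r["qname"] for r in recs}),               # (4)
            "port53_queries": sum(r["src_port"] == 53 for r in recs),    # (5)
            # (6) change of entropy against the previous window; 0.0 for the first window
            "qtype_entropy_delta": 0.0 if prev_entropy is None else h - prev_entropy,
            "recursive_ratio": sum(r["rd"] for r in recs) / len(recs),   # (7)
            "avg_qname_length": sum(len(r["qname"]) for r in recs) / len(recs),  # (8)
        })
        prev_entropy = h
    return features


if __name__ == "__main__":
    for vec in extract_features(SAMPLE_LOG):
        print(vec)
```

On the sample, the attack minute shows up as a drop in record-type entropy, a jump in source-port-53 and recursive queries, and a longer average name; these per-window dicts are what would be scaled and fed to the classifier.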
Step 302: train the multi-layer perceptron neural network on the basis of the extracted feature vectors reflecting the characteristics of a DDoS attack.
The eight features obtained in step 301 allow the multi-layer perceptron neural network to be trained accurately: the extracted features summarise and embody the characteristics of a DDoS attack to a great extent, so the network trained on them has a higher discrimination and detects DDoS attacks more accurately and reliably.
Fig. 4 is a structural diagram of the multi-layer perceptron neural network in the embodiments of the present invention. In this embodiment the network may comprise an input layer, a hidden layer and an output layer, where the input to the input layer is the feature vector reflecting the characteristics of a DDoS attack. Specifically, as shown in Fig. 4, the input layer of this embodiment comprises eight input units X1, X2, X3, X4, X5, X6, X7 and X8, serving as the input interfaces for the eight features reflecting a DDoS attack described above; the hidden layer comprises 20 units; and the output layer comprises one unit, which outputs the detection result as "0" or "1". Whether a DDoS attack against the DNS server exists is determined from this output value: "1" means the server is under attack and "0" means service is normal.
In this embodiment, when the multi-layer perceptron neural network is trained, the training data consist of the input matrix formed from the feature vectors extracted from the query log information recorded on the DNS server together with a preset target vector, and the network is trained with the back-propagation training algorithm, so that after training the network discriminates DDoS attacks well and the accuracy and reliability of DDoS detection are effectively improved. After the network has been trained, the DNS query log information can be read in operation, the corresponding feature vector extracted from it and fed to the network, and the network outputs the detection result: a result of 1 indicates that the DNS server is suffering a DDoS attack, and a result of 0 that the DNS server is working normally.
In the embodiments of the present invention, the multi-layer perceptron neural network can process incomplete, distorted and even non-linear data, so it is well suited to processing the query data recorded on the DNS server during a DDoS attack. At the same time, the network has a fast response time and can detect existing DDoS attack behaviour in real time, so that a DDoS alarm is raised before the DNS server suffers a catastrophic collapse; the DDoS intrusion is thus anticipated and the validity and reliability of DDoS detection improved. In addition, the network can summarise the characteristics of various DDoS attack behaviours by learning and recognise attack behaviours that do not match the current normal behaviour, improving the accuracy and reliability of DDoS detection.
In this embodiment, DDoS detection is performed with a multi-layer perceptron neural network trained on feature vectors, reflecting the characteristics of a DDoS attack, that are extracted from the query log information recorded by the DNS server; the output is whether the DNS server is suffering a DDoS attack or providing service normally. DDoS detection for the DNS server is thus turned into a binary classification problem, which effectively improves the agility and accuracy of the whole detection process. At the same time, the embodiments involve only feature extraction and the training of the multi-layer perceptron, so both the computational load and the deployment cost of DDoS detection are low.
It can be seen that the embodiments of the present invention detect DDoS attacks with a multi-layer perceptron neural network and the query log information recorded on the DNS server, turning DDoS detection for the DNS server into a binary classification problem; this effectively improves the speed and convenience of DDoS detection and gives it higher accuracy and reliability. At the same time, DDoS detection in this embodiment has a smaller computational load, lower deployment cost, faster detection speed and higher detection accuracy, and can detect DDoS attacks against the DNS server proactively and in real time, protecting the DNS server from the effects of a DDoS attack.
Fig. 5 is a schematic diagram of training the multi-layer perceptron neural network in a practical application of the embodiments of the present invention. According to the technical scheme of the embodiments, the feature vectors reflecting a DDoS attack are first extracted from the query log information recorded by the DNS server, the eight features obtained are assembled into an input matrix that serves as the input of the training samples to the multi-layer perceptron, a target vector is set at the same time, and the network is trained with the back-propagation training algorithm. In practice, the training data of the neural network can be divided into three data sets: a training set, a validation set and a test set. The training set is used to train the network, so that the network's link weights and biases are adjusted and corrected by comparing the error between the output class and the target class; the validation set is used to measure the generalisation of the network and to stop the training process promptly when generalisation no longer improves, which avoids "over-fitting" of the network; the test set is independent of the training process and is used separately to test the network after training has finished, to check its discrimination. Fig. 5 shows the overall performance when the neural network is trained with this embodiment. As Fig. 5 shows, as the training cycles advance the mean square error (MSE) of all three data sets decreases gradually; at the 39th cycle the validation-set MSE curve has an inflection point, where the validation-set MSE reaches its minimum, and the training process stops. That is, the network's performance is optimal at the 39th training cycle, and training ends.
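The 8-20-1 multi-layer perceptron, its back-propagation training and the validation-set early stopping described in the last two passages, as an added example in pure Python that is not code from the patent. The feature vectors and labels are constructed synthetic data, assumed already scaled to [0, 1]; the learning rate, patience, weight initialisation and the fixed random seed are assumptions, since the patent specifies none of them.

```python
import copy
import math
import random


def make_samples(n, attack, rng):
    """Constructed 8-feature vectors in [0, 1] (not patent data); label 1.0 = attack, 0.0 = normal."""
    profile = [0.8, 0.7, 0.9, 0.8, 0.6, 0.7, 0.7, 0.8] if attack else [0.2, 0.2, 0.3, 0.3, 0.0, 0.3, 0.2, 0.3]
    return [([min(1.0, max(0.0, v + rng.uniform(-0.15, 0.15))) for v in profile], 1.0 if attack else 0.0)
            for _ in range(n)]


class MLP:
    """Fully connected 8-20-1 perceptron with sigmoid units, trained by back-propagation."""

    def __init__(self, n_in=8, n_hidden=20, n_out=1, seed=1):
        rng = random.Random(seed)  # fixed seed: an assumption, for reproducibility
        self.w1 = [[rng.uniform(-0.5, 0.5) for _ in range(n_in)] for _ in range(n_hidden)]
        self.b1 = [0.0] * n_hidden
        self.w2 = [[rng.uniform(-0.5, 0.5) for _ in range(n_hidden)] for _ in range(n_out)]
        self.b2 = [0.0] * n_out

    @staticmethod
    def _sigmoid(z):
        return 1.0 / (1.0 + math.exp(-z))

    def forward(self, x):
        hidden = [self._sigmoid(sum(w * xi for w, xi in zip(row, x)) + b) for row, b in zip(self.w1, self.b1)]
        out = [self._sigmoid(sum(w * h for w, h in zip(row, hidden)) + b) for row, b in zip(self.w2, self.b2)]
        return hidden, out

    def train_step(self, x, target, lr):
        hidden, out = self.forward(x)
        # Output error term for squared-error loss with a sigmoid output unit.
        d_out = [(o - target) * o * (1.0 - o) for o in out]
        # Propagate the error term back through the output weights to the hidden units.
        d_hid = [h * (1.0 - h) * sum(d_out[k] * self.w2[k][j] for k in range(len(out)))
                 for j, h in enumerate(hidden)]
        for k in range(len(out)):
            for j in range(len(hidden)):
                self.w2[k][j] -= lr * d_out[k] * hidden[j]
            self.b2[k] -= lr * d_out[k]
        for j in range(len(hidden)):
            for i in range(len(x)):
                self.w1[j][i] -= lr * d_hid[j] * x[i]
            self.b1[j] -= lr * d_hid[j]

    def predict(self, x):
        """1 = under attack, 0 = service normal, thresholding the output unit at 0.5."""
        return 1 if self.forward(x)[1][0] >= 0.5 else 0


def mse(net, data):
    return sum((net.forward(x)[1][0] - t) ** 2 for x, t in data) / len(data)


def train_with_early_stopping(net, train, val, lr=0.5, max_epochs=200, patience=10):
    """Trains epoch by epoch; stops when validation MSE has not improved for `patience` epochs.

    Leaves the network with the weights of the best validation epoch and returns that epoch,
    mirroring the stop at the validation-set MSE minimum described for Fig. 5.
    """
    best_mse, best_epoch, stale = float("inf"), 0, 0
    best_weights = copy.deepcopy((net.w1, net.b1, net.w2, net.b2))
    for epoch in range(1, max_epochs + 1):
        for x, t in train:
            net.train_step(x, t, lr)
        v = mse(net, val)
        if v < best_mse - 1e-6:
            best_mse, best_epoch, stale = v, epoch, 0
            best_weights = copy.deepcopy((net.w1, net.b1, net.w2, net.b2))
        else:
            stale += 1
            if stale >= patience:
                break
    net.w1, net.b1, net.w2, net.b2 = best_weights
    return best_epoch


def accuracy(net, data):
    return sum(net.predict(x) == int(t) for x, t in data) / len(data)


def run_demo(seed=7):
    """Builds train/validation/test sets (60/20/20 split), trains, returns (stop epoch, test accuracy)."""
    rng = random.Random(seed)
    samples = make_samples(60, True, rng) + make_samples(60, False, rng)
    rng.shuffle(samples)
    train, val, test = samples[:72], samples[72:96], samples[96:]
    net = MLP()
    stop_epoch = train_with_early_stopping(net, train, val)
    return stop_epoch, accuracy(net, test)


if __name__ == "__main__":
    epoch, acc = run_demo()
    print(f"stopped at epoch {epoch}, test accuracy {acc:.3f}")
```

The test set is never seen during training or stopping, so the accuracy it reports is the out-of-sample discrimination the patent checks with its own test set.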
Fig. 6 is a schematic diagram of the DDoS attack detection rate in a practical application of the embodiments of the present invention. As shown in Fig. 6, this embodiment has a high detection efficiency when applied to DDoS detection. The numbers in units 1 and 2 on the diagonal of the confusion matrix in Fig. 6 are the numbers of samples for which the output of the neural network classifier agrees with the target, that is, the numbers of correctly identified samples, and the percentages in units 1 and 2 are their respective shares of the total number of samples. In unit 3 on the diagonal, the percentage 98.2% is the total identification accuracy and the percentage 1.8% is the error rate, or mismatch rate. The percentage 86.4% in unit 4, at the lower left of the diagonal, is the correct detection rate, the true positive rate (TPR), an important criterion in detection theory: the higher the better, and it reflects the sensitivity of the neural network. The percentage 0.0% in unit 5, in the middle of the bottom row of the confusion matrix, is the false detection rate, the false positive rate (FPR), also an important criterion in detection theory: the lower the better, and it reflects the false alarm rate of the neural network, that is, the proportion of normal traffic wrongly reported as an attack. As can be seen from Fig. 5, when this embodiment is used for DDoS detection, TPR = 86.4% and FPR = 0.0%; the neural network has very high sensitivity and raises no false alarms.
Fig. 7 is a schematic diagram of the change in DDoS detection accuracy and false alarm rate in a practical application of the embodiments of the present invention. Fig. 7 reflects how detection accuracy and false alarm rate vary when this embodiment is used for DDoS detection: the ROC (Receiver Operating Characteristic) curve shows the variation of, and the relation between, TPR and FPR in the neural network classification process. As can be seen from Fig. 7, the ROC curve approaches the upper-left corner, which shows that the neural network has a rather ideal detection effect, with TPR > 0.8 and FPR close to 0.
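The confusion matrix, TPR, FPR, accuracy and error rate read off Fig. 6, and the ROC curve of Fig. 7, as an added Python example that is not code from the patent. The labels and the classifier's output-unit scores are constructed for ten windows; the ROC curve is built by sweeping the decision threshold over the observed scores, and the area under it is given as a single summary of how close the curve gets to the upper-left corner.

```python
def confusion_matrix(labels, predictions):
    """Counts TP/FP/TN/FN for binary labels, 1 = attack, 0 = normal."""
    cm = {"tp": 0, "fp": 0, "tn": 0, "fn": 0}
    for y, p in zip(labels, predictions):
        if p == 1:
            cm["tp" if y == 1 else "fp"] += 1
        else:
            cm["fn" if y == 1 else "tn"] += 1
    return cm


def detection_metrics(labels, predictions):
    """TPR (sensitivity), FPR (false alarm rate), accuracy and error rate for one threshold."""
    cm = confusion_matrix(labels, predictions)
    positives = cm["tp"] + cm["fn"]   # attack windows
    negatives = cm["fp"] + cm["tn"]   # normal windows
    total = positives + negatives
    acc = (cm["tp"] + cm["tn"]) / total if total else 0.0
    return {
        **cm,
        "tpr": cm["tp"] / positives if positives else 0.0,  # attacks caught
        "fpr": cm["fp"] / negatives if negatives else 0.0,  # normal traffic reported as attack
        "accuracy": acc,
        "error_rate": 1.0 - acc,
    }


def roc_points(labels, scores):
    """(FPR, TPR) points obtained by lowering the decision threshold over every score, highest first."""
    points = [(0.0, 0.0)]
    for threshold in sorted(set(scores), reverse=True):
        preds = [1 if s >= threshold else 0 for s in scores]
        m = detection_metrics(labels, preds)
        points.append((m["fpr"], m["tpr"]))
    return points


def auc(points):
    """Trapezoidal area under an ROC curve given its (FPR, TPR) points in FPR order."""
    return sum((x2 - x1) * (y1 + y2) / 2.0 for (x1, y1), (x2, y2) in zip(points, points[1:]))


# Constructed classifier output for ten windows (not the patent's data): five attack
# windows (label 1) and five normal windows (label 0), with the output-unit value for each.
LABELS = [1, 1, 1, 1, 1, 0, 0, 0, 0, 0]
SCORES = [0.9, 0.8, 0.7, 0.4, 0.6, 0.1, 0.2, 0.3, 0.05, 0.55]

if __name__ == "__main__":
    m = detection_metrics(LABELS, [1 if s >= 0.5 else 0 for s in SCORES])
    print(f"TPR={m['tpr']:.1%} FPR={m['fpr']:.1%} accuracy={m['accuracy']:.1%} error={m['error_rate']:.1%}")
    print("ROC points:", roc_points(LABELS, SCORES))
    print("AUC:", auc(roc_points(LABELS, SCORES)))
```

At the 0.5 threshold the sample gives TPR 80% and FPR 20%; sweeping the threshold shows the trade-off the patent reads from the ROC curve, since lowering it catches the remaining attack window only at the cost of one more false alarm.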
Fig. 8 is a structural diagram of embodiment one of the device for detecting distributed denial-of-service attacks of the present invention. Specifically, as shown in Fig. 8, the device of this embodiment comprises an information acquisition module 1 and a detection module 2, where:
information acquisition module 1 is for obtaining the query log information recorded on the DNS server;
detection module 2 is for detecting, according to the obtained query log information, whether a DDoS attack against the DNS server exists.
The embodiments of the present invention can be applied to detecting DDoS attacks against a DNS server: whether a DDoS attack against the DNS server exists is detected proactively from the query log information that the DNS server records for the various queries made against it. The specific implementation can refer to the description of the method embodiments of the invention above and is not repeated here.
By detecting DDoS attack behaviour against the DNS server from the DNS query log information, the embodiments of the present invention detect DDoS attacks proactively, with higher detection efficiency and a better detection effect for DNS; they improve the accuracy and reliability of DDoS detection, and the detection result can be passed to the relevant processing equipment or to administrators for handling, eliminating the impact of the DDoS attack on the DNS server.
Fig. 9 is the structural representation of Detection of Distributed Denial of Service Attacks device embodiment bis-of the present invention.As shown in Figure 9, the present embodiment comprises acquisition of information module 1, detection module 2, characteristic vector extraction module 3 and neural metwork training module 4, wherein:
Information acquisition module 1 obtains the query log information recorded on the DNS server;
Detection module 2 detects, based on a multi-layer perceptron neural network and the current query log information recorded on the DNS server, whether a DDoS attack against the DNS server exists;
Feature vector extraction module 3 extracts, from all the query log information recorded on the DNS server, a feature vector reflecting DDoS attack characteristics;
Neural network training module 4 trains the multi-layer perceptron neural network on the extracted feature vectors reflecting DDoS attack characteristics.
In this embodiment, after information acquisition module 1 has obtained the query log information recorded on the DNS server, feature vector extraction module 3 and neural network training module 4 first train the multi-layer perceptron neural network; detection module 2 then uses the trained network to perform DDoS attack detection. The specific implementation follows the explanation of the second method embodiment described above and is not repeated here.
By performing DDoS attack detection with a multi-layer perceptron neural network over the query log information recorded on the DNS server, this embodiment turns the detection of DDoS attacks on a DNS server into a binary classification problem. This makes detection faster and more convenient and gives it higher accuracy and reliability. At the same time, the DDoS detection of this embodiment has a small computational cost, a low deployment cost, a fast detection speed and a high detection accuracy, and can proactively detect DDoS attacks on the DNS server in real time, so that the DNS server is spared the effects of the attack.
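The binary-classification step described in this embodiment, shown as an added example in plain Python (standard library only); this is not the patent's code. It builds an eight-input multi-layer perceptron with one hidden layer and a single sigmoid output (the input/hidden/output structure the claims describe), standardises the feature vectors so that raw counts and ratios share one scale, and trains on constructed labelled windows. The per-class feature statistics, the network width, learning rate and epoch count are all assumptions made for the illustration.

```python
"""Multi-layer perceptron as a binary DDoS classifier over per-window DNS features.
Added example (stdlib only); not the patent's implementation."""
import math
import random
from typing import List, Sequence, Tuple

# Feature order follows the eight features listed in the patent's claim 3.
FEATURES = ["query_rate_std", "query_volume", "ip_space", "name_space",
            "port53_entropy", "qtype_change", "recursive_ratio", "avg_qname_len"]

# Constructed per-class (mean, std) for each feature; purely illustrative values.
NORMAL = [(3, 1), (300, 40), (60, 10), (80, 15), (0.5, 0.3), (0.05, 0.03), (0.9, 0.05), (18, 3)]
ATTACK = [(60, 15), (20000, 3000), (5000, 800), (6000, 900), (11, 1), (0.6, 0.15), (0.1, 0.05), (40, 5)]


def make_dataset(pairs: int, seed: int) -> Tuple[List[List[float]], List[int]]:
    """Constructed labelled windows: label 0 = normal traffic, 1 = DDoS."""
    rng = random.Random(seed)
    xs, ys = [], []
    for _ in range(pairs):
        for label, stats in ((0, NORMAL), (1, ATTACK)):
            xs.append([rng.gauss(m, s) for m, s in stats])
            ys.append(label)
    return xs, ys


def fit_scaler(xs: Sequence[Sequence[float]]):
    """Per-feature mean and std (std of 0 is replaced by 1 to avoid division by zero)."""
    n = len(xs)
    cols = list(zip(*xs))
    means = [sum(c) / n for c in cols]
    stds = [math.sqrt(sum((v - m) ** 2 for v in c) / n) or 1.0 for c, m in zip(cols, means)]
    return means, stds


def scale(x: Sequence[float], scaler) -> List[float]:
    means, stds = scaler
    return [(v - m) / s for v, m, s in zip(x, means, stds)]


def sigmoid(z: float) -> float:
    z = max(min(z, 500.0), -500.0)  # clamp so math.exp cannot overflow
    return 1.0 / (1.0 + math.exp(-z))


class MLP:
    """input -> sigmoid hidden layer -> single sigmoid output, trained by
    per-sample gradient descent on binary cross-entropy."""

    def __init__(self, n_in: int, n_hidden: int, seed: int = 0):
        rng = random.Random(seed)
        self.w1 = [[rng.uniform(-0.5, 0.5) for _ in range(n_in)] for _ in range(n_hidden)]
        self.b1 = [0.0] * n_hidden
        self.w2 = [rng.uniform(-0.5, 0.5) for _ in range(n_hidden)]
        self.b2 = 0.0

    def forward(self, x: Sequence[float]):
        h = [sigmoid(sum(w * v for w, v in zip(row, x)) + b) for row, b in zip(self.w1, self.b1)]
        return h, sigmoid(sum(w * v for w, v in zip(self.w2, h)) + self.b2)

    def train(self, xs, ys, epochs: int, lr: float) -> None:
        for _ in range(epochs):
            for x, y in zip(xs, ys):
                h, out = self.forward(x)
                d_out = out - y  # dBCE/dz for a sigmoid output unit
                for j, hj in enumerate(h):
                    d_h = d_out * self.w2[j] * hj * (1.0 - hj)  # uses w2 before it is updated
                    self.w2[j] -= lr * d_out * hj
                    self.b1[j] -= lr * d_h
                    for i, v in enumerate(x):
                        self.w1[j][i] -= lr * d_h * v
                self.b2 -= lr * d_out

    def predict(self, x: Sequence[float]) -> int:
        return int(self.forward(x)[1] >= 0.5)


def train_detector(pairs: int = 30, epochs: int = 200, seed: int = 1):
    """Fit scaler and network on constructed training windows; returns both."""
    xs, ys = make_dataset(pairs, seed)
    scaler = fit_scaler(xs)
    model = MLP(len(FEATURES), n_hidden=4)
    model.train([scale(x, scaler) for x in xs], ys, epochs, lr=0.1)
    return model, scaler


def accuracy(model: MLP, scaler, xs, ys) -> float:
    hits = sum(model.predict(scale(x, scaler)) == y for x, y in zip(xs, ys))
    return hits / len(xs)


if __name__ == "__main__":
    model, scaler = train_detector()
    test_x, test_y = make_dataset(20, seed=99)  # held-out constructed windows
    print(f"held-out accuracy: {accuracy(model, scaler, test_x, test_y):.2f}")
```

Two points a practitioner would check before trusting such a detector: evaluate on windows the network never trained on (the held-out set above stands in for that), and remember that a model trained only on one server's history learns that server's notion of normal, so a legitimate surge such as a flash crowd must be present in the training data as a negative example or it will be classified as an attack.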
Those of ordinary skill in the art will appreciate that all or part of the steps of the method embodiments above can be carried out by hardware under the control of a program. The program can be stored in a computer-readable storage medium and, when executed, performs the steps of the method embodiments above. The storage medium may be any medium capable of storing program code, such as a ROM, a RAM, a magnetic disk or an optical disc.
Finally, it should be noted that the embodiments above serve only to illustrate the technical solution of the present invention and are not intended to limit it. Although the present invention has been described in detail with reference to the preceding embodiments, those of ordinary skill in the art should understand that the technical solutions recorded in those embodiments can still be modified, or some of their technical features replaced by equivalents, without such modifications or replacements taking the essence of the resulting technical solution outside the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims (4)

1. A method for detecting a distributed denial-of-service attack, characterised in that it comprises:
obtaining the query log information recorded on a DNS server;
detecting, from the obtained query log information, whether a DDoS attack against the DNS server exists;
wherein detecting, from the obtained query log information, whether a DDoS attack against the DNS server exists comprises: detecting, based on a multi-layer perceptron neural network and the current query log information recorded on the DNS server, whether a DDoS attack against the DNS server exists;
and wherein, before detecting, based on the multi-layer perceptron neural network and the current query log information recorded on the DNS server, whether a DDoS attack against the DNS server exists, the method further comprises:
extracting, from all the query log information recorded on the DNS server, a feature vector reflecting DDoS attack characteristics;
training the multi-layer perceptron neural network on the extracted feature vector reflecting DDoS attack characteristics;
wherein extracting the feature vector reflecting DDoS attack characteristics comprises: extracting the feature vector reflecting DDoS attack characteristics at a preset time-interval granularity.
2. The method for detecting a distributed denial-of-service attack according to claim 1, characterised in that the multi-layer perceptron neural network comprises an input layer, a hidden layer and an output layer, wherein the input to the input layer is the feature vector reflecting DDoS attack characteristics.
3. The method for detecting a distributed denial-of-service attack according to claim 1, characterised in that the feature vector reflecting DDoS attack characteristics comprises at least one of the following:
the standard deviation of the query rate, the DNS query volume, the size of the IP address space, the size of the name space, the entropy of the number of queries whose source port is set to 53, the change in query record types, the proportion of recursive queries, and the average length of the queried domain names.
4. A device for detecting a distributed denial-of-service attack, characterised in that it comprises:
an information acquisition module for obtaining the query log information recorded on a DNS server;
a detection module for detecting, from the obtained query log information, whether a DDoS attack against the DNS server exists;
wherein the detection module is specifically for detecting, based on a multi-layer perceptron neural network and the current query log information recorded on the DNS server, whether a DDoS attack against the DNS server exists;
a feature vector extraction module for extracting, from all the query log information recorded on the DNS server, a feature vector reflecting DDoS attack characteristics;
a neural network training module for training the multi-layer perceptron neural network on the extracted feature vector reflecting DDoS attack characteristics;
wherein the feature vector extraction module is specifically for extracting, from all the query log information recorded on the DNS server, the feature vector reflecting DDoS attack characteristics at a preset time-interval granularity.
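The feature extraction of claims 1 and 3 (and of feature vector extraction module 3 in the second device embodiment), shown as an added example in plain Python with the standard library only; this is not the patent's code. The log line format, the 5-second window, and the precise definitions of two features are assumptions, since the page does not define them: the "entropy of the number of queries with source port 53" is taken here over the source IPs of those queries, and the "change in query record types" is taken as the total-variation distance between consecutive windows' record-type mixes. The sample log lines are constructed.

```python
"""Per-window DNS query-log feature extraction (added example, stdlib only)."""
import math
import statistics
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed log format (an assumption for this example, not the patent's):
# "<epoch_seconds> <src_ip> <src_port> <qname> <qtype> <rd>", rd=1 when the
# recursion-desired flag was set on the query.
BENIGN_LOG = [
    "1000 192.0.2.10 41234 www.example.com. A 1",
    "1000 192.0.2.11 50022 mail.example.com. MX 1",
    "1001 192.0.2.10 41235 example.com. AAAA 1",
    "1002 192.0.2.12 39001 ns1.example.com. A 1",
    "1003 192.0.2.13 53 example.com. ANY 0",
    "1004 192.0.2.11 50023 www.example.com. A 1",
]
# Constructed flood window: 20 distinct sources, all on source port 53, long
# unique names, type ANY, no RD flag, a flat 4 queries per second.
FLOOD_LOG = [
    f"{1005 + i % 5} 198.51.100.{i + 1} 53 {'q' * 20}{i:02d}.example.com. ANY 0"
    for i in range(20)
]


@dataclass
class Query:
    ts: int
    src_ip: str
    src_port: int
    qname: str
    qtype: str
    rd: bool


def parse_line(line: str) -> Optional[Query]:
    """Parse one log line; malformed lines yield None instead of aborting the run."""
    parts = line.split()
    if len(parts) != 6:
        return None
    try:
        return Query(int(parts[0]), parts[1], int(parts[2]), parts[3], parts[4], parts[5] == "1")
    except ValueError:
        return None


def shannon_entropy(counts: Iterable[int]) -> float:
    counts = list(counts)
    total = sum(counts)
    if total == 0:
        return 0.0
    return -sum(c / total * math.log2(c / total) for c in counts if c)


def qtype_change(prev: Counter, cur: Counter) -> float:
    """Total-variation distance between the record-type mixes of two windows (assumed definition)."""
    if not prev or not cur:
        return 0.0
    p_tot, c_tot = sum(prev.values()), sum(cur.values())
    return 0.5 * sum(abs(prev[k] / p_tot - cur[k] / c_tot) for k in set(prev) | set(cur))


def window_features(qs: List[Query], start: int, window_s: int, prev_qtypes: Counter) -> Dict[str, float]:
    """The eight features of claim 3, in the order the claim lists them."""
    per_second = Counter(q.ts for q in qs)
    rate_series = [per_second.get(start + i, 0) for i in range(window_s)]
    # Assumed reading of the claim: entropy of source-port-53 queries over their source IPs.
    port53_by_ip = Counter(q.src_ip for q in qs if q.src_port == 53)
    return {
        "query_rate_std": statistics.pstdev(rate_series),
        "query_volume": float(len(qs)),
        "ip_space": float(len({q.src_ip for q in qs})),
        "name_space": float(len({q.qname for q in qs})),
        "port53_entropy": shannon_entropy(port53_by_ip.values()),
        "qtype_change": qtype_change(prev_qtypes, Counter(q.qtype for q in qs)),
        "recursive_ratio": sum(q.rd for q in qs) / len(qs),
        "avg_qname_len": statistics.fmean([len(q.qname) for q in qs]),
    }


def extract_feature_vectors(lines: List[str], window_s: int) -> List[Tuple[int, Dict[str, float]]]:
    """Bucket queries into fixed windows (the preset time granularity) and featurize each window."""
    by_window = defaultdict(list)
    for q in filter(None, map(parse_line, lines)):
        by_window[q.ts - q.ts % window_s].append(q)
    vectors, prev_qtypes = [], Counter()
    for start in sorted(by_window):
        qs = by_window[start]
        vectors.append((start, window_features(qs, start, window_s, prev_qtypes)))
        prev_qtypes = Counter(q.qtype for q in qs)
    return vectors


if __name__ == "__main__":
    for start, fv in extract_feature_vectors(BENIGN_LOG + FLOOD_LOG, window_s=5):
        print(start, {k: round(v, 3) for k, v in fv.items()})
```

The constructed flood window shows the signature these features are meant to expose when compared with the benign window before it: volume up, per-second rate flat (a scripted flood is steadier than human traffic), address and name space blown up, every source on port 53, no RD bit, and a complete shift in record type. A caveat worth keeping in mind: a flash crowd also raises volume and IP space, so no single feature should be thresholded on its own; the combination is what the classifier is given to learn.
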
CN201010129304.XA 2010-03-19 2010-03-19 Method and device for detecting distributed denial-of-service attack Active CN101841533B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201010129304.XA CN101841533B (en) 2010-03-19 2010-03-19 Method and device for detecting distributed denial-of-service attack

Publications (2)

Publication Number Publication Date
CN101841533A CN101841533A (en) 2010-09-22
CN101841533B true CN101841533B (en) 2014-04-09

Family

ID=42744657

Country Status (1)

Country Link
CN (1) CN101841533B (en)

Families Citing this family (17)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102164135B (en) * 2011-04-14 2014-02-19 上海红神信息技术有限公司 Device and method for defending prepositioned reconfigurable DDoS (distributed denial of service) attack
CN103139166A (en) * 2011-11-30 2013-06-05 中国民航大学 Low-rate denial of service (LDoS) attack detection method based on small signal detection theory
CN102624716B (en) * 2012-03-01 2014-08-06 上海交通大学 Prevention method and device for domain name system (DNS) denial of service
CN103001825B (en) * 2012-11-15 2016-03-02 中国科学院计算机网络信息中心 The detection method of DNS Traffic Anomaly and system
CN103152442B (en) * 2013-01-31 2016-06-01 中国科学院计算机网络信息中心 A kind of detection and treatment method of corpse domain names and system
CN103905456B (en) * 2014-04-08 2017-02-15 上海交通大学 DNS inverse solution attack detecting method based on entropy model
CN103916406B (en) * 2014-04-25 2017-10-03 上海交通大学 A kind of APT attack detection methods based on DNS log analysis
CN104202336A (en) * 2014-09-22 2014-12-10 浪潮电子信息产业股份有限公司 DDoS (distributed denial of service) attach detection method based on information entropy
CN104486141B (en) * 2014-11-26 2018-10-23 国家电网公司 A kind of network security situation prediction method that wrong report is adaptive
CN105306618B (en) * 2015-09-25 2018-09-25 互联网域名系统北京市工程研究中心有限公司 The method and device of ddos attack is asked in automatic defense dns resolution
CN106060008B (en) * 2016-05-10 2019-11-19 中国人民解放军61599部队计算所 A kind of network intrusions method for detecting abnormality
CN106911669B (en) * 2017-01-10 2020-04-28 浙江工商大学 DDOS detection method based on deep learning
CN108737344B (en) * 2017-04-20 2021-08-24 腾讯科技(深圳)有限公司 Network attack protection method and device
CN108768917B (en) * 2017-08-23 2021-05-11 长安通信科技有限责任公司 Botnet detection method and system based on weblog
CN107404496A (en) * 2017-09-05 2017-11-28 成都知道创宇信息技术有限公司 A kind of ddos attack defence and source tracing method based on HTTP DNS
CN111988421B (en) * 2020-08-28 2021-04-16 清华大学 Method and system for recording DDoS attack log abstract based on block chain
CN115001845B (en) * 2022-06-28 2024-02-02 天翼数字生活科技有限公司 DNS (Domain name System) safety protection method and system in home gateway

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1466343A (en) * 2002-06-12 2004-01-07 华为技术有限公司 Method for realizing domain name system address convertion applied gateway based on inner server
CN101399658A (en) * 2007-09-24 2009-04-01 北京启明星辰信息技术有限公司 Safe log analyzing method and system

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7093294B2 (en) * 2001-10-31 2006-08-15 International Business Machines Corporation System and method for detecting and controlling a drone implanted in a network attached device such as a computer

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20210302

Address after: 100190 room 506, building 2, courtyard 4, South 4th Street, Zhongguancun, Haidian District, Beijing

Patentee after: CHINA INTERNET NETWORK INFORMATION CENTER

Address before: 100190 No. four, four South Street, Haidian District, Beijing, Zhongguancun

Patentee before: Computer Network Information Center, Chinese Academy of Sciences