CN102769549A - Network security monitoring method and device - Google Patents


Info

Publication number
CN102769549A
Authority
CN
China
Prior art keywords
terminal use
monitoring period
request
request number
triggers
Prior art date
Legal status
Granted
Application number
CN201110115158XA
Other languages
Chinese (zh)
Other versions
CN102769549B (en)
Inventor
梁可结
张富春
张红梅
Current Assignee
Yunnan Tengyun Information Industry Co.,Ltd.
Original Assignee
Tencent Technology Shenzhen Co Ltd
Application filed by Tencent Technology Shenzhen Co Ltd
Priority to CN201110115158.XA (CN102769549B)
Publication of CN102769549A
Application granted
Publication of CN102769549B
Legal status: Active

Abstract

The invention discloses a network security monitoring method and device in the field of the Internet. The method comprises: acquiring the request information of an end user; calculating the number of requests in the monitoring period before any trigger time; judging whether the number of requests exceeds a preset access limit; and, if so, issuing a blocking message and refusing the end user's subsequent requests for a preset time. Because the number of requests in the monitoring period before any trigger time can be calculated, the target of a malicious attack can be judged accurately and blocked, protecting the core data of the network resource.

Description

Method and apparatus for network security monitoring
Technical field
The present invention relates to the Internet field, in particular to a method and apparatus for network security monitoring.
Background technology
With the development of Web (Internet) services, more and more users take part in network activities, and the Web 2.0 concept put forward in recent years stresses user participation in particular. At the same time, the party providing the Web service bears more and more network threats from different directions. Among these, malicious requests are an attack that must be guarded against, since they bear on the protection of core data. Under a massive volume of requests, a scheme for limiting access by different users is needed that can efficiently find malicious users and impose appropriate limits on them while leaving normal users undisturbed.
The prior-art scheme for restricting user access is as follows: among the requests received within a certain time (say T minutes), those exceeding a set frequency are blocked by means of a blacklist. Concretely, the 24 hours of each day are divided into a number of periods of T minutes each, and the number of requests received in each period is counted. For a Web service every request corresponds to a requested url (Uniform/Universal Resource Locator), so the server receiving the request counts directly by the requested url or by the requesting ip (Internet Protocol address) and judges whether this count has exceeded a preset number of requests; if it has, the user is placed on a blacklist and the user's requests are limited for a certain time.
After analysing the prior art, the inventors found that it has at least the following drawback: because statistics are only taken per fixed period, a hacker can probe the limit of each counting period and keep every period's request count below the limit while sending a small number of requests continuously. Seen from the count alone nothing looks wrong, yet in aggregate the core data can still be lost. For example, if the operations of a given ip+url are limited to no more than N in T_lim minutes, but in each interval shorter than T_lim the attacker makes M requests (1 to N-1), then (24*60/T_lim)*M records can be pulled every day. If T_lim is set too low, the server has to run its detection more often, which affects server performance and also raises the false-positive rate; if T_lim is set too high, detection accuracy drops and it becomes difficult to distinguish normal from malicious operation.
Summary of the invention
To solve the problems of the prior art, the embodiments of the invention provide a method and apparatus for network security monitoring. The technical scheme is as follows:
In one aspect, a method of network security monitoring is provided, the method comprising:
obtaining the request information of an end user;
calculating the end user's number of requests in the monitoring period T_w before any trigger time T;
judging whether the number of requests exceeds a preset access limit;
if so, issuing a blocking message and refusing the end user's subsequent requests for a preset time.
Calculating the end user's number of requests in the monitoring period T_w before any trigger time T comprises:
according to the end user's request information, obtaining the record entry corresponding to that request information, the record entry comprising the monitoring period T_w, the last update time T_last and a circular array, the circular array storing the end user's access counts in the monitoring period before the last update time;
according to any trigger time T and T_last, calculating the end user's number of requests in the monitoring period T_w before that trigger time T.
Calculating, according to any trigger time T and T_last, the end user's number of requests in the monitoring period T_w before that trigger time T comprises:
calculating the difference between the trigger time T and T_last to obtain the interval T' between the time T_last and the trigger time T;
judging whether T' is less than or equal to the monitoring period T_w;
if so, then according to
Figure BDA0000059312180000021
obtaining the end user's number of requests in the monitoring period T_w before the trigger time T, where A is the circular array and i is a natural number;
otherwise, judging whether T' is greater than or equal to 2T_w;
if so, clearing the circular array data and recording the end user's number of requests in the monitoring period T_w before the trigger time T as zero;
otherwise, according to
Figure BDA0000059312180000022
obtaining the end user's number of requests in the monitoring period T_w before the trigger time T.
Before obtaining the record entry corresponding to the end user's request information, the method further comprises:
judging whether a record entry corresponding to the request information exists in the cache;
if so, continuing with the steps; otherwise, creating a new record entry for the request information and zeroing its circular array.
Different monitoring periods are set for different monitored items, together with an access limit for each monitoring period, and the method further comprises:
counting the end user's requests in each of the different monitoring periods;
judging whether the end user's number of requests in a monitoring period exceeds the access limit of the monitored item;
if so, issuing a blocking message according to the blocking policy triggered by the end user, and refusing the end user's subsequent requests for a preset time.
The different monitored item types comprise:
the end user's requests by ip and url, or the end user's requests by uin and url, or the end user's requests by url.
In another aspect, an apparatus for network security monitoring is provided, the apparatus comprising:
an acquisition module for obtaining the request information of an end user;
a computing module for calculating the end user's number of requests in the monitoring period T_w before any trigger time T;
a first judging module for judging whether the number of requests exceeds a preset access limit and, if so, issuing a blocking message and refusing the end user's subsequent requests for a preset time.
The computing module comprises:
an acquiring unit for obtaining, according to the end user's request information, the record entry corresponding to that request information, the record entry comprising the monitoring period T_w, the last update time T_last and a circular array, the circular array storing the end user's access counts in the monitoring period before the last update time;
a computing unit for calculating, according to any trigger time T and T_last, the end user's number of requests in the monitoring period T_w before that trigger time T.
The computing unit is specifically used to:
calculate the difference between the trigger time T and T_last to obtain the interval T' between the time T_last and the trigger time T;
judge whether T' is less than or equal to the monitoring period T_w;
if so, then according to
Figure BDA0000059312180000041
obtain the end user's number of requests in the monitoring period T_w before the trigger time T, where A is the circular array and i is a natural number;
otherwise, judge whether T' is greater than or equal to 2T_w;
if so, clear the circular array data and record the end user's number of requests in the monitoring period T_w before the trigger time T as zero;
otherwise, according to
Figure BDA0000059312180000042
obtain the end user's number of requests in the monitoring period T_w before the trigger time T.
The apparatus further comprises:
a second judging module for judging, before the acquiring unit obtains the record entry corresponding to the end user's request information, whether a record entry corresponding to the request information exists in the cache; if so, continuing with the steps; otherwise, creating a new record entry for the request information and zeroing its circular array.
The apparatus further comprises:
a multi-dimensional monitoring module for setting different monitoring periods for different monitored items and an access limit for each monitoring period, counting the end user's requests in each of the different monitoring periods, judging whether the end user's number of requests in a monitoring period exceeds the access limit of the monitored item and, if so, issuing a blocking message according to the blocking policy triggered by the end user and refusing all of the end user's subsequent requests for a preset time.
The apparatus further comprises:
a hypertext link extraction module for capturing HTTP packets directly from the network interface card in bypass mode, processing the HTTP packets and sending the processed result to the acquisition module.
Because the technical scheme provided by the embodiments of the invention calculates the number of requests in the monitoring period before any trigger time, the target of a malicious attack can be judged accurately and blocked, thereby protecting the core data of the network resource.
Description of the drawings
To explain the embodiments of the invention or the prior-art technical scheme more clearly, the drawings needed for describing the embodiments or the prior art are introduced briefly below. Obviously, the drawings described below are only some embodiments of the invention, and those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow chart of the network security monitoring method provided by embodiment 1 of the invention;
Fig. 2 is a flow chart of the network security monitoring method provided by embodiment 2 of the invention;
Fig. 3 shows a circular array provided by embodiment 2 of the invention;
Fig. 4 is a schematic diagram of the network security monitoring apparatus provided by embodiment 3 of the invention;
Fig. 5 is a schematic diagram of another network security monitoring apparatus provided by embodiment 3 of the invention.
Embodiment
To make the objects, technical scheme and advantages of the invention clearer, the embodiments of the invention are described in further detail below with reference to the drawings.
Before introducing the network security monitoring method provided by the invention, the basic knowledge it relies on is introduced briefly:
Memcache: a high-performance distributed memory object caching system. By maintaining one huge unified hash table in memory, it can store data of various forms, including images, video, files and the results of database queries. Its cache is distributed, so many users on different hosts can access the caching system at the same time; this overcomes the drawback that shared memory is confined to a single machine, and its greatest advantage is faster access to data.
Embodiment 1
Referring to Fig. 1, an embodiment of the invention provides a network security monitoring method comprising:
Step 101: obtain the request information of the end user;
Step 102: calculate the end user's number of requests in the monitoring period T_w before any trigger time T;
Step 103: judge whether the number of requests exceeds the preset access limit; if so, issue a blocking message and refuse the end user's subsequent requests for a preset time.
Calculating the number of requests in the monitoring period T_w before any trigger time T comprises:
according to the end user's request information, obtaining the record entry corresponding to the request information, the record entry comprising the monitoring period T_w, the last update time T_last and a circular array, the circular array storing the end user's access counts in the monitoring period before the last update time;
according to any trigger time T and T_last, calculating the number of requests in the monitoring period T_w before the trigger time T.
In this embodiment, calculating the number of requests in the monitoring period T_w before any trigger time T according to T and T_last comprises:
calculating the difference between T and T_last to obtain the interval T' between the request at time T_last and the request at time T;
judging whether T' is less than or equal to T_w;
if so, then according to
Figure BDA0000059312180000061
obtaining the number of requests in the T_w before T, where A is the circular array and i is a natural number;
otherwise, judging whether T' is greater than or equal to 2T_w;
if so, clearing the circular array data and recording the number of requests in the monitoring period T_w before the trigger time T as zero;
otherwise, according to
Figure BDA0000059312180000062
obtaining the number of requests in the monitoring period T_w before the trigger time T.
Optionally, in this embodiment, before obtaining the record entry corresponding to the request information according to the end user's request information, the method further comprises:
judging whether a record entry corresponding to the request information exists in the cache;
if so, continuing with the steps; otherwise, creating a new record entry for the request information and zeroing its circular array.
In this embodiment, the method further comprises:
setting different monitoring periods for different monitored items, and setting an access limit for each monitoring period;
counting the end user's requests in the different monitoring periods;
judging whether the end user's number of requests in a monitoring period exceeds the access limit of the monitored item;
if so, issuing a blocking message according to the blocking policy triggered by the end user, and refusing all of the end user's subsequent requests for a preset time.
The different monitored items comprise:
the end user's requests by ip and url, or the end user's requests by uin and url, or the end user's requests by url.
Because the technical scheme provided by the embodiments of the invention calculates the number of requests in the monitoring period before any trigger time, the target of a malicious attack can be judged accurately and blocked, thereby protecting the core data of the network resource.
Embodiment 2
Referring to Fig. 2, an embodiment of the invention provides a network security monitoring method comprising:
Step 201: the statistics server obtains the end user's request information.
In this embodiment an HttpDump Server (hypertext link extraction module) is deployed on every server that receives user requests; it captures HTTP packets directly from the network interface card in bypass mode, so that every url requested of the server, legitimate or not, can be detected. By monitoring the three rule types ip+url, uin+url and url at the same time, this embodiment avoids the drawback of counting by ip alone and reduces false reports as far as possible (this is not reflected in the claims). Here uin is a user number identifier, for example the user number of Tencent QQ software: a number of more than five digits that serves as the user's unique identity, by which all services distinguish different users. The HttpDump Server forms the captured request data into a triple <uin, ip, url> and forwards it to a UDPProxy Server (proxy server), which in turn forwards it to the StatisticServer (statistics server).
When the statistics server starts it reads in the policy configuration file, and it also picks up updates to the configuration file in time. The policy rules in the policy configuration file can be described with the following definition:
<rule name, url, monitoring period, access limit, limit time, block type>
Rule name: identifies the configured policy rule and is used to look the rule up.
Url: the exact link address requested by the user.
Monitoring period / access limit: within the monitoring period the number of accesses may not exceed the access limit, otherwise the rule is triggered.
Limit time: after the rule is triggered, blocking is enforced for the configured limit time; during that time the same request from the same user is rejected.
Block type: the type of blocking enforced after the rule is triggered; the front end returns a response to the user according to the block type.
Step 202: judge whether a record entry corresponding to the request information exists in the cache; if so, obtain the record entry and go to step 203; otherwise create a new record entry for the request information and zero its circular array.
In this embodiment a record entry stored in key/value form is set up for each url request, as shown in Table 1:
Table 1
Figure BDA0000059312180000081
The record entry comprises the monitoring period, the last update time and the circular array. The monitoring period sets the statistical monitoring period for this record's count according to the monitoring period policy of the multi-dimensional monitoring table introduced in Table 1; the last update time is the time at which the record was last updated; and the circular array records the number of requests in the monitoring period before the last update time. The core counting method of this embodiment is to use a circular array A in the manner of a sliding window to calculate the total number of requests in the most recent monitoring period. In the circular array shown in Fig. 3, the user's request counts collected in the preset time are stored in consecutive cells of the array in clockwise order; in Fig. 3 the access count of each minute is stored clockwise in successive cells of the circular array, for example 16 accesses in the first minute and 34 in the second. How many cells the circular array is divided into depends on the monitoring period and the specific requirements, and the embodiments of the invention do not limit this.
In this embodiment all statistics are kept in memcache, so that statistics servers deployed on many machines can share the information rather than being confined to local access, and the system can be scaled out easily so that a cluster can count the requests of a massive user base.
If a record entry of this request type exists in the cache, it is obtained; if no corresponding record entry is found in the cache, a new entry structure is created for the request information, its circular array is set to 0, and it is stored in the cache. New record entries are created according to the policy configuration file: different request types, such as ip, url or ip+url, can be chosen as the key in the cache, and different monitoring periods are set according to the request type chosen.
Step 203: the statistics server calculates the number of requests in the monitoring period T_w before any trigger time T.
In this embodiment, after a certain url request from the user is received at any trigger time T, the corresponding record entry is first obtained from the cache; in this embodiment the last update time in the record is T_last, the monitoring period is T_w and the circular array is A.
According to the last update time T_last in the record entry and T, the number of requests in the T_w minutes before T is calculated. Concretely:
1) calculate the difference between T and T_last to obtain the interval T' between time T_last and time T;
2) judge whether T' is less than or equal to T_w;
3) if so, starting from index (T' - 1 + T_w) mod T_w, obtain the number of requests in the monitoring period before T according to the corresponding formula, where A is the circular array and i is a natural number; otherwise, judge whether T' is greater than or equal to 2T_w;
4) if so, clear the circular array data, record the number of requests in the monitoring period before T as zero and start counting again; otherwise, obtain the number of requests in the monitoring period before T according to
Figure BDA0000059312180000092
Step 204: judge whether the number of requests exceeds the preset access limit; if so, go to step 205; otherwise return to step 201.
In this embodiment an access limit is set for each request type in order to monitor whether that request type triggers a blocking rule; if no blocking rule is triggered, return to step 201 and continue counting the next request.
Step 205: issue a blocking message and refuse all of the end user's subsequent requests for a preset time.
In this embodiment, when a policy rule that triggers blocking is detected, the relevant blocking information is sent to the Block Server (blocking module). The Block Server also has to be deployed on every server that accepts user requests. On receiving a blocking message, the Block Server writes the uin/ip of the user to be blocked into shared memory. In this way the other business services deployed on the same server, on receiving each user request, look up the shared memory to judge whether this user's uin/ip is blocked, and so decide whether to continue serving or to deny service. Optionally, a block ends automatically once the limit time carried in the issued blocking information has expired.
Optionally, in this embodiment different monitoring periods are set for different monitored items, together with an access limit for each monitoring period; the end user's requests are counted in each of the different monitoring periods, and whether the end user's number of requests in a monitoring period exceeds the access limit of the request type is judged; if so, a blocking message is issued according to the blocking policy triggered by the end user, and all of the end user's subsequent requests are refused for a preset time. Concretely, multi-dimensional monitoring can be provided according to the needs of different services, as shown in Table 2:
Table 2
Figure BDA0000059312180000101
For the three rule types ip+url, uin+url and url, different monitoring period points are configured (10 minutes, 60 minutes and 1440 minutes; the monitoring periods can be configured flexibly through the policy configuration file), and a corresponding access limit is set for each combination type. As soon as a user's request triggers any one control point, a blocking message is issued immediately to the Block Server and the user's subsequent requests are refused for the limit time, thus achieving the purpose of limiting malicious requests. Because policy-table matching is used, the policy for different monitored items can also be adjusted flexibly, giving comprehensive and accurate frequency limiting.
The beneficial effect of the technical scheme provided by the embodiments of the invention is that, by calculating the number of requests in the monitoring period before any trigger time, the target of a malicious attack can be judged accurately; different policies can be configured for different types, so that network users are monitored in several dimensions, malicious users are detected and blocked, and the core data of the network resource is protected.
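As an added illustration of embodiment 2 (not the patent's own code): a Python model of the record entry with its circular per-minute array, the T' = T - T_last sliding-window count of step 203, and the multi-dimensional rules of Table 2 (ip+url, uin+url and url over 10, 60 and 1440 minutes) with the Block Server's limit time. The summation formulas in the patent's figures are not visible on this page, so the example assumes the window is the T_w one-minute cells ending at the trigger minute, under which both the T_w < T' < 2T_w case and the T' >= 2T_w case reduce to clearing the array; the rule names, url, limits and traffic are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Rule:
    """One policy line: <rule name, url, monitoring period, access limit, limit time, block type>."""
    name: str
    url: str
    key_type: str       # "ip+url", "uin+url" or "url": the three monitored item types
    t_w: int            # monitoring period in minutes
    limit: int          # access upper limit within the monitoring period
    block_minutes: int  # limit time: how long subsequent requests are refused
    block_type: str     # what the front end returns to a blocked user


@dataclass
class Record:
    """The cached record entry: monitoring period, circular array, last update time."""
    t_w: int
    a: List[int]        # one cell per minute of the window
    t_last: int = -1    # minute of the last update, -1 if never written


def count_before(rec: Record, t: int) -> int:
    """Requests in the T_w one-minute cells ending at trigger minute t.
    Assumption: t never goes backwards relative to rec.t_last."""
    if rec.t_last < 0:
        return 0
    gap = t - rec.t_last                                  # T' in the patent
    if gap >= rec.t_w:
        rec.a = [0] * rec.t_w                             # every cell has aged out: clear, restart
        return 0
    # cells for minutes (t_last, t] still hold counts from one rotation earlier: zero them
    for m in range(rec.t_last + 1, t + 1):
        rec.a[m % rec.t_w] = 0
    return sum(rec.a)


def record_request(rec: Record, t: int) -> int:
    """Account one request at minute t and return the window total including it."""
    total = count_before(rec, t)
    rec.a[t % rec.t_w] += 1
    rec.t_last = t
    return total + 1


class Limiter:
    """Statistics server plus Block Server; dicts stand in for memcache and shared memory."""
    def __init__(self, rules: List[Rule]) -> None:
        self.rules = rules
        self.cache: Dict[Tuple[str, str], Record] = {}
        self.blocked: Dict[str, int] = {}                 # uin or ip -> minute the block expires

    @staticmethod
    def key_for(rule: Rule, uin: str, ip: str, url: str) -> str:
        if rule.key_type == "ip+url":
            return f"{ip}|{url}"
        if rule.key_type == "uin+url":
            return f"{uin}|{url}"
        return url

    def handle(self, t: int, uin: str, ip: str, url: str) -> Tuple[str, Optional[str]]:
        """Process one <uin, ip, url> triple at minute t; returns ("refused", None) while a
        block is active, ("blocked", rule name) when this request trips a rule, else ("allow", None)."""
        if any(self.blocked.get(ident, -1) > t for ident in (uin, ip)):
            return ("refused", None)
        triggered: Optional[Rule] = None
        for rule in self.rules:                           # every matching dimension is counted
            if rule.url != url:
                continue
            key = (rule.name, self.key_for(rule, uin, ip, url))
            rec = self.cache.setdefault(key, Record(rule.t_w, [0] * rule.t_w))  # step 202
            n = record_request(rec, t)                    # step 203
            if n > rule.limit and triggered is None:      # step 204: any control point trips
                triggered = rule
        if triggered is None:
            return ("allow", None)
        # step 205: the patent writes the user's uin/ip to shared memory; both are recorded here
        for ident in (uin, ip):
            self.blocked[ident] = t + triggered.block_minutes
        return ("blocked", triggered.name)


def simulate() -> Tuple[Dict[str, int], Optional[Tuple[int, str]]]:
    """Constructed traffic: one uin sends 4 requests per 10 minutes for two hours, staying
    under the 10-minute limit of 5 but reaching 21 within an hour, over the 60-minute limit."""
    rules = [                                             # windows as in Table 2: 10 / 60 / 1440 min
        Rule("ip+url/10m", "/api/export", "ip+url", 10, 5, 30, "403"),
        Rule("uin+url/60m", "/api/export", "uin+url", 60, 20, 60, "captcha"),
        Rule("url/1440m", "/api/export", "url", 1440, 1000, 10, "503"),
    ]
    limiter = Limiter(rules)
    outcome = {"allow": 0, "blocked": 0, "refused": 0}
    first_block = None
    for minute in range(120):
        if minute % 10 in (0, 2, 4, 6):
            status, name = limiter.handle(minute, "12345", "10.0.0.7", "/api/export")
            outcome[status] += 1
            if status == "blocked" and first_block is None:
                first_block = (minute, name)
    return outcome, first_block
```

The simulated user stays under the 10-minute limit yet is caught by the 60-minute window at minute 50, which is the aggregate-leak scenario the background section describes.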
Embodiment 3
Referring to Fig. 4, the embodiment of the invention provides a kind of device of network security monitoring, comprising: acquisition module 301, computing module 302, first judge module 303.
Acquisition module 301 is used to obtain terminal use's solicited message;
Computing module 302 is used to calculate and is triggering T monitoring period T before constantly arbitrarily wInterior terminal use's request number of times;
First judge module 303 is used to judge whether request number of times surpasses the preset visit upper limit; If then issue shutoff message, refusal terminal use's subsequent request in Preset Time.
Referring to Fig. 5, in the present embodiment, computing module 302 comprises:
Acquiring unit 302a is used for the solicited message according to the terminal use, obtains the corresponding record item of solicited message, and the record item comprises, monitoring period T w, the final updating time T LastWith the circulation array, the circulation array is used to store the terminal use's in monitoring period of final updating times prior access times;
Computing unit 302b is used for according to triggering T and T constantly arbitrarily Last, calculate and triggering T monitoring period T before constantly arbitrarily wInterior terminal use's request number of times.
Wherein, computing unit specifically is used for:
Calculate and trigger T and T constantly arbitrarily LastDifference, obtain T LastT ' blanking time between the request of request constantly and any triggering moment T;
Judge that whether T ' is smaller or equal to monitoring period T w
If, basis then
Figure BDA0000059312180000111
Obtain T monitoring period T before wInterior terminal use's request number of times, wherein A is the circulation array, i is a natural number;
Otherwise, judge that whether T ' is more than or equal to 2T w
If then empty loop-around data, with triggering T monitoring period T before constantly arbitrarily wInterior terminal use's request number of times is designated as zero;
Otherwise, according to
Figure BDA0000059312180000112
Triggered T monitoring period T before constantly arbitrarily wInterior terminal use's request number of times.
Referring to Fig. 5, the device in this embodiment further comprises:
Second judging module 304, used, before the acquiring unit obtains the record entry corresponding to the request information according to the end user's request information, to judge whether a record entry corresponding to the request information exists in the cache; if so, to continue with the subsequent step; otherwise, to create a new record entry for the request information and zero the circular array.
Referring to Fig. 5, the device in this embodiment further comprises:
Multi-dimensional monitoring module 305, used to set different monitoring periods for different monitored items and set the access limit of each monitoring period; to count the end user's request count in each of the different monitoring periods; to judge whether the end user's request count exceeds the access limit of the monitored item within the monitoring period; and, if so, to trigger the blocking policy to issue a blocking message according to the end user, refusing all of the end user's subsequent requests within a preset time.
Referring to Fig. 5, the device in this embodiment further comprises:
Hypertext link extraction module 306, used to capture HTTP packets directly from the network interface card in bypass mode, process the HTTP packets, and send the processed result to the acquisition module.
The technical scheme provided by the embodiment of the invention calculates the request count within the monitoring period before any trigger moment, so that the object of a malicious attack can be judged accurately and blocked, thereby protecting the core data of the network resource.
The device provided by this embodiment belongs to the same concept as the method embodiment; its specific implementation process is detailed in the method embodiment and is not repeated here.
All or part of the technical scheme provided by the embodiment of the invention can be accomplished by a program instructing the relevant hardware; the program can be stored in a readable storage medium, which includes: ROM, RAM, magnetic disk, optical disk or other media able to store program code.
The above is merely a preferred embodiment of the invention and is not intended to limit the invention; any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the invention shall be included within the protection scope of the invention.
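The sliding-window counting and multi-dimensional blocking described above, as an added example that is not the patent's own code: the two summation formulas are images absent from this page, so the slot arithmetic (one counter slot per time unit, T_w slots, index = moment mod T_w, slots elapsed since T_last zeroed before summing) is this example's assumption, and the monitored-item periods, limits and block times are constructed sample values.

```python
"""Sliding-window request counting with a circular array, following the three
T' branches described above. Added example, not the patent's own code: the two
summation formulas are images absent from this page, so the slot arithmetic here
(one slot per time unit, T_w slots, index = moment mod T_w) is an assumption."""
from dataclasses import dataclass, field


@dataclass
class RecordItem:
    """One cached record: monitoring period T_w, last update T_last, circular array A."""
    t_w: int
    t_last: int
    a: list = field(default_factory=list)

    def __post_init__(self):
        if not self.a:
            self.a = [0] * self.t_w  # a new record starts with the circular array zeroed

    def count(self, t: int) -> int:
        """Request count in the T_w units before trigger moment t, with T' = t - T_last."""
        gap = t - self.t_last
        if gap >= 2 * self.t_w:
            self.a = [0] * self.t_w  # T' >= 2T_w: every slot is stale, empty the array
        elif gap > 0:
            # T' <= T_w (and the T_w < T' < 2T_w case): the slots that elapsed since
            # T_last hold data older than T_w, so zero them before summing (assumption)
            for u in range(self.t_last + 1, self.t_last + min(gap, self.t_w) + 1):
                self.a[u % self.t_w] = 0
        self.t_last = max(self.t_last, t)  # out-of-order moments do not move T_last back
        return sum(self.a)

    def record(self, t: int) -> int:
        """Count the request at moment t and return the window total including it."""
        total = self.count(t)
        self.a[t % self.t_w] += 1
        return total + 1


@dataclass
class Monitor:
    """One monitored item: its T_w, access limit and preset block time, keyed per user."""
    t_w: int
    limit: int
    block_time: int
    records: dict = field(default_factory=dict)
    blocked_until: dict = field(default_factory=dict)

    def check(self, key, t: int) -> bool:
        """True if the request at moment t is accepted, False if it is refused."""
        if self.blocked_until.get(key, -1) > t:
            return False  # still inside the preset time of an earlier blocking message
        rec = self.records.get(key)
        if rec is None:  # no record in the cache: create one with a zeroed array
            rec = self.records[key] = RecordItem(self.t_w, t)
        if rec.record(t) > self.limit:  # over the access limit: issue a block
            self.blocked_until[key] = t + self.block_time
            return False
        return True


def build_monitors() -> dict:
    """Multi-dimensional monitoring over the three monitored items named in claim 6
    (ip+url, uin+url, url); periods, limits and block times are constructed values."""
    return {
        "ip+url": (Monitor(10, 5, 60), lambda r: (r["ip"], r["url"])),
        "uin+url": (Monitor(60, 20, 300), lambda r: (r["uin"], r["url"])),
        "url": (Monitor(1, 100, 30), lambda r: r["url"]),
    }


def handle(monitors: dict, req: dict) -> bool:
    """Run one request through every monitored item; a hit on any of them refuses it."""
    results = [m.check(key_of(req), req["t"]) for m, key_of in monitors.values()]
    return all(results)
```

Each request dict carries ip, uin, url and the moment t; the ip+url item above admits five requests per ten time units before the blocking message refuses the client for sixty units.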

Claims (12)

1. A network security monitoring method, characterized in that the method comprises:
obtaining an end user's request information;
calculating the end user's request count within a monitoring period T_w before an arbitrary trigger moment T;
judging whether the request count exceeds a preset access limit;
if so, issuing a blocking message and refusing the end user's subsequent requests within a preset time.
2. The method according to claim 1, characterized in that calculating the end user's request count within the monitoring period T_w before the arbitrary trigger moment T specifically comprises:
according to the end user's request information, obtaining the record entry corresponding to the request information, the record entry comprising the monitoring period T_w, the last update time T_last and a circular array, the circular array being used to store the end user's access counts within the monitoring period T_w before the last update time T_last;
according to the arbitrary trigger moment T and the last update time T_last, calculating the end user's request count within the monitoring period T_w before the arbitrary trigger moment T.
3. The method according to claim 2, characterized in that calculating, according to the arbitrary trigger moment T and the last update time T_last, the end user's request count within the monitoring period T_w before the arbitrary trigger moment T comprises:
calculating the difference between the arbitrary trigger moment T and the last update time T_last to obtain the interval T' between T_last and T;
judging whether T' is less than or equal to T_w;
if so, according to
Figure FDA0000059312170000011
obtaining the end user's request count within the monitoring period T_w before the arbitrary trigger moment T, where A is the circular array and i is a natural number;
otherwise, judging whether T' is greater than or equal to 2T_w;
if so, clearing the circular array and recording the end user's request count within the monitoring period T_w before the arbitrary trigger moment T as zero;
otherwise, according to
Figure FDA0000059312170000012
obtaining the end user's request count within the monitoring period T_w before the arbitrary trigger moment T.
4. The method according to claim 2, characterized in that, before obtaining the record entry corresponding to the request information according to the end user's request information, the method further comprises:
judging whether a record entry corresponding to the request information exists in the cache;
if so, continuing with the subsequent step; otherwise, creating a new record entry for the request information and zeroing the circular array.
5. The method according to claim 1, characterized in that the method further comprises:
setting different monitoring periods for different monitored items, and setting the access limit of each monitoring period;
counting the end user's request count in each of the different monitoring periods respectively;
judging whether the end user's request count exceeds the access limit of the monitored item within the monitoring period;
if so, issuing a blocking message and refusing the end user's subsequent requests within a preset time.
6. The method according to claim 5, characterized in that the different monitored items comprise:
requests by the end user through the Internet Protocol address ip and the uniform resource locator url, requests by the end user through the user identification code uin and url, or requests by the end user through url.
7. A network security monitoring device, characterized in that the device comprises:
an acquisition module, used to obtain an end user's request information;
a computing module, used to calculate the end user's request count within a monitoring period T_w before an arbitrary trigger moment T;
a first judging module, used to judge whether the request count exceeds a preset access limit and, if so, to issue a blocking message and refuse the end user's subsequent requests within a preset time.
8. The device according to claim 7, characterized in that the computing module comprises:
an acquiring unit, used to obtain, according to the end user's request information, the record entry corresponding to the request information, the record entry comprising the monitoring period T_w, the last update time T_last and a circular array, the circular array being used to store the end user's access counts within the monitoring period before the last update time;
a computing unit, used to calculate, according to the arbitrary trigger moment T and T_last, the end user's request count within the monitoring period T_w before the arbitrary trigger moment T.
9. The device according to claim 8, characterized in that the computing unit is specifically used to:
calculate the difference between the arbitrary trigger moment T and T_last to obtain the interval T' between the moment T_last and the arbitrary trigger moment T;
judge whether T' is less than or equal to the monitoring period T_w;
if so, according to
Figure FDA0000059312170000031
obtain the end user's request count within the monitoring period T_w before the arbitrary trigger moment T, where A is the circular array and i is a natural number;
otherwise, judge whether T' is greater than or equal to 2T_w;
if so, clear the circular array data and record the end user's request count within the monitoring period T_w before the arbitrary trigger moment T as zero;
otherwise, according to
Figure FDA0000059312170000032
obtain the end user's request count within the monitoring period T_w before the arbitrary trigger moment.
10. The device according to claim 8, characterized in that the device further comprises:
a second judging module, used, before the acquiring unit obtains the record entry corresponding to the request information according to the end user's request information, to judge whether a record entry corresponding to the request information exists in the cache; if so, to continue with the subsequent step; otherwise, to create a new record entry for the request information and zero the circular array.
11. The device according to claim 7, characterized in that the device further comprises:
a multi-dimensional monitoring module, used to set different monitoring periods for different monitored items and set the access limit of each monitoring period, to count the end user's request count in each of the different monitoring periods, to judge whether the end user's request count exceeds the access limit of the monitored item within the monitoring period, and, if so, to trigger the blocking policy to issue a blocking message according to the end user, refusing the end user's subsequent requests within a preset time.
12. The device according to claim 7, characterized in that the device further comprises:
a hypertext link extraction module, used to capture HyperText Transfer Protocol HTTP packets directly from the network interface card in bypass mode, process the HTTP packets, and send the processed result to the acquisition module.
CN201110115158.XA 2011-05-05 2011-05-05 The method and apparatus of network security monitoring Active CN102769549B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201110115158.XA CN102769549B (en) 2011-05-05 2011-05-05 The method and apparatus of network security monitoring

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201110115158.XA CN102769549B (en) 2011-05-05 2011-05-05 The method and apparatus of network security monitoring

Publications (2)

Publication Number Publication Date
CN102769549A true CN102769549A (en) 2012-11-07
CN102769549B CN102769549B (en) 2016-02-17

Family

ID=47096807

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201110115158.XA Active CN102769549B (en) 2011-05-05 2011-05-05 The method and apparatus of network security monitoring

Country Status (1)

Country Link
CN (1) CN102769549B (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1816215A (en) * 2005-01-12 2006-08-09 株式会社Ntt都科摩 A data communication restriction method, data communication restriction system and mobile terminal
CN101203052A (en) * 2007-12-24 2008-06-18 华为技术有限公司 Method and apparatus for preventing malice business request
CN101572701A (en) * 2009-02-10 2009-11-04 中科正阳信息安全技术有限公司 Security gateway system for resisting DDoS attack for DNS service

Cited By (44)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103117997A (en) * 2012-11-19 2013-05-22 苏州亿倍信息技术有限公司 Method and system achieving communication safety control
CN104253687A (en) * 2013-06-26 2014-12-31 深圳市腾讯计算机系统有限公司 Method for reducing verification efficiency, method for generating captcha, correlated system, and server
CN104253687B (en) * 2013-06-26 2018-08-03 深圳市腾讯计算机系统有限公司 It reduces verification efficiency method, generate identifying code method, related system and server
CN103632085A (en) * 2013-08-28 2014-03-12 广州品唯软件有限公司 Blacklist management method and system
CN104754645A (en) * 2013-12-25 2015-07-01 中国移动通信集团公司 Network connection control method and device
CN104754645B (en) * 2013-12-25 2018-10-23 中国移动通信集团公司 A kind of network connection control method and device
JP2017503293A (en) * 2014-11-27 2017-01-26 シャオミ・インコーポレイテッド User action identification method, user action identification device, program, and recording medium
CN104486298A (en) * 2014-11-27 2015-04-01 小米科技有限责任公司 Method and device for user behavior recognition
WO2016082462A1 (en) * 2014-11-27 2016-06-02 小米科技有限责任公司 Method and device for recognizing user behavior
CN104486298B (en) * 2014-11-27 2018-03-09 小米科技有限责任公司 Identify the method and device of user behavior
CN104519069A (en) * 2014-12-27 2015-04-15 广州华多网络科技有限公司 Method and device for intercepting resource requests
CN104580228A (en) * 2015-01-16 2015-04-29 北京京东尚科信息技术有限公司 System and method for generating blacklist for access requests from network
CN105100070A (en) * 2015-06-29 2015-11-25 北京奇虎科技有限公司 Method and device for preventing malicious attacks to interface service
CN106294529A (en) * 2015-06-29 2017-01-04 阿里巴巴集团控股有限公司 A kind of identification user's abnormal operation method and apparatus
CN105282047A (en) * 2015-09-25 2016-01-27 小米科技有限责任公司 Access request processing method and device
CN105939326B (en) * 2016-01-18 2020-12-04 杭州迪普科技股份有限公司 Method and device for processing message
CN105939326A (en) * 2016-01-18 2016-09-14 杭州迪普科技有限公司 Message processing method and device
CN105681353B (en) * 2016-03-22 2019-06-11 浙江宇视科技有限公司 Defend the method and device of port scan invasion
CN105681353A (en) * 2016-03-22 2016-06-15 浙江宇视科技有限公司 Method and device of defending port scanning invasion
CN106101059A (en) * 2016-05-23 2016-11-09 微梦创科网络科技(中国)有限公司 A kind of web-page requests processing method and processing device
CN106101059B (en) * 2016-05-23 2019-05-17 微梦创科网络科技(中国)有限公司 A kind of web-page requests processing method and processing device
CN108694074A (en) * 2017-04-07 2018-10-23 腾讯科技(深圳)有限公司 A kind of method and server obtaining count information
CN107704761B (en) * 2017-09-27 2020-09-01 北京星选科技有限公司 Data processing method and device, electronic equipment and storage medium
CN107704761A (en) * 2017-09-27 2018-02-16 北京小度信息科技有限公司 Data processing method, device, electronic equipment and storage medium
CN109756528B (en) * 2017-11-01 2022-03-11 广州腾讯科技有限公司 Frequency control method and device, equipment, storage medium and server
CN109756528A (en) * 2017-11-01 2019-05-14 广州腾讯科技有限公司 Control method for frequency and device, equipment, storage medium, server
CN108134803B (en) * 2018-01-29 2021-02-26 杭州迪普科技股份有限公司 URL attack protection method and device
CN108134803A (en) * 2018-01-29 2018-06-08 杭州迪普科技股份有限公司 A kind of URL attack guarding methods and device
CN108874948A (en) * 2018-06-05 2018-11-23 中国农业银行股份有限公司 A kind of site resource access method and device
CN108874948B (en) * 2018-06-05 2021-04-02 中国农业银行股份有限公司 Website resource access method and device
CN108833450B (en) * 2018-08-22 2020-07-10 网宿科技股份有限公司 Method and device for preventing server from being attacked
CN108833450A (en) * 2018-08-22 2018-11-16 网宿科技股份有限公司 A kind of realization server anti-attack method and device
WO2020037781A1 (en) * 2018-08-22 2020-02-27 网宿科技股份有限公司 Anti-attack method and device for server
CN109275145A (en) * 2018-09-21 2019-01-25 腾讯科技(深圳)有限公司 Equipment behavior detection and barrier processing method, medium and electronic equipment
CN111294412A (en) * 2018-12-06 2020-06-16 贵州白山云科技股份有限公司 Processing method and device for exception of content distribution network node server
CN111294412B (en) * 2018-12-06 2022-09-23 贵州白山云科技股份有限公司 Processing method and device for exception of content distribution network node server
CN109639674A (en) * 2018-12-11 2019-04-16 广州猎萌网络科技有限公司 A kind of access safety control method
CN111355626A (en) * 2018-12-24 2020-06-30 中移(杭州)信息技术有限公司 Request processing method and device
CN111585914A (en) * 2019-02-15 2020-08-25 阿里巴巴集团控股有限公司 Service current limiting method and device and electronic equipment
CN111585914B (en) * 2019-02-15 2024-03-22 阿里巴巴集团控股有限公司 Service current limiting method and device and electronic equipment
CN110336881A (en) * 2019-07-10 2019-10-15 北京三快在线科技有限公司 The method and apparatus for executing business processing request
CN110336881B (en) * 2019-07-10 2020-11-20 北京三快在线科技有限公司 Method and device for executing service processing request
CN112839008A (en) * 2019-11-22 2021-05-25 北京沃东天骏信息技术有限公司 Access monitoring method, device and system
CN112839008B (en) * 2019-11-22 2024-02-06 北京沃东天骏信息技术有限公司 Access monitoring method, device and system

Also Published As

Publication number Publication date
CN102769549B (en) 2016-02-17

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20211223

Address after: Room 19F, Kungang science and technology building, 777 Huancheng South Road, Xishan District, Kunming City, Yunnan Province, 650000

Patentee after: Yunnan Tengyun Information Industry Co.,Ltd.

Address before: 2 East 403 room, SEG science and technology garden, Futian District, Guangdong, Shenzhen 518000, China

Patentee before: TENCENT TECHNOLOGY (SHENZHEN) Co.,Ltd.

TR01 Transfer of patent right