CN102769549B - The method and apparatus of network security monitoring - Google Patents

The method and apparatus of network security monitoring

Info

Publication number: CN102769549B
Authority: CN (China)
Prior art keywords: terminal user, monitoring period, request, request count, said terminal
Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CN201110115158.XA
Other languages: Chinese (zh)
Other versions: CN102769549A
Inventors: 梁可结, 张富春, 张红梅
Current assignee: Yunnan Tengyun Information Industry Co.,Ltd. (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Tencent Technology Shenzhen Co Ltd
Application filed by Tencent Technology Shenzhen Co Ltd
Priority to CN201110115158.XA
Publication of CN102769549A
Application granted
Publication of CN102769549B
Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention discloses a method and apparatus for network security monitoring, belonging to the Internet field. The method comprises: obtaining the request information of a terminal user; calculating the request count within the monitoring period before any trigger instant; judging whether the request count exceeds a preset access upper limit; and if so, issuing a blocking message and rejecting the subsequent requests of the terminal user for a preset time. By calculating the request count within the monitoring period before any trigger instant, embodiments of the invention can accurately identify the target of a malicious attack and block it, thereby protecting the core data of network resources.

Description

The method and apparatus of network security monitoring
Technical field
The present invention relates to the Internet field, and in particular to a method and apparatus for network security monitoring.
Background technology
With the development of Web (Internet) services, users participate more and more in network events; in particular, the Web 2.0 concept proposed in recent years places even more emphasis on user participation. At the same time, the Web service provider is exposed to more and more network threats from different directions. Among these, malicious requests are an attack that must be guarded against, since they concern the protection of core data. Under a massive volume of requests, finding malicious users efficiently and restricting them while leaving normal users undisturbed requires an access-limiting scheme that handles the requests of different users.
In the prior art, user access is restricted as follows: for requests within a certain time (say T minutes), requests exceeding a set frequency are blocked by means of a blacklist. Specifically, the 24 hours of each day are divided into periods of T minutes and the number of requests received in each period is counted. For a Web service, each request corresponds to a requested url (Uniform Resource Locator); the server receiving the request counts directly by the requested url or by the requesting ip (Internet Protocol) address and judges whether this number has exceeded a preset request count. If it has, the user is placed on the blacklist and the user's requests are restricted for a certain period.
After analysing the prior art, the inventors found that it has at least the following shortcoming: statistics can only be made per fixed time period, so an attacker can probe the upper limit of each counting point and keep every period's requests below the limit, issuing small batches continuously. Nothing shows up in the counts, but in aggregate core data may still be lost. For example, if a given ip+url is limited to no more than N operations in T_lim minutes, but M requests (M between 1 and N−1) are made in each interval shorter than T_lim, then (24*60/T_lim)*M records can be pulled per day. If T_lim is set too low, the server detects more frequently, which hurts server performance and raises the false-positive rate; if T_lim is set too high, detection accuracy drops and it becomes hard to distinguish normal from malicious operations.
Summary of the invention
To solve the problems of the prior art, embodiments of the invention provide a method and apparatus for network security monitoring. The technical scheme is as follows:
In one aspect, a method of network security monitoring is provided, the method comprising:
obtaining the request information of a terminal user;
calculating the request count of the terminal user within the monitoring period T_w before any trigger instant T;
judging whether the request count exceeds a preset access upper limit;
if so, issuing a blocking message and rejecting the subsequent requests of the terminal user for a preset time.
Calculating the request count of the terminal user within the monitoring period T_w before any trigger instant T comprises:
according to the request information of the terminal user, obtaining the entry corresponding to that request information, where the entry comprises a monitoring period T_w, a last-update time T_last and a circular array, the circular array storing the access counts of the terminal user within the monitoring period before the last-update time;
according to the trigger instant T and T_last, calculating the request count of the terminal user within the monitoring period T_w before T.
Calculating, according to the trigger instant T and T_last, the request count of the terminal user within the monitoring period T_w before T comprises:
calculating the difference between T and T_last to obtain the interval T' between the instant T_last and the trigger instant T;
judging whether T' is less than or equal to the monitoring period T_w;
if so, computing from the circular array A, where i is a natural number, the request count of the terminal user within the monitoring period T_w before T;
otherwise, judging whether T' is greater than or equal to 2T_w;
if so, clearing the circular-array data and recording the request count of the terminal user within the monitoring period T_w before T as zero;
otherwise, computing from the circular array the request count of the terminal user within the monitoring period T_w before T.
Before obtaining, according to the request information of the terminal user, the entry corresponding to that request information, the method further comprises:
judging whether the cache holds an entry corresponding to the request information;
if so, continuing to the next step; otherwise creating a new entry for the request information and zeroing the circular array.
Different monitoring periods are set for different monitored items, and an access upper limit is set for each monitoring period; the method then further comprises:
counting the request count of the terminal user within each of the different monitoring periods;
judging whether the request count of the terminal user within a monitoring period exceeds the access upper limit of that monitored item;
if so, issuing a blocking message according to the blocking policy triggered by the terminal user, and rejecting the subsequent requests of the terminal user for a preset time.
The types of monitored item comprise:
requests of the terminal user by ip and url, or by uin and url, or by url alone.
In another aspect, an apparatus for network security monitoring is provided, the apparatus comprising:
an acquisition module for obtaining the request information of a terminal user;
a computing module for calculating the request count of the terminal user within the monitoring period T_w before any trigger instant T;
a first judging module for judging whether the request count exceeds a preset access upper limit and, if so, issuing a blocking message and rejecting the subsequent requests of the terminal user for a preset time.
The computing module comprises:
an acquiring unit for obtaining, according to the request information of the terminal user, the entry corresponding to that request information, where the entry comprises a monitoring period T_w, a last-update time T_last and a circular array, the circular array storing the access counts of the terminal user within the monitoring period before the last-update time;
a computing unit for calculating, according to the trigger instant T and T_last, the request count of the terminal user within the monitoring period T_w before T.
The computing unit is specifically configured to:
calculate the difference between T and T_last to obtain the interval T' between the instant T_last and the trigger instant T;
judge whether T' is less than or equal to the monitoring period T_w;
if so, compute from the circular array A, where i is a natural number, the request count of the terminal user within the monitoring period T_w before T;
otherwise, judge whether T' is greater than or equal to 2T_w;
if so, clear the circular-array data and record the request count of the terminal user within the monitoring period T_w before T as zero;
otherwise, compute from the circular array the request count of the terminal user within the monitoring period T_w before T.
The apparatus further comprises:
a second judging module for judging, before the acquiring unit obtains the entry corresponding to the request information of the terminal user, whether the cache holds an entry corresponding to that request information; if so, continuing to the next step; otherwise creating a new entry for the request information and zeroing the circular array.
The apparatus further comprises:
a multi-dimensional monitoring module for setting different monitoring periods for different monitored items and an access upper limit for each monitoring period, counting the request count of the terminal user within each monitoring period, judging whether that count exceeds the access upper limit of the monitored item within the monitoring period and, if so, issuing a blocking message according to the blocking policy triggered by the terminal user and rejecting all subsequent requests of the terminal user for a preset time.
The apparatus further comprises:
a hypertext link extraction module for capturing HTTP packets directly from the network interface card in bypass mode, processing them, and sending the processed result to the acquisition module.
The technical scheme provided by embodiments of the invention, by calculating the request count within the monitoring period before any trigger instant, can accurately identify the target of a malicious attack and block it, thereby protecting the core data of network resources.
Brief description of the drawings
To explain the embodiments of the invention or the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below show only some embodiments of the invention; those of ordinary skill in the art could obtain other drawings from them without creative effort.
Fig. 1 is a flowchart of a method of network security monitoring provided by Embodiment 1 of the invention;
Fig. 2 is a flowchart of a method of network security monitoring provided by Embodiment 2 of the invention;
Fig. 3 is a circular array provided by Embodiment 2 of the invention;
Fig. 4 is a schematic diagram of an apparatus for network security monitoring provided by Embodiment 3 of the invention;
Fig. 5 is a schematic diagram of another apparatus for network security monitoring provided by Embodiment 3 of the invention.
Embodiments
To make the objects, technical solutions and advantages of the invention clearer, embodiments of the invention are described in further detail below with reference to the drawings.
Before introducing the network security monitoring method provided by the invention, the basic knowledge it relies on is briefly introduced:
Memcache: a high-performance distributed memory object caching system that maintains a single large hash table in memory and can store data in various forms, including images, video, files and database query results. Its cache is distributed, so multiple users on different hosts can access the caching system at the same time; this overcomes the drawback that shared memory is confined to a single machine, and its greatest advantage is faster data access.
Embodiment 1
Referring to Fig. 1, an embodiment of the invention provides a method of network security monitoring, comprising:
Step 101: obtaining the request information of a terminal user;
Step 102: calculating the request count of the terminal user within the monitoring period T_w before any trigger instant T;
Step 103: judging whether the request count exceeds a preset access upper limit; if so, issuing a blocking message and rejecting the subsequent requests of the terminal user for a preset time.
Here, calculating the request count within the monitoring period T_w before any trigger instant T comprises:
according to the request information of the terminal user, obtaining the corresponding entry; the entry comprises a monitoring period T_w, a last-update time T_last and a circular array, the circular array storing the access counts of the terminal user within the monitoring period before the last-update time;
according to the trigger instant T and T_last, calculating the request count within the monitoring period T_w before T.
In this embodiment, calculating, according to T and T_last, the request count within the monitoring period T_w before T comprises:
calculating the difference between T and T_last to obtain the interval T' between the request at instant T_last and the request at T;
judging whether T' is less than or equal to T_w;
if so, computing from the circular array A, where i is a natural number, the request count within the T_w before T;
otherwise, judging whether T' is greater than or equal to 2T_w;
if so, clearing the circular-array data and recording the request count within the monitoring period T_w before T as zero;
otherwise, computing from the circular array the request count within the monitoring period T_w before T.
Optionally, in this embodiment, before obtaining the entry corresponding to the request information of the terminal user, the method further comprises:
judging whether the cache holds an entry corresponding to the request information;
if so, continuing to the next step; otherwise creating a new entry for the request information and zeroing the circular array.
In this embodiment, the method further comprises:
setting different monitoring periods for different monitored items, and an access upper limit for each monitoring period;
counting the request count of the terminal user within each monitoring period;
judging whether the request count of the terminal user within a monitoring period exceeds the access upper limit of the monitored item;
if so, issuing a blocking message according to the blocking policy triggered by the terminal user and rejecting all subsequent requests of the terminal user for a preset time.
The different monitored items comprise:
requests of the terminal user by ip and url, by uin and url, or by url alone.
The technical scheme provided by embodiments of the invention, by calculating the request count within the monitoring period before any trigger instant, can accurately identify the target of a malicious attack and block it, thereby protecting the core data of network resources.
Embodiment 2
Referring to Fig. 2, an embodiment of the invention provides a method of network security monitoring, comprising:
Step 201: the statistics server obtains the request information of a terminal user.
In this embodiment, an HttpDumpServer (the hypertext link extraction module) is deployed on every server that receives user requests; it captures HTTP packets directly from the network interface card in bypass mode, so that the url of every request to the server, legitimate or not, can be observed. By monitoring the three rule types ip+url, uin+url and url at the same time, this embodiment avoids the drawback of counting by ip alone and minimises false positives (this is not reflected in the claims). Here uin is a user number identifier, for example the Tencent QQ user number, a number of more than five digits that serves as the user's unique identity; all services use the uin to distinguish users. HttpDumpServer assembles each captured request into a triple <uin, ip, url>, aggregates the triples at a UDPProxyServer (proxy server), and the UDPProxy forwards them to the StatisticServer (statistics server).
The statistics server reads the policy configuration file at start-up, so it picks up updates to the configuration file promptly. A policy rule in the configuration file may be defined as:
< rule name, url, monitoring period, access upper limit, restriction time, block type >
Rule name: the name of the policy rule identifying this configuration, used for rule lookup.
Url: the detailed link address of the user request.
Monitoring period / access upper limit: within the monitoring period the number of accesses must not exceed the access upper limit, otherwise the rule is triggered.
Restriction time: the duration of the block imposed after the rule is triggered; within this time, the same request from the same user is rejected.
Block type: the type of block imposed after the rule is triggered; the front end returns a response to the user according to the block type.
Step 202: judge whether the cache holds an entry corresponding to the request information; if so, obtain the entry and go to step 203; otherwise create a new entry for the request information and zero the circular array.
In this embodiment, for each requested url an entry is stored as a key/value pair, as shown in Table 1:
Table 1
The entry comprises the monitoring period, the last-update time and the circular array. Monitoring period: the statistical monitoring period for this record's count, set according to the monitoring-period strategy of the multi-dimensional monitoring table introduced in Table 1. Last-update time: the time at which the entry was last updated. Circular array: records the request counts within the monitoring period before the last-update time. The core counting method of this embodiment is to set up a circular array A and, in a sliding-window manner, compute the total number of requests in the most recent monitoring period. The circular array is shown in Fig. 3: the user's request counts collected within the preset time are stored clockwise in consecutive cells of the array, the access count of each minute in Fig. 3 occupying one cell in clockwise order, for example 16 accesses in the first minute and 34 in the second. How many cells the circular array is divided into depends on the monitoring period and practical needs; the embodiment of the invention does not limit this.
In this embodiment all statistical information is kept in memcache, so that multiple deployed statistics servers can share it rather than being confined to local access; this allows easy horizontal scaling, so that a cluster can handle request counting for a massive number of users.
If the cache holds a record for this request type, that entry is obtained; if not, a new entry structure is created for the request information, its circular array is set to 0, and it is stored in the cache. New entries are created according to the policy configuration file: different request types, such as ip, url or ip+url, can be chosen as the cache key, and different monitoring periods are set according to the request type chosen.
Step 203: the statistics server calculates the request count within the monitoring period T_w before any trigger instant T.
In this embodiment, after a request for a url from a user is received at trigger instant T, the corresponding entry is first obtained from the cache; its last-update time is T_last, its monitoring period is T_w and its circular array is A.
The request count in the T_w minutes before T is then calculated from T_last and T as follows:
1) calculate the difference between T and T_last to obtain the interval T' between the instant T_last and the instant T;
2) judge whether T' is less than or equal to T_w;
3) if so, starting from index (T' − 1 + T_w) mod T_w, compute from the circular array A, where i is a natural number, the request count within the monitoring period before T; otherwise judge whether T' is greater than or equal to 2T_w;
4) if so, clear the circular-array data, record the request count within the monitoring period before T as zero and start counting afresh; otherwise compute from the circular array the request count within the monitoring period before T.
Step 204: judge whether the request count exceeds the preset access upper limit; if so, go to step 205; otherwise return to step 201.
In this embodiment an access upper limit is set for each request type, to monitor whether the request type triggers a blocking rule; if no blocking rule is triggered, the method returns to step 201 and continues counting the next request.
Step 205: issue a blocking message and reject all subsequent requests of the terminal user for a preset time.
In this embodiment, when a policy rule triggering a block is detected, the relevant blocking information is sent to the BlockServer (blocking module). The BlockServer must also be deployed on every server that accepts user requests. On receiving a blocking message, the BlockServer writes the uin/ip of the user to be blocked into shared memory. Other business services deployed on the same server then, for each user request received, look up the shared memory to judge whether the user's uin/ip is blocked, and decide whether to continue serving or to deny service. Optionally, a block ends automatically once the restriction time carried in the blocking message has expired.
Optionally, in this embodiment, different monitoring periods are set for different monitored items and an access upper limit is set for each monitoring period; the terminal user's request count is counted within each monitoring period; it is judged whether the count exceeds the access upper limit of the request type within the monitoring period; and if so, a blocking message is issued according to the blocking policy triggered by the terminal user and all subsequent requests of the terminal user are rejected for a preset time. Specifically, multi-dimensional monitoring can be provided according to the needs of different services, as shown in Table 2:
Table 2
For the three rule types ip+url, uin+url and url, different monitoring period points are configured: 10 minutes, 60 minutes and 1440 minutes (the monitoring period is freely configurable in the policy configuration file), and an access upper limit is set for each combination. As soon as a user's request triggers any one control point, a blocking message is immediately issued to the BlockServer and the user's subsequent requests are rejected for the restriction time, thereby limiting malicious requests. Because matching is driven by the policy table configuration, the strategy can also be adjusted flexibly for different monitoring needs, giving comprehensive and accurate frequency limiting.
The beneficial effects of the technical scheme provided by embodiments of the invention are: by calculating the request count within the monitoring period before any trigger instant, the target of a malicious attack can be identified accurately; with different strategies configured for different types, network users can be monitored in multiple dimensions, and malicious users detected and blocked, thereby protecting the core data of network resources.
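The counting scheme of steps 202 to 205 and the multi-dimensional rule table of Table 2, as an added Python example (not code from the patent or from its assignee): a per-key cache entry holding T_w, T_last and a circular array A with one cell per minute is slid forward by T' = T − T_last, and a rule list in the form < rule name, url, monitoring period, access upper limit, restriction time, block type > is checked against a block list standing in for the BlockServer's shared memory. The names Entry, Rule, StatisticServer and run_demo, the one-minute cell width, the sample traffic, and the treatment of any gap of T_w or more as a full reset are assumptions.

```python
"""Sliding-window request counting with multi-dimensional blocking rules.

Added example, not code from the patent or its assignee. One cache entry per
monitored key holds a monitoring period T_w (minutes), a last-update time
T_last and a circular array A with one cell per minute. Assumption: a gap of
T_w minutes or more since T_last discards the whole array (both T' > T_w branches).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Entry:                     # cache entry: <monitoring period, last-update time, circular array>
    window: int                  # T_w in minutes
    last: Optional[int] = None   # T_last, minute stamp of the last update
    slots: List[int] = field(default_factory=list)  # circular array A

    def __post_init__(self) -> None:
        if not self.slots:
            self.slots = [0] * self.window   # new entry: zero the array

    def _advance(self, now: int) -> None:
        """Slide the window to `now`, zeroing the cells that fell out of it."""
        if self.last is None:
            self.last = now
            return
        elapsed = now - self.last                 # T' = T - T_last
        if elapsed <= 0:
            return                                 # same minute: nothing is stale
        if elapsed >= self.window:                 # T' >= T_w: every cell is stale
            self.slots = [0] * self.window
        else:                                      # T' < T_w: clear only the minutes passed over
            for minute in range(self.last + 1, now + 1):
                self.slots[minute % self.window] = 0
        self.last = now

    def record(self, now: int) -> int:
        """Count one request at minute `now`; return the total in the last T_w minutes."""
        self._advance(now)
        self.slots[now % self.window] += 1
        return sum(self.slots)


@dataclass(frozen=True)
class Rule:             # <rule name, url, monitoring period, access upper limit, restriction time, block type>
    name: str
    url: str
    key_type: str       # "ip+url", "uin+url" or "url"
    window: int         # monitoring period, minutes
    limit: int          # access upper limit
    block_minutes: int  # restriction time, minutes
    block_type: str


def make_key(rule: Rule, uin: str, ip: str, url: str) -> Tuple[str, ...]:
    """Cache key for the rule's monitored dimension."""
    if rule.key_type == "ip+url":
        return (rule.name, ip, url)
    if rule.key_type == "uin+url":
        return (rule.name, uin, url)
    if rule.key_type == "url":
        return (rule.name, url)
    raise ValueError(f"unknown key type {rule.key_type!r}")


class StatisticServer:
    def __init__(self, rules: List[Rule]) -> None:
        self.rules = rules
        self.cache: Dict[Tuple[str, ...], Entry] = {}  # stands in for memcache
        self.blocks: Dict[Tuple[str, str], int] = {}   # (uin, ip) -> expiry minute; stands in for BlockServer shared memory

    def is_blocked(self, uin: str, ip: str, now: int) -> bool:
        expiry = self.blocks.get((uin, ip))
        if expiry is not None and now < expiry:
            return True
        self.blocks.pop((uin, ip), None)               # no block, or the restriction time has lapsed
        return False

    def handle(self, uin: str, ip: str, url: str, now: int) -> Tuple[str, Optional[str]]:
        """Process one <uin, ip, url> triple; return (decision, triggering rule name or None)."""
        if self.is_blocked(uin, ip, now):
            return ("rejected", None)              # refused by the BlockServer lookup
        for rule in self.rules:
            if rule.url != url:
                continue
            key = make_key(rule, uin, ip, url)
            entry = self.cache.get(key)
            if entry is None:                      # step 202: new entry with a zeroed array
                entry = self.cache[key] = Entry(window=rule.window)
            count = entry.record(now)              # step 203: count within T_w before now
            if count > rule.limit:                 # step 204: compare with the access upper limit
                self.blocks[(uin, ip)] = now + rule.block_minutes   # step 205: issue the block
                return ("blocked", rule.name)
        return ("allowed", None)


def run_demo() -> List[Tuple[int, str]]:
    """Constructed traffic: 5 requests straddling minutes 8-9, then one more at minute 10."""
    # A fixed 10-minute period restarting at minute 10 would see a fresh counter;
    # the sliding window still holds the 5 earlier requests and blocks the 6th.
    rules = [Rule("login-ip", "/login", "ip+url", 10, 5, 30, "deny"),
             Rule("login-url", "/login", "url", 60, 100, 30, "deny")]
    srv = StatisticServer(rules)
    minutes = [8, 8, 8, 9, 9, 10, 11, 40]          # constructed request times (minute stamps)
    return [(m, srv.handle("10001", "198.51.100.7", "/login", m)[0]) for m in minutes]
```

The request at minute 11 is refused by the block-list lookup without being counted, and at minute 40 the block has lapsed and the stale array is reset before the new request is counted.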
Embodiment 3
See Fig. 4, embodiments provide a kind of device of network security monitoring, comprising: acquisition module 301, computing module 302, first judge module 303.
Acquisition module 301, for obtaining the solicited message of terminal use;
Computing module 302, for calculating the monitoring period T before any trigger instants T wthe request number of times of interior terminal use;
First judge module 303, for judging whether request number of times exceedes the default access upper limit; If so, then issue shutoff message, in Preset Time, refuse the subsequent request of terminal use.
See Fig. 5, in the present embodiment, computing module 302, comprising:
Acquiring unit 302a, for the solicited message according to terminal use, obtain the entry that solicited message is corresponding, entry comprises, monitoring period T w, final updating time T lastwith circulation array, circulation array is for storing the access times of the terminal use in the monitoring period before the final updating time;
Computing unit 302b, for according to any trigger instants T and T last, calculate the monitoring period T before any trigger instants T wthe request number of times of interior terminal use.
Wherein, computing unit, specifically for:
Calculate any trigger instants T and T lastdifference, obtain T lastt ' interval time between the request in moment and the request of any trigger instants T;
Judge whether T ' is less than or equal to monitoring period T w;
If so, then basis monitoring period T before obtaining T wthe request number of times of interior terminal use, wherein A is circulation array, and i is natural number;
Otherwise, judge whether T ' is more than or equal to 2T w;
If so, then loop-around data is emptied, by the monitoring period T before any trigger instants T wthe request number of times of interior terminal use is designated as zero;
Otherwise, according to obtain the monitoring period T before any trigger instants T wthe request number of times of interior terminal use.
See Fig. 5, in the present embodiment, device also comprises:
Second judging module 304, used to judge, before the acquiring unit obtains the entry corresponding to the request information of the terminal user, whether the cache already holds an entry corresponding to that request information; if it does, the next step continues; otherwise a new entry is created for the request information and its circular array is zeroed.
Referring to Fig. 5, in the present embodiment the device further comprises:
Multi-dimensional monitoring module 305, used to set different monitoring windows for different monitored items and an access upper limit for each monitoring window, to count the request number of the terminal user within each of these monitoring windows, and to judge whether the request number of the terminal user within a monitoring window exceeds the access upper limit of that monitored item; if so, a blocking message is issued according to the blocking policy triggered by the terminal user, and all subsequent requests of the terminal user are refused within a preset time.
Referring to Fig. 5, in the present embodiment the device further comprises:
HTTP extraction module 306, used to capture HTTP packets directly from the network interface card in bypass mode, process the HTTP packets, and send the processed result to the acquisition module.
The technical solution provided by the embodiment of the present invention calculates the number of requests in the monitoring window before any trigger instant, so that the object of a malicious attack can be judged accurately and blocked, thereby protecting the core data of the network resource.
The device provided in this embodiment belongs to the same inventive concept as the method embodiment; for its specific implementation process, refer to the method embodiment, which is not repeated here.
All or part of the technical solution provided by the embodiment of the present invention may be implemented by hardware under the control of program instructions; the program may be stored in a readable storage medium, which includes ROM, RAM, magnetic disk, optical disc or any other medium capable of storing program code.
The foregoing is only a preferred embodiment of the present invention and is not intended to limit it; any modification, equivalent replacement or improvement made within the spirit and principles of the present invention shall be included in its scope of protection.
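As an added illustration of the request information that module 306 hands to the acquisition module (ip, uin and url), here is example code written for this page; it is not the patent holder's implementation. It assumes the bypass capture stage (for example a port mirror read through a pcap library) already delivers the client IP and the raw bytes of one HTTP request, and that the user identification code uin arrives in a cookie named uin; the sample request is constructed.

```python
"""Extract the monitored request information (ip, uin, url) from one captured
HTTP request.  Added example, not the patent's code: the client IP is assumed to
come from the capture layer and the uin is assumed to be carried in a cookie."""
from collections import namedtuple
from urllib.parse import urlsplit

RequestInfo = namedtuple("RequestInfo", "ip uin url")


def parse_http_request(client_ip, raw):
    """Return RequestInfo for a captured HTTP request, or None when the bytes
    are not a parsable HTTP request (non-HTTP traffic on the mirrored link)."""
    try:
        head, _, _body = raw.partition(b"\r\n\r\n")
        lines = head.decode("iso-8859-1").split("\r\n")
        method, target, version = lines[0].split(" ", 2)
    except (ValueError, UnicodeDecodeError):
        return None
    if not version.startswith("HTTP/"):
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    # Monitor by path only: the query string is dropped so that /a?x=1 and
    # /a?x=2 are counted against the same monitored url.  urlsplit also copes
    # with proxy-style absolute targets such as http://host/path.
    path = urlsplit(target).path or "/"
    uin = None
    for part in headers.get("cookie", "").split(";"):
        key, sep, val = part.strip().partition("=")
        if sep and key == "uin":            # assumed cookie name for the user id
            uin = val
    return RequestInfo(client_ip, uin, path)


# Constructed sample request as the capture stage would deliver it.
SAMPLE = (b"GET /api/login?next=%2Fhome HTTP/1.1\r\n"
          b"Host: example.test\r\n"
          b"Cookie: lang=en; uin=o0123456789\r\n"
          b"\r\n")

if __name__ == "__main__":
    print(parse_http_request("203.0.113.7", SAMPLE))
```

Returning None for anything that is not an HTTP request matters in bypass mode, because the mirrored link carries every protocol and the extractor must not let one malformed frame stall the pipeline that feeds the acquisition module.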

Claims (12)

1. A method of network security monitoring, characterized in that the method comprises:
obtaining the request information of a terminal user;
calculating the request number of the terminal user within the monitoring window T_w before any trigger instant T;
judging whether the request number exceeds a preset access upper limit;
if so, issuing a blocking message and refusing the subsequent requests of the terminal user within a preset time.
2. The method according to claim 1, characterized in that calculating the request number of the terminal user within the monitoring window T_w before any trigger instant T specifically comprises:
according to the request information of the terminal user, obtaining the entry corresponding to the request information, the entry comprising the monitoring window T_w, the last update time T_last and a circular array, the circular array storing the access counts of the terminal user within the monitoring window T_w before the last update time T_last;
according to any trigger instant T and the last update time T_last, calculating the request number of the terminal user within the monitoring window T_w before the trigger instant T.
3. The method according to claim 2, characterized in that calculating, according to any trigger instant T and the last update time T_last, the request number of the terminal user within the monitoring window T_w before the trigger instant T comprises:
calculating the difference between any trigger instant T and the last update time T_last to obtain the interval T' between T_last and T;
judging whether T' is less than or equal to T_w;
if so, obtaining the request number of the terminal user within the monitoring window T_w before the trigger instant T according to a formula over the circular array (not reproduced in this text), wherein A is the circular array and i is a natural number;
otherwise, judging whether T' is greater than or equal to 2T_w;
if so, emptying the circular array and recording the request number of the terminal user within the monitoring window T_w before the trigger instant T as zero;
otherwise, obtaining the request number of the terminal user within the monitoring window T_w before the trigger instant T according to a second formula (likewise not reproduced in this text).
4. The method according to claim 2, characterized in that, before obtaining the entry corresponding to the request information according to the request information of the terminal user, the method further comprises:
judging whether the cache holds an entry corresponding to the request information;
if so, continuing with the next step; otherwise creating a new entry for the request information and zeroing its circular array.
5. The method according to claim 1, characterized in that the method further comprises:
setting different monitoring windows for different monitored items, and setting the access upper limit of each monitoring window;
counting the request number of the terminal user separately within each of the different monitoring windows;
judging whether the request number of the terminal user within a monitoring window exceeds the access upper limit of the monitored item;
if so, issuing a blocking message and refusing the subsequent requests of the terminal user within a preset time.
6. The method according to claim 5, characterized in that the different monitored items comprise:
requests of the terminal user by Internet Protocol address ip and uniform resource locator url, or requests of the terminal user by user identification code uin and url, or requests of the terminal user by url.
7. A device for network security monitoring, characterized in that the device comprises:
an acquisition module, used to obtain the request information of a terminal user;
a computing module, used to calculate the request number of the terminal user within the monitoring window T_w before any trigger instant T;
a first judging module, used to judge whether the request number exceeds a preset access upper limit and, if so, to issue a blocking message and refuse the subsequent requests of the terminal user within a preset time.
8. The device according to claim 7, characterized in that the computing module comprises:
an acquiring unit, used to obtain, according to the request information of the terminal user, the entry corresponding to the request information, the entry comprising the monitoring window T_w, the last update time T_last and a circular array, the circular array storing the access counts of the terminal user within the monitoring window before the last update time;
a computing unit, used to calculate, according to any trigger instant T and T_last, the request number of the terminal user within the monitoring window T_w before the trigger instant T.
9. The device according to claim 8, characterized in that the computing unit is specifically used to:
calculate the difference between any trigger instant T and T_last to obtain the interval T' between the instant T_last and the trigger instant T;
judge whether T' is less than or equal to the monitoring window T_w;
if so, obtain the request number of the terminal user within the monitoring window T_w before the trigger instant T according to a formula over the circular array (not reproduced in this text), wherein A is the circular array and i is a natural number;
otherwise, judge whether T' is greater than or equal to 2T_w;
if so, empty the circular array and record the request number of the terminal user within the monitoring window T_w before the trigger instant T as zero;
otherwise, obtain the request number of the terminal user within the monitoring window T_w before the trigger instant T according to a second formula (likewise not reproduced in this text).
10. The device according to claim 8, characterized in that the device further comprises:
a second judging module, used to judge, before the acquiring unit obtains the entry corresponding to the request information according to the request information of the terminal user, whether the cache holds an entry corresponding to the request information; if so, the next step continues; otherwise a new entry is created for the request information and its circular array is zeroed.
11. The device according to claim 7, characterized in that the device further comprises:
a multi-dimensional monitoring module, used to set different monitoring windows for different monitored items and the access upper limit of each monitoring window, to count the request number of the terminal user within each of the different monitoring windows, and to judge whether the request number of the terminal user within a monitoring window exceeds the access upper limit of the monitored item; if so, a blocking message is issued according to the blocking policy triggered by the terminal user, and the subsequent requests of the terminal user are refused within a preset time.
12. The device according to claim 7, characterized in that the device further comprises:
an HTTP extraction module, used to capture Hypertext Transfer Protocol (HTTP) packets directly from the network interface card in bypass mode, process the HTTP packets, and send the processed result to the acquisition module.
CN201110115158.XA 2011-05-05 2011-05-05 The method and apparatus of network security monitoring Active CN102769549B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201110115158.XA CN102769549B (en) 2011-05-05 2011-05-05 The method and apparatus of network security monitoring

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201110115158.XA CN102769549B (en) 2011-05-05 2011-05-05 The method and apparatus of network security monitoring

Publications (2)

Publication Number Publication Date
CN102769549A CN102769549A (en) 2012-11-07
CN102769549B true CN102769549B (en) 2016-02-17

Family

ID=47096807

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201110115158.XA Active CN102769549B (en) 2011-05-05 2011-05-05 The method and apparatus of network security monitoring

Country Status (1)

Country Link
CN (1) CN102769549B (en)

Families Citing this family (26)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103117997A (en) * 2012-11-19 2013-05-22 苏州亿倍信息技术有限公司 Method and system achieving communication safety control
CN104253687B (en) * 2013-06-26 2018-08-03 深圳市腾讯计算机系统有限公司 It reduces verification efficiency method, generate identifying code method, related system and server
CN103632085A (en) * 2013-08-28 2014-03-12 广州品唯软件有限公司 Blacklist management method and system
CN104754645B (en) * 2013-12-25 2018-10-23 中国移动通信集团公司 A kind of network connection control method and device
CN104486298B (en) * 2014-11-27 2018-03-09 小米科技有限责任公司 Identify the method and device of user behavior
CN104519069A (en) * 2014-12-27 2015-04-15 广州华多网络科技有限公司 Method and device for intercepting resource requests
CN104580228A (en) * 2015-01-16 2015-04-29 北京京东尚科信息技术有限公司 System and method for generating blacklist for access requests from network
CN105100070A (en) * 2015-06-29 2015-11-25 北京奇虎科技有限公司 Method and device for preventing malicious attacks to interface service
CN106294529A (en) * 2015-06-29 2017-01-04 阿里巴巴集团控股有限公司 A kind of identification user's abnormal operation method and apparatus
CN105282047B (en) * 2015-09-25 2020-04-14 小米科技有限责任公司 Access request processing method and device
CN105939326B (en) * 2016-01-18 2020-12-04 杭州迪普科技股份有限公司 Method and device for processing message
CN105681353B (en) * 2016-03-22 2019-06-11 浙江宇视科技有限公司 Defend the method and device of port scan invasion
CN106101059B (en) * 2016-05-23 2019-05-17 微梦创科网络科技(中国)有限公司 A kind of web-page requests processing method and processing device
CN108694074B (en) * 2017-04-07 2023-04-07 腾讯科技(深圳)有限公司 Method for acquiring counting information and server
CN107704761B (en) * 2017-09-27 2020-09-01 北京星选科技有限公司 Data processing method and device, electronic equipment and storage medium
CN109756528B (en) * 2017-11-01 2022-03-11 广州腾讯科技有限公司 Frequency control method and device, equipment, storage medium and server
CN108134803B (en) * 2018-01-29 2021-02-26 杭州迪普科技股份有限公司 URL attack protection method and device
CN108874948B (en) * 2018-06-05 2021-04-02 中国农业银行股份有限公司 Website resource access method and device
CN108833450B (en) * 2018-08-22 2020-07-10 网宿科技股份有限公司 Method and device for preventing server from being attacked
CN109275145B (en) * 2018-09-21 2022-04-12 腾讯科技(深圳)有限公司 Device behavior detection and barrier processing method, medium and electronic device
CN111294412B (en) * 2018-12-06 2022-09-23 贵州白山云科技股份有限公司 Processing method and device for exception of content distribution network node server
CN109639674A (en) * 2018-12-11 2019-04-16 广州猎萌网络科技有限公司 A kind of access safety control method
CN111355626A (en) * 2018-12-24 2020-06-30 中移(杭州)信息技术有限公司 Request processing method and device
CN111585914B (en) * 2019-02-15 2024-03-22 阿里巴巴集团控股有限公司 Service current limiting method and device and electronic equipment
CN110336881B (en) * 2019-07-10 2020-11-20 北京三快在线科技有限公司 Method and device for executing service processing request
CN112839008B (en) * 2019-11-22 2024-02-06 北京沃东天骏信息技术有限公司 Access monitoring method, device and system

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1816215A (en) * 2005-01-12 2006-08-09 株式会社Ntt都科摩 A data communication restriction method, data communication restriction system and mobile terminal
CN101203052A (en) * 2007-12-24 2008-06-18 华为技术有限公司 Method and apparatus for preventing malice business request
CN101572701A (en) * 2009-02-10 2009-11-04 中科正阳信息安全技术有限公司 Security gateway system for resisting DDoS attack for DNS service

Also Published As

Publication number Publication date
CN102769549A (en) 2012-11-07

Similar Documents

Publication Publication Date Title
CN102769549B (en) The method and apparatus of network security monitoring
US10652265B2 (en) Method and apparatus for network forensics compression and storage
US20230177008A1 (en) Session-Based Processing Method and System
EP3496338A1 (en) Method for identifying application information in network traffic, and apparatus
CN107770132B (en) Method and device for detecting algorithmically generated domain name
CN111447102B (en) SDN network device access method and device, computer device and storage medium
CN108900374B (en) Data processing method and device applied to DPI equipment
CN108337652B (en) Method and device for detecting flow fraud
CN106972985B (en) Method for accelerating data processing and forwarding of DPI (deep packet inspection) equipment and DPI equipment
CN102281540B (en) Method and system for searching and killing mobile phone malicious software
EP3860121B1 (en) Video service quality assessment method and apparatus
CN103179132A (en) Method and device for detecting and defending CC (challenge collapsar)
CN107454120A (en) The method of network attack defending system and defending against network attacks
CN113225339B (en) Network security monitoring method and device, computer equipment and storage medium
CN111740868A (en) Alarm data processing method and device and storage medium
CN105577670A (en) Warning system of database-hit attack
CN103236940A (en) Method and device for content processing and network equipment
CN118041660A (en) High-speed large-scale concurrent full-volume network flow intrusion detection method and system
CN112688924A (en) Network protocol analysis system
CN113595958B (en) Security detection system and method for Internet of things equipment
CN112399209B (en) Video service identification processing method and device
CN110908798B (en) Multi-process cooperative network traffic analysis method and device
JP2002108659A (en) Method for collecting data access history and apparatus for the same
CN114124555A (en) Message playback method and device, electronic equipment and computer readable medium
CN108768779B (en) Statistical method and device for network resources

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20211223

Address after: Room 19F, Kungang science and technology building, 777 Huancheng South Road, Xishan District, Kunming City, Yunnan Province, 650000

Patentee after: Yunnan Tengyun Information Industry Co.,Ltd.

Address before: 2 East 403 room, SEG science and technology garden, Futian District, Guangdong, Shenzhen 518000, China

Patentee before: TENCENT TECHNOLOGY (SHENZHEN) Co.,Ltd.

TR01 Transfer of patent right