CN102821081A - Method and system for monitoring DDOS (distributed denial of service) attacks in small flow - Google Patents

Method and system for monitoring DDOS (distributed denial of service) attacks in small flow

Info

Publication number
CN102821081A
Authority
CN
China
Prior art keywords
value
flow
ddos
base station
summation
Legal status
Granted
Application number
CN201110155058XA
Other languages
Chinese (zh)
Other versions
CN102821081B (en)
Inventor
陆小铭
曹维华
余勇昌
朱华虹
Current Assignee
China Telecom Corp Ltd
Original Assignee
China Telecom Corp Ltd

Abstract

The invention discloses a method and a system for monitoring low-traffic DDOS (distributed denial of service) attacks. It addresses the problems of existing DDOS attack detection techniques, which are costly, complex to implement, prone to false positives and unable to respond to DDOS attacks aimed at the application layer, and provides a monitoring scheme that integrates DPI (deep packet inspection) technology. Baseline analysis, composition analysis and similarity analysis are used to establish a model of normal usage; attack characteristics are then matched precisely so that low-traffic attacks and application-layer attacks are detected. Deployment at a single point of the operator network gives complete coverage of the operator network, and detection accuracy is improved.

Description

Method and system for monitoring low-traffic DDOS attacks
Technical field
The invention belongs to the field of mobile Internet security and relates in particular to a method and system for monitoring low-traffic DDOS attacks.
Background technology
A distributed denial of service attack (DDOS for short) uses many machines on the Internet, under the attacker's control, to attack a target system with relatively weak security defences at the same time, so that the victim host or network becomes overloaded and cannot receive or respond to external requests in time, thereby achieving the goal of denial of service.
On broadband networks, a DDOS attack generally manifests as a high-volume flood that congests the network and interrupts network services. Most websites on the Internet today are hosted on high-bandwidth machines, and in principle an attack that simply sends packets directly hardly causes any disruption: the bandwidth of the attacking machine may be far below that of these hosts, so the packets it sends do not constitute an attack on the targeted host. The appearance of DDOS techniques, however, made it very easy to attack high-bandwidth hosts from low-bandwidth hosts. In a mobile network, constrained by the wireless bandwidth bottleneck, the traffic of such attacks appears small on core network links and looks like normal low-volume traffic; but because mobile subscribers are numerous, highly concurrent and mobile, the large number of concurrent requests consumes the resources of the target system and produces a denial of service.
In recent years attackers have further used botnets as attack platforms, forming DDOS attacks of even larger scale: the attack traffic is more widely distributed, more harmful and harder to detect, posing a threat that cannot be ignored to today's networks and the computers on them. The socialisation of network security requires everyone on the network to help secure the Internet, and this is especially evident in DDOS prevention.
Telecom operators' mobile Internet has a large number of users. With the spread of smartphones, the applications on mobile terminals are increasingly rich and often online, so terminals easily become zombie hosts. Network security problems caused by DDOS attacks occur from time to time, and because the mobile Internet and the broadband network share the IP core network, the overall quality of service of the IP network declines. Telecom operators must strengthen their supervision and control of the network, mitigate the impact of denial-of-service attacks on the network and protect their users' interests.
Existing DDOS attack monitoring methods mainly fall into the following two kinds:
(1) Deploying IDS (intrusion detection system) equipment near the user side, which detects data and activity in the network and inside the system to discover possible intrusions and raise alarms. When facing DDOS attacks, however, IDS systems often cannot meet the requirements, mainly because:
First, although an intrusion detection system can detect application-layer attacks, its basic mechanism is rule-based and requires reassembly down to the protocol session, whereas most current DDOS attacks use attack traffic made of legitimate packets, so an IDS has difficulty detecting them effectively. Some IDS products also have a certain protocol anomaly detection capability, but it only takes effect after manual configuration by a security expert; the implementation cost is high and usability is very low;
Second, because of the false-positive rate of an IDS, it may itself create a new denial of service in which legitimate users cannot access network resources.
(2) Deploying NetFlow equipment at the egress of the metropolitan area network for monitoring. The principle is that NetFlow collects data according to a sampling ratio, and the collected data are analysed in several dimensions, such as type, direction, resulting consequence, packet type, address and port, to monitor for abnormal traffic. When an anomaly occurs, the cleaning equipment can automatically issue a diversion policy to the core routing equipment, the abnormal traffic is diverted to the cleaning equipment for cleaning, and the attack and the cleaning status are reported through a reporting system. Most current DDOS monitoring uses this approach; its main problems are:
First, the NetFlow data format cannot provide fine-grained L4-L7 information, so it cannot respond to DDoS attacks aimed at the application layer;
Second, in consideration of the CPU and memory load of the egress router, the NetFlow sampling rate is usually set fairly high, such as 3000:1 or 5000:1. Because of the sampling error, it can only judge whether a high-volume network-layer attack exceeding a predetermined threshold exists, cannot provide fine-grained protection, and therefore cannot detect low-rate DDOS attacks.
From the above analysis, the industry still lacks an effective method for monitoring low-traffic DDOS attacks.
Summary of the invention
In view of the above, the present invention proposes a method and system for monitoring low-traffic DDOS attacks.
The method for monitoring low-traffic DDOS attacks comprises the following steps:
deploying a DDOS monitoring system at the egress of the metropolitan area network, sampling the traffic accessing the target system 1:1 at layers 4-7, calculating a traffic threshold curve from the sampled data, and judging whether the traffic continuously exceeds the traffic threshold curve during a time period S;
when the traffic continuously exceeds the traffic threshold curve during time S, reading the contents of the IP payload, calculating a composition ratio threshold curve, and judging whether the number of times the current composition ratio exceeds the composition ratio threshold curve during time S is greater than N, where N is an integer greater than or equal to 1;
when the number of times the current composition ratio exceeds the composition ratio threshold curve is greater than N, extracting the IP source addresses accessing the target system, obtaining from AAA the base stations the users are connected to according to the IP source addresses, calculating a base-station distance sum threshold, and judging whether the current base-station distance sum is less than the base-station distance sum threshold; if so, determining that a DDOS attack is occurring.
The DDOS monitoring system for monitoring low-traffic DDOS attacks comprises:
a baseline analysis filter, which samples the traffic accessing the target system 1:1 at layers 4-7, calculates a traffic threshold curve from the sampled data, and judges whether the traffic continuously exceeds the traffic threshold curve during time S; if so, it notifies the composition analysis filter;
a composition analysis filter, which reads the contents of the IP payload, calculates a composition ratio threshold curve, and judges whether the number of times the current composition ratio exceeds the composition ratio threshold curve during time S is greater than N, where N is an integer greater than or equal to 1; if so, it notifies the similarity analysis filter;
a similarity analysis filter, which extracts the IP source addresses accessing the target system, obtains from AAA the base stations the users are connected to according to the IP source addresses, calculates a base-station distance sum threshold, and judges whether the current base-station distance sum is less than the base-station distance sum threshold; if so, a DDOS attack is considered to be occurring.
The present invention uses DPI (deep packet inspection) technology to obtain layer 4-7 data, compensating for the inability of NetFlow technology to detect low-rate DDOS attacks;
it adopts a heuristic detection method of baseline analysis + composition analysis + similarity analysis, which compensates for the high false-positive rate of IDS, achieves fine-grained protection, effectively prevents denial-of-service attacks using unknown methods, and raises the security level of the carrier network;
it is practical: by linking with AAA for control, abnormal traffic is discovered and cleaned in time, overcoming the high deployment cost and complex implementation of dedicated systems; deployment at a single point can cover the whole network, so it has the potential for large-scale deployment and improves defence efficiency.
Description of drawings
Fig. 1 is a schematic diagram of the deployment of the DDOS attack monitoring system of the present invention in a network: a DPI system is placed in the carrier network, and the traffic of users accessing the Internet is analysed and inspected.
Fig. 2 is a schematic diagram of the structure of the DDOS attack monitoring system of the present invention.
Fig. 3 is a schematic flow diagram of the DDOS attack monitoring method of the present invention.
Embodiment
The present invention performs baseline analysis, composition analysis and traffic similarity analysis; once all three models have matched and a threshold alarm is raised, a DDOS attack is determined to be occurring. After a DDOS attack has occurred, AAA can also perform a PPP disconnection on the mobile terminal with the corresponding IMSI number according to the source address, stopping the attack promptly and effectively and releasing wireless-side resources. The details are described below with reference to the drawings.
Fig. 1 is a schematic diagram of the system structure for monitoring low-traffic DDOS attacks according to the present invention; the DDOS monitoring system is deployed at the egress of the metropolitan area network.
The specific structure of the system is shown in Fig. 2 and comprises a baseline analysis filter, a composition analysis filter and a similarity analysis filter. Where:
1. Baseline analysis filter
The traffic accessing the target system is sampled 1:1 at layers 4-7, and a traffic threshold curve is calculated from the sampled data.
Here the target system is the target that needs to be protected or monitored, such as the Sina server. 1:1 layer 4-7 sampling means using DPI (deep packet inspection) technology to obtain the layer 4-7 data: all traffic is captured and every packet is analysed at the application layer, which compensates for the inability of NetFlow technology to detect low-rate DDOS attacks.
As one embodiment of the present invention, the method for calculating the traffic threshold curve within a set time period from the sampled data may be as follows. Those skilled in the art will understand that corresponding variations or modifications of this calculation method all fall within the scope covered by the claims.
Obtain the daily traffic curve within the set time period (for example, one week), and calculate the traffic mean A within the set time period (the average of the actual traffic at the same moment on each day of the period) and the traffic peak B (the actual maximum traffic at the same moment on each day of the period).
F = B,  when A < B <= nA (n > 1)
F = uB, when B > nA (n > 1, u < 1)
The values of n and u in the formula are trained from the traffic mean A and the traffic peak B to obtain the traffic threshold curve F. The training method is prior art, for example training with a neural network or according to a Markov model.
This model is used to compare the current behaviour of the target and judge whether the traffic exceeds the traffic threshold curve during time S. Specifically, for each moment in time S, the current traffic is compared with the traffic at the same moment on the traffic threshold curve. For example, if the current time is 1 p.m., the traffic at 1 p.m. on the threshold curve is used for the comparison. If the threshold curve is continuously exceeded during time S, the composition analysis filter is notified to proceed with composition analysis; otherwise no attack is considered to be occurring. Time S may be one or more segments within the set time period and, depending on the scenario, may be set to 15 to 30 minutes.
2. Composition analysis filter
Application-layer analysis is performed on the data collected above, mainly for user behaviour analysis. The composition ratio threshold curve is calculated by reading the contents of the IP payload.
As one embodiment of the present invention, the method for calculating the composition ratio threshold curve may be as follows. Those skilled in the art will understand that corresponding variations or modifications of this calculation method all fall within the scope covered by the claims.
Obtain the application composition ratios (UDP, TCP, ICMP, HTTP, DNS, etc.) within the set time period (for example, one week), and calculate the composition ratio mean I within the period (the average of the actual application composition ratio at the same moment on each day) and the peak composition ratio J (the actual maximum application composition ratio at the same moment on each day).
Z = J,  when I < J <= mI (m > 1)
Z = pJ, when J > mI (m > 1, p < 1)
The values of m and p are trained from the composition ratio mean I and the peak composition ratio J to obtain the composition ratio threshold curve Z. The training method is prior art, for example training with a neural network or according to a Markov model.
This model is used to compare the current behaviour of the target and judge whether the number of times the current composition ratio exceeds the composition ratio threshold curve during time S is greater than N, where N is an integer greater than or equal to 1. If so, the similarity analysis filter is notified to perform traffic similarity analysis and further judge whether a DDOS attack has occurred. The N times refer to the same composition ratio: for example, when the HTTP ratio is calculated, similarity analysis is performed only when the current HTTP ratio exceeds the HTTP ratio threshold curve N times. The value of N can be set according to the specific service or other factors; for video services, for example, N may be 3, 4 or 5. Those skilled in the art will understand that these values of N are given only as illustrations and should not be construed as limiting the invention.
In mobile Internet applications, the bandwidth occupied by each application may be only a few k or tens of k; if a user's application traffic suddenly increases by 20k, then for a mobile Internet application a DDOS attack has very probably occurred. Moreover, the number of users of mobile Internet applications is very large; if many users launch a DDOS attack at the same time, the mobile Internet can be paralysed and other users cannot access the network. On a fixed network, whose bandwidth is 2M, 4M, 8M or even higher, a sudden increase of 20k in traffic may have little impact on the bandwidth. Therefore, given these characteristics of mobile Internet applications, their traffic needs to be monitored so that DDOS attacks are found in time and paralysis of the mobile Internet is prevented.
Composition analysis of low-volume traffic can still produce false positives. For example, a user first browses a web page over HTTP and then downloads the information on that page, which causes the HTTP composition ratio to increase for a period of time and exceed the threshold more than N times. Therefore, when the number of times the composition ratio exceeds the threshold curve during time S is found to be greater than N, the similarity analysis filter is notified to perform traffic similarity analysis and further judge whether a DDOS attack has occurred.
3. Similarity analysis filter
The IP source addresses accessing the target system are extracted, the base stations the users are connected to are obtained from AAA according to the IP source addresses, and a base-station distance sum threshold is calculated. AAA keeps a table recording the IP source address, base station, terminal and similar information, so the base station can be looked up from the IP source address.
As one embodiment of the present invention, the method for calculating the base-station distance sum threshold may be as follows. Those skilled in the art will understand that corresponding variations or modifications of this calculation method all fall within the scope covered by the claims.
Obtain the mean base-station distance sum D within the set time period (for example, one week) (the average of the base-station distance sums at the same moment on each day of the period) and the actual minimum distance sum T within the period (the actual minimum base-station distance sum at the same moment on each day). Base-station distance means the distance between one base station and another: for example, user 1 is found to be on base station A1 and user 2 on base station B1, and the distance between base station A1 and base station B1 is the base-station distance. This operation is repeated for all users and the results are accumulated into the base-station distance sum. The set time period mentioned for the baseline analysis filter, the composition analysis filter and the similarity analysis filter is the same; for example, if the set time period is one week, all three models are calculated on the basis of one week.
X = T,  when D > T >= gD (g < 1)
X = yT, when T < gD (g < 1, y > 1)
The values of g and y are trained from the mean base-station distance sum D and the actual minimum distance sum T to obtain the base-station distance sum threshold X. The training method is prior art, for example training with a neural network or according to a Markov model.
This model is used to compare current user behaviour and judge whether the current base-station distance sum is less than the base-station distance sum threshold; if so, a DDOS attack is considered to be occurring.
Low-volume attack traffic from mobile Internet users often shows similarity within a certain range, and a DDOS attack can be identified precisely from this similarity. Taking access to the Sina server as an example, the existing base-station distance sums establish the range from which the Sina server is usually accessed; if the base-station distance sum of the sources accessing the server is significantly less than the base-station distance sum threshold, that is, the range of access suddenly shrinks, an abnormal situation has occurred and zombie hosts in a certain region are launching a DDOS attack, so a DDOS attack can be identified precisely.
The present invention integrates DPI technology to inspect and analyse network traffic 1:1, achieving deep identification from layer four to layer seven, compensating for the high false-positive rate of IDS and achieving fine-grained protection.
The present invention adopts the heuristic detection method of baseline analysis + composition analysis + similarity analysis; the complexity of the three models increases progressively and accuracy improves. In the high-volume network of an operator, taking real-time requirements and equipment capacity into account, suspicious traffic is first identified as far as possible and only then analysed further, so that large amounts of software and hardware resources and performance are not consumed. This effectively prevents denial-of-service attacks using unknown methods, raises the security level of the carrier network and improves monitoring accuracy.
The DDOS monitoring system shown in Fig. 2 may further comprise an alarm and cleaning filter, which links with AAA to handle the DDOS attack that has occurred.
4. Alarm and cleaning filter
Once all three models have matched and a threshold alarm is raised, the alarm and cleaning filter of the DDOS monitoring system issues a policy to AAA informing it of the source addresses of the attack traffic; AAA can then perform a PPP disconnection on the mobile terminals with the corresponding IMSI numbers according to these source addresses, stopping the attack promptly and effectively and releasing wireless-side resources.
In the prior art a diversion policy is issued to the core routing equipment; even after cleaning, only the connection between the base station and the server is torn down, while the connection between the user and the base station remains, so other users cannot access the network. In the present invention, because the PPP disconnection is performed directly on the mobile terminal, the radio resources are released and other users can still access the network.
The present invention is practical: by linking with AAA for control, abnormal traffic is discovered and cleaned in time, overcoming the high deployment cost and complex implementation of dedicated systems; deployment at a single point can cover the whole network, so it has the potential for large-scale deployment and improves defence efficiency.
Fig. 3 is a flow diagram of the method for monitoring low-traffic DDOS attacks according to the present invention, which comprises the following steps:
In step 301, a DDOS monitoring system is deployed at the egress of the metropolitan area network, the traffic accessing the target system is sampled 1:1 at layers 4-7, and a traffic threshold curve is calculated from the sampled data.
In step 302, it is judged whether the traffic continuously exceeds the traffic threshold curve during time S; if so, step 303 is executed, otherwise the process jumps to step 307.
In step 303, the contents of the IP payload are read and a composition ratio threshold curve is calculated.
In step 304, it is judged whether the number of times the current composition ratio exceeds the composition ratio threshold curve during time S is greater than N, where N is an integer greater than or equal to 1; if so, step 305 is executed, otherwise the process jumps to step 307.
In step 305, the IP source addresses accessing the target system are extracted, the base stations the users are connected to are obtained from AAA according to the IP source addresses, and the base-station distance sum threshold is calculated.
In step 306, it is judged whether the current base-station distance sum is less than the base-station distance sum threshold; if so, step 308 is executed, otherwise the process jumps to step 307.
In step 307, the current traffic is considered legitimate and no DDOS attack is occurring.
In step 308, a DDOS attack is determined to be occurring.
After a DDOS attack has been determined to be occurring, step 309 may also be executed: the DDOS monitoring system issues a policy to AAA informing it of the source addresses of the attack traffic, and AAA performs a PPP disconnection on the mobile terminals with the corresponding IMSI numbers according to the source addresses, releasing wireless-side resources.
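The three threshold models and the step 301-308 decision chain, carried through as an added worked example in Python (not code from the patent). The n/u, m/p and g/y values (which the patent says are trained), the week of history, the AAA lookup table and the all-pairs reading of the base-station distance sum are constructed assumptions.

```python
"""Three-stage low-rate DDoS detector after the baseline / composition /
similarity filters described above.  Added illustration, not the patent's code.
Constructed assumptions: the n,u / m,p / g,y values (the patent trains them),
a 7-day history with 4 slots per day, the AAA lookup table, and reading the
"base-station distance sum" as the sum over all pairs of source base stations."""
from itertools import combinations
import math

# ---- threshold models (formulas from the description) ----------------------

def peak_threshold(mean, peak, n, u):
    """F = B when A < B <= nA; F = uB when B > nA (n > 1, u < 1).
    The same shape gives the composition threshold Z from (I, J, m, p)."""
    assert n > 1 and u < 1
    return peak if peak <= n * mean else u * peak

def distance_threshold(d_mean, t_min, g, y):
    """X = T when D > T >= gD; X = yT when T < gD (g < 1, y > 1)."""
    assert g < 1 and y > 1
    return t_min if t_min >= g * d_mean else y * t_min

def threshold_curve(daily_curves, n, u):
    """Per slot: A = mean over the days, B = max over the days, F as above."""
    curve = []
    for s in range(len(daily_curves[0])):
        samples = [day[s] for day in daily_curves]
        curve.append(peak_threshold(sum(samples) / len(samples), max(samples), n, u))
    return curve

def distance_threshold_curve(daily_sums, g, y):
    """Per slot: D = mean over the days, T = min over the days, X as above."""
    curve = []
    for s in range(len(daily_sums[0])):
        samples = [day[s] for day in daily_sums]
        curve.append(distance_threshold(sum(samples) / len(samples), min(samples), g, y))
    return curve

# ---- the three filters -----------------------------------------------------

def baseline_alarm(window, curve):
    """Step 302: traffic above the curve in *every* slot of window S.
    window = [(slot, traffic), ...]; each slot is compared with the same slot of the curve."""
    return all(v > curve[s] for s, v in window)

def composition_alarm(window, curve, n_times):
    """Step 304: one application's share exceeds its curve more than N times in S."""
    return sum(1 for s, v in window if v > curve[s]) > n_times

def base_station_distance_sum(src_ips, aaa_table):
    """Step 305: look up each source's base station in the AAA table and sum the
    pairwise distances (all-pairs reading, an assumption; unknown IPs are skipped)."""
    stations = [aaa_table[ip] for ip in src_ips if ip in aaa_table]
    return sum(math.dist(a, b) for a, b in combinations(stations, 2))

def similarity_alarm(src_ips, aaa_table, x_threshold):
    """Step 306: the access range has shrunk, i.e. the distance sum is below X."""
    return base_station_distance_sum(src_ips, aaa_table) < x_threshold

def detect(traffic_window, f_curve, share_window, z_curve, n_times,
           src_ips, aaa_table, x_threshold):
    """Run the filters in order; only traffic that trips all three is an attack
    (steps 302/304/306 -> 308), anything else falls through to step 307."""
    if not baseline_alarm(traffic_window, f_curve):
        return "normal"
    if not composition_alarm(share_window, z_curve, n_times):
        return "normal"
    if not similarity_alarm(src_ips, aaa_table, x_threshold):
        return "normal"
    return "attack"

# ---- constructed sample data: 7 days x 4 slots (e.g. four 15-minute slots) --
TRAFFIC_HISTORY = [[100, 120, 110, 130], [105, 125, 115, 135], [98, 118, 108, 128],
                   [102, 122, 112, 132], [101, 121, 111, 131], [99, 119, 109, 129],
                   [300, 125, 115, 135]]          # one outlier peak in slot 0
HTTP_SHARE_HISTORY = [[0.50, 0.55, 0.52, 0.60]] * 6 + [[0.50, 0.55, 0.52, 0.90]]
DISTANCE_HISTORY = [[150, 160, 155, 170]] * 6 + [[150, 160, 155, 100]]   # km
AAA = {  # constructed AAA table: source IP -> (x, y) of its base station, km
    "10.0.0.1": (0, 0), "10.0.0.2": (1, 0), "10.0.0.3": (0, 1),
    "10.0.0.4": (30, 40), "10.0.0.5": (60, 0)}
CLUSTERED = ["10.0.0.1", "10.0.0.2", "10.0.0.3"]   # sources on neighbouring cells
SPREAD = ["10.0.0.1", "10.0.0.4", "10.0.0.5"]      # sources spread across the city
CURRENT_TRAFFIC = [(1, 140), (2, 130), (3, 150)]   # window S = slots 1..3
CURRENT_HTTP_SHARE = [(1, 0.70), (2, 0.70), (3, 0.85)]

def run_demo(src_ips):
    """Evaluate one window S (slots 1..3) against curves trained on the history."""
    f_curve = threshold_curve(TRAFFIC_HISTORY, n=2, u=0.8)
    z_curve = threshold_curve(HTTP_SHARE_HISTORY, n=1.3, u=0.9)    # m = 1.3, p = 0.9
    x_curve = distance_threshold_curve(DISTANCE_HISTORY, g=0.7, y=1.1)
    return detect(CURRENT_TRAFFIC, f_curve, CURRENT_HTTP_SHARE, z_curve, 2,
                  src_ips, AAA, x_curve[3])        # X for the last slot of S

if __name__ == "__main__":
    print("clustered sources:", run_demo(CLUSTERED))   # attack
    print("spread sources:   ", run_demo(SPREAD))      # normal
```

The same traffic and HTTP-share window is classified as an attack only when the sources sit on neighbouring base stations; the geographically spread set falls through to step 307, which is the false-positive case the similarity filter exists to catch.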
The description of the invention is provided for purposes of illustration and description and is not intended to be exhaustive or to limit the invention to the forms disclosed. Many modifications and variations will be obvious to those of ordinary skill in the art. The embodiments were chosen and described to best explain the principles of the invention and its practical application, and to enable those of ordinary skill in the art to understand the various embodiments with various modifications that are suited to the particular use contemplated.

Claims (10)

1. A method for monitoring low-traffic DDOS attacks, comprising the following steps:
deploying a DDOS monitoring system at the egress of the metropolitan area network, sampling the traffic accessing the target system 1:1 at layers 4-7, calculating a traffic threshold curve from the sampled data, and judging whether the traffic continuously exceeds the traffic threshold curve during a time period S;
when the traffic continuously exceeds the traffic threshold curve during time S, reading the contents of the IP payload, calculating a composition ratio threshold curve, and judging whether the number of times the current composition ratio exceeds the composition ratio threshold curve during time S is greater than N, where N is an integer greater than or equal to 1;
when the number of times the current composition ratio exceeds the composition ratio threshold curve is greater than N, extracting the IP source addresses accessing the target system, obtaining from AAA the base stations the users are connected to according to the IP source addresses, calculating a base-station distance sum threshold, and judging whether the current base-station distance sum is less than the base-station distance sum threshold; if so, determining that a DDOS attack is occurring.
2. The method for monitoring low-traffic DDOS attacks according to claim 1, further comprising, after a DDOS attack is determined to be occurring:
the DDOS monitoring system issues a policy to AAA informing it of the source addresses of the attack traffic, and AAA performs a PPP disconnection on the mobile terminals with the corresponding IMSI numbers according to the source addresses, releasing wireless-side resources.
3. The method for monitoring low-traffic DDOS attacks according to claim 1 or 2, wherein the operation of calculating the traffic threshold curve from the sampled data comprises the following steps:
obtaining the daily traffic curve within a set time period, and calculating the traffic mean A and the traffic peak B within the set time period;
F = B,  when A < B <= nA (n > 1)
F = uB, when B > nA (u < 1)
training the values of n and u from the traffic mean and the traffic peak to obtain the traffic threshold curve F.
4. The method for monitoring low-traffic DDOS attacks according to claim 1 or 2, wherein the operation of calculating the composition ratio threshold curve comprises the following steps:
obtaining the application composition ratios within a set time period, and calculating the composition ratio mean I and the peak composition ratio J within the period;
Z = J,  when I < J <= mI (m > 1)
Z = pJ, when J > mI (p < 1)
training the values of m and p from the composition ratio mean and the peak composition ratio to obtain the composition ratio threshold curve Z.
5. The method for monitoring low-traffic DDOS attacks according to claim 1 or 2, wherein the operation of calculating the base-station distance sum threshold comprises the following steps:
obtaining the mean base-station distance sum D within a set time period and the actual minimum distance sum T within the period;
X = T,  when D > T >= gD (g < 1)
X = yT, when T < gD (y > 1)
Train g and y value according to mean base station apart from total value and actual minimum range total value, obtain between the base station apart from the summation threshold X.
6. monitor the DDOS monitoring system that low discharge DDOS attacks, comprising:
The baseline analysis filter carries out 1: 1 4-7 layer sampling to the flow of visit initialization system, and according to sampled data calculated flow rate threshold curve, whether flow continues to surpass the flow threshold curve in the judgement time S, if, notice constituent analysis filter;
The constituent analysis filter reads the content of IP payload package, calculating composition accounting threshold curve; Whether judgement current composition accounting in time S surpasses composition accounting threshold curve number of times greater than N time; N is the integer more than or equal to 1, if, notice similarity analysis filter;
The similarity analysis filter extracts the IP source address of visit initialization system, obtains the base station information that the user connects according to IP source address from AAA, between the calculation base station apart from the summation threshold value; Judge between the current base station apart from summation whether less than between the base station apart from the summation threshold value, if think that DDOS takes place to be attacked.
7. according to the said DDOS monitoring system of claim 6, also comprise:
Alarm and filter rinsed to the AAA distributing policy, are informed the source address of attack stream, and AAA is according to source address, the mobile phone terminal with corresponding IMSI number is carried out PPP take out stitches, and discharge the wireless side resource.
8. The DDoS monitoring system according to claim 6 or 7, wherein:
the baseline analysis filter obtains the daily flow curve over the set time window, calculates the mean flow A and the peak flow B over the set time window, and trains the values of n and u from the mean flow and the peak flow, thereby obtaining the flow threshold curve F: F = B when A < B <= nA, with n > 1; F = uB when B > nA, with u < 1.
9. The DDoS monitoring system according to claim 6 or 7, wherein:
the composition analysis filter obtains the ratio of application compositions over the set time window, calculates the mean composition ratio I and the peak composition ratio J over that time window, and trains the values of m and p from the mean composition ratio and the peak composition ratio, thereby obtaining the composition-ratio threshold curve Z: Z = J when I < J <= mI, with m > 1; Z = pJ when J > mI, with p < 1.
10. The DDoS monitoring system according to claim 6 or 7, wherein:
the similarity analysis filter obtains the mean inter-base-station distance summation D over the set time window and the actual minimum distance summation T over the set time window, and trains the values of g and y from the mean inter-base-station distance summation and the actual minimum distance summation, thereby obtaining the inter-base-station distance summation threshold X: X = T when D > T >= gD, with g < 1; X = yT when T < gD, with y > 1.
CN201110155058.XA 2011-06-10 2011-06-10 Method and system for monitoring DDOS (distributed denial of service) attacks in small flow Active CN102821081B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201110155058.XA CN102821081B (en) 2011-06-10 2011-06-10 Method and system for monitoring DDOS (distributed denial of service) attacks in small flow

Publications (2)

Publication Number Publication Date
CN102821081A true CN102821081A (en) 2012-12-12
CN102821081B CN102821081B (en) 2014-12-17

Family

ID=47304940

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201110155058.XA Active CN102821081B (en) 2011-06-10 2011-06-10 Method and system for monitoring DDOS (distributed denial of service) attacks in small flow

Country Status (1)

Country Link
CN (1) CN102821081B (en)

Cited By (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103036741A (en) * 2012-12-19 2013-04-10 北京神州绿盟信息安全科技股份有限公司 Determination method and determination device of flow monitoring base line
CN103763703A (en) * 2014-01-09 2014-04-30 广州中国科学院先进技术研究所 Wireless network attack detection method based on mathematical morphology
CN104125213A (en) * 2014-06-18 2014-10-29 汉柏科技有限公司 Distributed denial of service DDOS attack resisting method and device for firewall
CN104753863A (en) * 2013-12-26 2015-07-01 中国移动通信集团公司 DDoS (Distributed Denial of Service) attack prevention method, device and system
CN105049291A (en) * 2015-08-20 2015-11-11 广东睿江科技有限公司 Method for detecting network traffic anomaly
CN105429820A (en) * 2015-11-05 2016-03-23 武汉烽火网络有限责任公司 Deep packet detection system and method based on software defined network
CN106209861A (en) * 2016-07-14 2016-12-07 南京邮电大学 A kind of based on broad sense Jie Kade similarity coefficient Web application layer ddos attack detection method and device
WO2017084529A1 (en) * 2015-11-19 2017-05-26 阿里巴巴集团控股有限公司 Network attacks identifying method and device
CN108234155A (en) * 2016-12-13 2018-06-29 中国电信股份有限公司 Packet capture method, apparatus and server
CN108696498A (en) * 2017-03-31 2018-10-23 三星电子株式会社 Detect and take precautions against the system to the Denial of Service attack of computer storage array
CN109951491A (en) * 2019-03-28 2019-06-28 腾讯科技(深圳)有限公司 Network attack detecting method, device, equipment and storage medium
CN110071934A (en) * 2019-04-30 2019-07-30 中国人民解放军国防科技大学 local sensitivity counting abstract method and system for network anomaly detection
CN110557371A (en) * 2019-07-31 2019-12-10 中至数据集团股份有限公司 Access limiting method, system, readable storage medium and game server
CN111177513A (en) * 2019-12-31 2020-05-19 北京百度网讯科技有限公司 Method and device for determining abnormal access address, electronic equipment and storage medium
CN111343206A (en) * 2020-05-19 2020-06-26 上海飞旗网络技术股份有限公司 Active defense method and device for data flow attack
CN113760664A (en) * 2021-09-10 2021-12-07 哈尔滨工业大学 Two-stage threshold attack detection method, computer and storage medium

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1764126A (en) * 2005-11-11 2006-04-26 上海交通大学 Method for detecting and monitoring gusty abnormal network flow
CN101540761A (en) * 2009-04-24 2009-09-23 成都市华为赛门铁克科技有限公司 Method and equipment for monitoring distributed denial of service attack
CN101980506A (en) * 2010-10-29 2011-02-23 北京航空航天大学 Flow characteristic analysis-based distributed intrusion detection method

Cited By (31)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103036741B (en) * 2012-12-19 2016-02-03 北京神州绿盟信息安全科技股份有限公司 The defining method of flow monitoring baseline and device
CN103036741A (en) * 2012-12-19 2013-04-10 北京神州绿盟信息安全科技股份有限公司 Determination method and determination device of flow monitoring base line
CN104753863A (en) * 2013-12-26 2015-07-01 中国移动通信集团公司 DDoS (Distributed Denial of Service) attack prevention method, device and system
CN104753863B (en) * 2013-12-26 2018-10-26 中国移动通信集团公司 A kind of defence method of distributed denial of service attack, equipment and system
CN103763703B (en) * 2014-01-09 2017-05-10 广州中国科学院先进技术研究所 Wireless network attack detection method based on mathematical morphology
CN103763703A (en) * 2014-01-09 2014-04-30 广州中国科学院先进技术研究所 Wireless network attack detection method based on mathematical morphology
CN104125213A (en) * 2014-06-18 2014-10-29 汉柏科技有限公司 Distributed denial of service DDOS attack resisting method and device for firewall
CN105049291A (en) * 2015-08-20 2015-11-11 广东睿江科技有限公司 Method for detecting network traffic anomaly
CN105429820A (en) * 2015-11-05 2016-03-23 武汉烽火网络有限责任公司 Deep packet detection system and method based on software defined network
CN105429820B (en) * 2015-11-05 2018-10-09 武汉烽火网络有限责任公司 Deep-packet detection system based on software defined network and method
WO2017084529A1 (en) * 2015-11-19 2017-05-26 阿里巴巴集团控股有限公司 Network attacks identifying method and device
CN106789831A (en) * 2015-11-19 2017-05-31 阿里巴巴集团控股有限公司 The method and apparatus for recognizing network attack
US11240258B2 (en) 2015-11-19 2022-02-01 Alibaba Group Holding Limited Method and apparatus for identifying network attacks
CN106789831B (en) * 2015-11-19 2020-10-23 阿里巴巴集团控股有限公司 Method and device for identifying network attack
CN106209861A (en) * 2016-07-14 2016-12-07 南京邮电大学 A kind of based on broad sense Jie Kade similarity coefficient Web application layer ddos attack detection method and device
CN106209861B (en) * 2016-07-14 2019-07-12 南京邮电大学 One kind being based on broad sense Jie Kade similarity factor Web application layer ddos attack detection method and device
CN108234155A (en) * 2016-12-13 2018-06-29 中国电信股份有限公司 Packet capture method, apparatus and server
CN108234155B (en) * 2016-12-13 2021-03-30 中国电信股份有限公司 Data packet acquisition method and device and server
CN108696498A (en) * 2017-03-31 2018-10-23 三星电子株式会社 Detect and take precautions against the system to the Denial of Service attack of computer storage array
CN108696498B (en) * 2017-03-31 2022-11-15 三星电子株式会社 System for detecting and protecting against denial of service attacks on computer storage arrays
US11140198B2 (en) 2017-03-31 2021-10-05 Samsung Electronics Co., Ltd. System and method of detecting and countering denial-of-service (DoS) attacks on an NVMe-oF-based computer storage array
CN109951491A (en) * 2019-03-28 2019-06-28 腾讯科技(深圳)有限公司 Network attack detecting method, device, equipment and storage medium
CN110071934B (en) * 2019-04-30 2021-03-26 中国人民解放军国防科技大学 Local sensitivity counting abstract method and system for network anomaly detection
CN110071934A (en) * 2019-04-30 2019-07-30 中国人民解放军国防科技大学 local sensitivity counting abstract method and system for network anomaly detection
CN110557371A (en) * 2019-07-31 2019-12-10 中至数据集团股份有限公司 Access limiting method, system, readable storage medium and game server
CN111177513A (en) * 2019-12-31 2020-05-19 北京百度网讯科技有限公司 Method and device for determining abnormal access address, electronic equipment and storage medium
CN111177513B (en) * 2019-12-31 2023-10-31 北京百度网讯科技有限公司 Determination method and device of abnormal access address, electronic equipment and storage medium
CN111343206B (en) * 2020-05-19 2020-08-21 上海飞旗网络技术股份有限公司 Active defense method and device for data flow attack
CN111343206A (en) * 2020-05-19 2020-06-26 上海飞旗网络技术股份有限公司 Active defense method and device for data flow attack
CN113760664A (en) * 2021-09-10 2021-12-07 哈尔滨工业大学 Two-stage threshold attack detection method, computer and storage medium
CN113760664B (en) * 2021-09-10 2022-09-27 哈尔滨工业大学 Two-stage threshold attack detection method, computer and storage medium

Also Published As

Publication number Publication date
CN102821081B (en) 2014-12-17

Similar Documents

Publication Publication Date Title
CN102821081B (en) Method and system for monitoring DDOS (distributed denial of service) attacks in small flow
CN110249603B (en) Method and apparatus for detecting distributed attacks in a wireless network
KR101077135B1 (en) Apparatus for detecting and filtering application layer DDoS Attack of web service
CN108063765B (en) SDN system suitable for solving network security
Dharma et al. Time-based DDoS detection and mitigation for SDN controller
EP1964366B1 (en) Methods and devices for defending a 3g wireless network against malicious attacks
KR101424490B1 (en) Reverse access detecting system and method based on latency
KR101574193B1 (en) Apparatus and method for defending DDoS attack
US20070248084A1 (en) Symmetric connection detection
Alenezi et al. Methodologies for detecting DoS/DDoS attacks against network servers
CN104202336A (en) DDoS (distributed denial of service) attach detection method based on information entropy
CN101631026A (en) Method and device for defending against denial-of-service attacks
CN103281293A (en) Network flow rate abnormity detection method based on multi-dimension layering relative entropy
CN102271068A (en) Method for detecting DOS/DDOS (denial of service/distributed denial of service) attack
CN106357685A (en) Method and device for defending distributed denial of service attack
CN100502356C (en) Multilevel aggregation-based abnormal flow control method and system
CN107864110A (en) Botnet main control end detection method and device
Bhatnagar et al. The proposal of hybrid intrusion detection for defence of sync flood attack in wireless sensor network
KR20140117217A (en) Method and apparatus of the traffic classification using big data analysis
Dressler et al. Attack detection using cooperating autonomous detection systems (CATS)
Granjal et al. Intrusion Detection and Prevention with Internet-integrated CoAP Sensing Applications.
KR101587845B1 (en) Method for detecting distributed denial of services attack apparatus thereto
Paulauskas et al. Investigation of the intrusion detection system “snort” performance
Gamer et al. A granularity-adaptive system for in-network attack detection
Falletta et al. Detecting Scanners: Empirical Assessment on a 3G Network.

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant