CN103095711A - Application layer distributed denial of service (DDoS) attack detection method and defensive system aimed at website - Google Patents


Info

Publication number: CN103095711A
Authority: CN (China)
Prior art keywords: sequence, user, website, application layer, page
Legal status: Granted (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN2013100187988A
Other languages: Chinese (zh)
Other versions: CN103095711B (en)
Inventors: 徐川, 唐红, 赵国锋, 杜成, 张毅
Current Assignee: Fuzhou Qilian Information Consulting Co ltd (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: Chongqing University of Post and Telecommunications
Application filed by Chongqing University of Post and Telecommunications
Priority to CN201310018798.8A
Publication of CN103095711A
Application granted
Publication of CN103095711B
Status: Active

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to network security, and in particular to the detection of and defense against application layer distributed denial of service (DDoS) attacks. It provides a detection method and a defense system based on predicting user click sequences. First, the page URLs of a website are extracted and clustered with a clustering algorithm to obtain the page classification $V_j$ and the users' click sequences on the website. A user's click sequence is then used to construct a random walk graph, and the user's click sequence for the next observation period is calculated by a random walk process. Finally, the similarity between the predicted sequence and the observed click sequence is calculated, and a trained threshold is used to judge whether the user's click sequence is abnormal. The method and system can effectively detect application layer attacks, in particular attack requests that simulate normal user behavior, and can be widely applied to the security defense of data center website servers.

Description

An application layer DDoS attack detection method and defense system for websites
Technical field
The present invention relates to the field of network security, and in particular to an application layer DDoS attack detection method and defense system for websites.
Background art
Distributed denial of service (DDoS) attacks have always been one of the most serious threats facing Web servers, the providers of Internet services. Traditional DDoS attacks at the network layer or transport layer are detected well by increasingly mature network protection technologies (firewalls, intrusion detection and so on). At the same time, changes in computing models mean that more services interact through the Web, which has accelerated the shift of DDoS attacks to the application layer. An application layer DDoS attack usually uses real IP addresses as attack nodes, exploits weaknesses in application layer protocols, and sends the target server a large number of attack requests over the legitimate HTTP protocol, passing easily through network protection systems. This makes it a security problem that Web servers urgently need solved.
However, most research results address the detection of network layer or transport layer DDoS attacks and are not suitable for detecting application layer DDoS attacks. Existing application layer DDoS detection methods mainly target flooding attacks based on the HTTP protocol and detect attacks by statistical analysis of the traffic characteristics or protocol characteristics of HTTP requests; this is ineffective against asymmetric attacks that send attack requests at a normal rate.
Ranjan proposed a detection method based on the statistical abnormality of HTTP requests within a session. The method first classifies the pages of a website, then counts the classes of each user's HTTP requests in each session and uses these counts to train an HTTP request model of normal users, and finally identifies attack requests by their degree of deviation from the normal user model. For asymmetric attacks, this method was the first to classify pages by the resource consumption of their HTTP requests. However, it trains the normal model on statistical features of the HTTP requests in a session, which still reflect traffic characteristics, whereas an asymmetric attacker's traffic characteristics are consistent with those of normal users, and a single unified model cannot describe the access characteristics of all types of users.
Summary of the invention
The object of the invention is to provide, for application layer HTTP DDoS attacks against websites, a method and defense system that can detect attack traffic using either the flooding or the asymmetric attack mode. Under the asymmetric attack mode the attacker's traffic characteristics are consistent with those of normal users, which makes attack detection and defense difficult; the inventors propose a corresponding solution.
An application layer DDoS attack detection method for websites comprises the following steps:
Extract the page URLs of the website and use the K-means clustering algorithm to classify HTTP requests by website, obtaining the page classification set $V_j$ of the website, where $j$ is the page type. Match HTTP requests against the page classification set $V_j$ to obtain the user click sequence $u_i = \{x_1, x_2, \ldots, x_n\}$, where $x_i$ denotes one click by the user and $i$ is the independent user number.
Use the user click sequences $u_i = \{x_1, x_2, \ldots, x_n\}$ to train the page transition probability matrix $P_{V_j}$.
From the user click sequence $u_i = \{x_1, x_2, \ldots, x_n\}$, construct the random walk graph of the pages this user has accessed.
From the user's click sequence $u_i = \{x_1, x_2, \ldots, x_n\}$ in the current observation period, the page transition probability matrix $P_{V_j}$ and the page random walk graph, perform the random walk calculation to predict the user's click sequence $u'_i = \{x'_1, x'_2, \ldots, x'_n\}$ for the next observation period. The formula for the probability distribution vector in the random walk calculation is given as an image in the original; in it, $p$ is the adjacency matrix, $s_0$ is the initial probability distribution vector, a further parameter (its symbol is an image in the original) is the probability that a jump occurs, and $d$ is the probability distribution vector over the vertices that are jumped to when a jump occurs. $p$ is specifically the page transition probability matrix $P_{V_j}$; $s_0$ is obtained from the random walk graph; $d$ is specifically a column vector of the page transition probability matrix $P_{V_j}$; the jump probability is set to 0.15.
Calculate the sequence similarity between the user's click sequence $u_i = \{x_1, x_2, \ldots, x_n\}$ in the current observation period and the user's click sequence $u'_i = \{x'_1, x'_2, \ldots, x'_n\}$ for the next observation period. The formula for the sequence similarity is given as an image in the original; in it, $u_i$ denotes the user's click sequence in the current observation period and $u'_i$ denotes the user's click sequence for the next observation period.
Compare the sequence similarity with a threshold to judge whether the user click sequence $u_i$ is normal: if the sequence similarity is less than the threshold, the click sequence $u_i$ is an attack sequence; otherwise it is a normal access sequence.
An application layer DDoS attack defense system for websites comprises a request processing module, a model training module, a sequence prediction module and an abnormality detection module. The request processing module uses the K-means clustering algorithm to classify HTTP requests by website, obtains the classification set $V_j$ and from it the user click sequence $u_i$, and passes the user click sequence $u_i$ to the model training module and the sequence prediction module. The model training module constructs the random walk graph from the user click sequence $u_i$, obtains the website page transition probability matrix $P_{V_j}$, and submits it to the Sequence Detection module. The sequence prediction module, starting from the user click sequence $u_i$ of the current observation period, predicts the user click sequence $u'_i$ of the next observation period according to the random walk graph. The abnormality detection module calculates the sequence similarity between the user click sequence $u_i$ in the current observation period and the user click sequence $u'_i$ of the next observation period.
The invention can effectively detect application layer DDoS attacks, in particular attack requests that simulate normal user behavior, and can be widely applied to the security defense of data center website servers.
Description of the drawings
Fig. 1 is a deployment diagram of the application layer DDoS attack defense system;
Fig. 2 is an architecture diagram of the application layer DDoS attack defense system;
Fig. 3 is a diagram of the application layer DDoS attack detection method;
Fig. 4 is a diagram of user click sequence prediction and abnormality detection;
Fig. 5 is a diagram of the random walk.
Embodiment
Fig. 1 shows the deployment of the application layer DDoS attack defense system. The system is deployed in front of the data center web servers 1.2 and protects all of the data center's web servers 1.2. It inspects HTTP requests to port 80 (1.1) of the data center servers; attack requests are dropped and normal requests are forwarded to the servers.
Fig. 2 shows the architecture of the application layer DDoS attack defense system, which consists mainly of the following four modules:
Request processing module 1 preprocesses the HTTP requests that access the server. First, based on the HTTP requests, it classifies the pages of a website with K-means (a distance-based clustering algorithm), obtaining the classification set $V_j$, where $j$ is the page type. Second, it matches HTTP requests against the page classification set $V_j$ to obtain the user's click sequence $u_i = \{x_1, x_2, \ldots, x_n\}$, where each element $x_i$ of $u_i$ belongs to $V_j$, and passes the user click sequence to model training module 2 and sequence prediction module 3.
Model training module 2 trains on the access behavior of the website's users, constructs the user page-access random walk graph and the website page transition probability matrix $P_{V_j}$, and submits them to the sequence prediction module. The page-access random walk graph is built for a single user and can be used to distinguish the access behavior of an individual user. The website page transition probability matrix describes the aggregate behavior of all users who access the website and is used to avoid the variability introduced by differences in individual user behavior.
Sequence prediction module 3, starting from the user click sequence $u_i = \{x_1, x_2, \ldots, x_n\}$ of the current observation period, predicts the user click sequence $u'_i = \{x'_1, x'_2, \ldots, x'_n\}$ of the next observation period according to the random walk graph.
Abnormality detection module 4 checks whether a user's click sequence is normal. It calculates the sequence similarity between the user click sequence $u_i = \{x_1, x_2, \ldots, x_n\}$ in the observation period and the predicted user click sequence $u'_i = \{x'_1, x'_2, \ldots, x'_n\}$. If the similarity is higher than the threshold, the request is a normal user request and is forwarded to the server; if the similarity is lower than the threshold, the request is a DDoS attack request and this user's HTTP requests are dropped.
To handle attackers who disguise their access as that of normal users, the system identifies user click sequences with a prediction method based on random walk, which can accurately predict a user's access behavior in the next period.
The application layer DDoS attack detection method proposed by the invention makes up for the shortcomings of traditional methods based on user traffic characteristics. It can effectively detect asymmetric HTTP attack requests whose traffic characteristics are normal but whose resource consumption is high, and it avoids the error that legacy systems incur by using the same model to describe the behavior of all users.
Fig. 3 shows the application layer DDoS attack detection method, which comprises the following six steps:
1. Extract the page URLs of the website and cluster them with K-means (a distance-based clustering algorithm) according to URL depth, URL popularity and user loyalty, obtaining the page classification $V_j$ of the website, where $j$ is the page type.
2. Distinguish users by IP address and obtain the click sequence $u_i = \{x_1, x_2, \ldots, x_n\}$ of one session of a user, where $i$ is the independent user number; use the click sequences of all users to train the page transition probability matrix $P_{V_j}$.
3. From the click sequence $u_i = \{x_1, x_2, \ldots, x_n\}$ of one session of a user, construct the random walk graph of the pages this user has accessed.
4. From the user's click sequence $u_i = \{x_1, x_2, \ldots, x_n\}$ in the current observation period, the page transition probability matrix $P_{V_j}$ and the page random walk graph, perform the random walk calculation to predict the user's click sequence $u'_i = \{x'_1, x'_2, \ldots, x'_n\}$ for the next observation period.
5. Calculate the sequence similarity between the observed sequence $u_i = \{x_1, x_2, \ldots, x_n\}$ and the predicted sequence $u'_i = \{x'_1, x'_2, \ldots, x'_n\}$. The formula is given as an image in the original; in it, $u_i$ denotes the user's click sequence in the current observation period and $u'_i$ denotes the user's click sequence for the next observation period.
6. Compare the sequence similarity with the threshold to judge whether the sequence is normal: if the sequence similarity is less than the threshold, this user's access sequence is an attack sequence; otherwise it is a normal access sequence.
The construction of the random walk graph from user click sequences is illustrated with a concrete example. The page set (its symbol is an image in the original) contains 5 pages, i.e. $k = 5$, and the training set $D$ contains 4 user access sequences: $u_1 = \{1, 2, 3, 4, 4\}$, $u_2 = \{3, 4, 5, 2\}$, $u_3 = \{3, 5, 2, 4, 1, 3\}$, $u_4 = \{2, 1, 5\}$. The directed random walk graph derived from the page set and the training set $D$ is shown in Fig. 5.
Fig. 4 shows user click sequence prediction and abnormality detection. From the user click sequence $u_i(k) = \{x_1, x_2, \ldots, x_n\}$ obtained in observation period T, the method calculates the user click sequence $u'_i(k+1) = \{x_{n+1}, x_{n+2}, \ldots, x_{m+n}\}$ of the next observation period T+1 by a random walk process. The calculation proceeds as follows:
With the user click sequence $u_i(k) = \{x_1, x_2, \ldots, x_n\}$ of observation period T as input, the user's next click $x_{n+1}$ is calculated by the random walk process. The random walk process needs 4 input parameters: the adjacency matrix $p$, the initial probability distribution vector $s_0$, the jump probability (its symbol is an image in the original), and the vector $d$ giving the probability distribution over the vertices of the graph that are jumped to when a jump occurs. The adjacency matrix $p$ is the website page transition probability matrix $P_{V_j}$; the initial probability distribution vector $s_0$ is obtained from the random walk graph; the jump probability distribution vector $d$ is a column vector of the website page transition probability matrix $P_{V_j}$; the jump probability is set to 0.15.
The probability distribution vector output after each step of the walk is denoted $s$, and $s$ is computed by formula (1), which is given as an image in the original.
The vector $s$ is fed back as the input of formula (1), and formula (1) is iterated until convergence. The probability distribution vector at that point (its symbol is an image in the original) is the steady-state probability distribution vector, and the next click $x_{n+1}$ is chosen from it.
The newly obtained click $x_{n+1}$ is used to form the click sequence $u_i(k) = \{x_2, x_3, \ldots, x_{n+1}\}$, which is taken as input to calculate the following click $x_{n+2}$ by the random walk process. Repeating this calculation $m$ times gives the user click sequence $u'_i(k+1) = \{x_{n+1}, x_{n+2}, \ldots, x_{m+n}\}$ for observation period T+1. The similarity between the observed sequence $u_i(k+1) = \{x_1, x_2, \ldots, x_m\}$ in observation period T+1 and the predicted sequence $u'_i(k+1) = \{x_{n+1}, x_{n+2}, \ldots, x_{m+n}\}$ is then calculated to detect sequence abnormality.
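The prediction and detection steps above, run on the worked example's training set $D$, as an added Python illustration that is not code from the patent. Formula (1) and the similarity formula are images that are not on this page, so the update rule $s \leftarrow (1 - 0.15)\,P^{T}s + 0.15\,d$, the choices of $s_0$ and $d$, picking the highest-probability page as the next click, the position-wise similarity and the threshold passed by the caller are all assumptions.

```python
ALPHA = 0.15  # jump probability stated in the description

# Training set D from the worked example: k = 5 pages, 4 user access sequences.
TRAIN = [[1, 2, 3, 4, 4], [3, 4, 5, 2], [3, 5, 2, 4, 1, 3], [2, 1, 5]]
K = 5


def transition_matrix(sequences, k):
    """Row-stochastic page transition matrix estimated from click sequences."""
    counts = [[0] * k for _ in range(k)]
    for seq in sequences:
        for a, b in zip(seq, seq[1:]):
            counts[a - 1][b - 1] += 1
    matrix = []
    for row in counts:
        total = sum(row)
        # A page never left in training gets a uniform row so P stays stochastic.
        matrix.append([c / total for c in row] if total else [1.0 / k] * k)
    return matrix


def steady_state(p, s0, d, alpha=ALPHA, tol=1e-12, max_iter=10000):
    """Assumed update rule: s <- (1 - alpha) * P^T s + alpha * d, to convergence."""
    k = len(p)
    s = list(s0)
    for _ in range(max_iter):
        nxt = [alpha * d[j] + (1 - alpha) * sum(s[i] * p[i][j] for i in range(k))
               for j in range(k)]
        if sum(abs(x - y) for x, y in zip(nxt, s)) < tol:
            return nxt
        s = nxt
    raise RuntimeError("random walk did not converge")


def predict_next(p, window):
    """Predict the next click from the user's current click window."""
    k = len(p)
    # Assumption: s0 is the page distribution of the user's own window.
    s0 = [window.count(page) / len(window) for page in range(1, k + 1)]
    # Assumption: d is the transition distribution out of the last clicked page.
    d = p[window[-1] - 1]
    s = steady_state(p, s0, d)
    # Assumption: the next click is the page with the highest steady-state mass.
    return s.index(max(s)) + 1


def predict_sequence(p, window, m):
    """Slide the window forward m times, as in the description."""
    window = list(window)
    predicted = []
    for _ in range(m):
        nxt = predict_next(p, window)
        predicted.append(nxt)
        window = window[1:] + [nxt]
    return predicted


def similarity(observed, predicted):
    """Assumed measure: fraction of positions where the two sequences agree."""
    n = min(len(observed), len(predicted))
    if n == 0:
        return 0.0
    return sum(o == q for o, q in zip(observed, predicted)) / n


def is_attack(observed, predicted, threshold):
    """Decision rule from the description: similarity below threshold is an attack."""
    return similarity(observed, predicted) < threshold


if __name__ == "__main__":
    P = transition_matrix(TRAIN, K)
    window = [3, 5, 2, 4]              # constructed current-period clicks
    predicted = predict_sequence(P, window, 4)
    observed = [1, 5, 2, 4]            # constructed next-period clicks
    print(predicted, similarity(observed, predicted),
          is_attack(observed, predicted, 0.5))
```

With this update rule the converged vector depends on $d$ and the jump probability but not on $s_0$, so the per-user graph only influences the prediction through whatever is chosen for $d$ and the window.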

Claims (5)

1. An application layer DDoS attack detection method for websites, characterized in that it comprises the following steps:
Extract the page URLs of the website and use the K-means clustering algorithm to classify HTTP requests by website, obtaining the page classification set $V_j$ of the website, where $j$ is the page type, and from it obtain the user click sequence $u_i = \{x_1, x_2, \ldots, x_n\}$, where $i$ is the independent user number;
Use the user click sequences $u_i = \{x_1, x_2, \ldots, x_n\}$ to train the page transition probability matrix $P_{V_j}$;
From the user click sequence $u_i = \{x_1, x_2, \ldots, x_n\}$, construct the random walk graph of the pages this user has accessed;
From the user's click sequence $u_i = \{x_1, x_2, \ldots, x_n\}$ in the current observation period, the page transition probability matrix $P_{V_j}$ and the page random walk graph, perform the random walk calculation to predict the user's click sequence $u'_i = \{x'_1, x'_2, \ldots, x'_n\}$ for the next observation period;
Calculate the sequence similarity between the user's click sequence $u_i = \{x_1, x_2, \ldots, x_n\}$ in the current observation period and the user's click sequence $u'_i = \{x'_1, x'_2, \ldots, x'_n\}$ for the next observation period;
Compare the sequence similarity with a threshold to judge whether the user click sequence $u_i$ is normal: if the sequence similarity is less than the threshold, the click sequence $u_i$ is an attack sequence; otherwise it is a normal access sequence.
2. The application layer DDoS attack detection method for websites according to claim 1, characterized in that: after the page classification set $V_j$ is obtained, HTTP requests are matched against the page classification set $V_j$ to obtain the user click sequence $u_i = \{x_1, x_2, \ldots, x_n\}$.
3. The application layer DDoS attack detection method for websites according to claim 1, characterized in that: the probability distribution vector in the random walk calculation is computed by a formula (an image in the original) in which $p$ is the adjacency matrix, $s_0$ is the initial probability distribution vector, a further parameter (its symbol is an image in the original) is the probability that a jump occurs, and $d$ is the probability distribution vector over the vertices that are jumped to when a jump occurs.
4. The application layer DDoS attack detection method for websites according to claim 1, characterized in that: the sequence similarity is computed by a formula (an image in the original) in which $u_i$ denotes the user's click sequence in the current observation period and $u'_i$ denotes the user's click sequence for the next observation period.
5. An application layer DDoS attack defense system for websites, characterized in that it comprises a request processing module (1), a model training module (2), a sequence prediction module (3) and an abnormality detection module (4), wherein the request processing module (1) uses the K-means clustering algorithm to classify HTTP requests by website, obtains the classification set $V_j$ and from it the user click sequence $u_i$, and passes the user click sequence $u_i$ to the model training module (2) and the sequence prediction module (3); the model training module (2) constructs the random walk graph from the user click sequence $u_i$, obtains the website page transition probability matrix $P_{V_j}$, and submits it to the Sequence Detection module (3); the sequence prediction module (3), starting from the user click sequence $u_i$ of the current observation period, predicts the user click sequence $u'_i$ of the next observation period according to the random walk graph; the abnormality detection module (4) calculates the sequence similarity between the user click sequence $u_i$ in the current observation period and the user click sequence $u'_i$ of the next observation period.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201310018798.8A CN103095711B (en) 2013-01-18 2013-01-18 A kind of application layer ddos attack detection method for website and system of defense

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201310018798.8A CN103095711B (en) 2013-01-18 2013-01-18 A kind of application layer ddos attack detection method for website and system of defense

Publications (2)

Publication Number Publication Date
CN103095711A CN103095711A (en) 2013-05-08
CN103095711B CN103095711B (en) 2016-10-26

Family

ID=48207844

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201310018798.8A Active CN103095711B (en) 2013-01-18 2013-01-18 A kind of application layer ddos attack detection method for website and system of defense

Country Status (1)

Country Link
CN (1) CN103095711B (en)


Also Published As

Publication number Publication date
CN103095711B (en) 2016-10-26


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20221104

Address after: 710061 Room 222, East of Floor 2, Office Building, Hanguang Community, No. 10, Hanguang South Section, Yanta District, Xi'an, Shaanxi

Patentee after: Xi'an Longhe Linchuang Intellectual Property Agency Co.,Ltd.

Address before: 400065 Chongqing Nan'an District huangjuezhen pass Chongwen Road No. 2

Patentee before: CHONGQING University OF POSTS AND TELECOMMUNICATIONS

Effective date of registration: 20221104

Address after: Room 1111, Building 1, Wanting Building, Labor Community, Xixiang Street, Bao'an District, Shenzhen City, Guangdong Province, 518101

Patentee after: Shenzhen Occupy Information Technology Co.,Ltd.

Address before: 710061 Room 222, East of Floor 2, Office Building, Hanguang Community, No. 10, Hanguang South Section, Yanta District, Xi'an, Shaanxi

Patentee before: Xi'an Longhe Linchuang Intellectual Property Agency Co.,Ltd.

TR01 Transfer of patent right
TR01 Transfer of patent right

Effective date of registration: 20240408

Address after: Room 05-5, 8th Floor, Hesheng Industrial and Commercial Building, No. 89 Fuxin Middle Road, Wangzhuang Street, Jin'an District, Fuzhou City, Fujian Province, 350000

Patentee after: Fuzhou Qilian Information Consulting Co.,Ltd.

Country or region after: China

Address before: Room 1111, Building 1, Wanting Building, Labor Community, Xixiang Street, Bao'an District, Shenzhen City, Guangdong Province, 518101

Patentee before: Shenzhen Occupy Information Technology Co.,Ltd.

Country or region before: China

TR01 Transfer of patent right