Summary of the invention
In view of the above problems, the present invention provides a device for identifying denial-of-service attacks, and a corresponding identification method, that overcome the above problems or at least partially solve them. A further object of the invention is to identify denial-of-service attacks directed at a target host.
According to one aspect of the invention, a method for identifying a denial-of-service attack is provided. The method comprises the following steps: obtaining the total number of access requests sent to a target host within a first predetermined period, recorded as the first request amount; judging whether the first request amount exceeds a threshold, the threshold being derived from statistics of the target host's access volume; and, if so, determining that the target host is under a denial-of-service attack.
Optionally, the statistical calculation of the threshold comprises: recording the first request amount once every first predetermined period to obtain a plurality of first request amounts; selecting a plurality of sample values from the first request amounts according to a preset rule; and calculating the mean of the sample values and setting the threshold according to the mean.
Optionally, selecting a plurality of sample values from the first request amounts according to a preset rule comprises: taking the first request amounts produced within a second predetermined period, the second predetermined period being an integer multiple of the first predetermined period, and recording the largest of them as the second request amount; obtaining one second request amount from each of a plurality of consecutive second predetermined periods; and filtering out the second request amounts with large deviation to obtain the sample values.
Optionally, setting the threshold according to the mean comprises: calculating the product of the mean and a predetermined coefficient, the coefficient being in the range 1.05 to 1.3; and using the product as the threshold.
Optionally, obtaining the total number of access requests sent to the target host within the first predetermined period comprises: reading the running log file of a web application firewall (WAF) in data connection with the target host; and counting the access requests to the target host recorded in the running log file within the first predetermined period to obtain the first request amount.
Optionally, after determining that the target host is under a denial-of-service attack, the method further comprises: sending verification information to each requester that sends access requests to the target host, and receiving the requester's subsequent request information; judging whether the subsequent request information matches the verification information; and, if so, forwarding the requester's access request to the target host.
Optionally, after determining that the target host is under malicious attack, the method further comprises: analysing the running log file to identify requesters whose volume of access requests to the target host is abnormal; and filtering the access requests sent by those requesters.
According to another aspect of the invention, a device for identifying a denial-of-service attack is also provided. The device comprises: an access request acquisition module, for obtaining the total number of access requests sent to a target host within a first predetermined period, recorded as the first request amount; a judging module, for judging whether the first request amount exceeds a threshold, the threshold being derived from statistics of the target host's access volume; and an identification module, for determining that the target host is under a denial-of-service attack when the output of the judging module is yes.
Optionally, the device further comprises a threshold statistics module, for: recording the first request amount once every first predetermined period to obtain a plurality of first request amounts; selecting a plurality of sample values from the first request amounts according to a preset rule; and calculating the mean of the sample values and setting the threshold according to the mean.
The threshold statistics module is configured to: take the first request amounts produced within a second predetermined period, the second predetermined period being an integer multiple of the first predetermined period, and record the largest of them as the second request amount; obtain one second request amount from each of a plurality of consecutive second predetermined periods, and filter out the second request amounts with large deviation to obtain the sample values; calculate the product of the mean and a predetermined coefficient, the coefficient being in the range 1.05 to 1.3; and use the product as the threshold.
Optionally, the access request acquisition module is configured to: read the running log file of the web application firewall in data connection with the target host; and count the access requests to the host recorded in the running log file within the first predetermined period to obtain the first request amount.
Optionally, the device further comprises: a first protection module, for sending verification information to each requester that sends access requests to the target host, receiving the requester's subsequent request information, judging whether the subsequent request information matches the verification information and, if so, forwarding the requester's access request to the target host; and/or a second protection module, for analysing the running log file to identify requesters whose volume of access requests to the target host is abnormal, and filtering the access requests sent by those requesters.
The method and device of the invention use the total number of access requests sent to the target host within a predetermined period as the quantity to be judged, and use a threshold derived from statistics of the target host's access volume as the criterion for whether the host is under a denial-of-service attack. They identify a denial-of-service attack from its observable symptoms so that corresponding measures can be taken, which greatly improves the accuracy of identification and protects the host.
Further, the threshold is derived by a statistical algorithm without human intervention and automatically matches the target host's capacity for handling access requests, so it meets the protection requirements of different target hosts.
Further still, once a denial-of-service attack has been identified, the corresponding protection mechanism is enabled to keep the target host running safely, and the attack sources can be found from the identification results, providing data support for subsequent security handling.
The above is only an overview of the technical solution of the invention. So that the technical means of the invention can be understood more clearly and implemented according to the specification, and so that the above and other objects, features and advantages of the invention become more apparent, specific embodiments of the invention are set out below.
From the following detailed description of specific embodiments, taken together with the accompanying drawings, those skilled in the art will better understand the above and other objects, advantages and features of the invention.
Embodiment
The algorithms and displays provided here are not inherently related to any particular computer, virtual system or other device. Various general-purpose systems can also be used with the teachings herein. From the description above, the structure required to construct such systems is apparent. Nor is the invention directed at any particular programming language. It should be understood that the content of the invention described here can be implemented in various programming languages, and that any description of a specific language above is given to disclose the best mode of the invention.
Fig. 1 is a schematic diagram of the network environment in which the denial-of-service attack identification device 200 according to an embodiment of the invention is used. In the figure, when a web client 110 accesses a target website, it sends access requests over the Internet to the host 130 of the target website. A web application firewall (WAF) 120 is placed between the web client 110 and the target host 130, and access requests sent by the web client 110 must pass through WAF 120 to reach the target host 130. WAF 120 acts as the website's firewall and provides acceleration and caching services for the site; it prevents attackers from using vulnerabilities such as cross-site and injection flaws to break into the website, protects the site from tampering and intrusion, and improves the security of the web host. The identification device 200 of this embodiment is in data connection with a plurality of WAFs 120 and identifies denial-of-service attacks from the access requests to the target host 130 that the WAFs 120 receive.
Fig. 2 is a schematic diagram of the denial-of-service attack identification device 200 according to an embodiment of the invention. In general, the device 200 may comprise an access request acquisition module 210, a judging module 220 and an identification module 230; in some optimised schemes, a threshold statistics module 240, a first protection module 250 and a second protection module 260 may be added.
Of these components, the access request acquisition module 210 obtains the total number of access requests sent to the target host within the first predetermined period, recorded as the first request amount; the judging module 220 judges whether the first request amount exceeds a threshold, the threshold being derived from statistics of the target host's access volume; and the identification module 230 determines that the target host is under a denial-of-service attack when the output of the judging module is yes.
Because the identification device 200 of this embodiment uses the total number of access requests sent to the target host within a predetermined period as the quantity to be judged, it identifies a denial-of-service attack from its observable symptoms so that corresponding measures can be taken.
Under a denial-of-service attack, the number of requests received by the target host 130 within a short time is markedly higher than the normal request volume; different websites, however, have different access volumes. So that the threshold set for the target host 130 matches its access capacity, the identification device 200 of this embodiment may also include a threshold statistics module 240. The threshold statistics module 240 records the first request amount once every first predetermined period to obtain a plurality of first request amounts, selects a plurality of sample values from them according to a preset rule, calculates the mean of the sample values and sets the threshold according to the mean.
One way of configuring the threshold statistics module 240 is: take the first request amounts produced within a second predetermined period, the second predetermined period being an integer multiple of the first predetermined period, and record the largest of them as the second request amount; obtain one second request amount from each of a plurality of consecutive second predetermined periods, and filter out the second request amounts with large deviation to obtain the sample values; calculate the product of the mean and a predetermined coefficient, the coefficient being in the range 1.05 to 1.3; and use the product as the threshold.
To ensure accurate identification, the first and second predetermined periods above have both been tested extensively. If the first predetermined period is set too short, the counts fluctuate widely and misidentification occurs easily; if it is set too long, the counts are too smooth to reflect changes in request volume. On the basis of extensive testing, the first predetermined period can be set to 3 to 8 minutes, with an optimal value of 5 minutes; that is, every 5 minutes the total number of access requests sent to the target host 130 during those 5 minutes is taken as the first request amount.
To determine the threshold, the maximum access request volume under normal access must be determined. Because traffic to most websites fluctuates on a daily cycle, the threshold statistics module 240 can use one day as the cycle for selecting sample values, i.e. as the second predetermined period. Sample values are then selected as follows: the first request amount is obtained every 5 minutes, and the largest of the 288 first request amounts of a day is taken as the second request amount. The second request amount can be affected by abnormal factors that make some values deviate markedly: on one day the statistics may fail, giving a request amount of zero; on another the host may be under a denial-of-service attack, inflating the access volume. Such markedly deviating data is caused by abnormal access and needs to be filtered out. A simple way to select sample values from the second request amounts is to take the 30 second request amounts of the most recent 30 days, discard the three largest and the three smallest, and use the remaining 24 second request amounts as sample values. This is simple to calculate and highly effective. Alternatively, sample values can be selected using variance, deleting the second request amounts whose variance exceeds a predetermined value.
In the identification device 200 of this embodiment, the threshold statistics module 240 can multiply the mean of the sample values by a predetermined coefficient to obtain the final threshold. The coefficient leaves some headroom for the website's request volume and prevents false blocking. Its range is 1.05 to 1.3, and the value usually chosen as optimal can be 1.2; that is, traffic exceeding the maximum normal access volume by 20% is the condition for determining a denial-of-service attack.
The threshold determined by the threshold statistics module 240 can be adjusted dynamically, for example by recalculating it at a fixed time each day from the access data of the preceding 30 days. This makes the judgment more accurate: where a website's access volume grows gradually, the threshold rises with it, which prevents denial-of-service attacks from being misidentified because of business changes. The threshold calculation is not limited to summing and averaging the sample values; any statistical method that reflects the maximum of the website's normal access volume can be used. The averaging preferred in this embodiment is simply one method with a low computational cost.
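The threshold calculation and the per-window check described above, worked through in Python as an added example (not code from the patent). The log line format, the function names and all sample figures are constructed assumptions; the 5-minute window, the trimming of three values from each end and the coefficient 1.2 are the embodiment's preferred values.

```python
from collections import Counter
from datetime import datetime
from statistics import mean

WINDOW_MINUTES = 5   # first predetermined period (embodiment's preferred value)
COEFFICIENT = 1.2    # predetermined coefficient; allowed range is 1.05 to 1.3
TRIM = 3             # daily peaks discarded from each end before averaging


def window_counts(log_lines):
    """First request amounts: number of requests in each 5-minute window.

    Assumed log format (constructed for this example): ISO timestamp,
    client IP and URL separated by spaces.
    """
    counts = Counter()
    for line in log_lines:
        if not line.strip():
            continue
        ts = datetime.fromisoformat(line.split()[0])
        start = ts.replace(minute=ts.minute - ts.minute % WINDOW_MINUTES,
                           second=0, microsecond=0)
        counts[start] += 1
    return counts


def daily_peaks(counts, days):
    """Second request amounts: the largest window count on each listed day.

    A day with no logged requests yields 0, so a logging outage appears as a
    low outlier to be trimmed rather than silently shrinking the sample.
    """
    peaks = dict.fromkeys(days, 0)
    for start, n in counts.items():
        if start.date() in peaks:
            peaks[start.date()] = max(peaks[start.date()], n)
    return [peaks[d] for d in days]


def compute_threshold(peaks, trim=TRIM, coefficient=COEFFICIENT):
    """Mean of the daily peaks left after trimming, times the coefficient."""
    if len(peaks) <= 2 * trim:
        raise ValueError("too few daily peaks to trim outliers")
    samples = sorted(peaks)[trim:len(peaks) - trim]
    return mean(samples) * coefficient


def windows_over_threshold(counts, threshold):
    """Windows whose request count exceeds the threshold, oldest first."""
    return [(start, n) for start, n in sorted(counts.items()) if n > threshold]


# Constructed sample data. Three log lines exercise the windowing.
SAMPLE_LOG = [
    "2024-01-31T12:00:03 198.51.100.7 /index.html",
    "2024-01-31T12:04:59 198.51.100.8 /index.html",
    "2024-01-31T12:05:00 203.0.113.9 /login",
]
# Thirty constructed daily peaks: 24 ordinary days plus an attack-day spike,
# a zero from a logging outage and four milder outliers.
SAMPLE_PEAKS = [300_000 + 1_000 * k for k in range(-12, 13) if k != 0]
SAMPLE_PEAKS += [900_000, 320_000, 315_000, 0, 250_000, 270_000]
# Six constructed 5-minute counts for 12:00 to 12:30 on the current day.
SAMPLE_CURRENT = {
    datetime(2024, 1, 31, 12, 5 * i): n
    for i, n in enumerate([210_000, 230_000, 225_000, 260_000, 340_000, 500_000])
}

if __name__ == "__main__":
    print(dict(window_counts(SAMPLE_LOG)))
    threshold = compute_threshold(SAMPLE_PEAKS)
    print("threshold:", threshold)
    for start, n in windows_over_threshold(SAMPLE_CURRENT, threshold):
        print("possible denial-of-service attack:", start.isoformat(), n)
```

Recomputing `compute_threshold` once a day over the latest 30 daily peaks gives the dynamic adjustment the embodiment describes.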
The first predetermined period, the second predetermined period and the predetermined coefficient above are all empirical values derived from statistics of network access, and can be adjusted flexibly as denial-of-service attacks change.
The request volume data obtained by the access request acquisition module 210 is the data basis on which this embodiment identifies denial-of-service attacks. Because a WAF 120 generally keeps a running log recording the access requests that pass through it, the access request acquisition module 210 can be configured to: read the running log file of the WAF 120 in data connection with the target host; and count the access requests to the host recorded in the running log file within the first predetermined period to obtain the first request amount. For example, the access request acquisition module 210 obtains running logs in real time from all WAFs 120 and performs statistical analysis on them to obtain the access request data it needs.
After identifying an attack, the identification device 200 can start a protection mechanism to protect the target host. For this purpose the first protection module 250 and/or the second protection module 260 can be deployed. The first protection module 250 sends verification information to each requester that sends access requests to the target host and receives the requester's subsequent request information; it judges whether the subsequent request information matches the verification information and, if so, forwards the requester's access request to the target host. The verification data can include a browser cookie, a JavaScript script file or image data.
When the verification data is a browser cookie, the normal behaviour of a requester that receives the cookie is to resend to WAF 120, with this cookie information, the request that redirects to the host address. If the request returned by the requester has not processed the cookie, the requester's requests can be regarded as an attack.
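One way a WAF could implement the cookie check described above, given as an added example and not code from the patent. The HMAC-signed cookie bound to the client IP, the cookie name `waf_chk`, the 300-second lifetime and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

COOKIE_NAME = "waf_chk"                # hypothetical cookie name
MAX_AGE = 300                          # seconds a cookie stays valid (assumed)
SECRET_KEY = secrets.token_bytes(32)   # per-WAF key, new at start-up (assumed)


def _mac(client_ip, issued):
    """HMAC over the client IP and issue time, so a cookie cannot be forged
    or replayed from another address."""
    msg = f"{client_ip}|{issued}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def issue_cookie(client_ip, now=None):
    """Verification information sent to a requester: '<issued>.<hmac>'."""
    issued = int(time.time() if now is None else now)
    return f"{issued}.{_mac(client_ip, issued)}"


def cookie_matches(client_ip, value, now=None):
    """True if the returned cookie was issued by this WAF to this client
    within the last MAX_AGE seconds."""
    now = int(time.time() if now is None else now)
    issued_text, _, mac = value.partition(".")
    try:
        issued = int(issued_text)
        supplied = mac.encode("ascii")
    except ValueError:  # also covers UnicodeEncodeError
        return False
    expected = _mac(client_ip, issued).encode("ascii")
    if not hmac.compare_digest(supplied, expected):
        return False
    return 0 <= now - issued <= MAX_AGE


def handle_request(client_ip, cookies, under_attack, now=None):
    """Decide what the WAF does with one request.

    Returns ("forward", None) when the request goes on to the target host,
    or ("challenge", cookie_value) when the requester must first return
    the cookie. Clients that never process the cookie are never forwarded.
    """
    if not under_attack:
        return ("forward", None)
    value = cookies.get(COOKIE_NAME)
    if value is not None and cookie_matches(client_ip, value, now):
        return ("forward", None)
    return ("challenge", issue_cookie(client_ip, now))


if __name__ == "__main__":
    ip = "198.51.100.7"  # constructed client address
    action, cookie = handle_request(ip, {}, under_attack=True)
    print("first request:", action)
    # A browser stores the cookie and repeats the request with it.
    print("browser retry:", handle_request(ip, {COOKIE_NAME: cookie}, True)[0])
    # A client that ignores cookies is challenged again on every request.
    print("cookie-less retry:", handle_request(ip, {}, True)[0])
```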
When the verification data is a JavaScript script file, the normal behaviour of a requester that receives the JavaScript is to execute it and return the result of the script. If the request returned by the requester shows that the JavaScript was not executed, the requester's requests can likewise be regarded as an attack.
Picture verification data is also an effective means of protection. For example, when the current access volume exceeds the threshold, a picture can be sent to every requester, in a manner similar to a CAPTCHA; the requester must enter the text or other content contained in the picture and return it to the target host. If the returned answer corresponds to the picture, the current access is shown to be normal.
Picture verification affects the experience of normal visitors to some extent. The second protection module 260 can therefore further analyse the running log file to identify requesters whose volume of access requests to the target host is abnormal, and filter the access requests those requesters send. The analysis can include checking whether the IP of a request source is obviously abnormal and whether access to a particular URL of the target host is obviously abnormal. Accurate identification avoids the impact on normal access after security protection is enabled.
An embodiment of the invention also provides a method for identifying a denial-of-service attack. The method can be carried out by the identification device 200 of the above embodiment to identify denial-of-service attacks directed at a target host. Fig. 3 is a schematic diagram of the method according to an embodiment of the invention. The method comprises the following steps:
Step S302: obtain the total number of access requests sent to the target host within the first predetermined period, recorded as the first request amount;
Step S304: judge whether the first request amount exceeds a threshold, the threshold being derived from statistics of the target host's access volume;
Step S306: if so, determine that the target host is under a denial-of-service attack.
The statistical calculation of the threshold can comprise: recording the first request amount once every first predetermined period to obtain a plurality of first request amounts; selecting a plurality of sample values from the first request amounts according to a preset rule; and calculating the mean of the sample values and setting the threshold according to the mean.
Selecting sample values from the first request amounts according to a preset rule can comprise: taking the first request amounts produced within a second predetermined period, the second predetermined period being an integer multiple of the first predetermined period, and recording the largest of them as the second request amount; obtaining one second request amount from each of a plurality of consecutive second predetermined periods; and filtering out the second request amounts with large deviation to obtain the sample values. Setting the threshold according to the mean can comprise: calculating the product of the mean and a predetermined coefficient, the coefficient being in the range 1.05 to 1.3; and using the product as the threshold.
The data source for step S302 can be the running log file of the web application firewall, so step S302 can comprise: reading the running log file of the web application firewall in data connection with the target host; and counting the access requests to the target host recorded in the running log file within the first predetermined period to obtain the first request amount.
The threshold calculation can be adjusted dynamically, for example by recalculating at a fixed time each day from the running log files of the preceding 30 days. This makes the judgment more accurate: where a website's access volume grows gradually, the threshold can be adjusted dynamically, which prevents denial-of-service attacks from being misidentified because of business changes. The threshold calculation is not limited to summing and averaging the sample values; any statistical method that reflects the maximum of the website's normal access volume can be used. The averaging preferred in this embodiment is simply one method with a low computational cost.
The first predetermined period, the second predetermined period and the predetermined coefficient above are all empirical values derived from statistics of network access, and can be adjusted flexibly as denial-of-service attacks change. For example, the first predetermined period can be set to 3 to 8 minutes, with an optimal value of 5 minutes; the second predetermined period can be one day; and the predetermined coefficient is in the range 1.05 to 1.3, with 1.2 as the value usually chosen as optimal.
After a denial-of-service attack has been identified, the corresponding protection mechanism can be started. Specifically, after step S306, verification information is sent to each requester that sends access requests to the target host, and the requester's subsequent request information is received; it is judged whether the subsequent request information matches the verification information and, if so, the requester's access request is forwarded to the target host.
To avoid affecting normal access after security protection is enabled, the running log file can also be analysed after step S306 to identify requesters whose volume of access requests to the target host is abnormal, and the access requests sent by those requesters are filtered.
An application example, in which the identification method of the above embodiment is applied to a medium-sized website, is described below.
Fig. 4 is a chart of the highest 5-minute access volume on each of 30 consecutive days in the identification method according to an embodiment of the invention, and Fig. 5 is a chart of the request volume received by the target host in the identification method according to an embodiment of the invention.
On a given day, the protection logs of the WAFs protecting this medium-sized website were analysed to obtain the highest 5-minute access volume on each of the preceding 30 days. Fig. 4 shows these peaks as a line chart. Marked fluctuation is visible in the chart: there is a sudden peak on the 8th, when the site may have received a CC attack, and no access at all on the 15th, possibly because of a network outage. To calculate the denial-of-service threshold, the 3 largest and the 3 smallest of the 30 second access amounts are filtered out, and the average of the remaining 14 values is 300,000, which shows that the peak 5-minute access volume of this website is generally 300,000. The identification threshold for denial-of-service attacks is therefore 300,000 × 1.2 = 360,000.
Fig. 5 shows the access volume for every 5 minutes from 12:00 to 12:30 that day, giving 6 first access amounts. The last of them is 500,000, which exceeds the calculated threshold of 360,000; in this case it can be determined that the host is currently under a denial-of-service attack.
After the denial-of-service attack is determined, the WAF enables the picture verification mechanism: a predetermined picture is sent to every requester requesting access, and only requests containing an answer that matches the picture content are allowed through the WAF to the server of this website. The identification device further analyses the requests produced while the attack is being mitigated to determine the attack sources, and filters requests from those sources. When the access volume falls below the threshold of 360,000, protection is switched off.
The identification method and device of this embodiment use the total number of access requests sent to the target host within a predetermined period as the quantity to be judged, and use a threshold derived from statistics of the target host's access volume as the criterion for whether the host is under a denial-of-service attack. They identify a denial-of-service attack from its observable symptoms so that corresponding measures can be taken, which greatly improves the accuracy of identification and protects the host.
Further, the threshold is derived by a statistical algorithm without human intervention and automatically matches the target host's capacity for handling access requests, so it meets the protection requirements of different target hosts.
Further still, once a denial-of-service attack has been identified, the corresponding protection mechanism is enabled to keep the target host running safely, and the attack sources can be found from the identification results, providing data support for subsequent security handling.
Embodiments of the invention disclose:
A1. a recognition methods for Denial of Service attack, comprising:
Obtain the access request total amount of sending to destination host in the first predetermined amount of time, be designated as the first request amount;
Judge whether described the first request amount exceeds threshold value, and described threshold value is by adding up and draw the visit capacity of described destination host;
If so, determine that described destination host is subject to Denial of Service attack.
A2. according to the method described in A1, wherein, the statistical computation step of described threshold value comprises:
At interval of described the first scheduled time segment record described the first request amount once, obtain a plurality of described the first request amount;
From described a plurality of the first request amount, according to preset rules, pick out a plurality of sample values;
Calculate the mean value of described a plurality of sample values, according to described mean value, set described threshold value.
A3. according to the method described in A2, wherein, from described a plurality of the first request amount, according to preset rules, pick out a plurality of sample values and comprise:
Be chosen at a plurality of described the first request amount producing in the second predetermined amount of time, described the second predetermined amount of time is the integral multiple of described the first predetermined amount of time, and the maximum in a plurality of described the first request amount producing in described the second predetermined amount of time is designated as to the second request amount;
In continuous a plurality of described the second predetermined amount of time, select respectively and draw a plurality of described the second request amount, and after the data that filtering deviation is larger from described a plurality of the second request amount, obtain described a plurality of sample value.
A4. according to the method described in A2 or A3, wherein, according to described mean value, set described threshold value and comprise:
Calculate the product of described mean value and pre-determined factor, the span of described pre-determined factor is: 1.05 to 1.3;
Using described product as described threshold value.
A5. The method according to any one of A1 to A4, wherein obtaining the total amount of access requests sent to the target host within the first predetermined time period comprises:
Reading the running log file of a web application protection system that is in data connection with the target host;
Counting the access requests sent to the target host that are recorded in the running log file within the first predetermined time period, to obtain the first request amount.
A6. The method according to A5, wherein, after determining that the target host is under a denial-of-service attack, the method further comprises:
Sending verification information to a requester that sends an access request to the target host, and receiving subsequent request information from the requester;
Judging whether the subsequent request information matches the verification information, and if so, sending the access request of the requester to the target host.
A7. The method according to A5, wherein, after determining that the target host is under a malicious attack, the method further comprises:
Analyzing the running log file to identify the requesters, among those sending access requests to the target host, whose request amount is abnormal;
Filtering the access requests sent by those requesters.
B8. A device for identifying a denial-of-service attack, comprising:
An access request acquisition module, configured to obtain the total amount of access requests sent to a target host within a first predetermined time period, recorded as a first request amount;
A judging module, configured to judge whether the first request amount exceeds a threshold, the threshold being derived from statistics of the access volume of the target host;
An identification module, configured to determine that the target host is under a denial-of-service attack when the output of the judging module is yes.
B9. The device according to B8, further comprising:
A threshold statistics module, configured to record the first request amount once every first predetermined time period to obtain a plurality of first request amounts; select a plurality of sample values from the plurality of first request amounts according to a preset rule; and calculate the mean of the plurality of sample values and set the threshold according to the mean.
B10. The device according to B9, wherein the threshold statistics module is configured to:
Select the plurality of first request amounts produced within a second predetermined time period, the second predetermined time period being an integer multiple of the first predetermined time period, and record the maximum of the plurality of first request amounts produced within the second predetermined time period as a second request amount;
Select a second request amount in each of a plurality of consecutive second predetermined time periods to obtain a plurality of second request amounts, and obtain the plurality of sample values after filtering out, from the plurality of second request amounts, the data with larger deviation;
Calculate the product of the mean and a predetermined coefficient, the value range of the predetermined coefficient being 1.05 to 1.3;
Use the product as the threshold.
B11. The device according to any one of B8 to B10, wherein the access request acquisition module is configured to:
Read the running log file of a web application protection system that is in data connection with the target host;
Count the access requests sent to the host that are recorded in the running log file within the first predetermined time period, to obtain the first request amount.
B12. The device according to B11, further comprising:
A first protection module, configured to send verification information to a requester that sends an access request to the target host, and receive subsequent request information from the requester; and to judge whether the subsequent request information matches the verification information and, if so, send the access request of the requester to the target host; and/or
A second protection module, configured to analyze the running log file to identify the requesters, among those sending access requests to the target host, whose request amount is abnormal;
and to filter the access requests sent by those requesters.
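The threshold procedure of claims A2 to A5 and the comparison of A1, worked through as an added Python example; it is not code from the patent. The log line format, the one-minute first period, the five-slot second period, the median-based deviation filter, the host names and all sample data are assumptions constructed for illustration.

```python
from collections import Counter
from statistics import mean, median_low

def first_request_amounts(log_lines, target_host, t1_seconds=60):
    """Claim A5: count requests to target_host per T1 slot.
    Assumed log format (constructed): '<epoch seconds> <client> <host> <path>'."""
    counts = Counter()
    for line in log_lines:
        parts = line.split()
        if len(parts) >= 4 and parts[0].isdigit() and parts[2] == target_host:
            counts[int(parts[0]) // t1_seconds] += 1
    return counts

def threshold_from_history(amounts, slots_per_t2=5, coefficient=1.2, max_dev=0.5):
    """Claims A2-A4: per-T2 maxima -> drop outliers -> mean -> times coefficient."""
    if not 1.05 <= coefficient <= 1.3:
        raise ValueError("coefficient must lie in the claimed range 1.05 to 1.3")
    # Second request amount: the largest first request amount in each full T2.
    peaks = [max(amounts[i:i + slots_per_t2])
             for i in range(0, len(amounts) - slots_per_t2 + 1, slots_per_t2)]
    if not peaks:
        raise ValueError("history shorter than one T2 window")
    # Assumed filter rule: keep peaks within max_dev of the (low) median, so an
    # earlier attack spike in the history does not inflate the baseline.
    mid = median_low(peaks)
    samples = [p for p in peaks if abs(p - mid) <= max_dev * mid]
    return mean(samples) * coefficient

def is_under_attack(first_request_amount, threshold):
    """Claim A1 decision: the current T1 count exceeds the threshold."""
    return first_request_amount > threshold

# Constructed history: 20 one-minute counts = 4 T2 windows of 5 slots each.
HISTORY = [90, 100, 95, 98, 92,  88, 104, 97, 91, 99,
           93, 96, 480, 94, 90,  85, 92, 96, 89, 94]
# Constructed log: 130 requests to the protected host and 40 to another host,
# all inside the same one-minute slot starting at epoch 1700000040.
LOG = [f"{1700000040 + i % 60} 198.51.100.{i % 200} shop.example /item/{i}"
       for i in range(130)]
LOG += [f"{1700000040 + i} 203.0.113.9 other.example /" for i in range(40)]

if __name__ == "__main__":
    limit = threshold_from_history(HISTORY)
    current = max(first_request_amounts(LOG, "shop.example").values())
    print(f"threshold={limit:.1f} current={current} attack={is_under_attack(current, limit)}")
```

With the 480 peak filtered out, the baseline mean is 100 and the threshold is 120; had the spike been kept, the mean would be 195 and the same 130-request minute would pass unnoticed.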
Numerous specific details are set forth in the description provided herein. It is understood, however, that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail so as not to obscure the understanding of this description.
Similarly, it should be understood that, in order to streamline the disclosure and aid the understanding of one or more of the various inventive aspects, in the above description of exemplary embodiments of the invention the features of the invention are sometimes grouped together in a single embodiment, figure, or description thereof. However, the disclosed method should not be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single embodiment disclosed above. Therefore, the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of the invention.
Those skilled in the art will appreciate that the modules in the device of an embodiment can be adaptively changed and arranged in one or more devices different from that embodiment. The modules or units or components in an embodiment can be combined into one module or unit or component, and can furthermore be divided into a plurality of sub-modules or sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or device so disclosed may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by an alternative feature serving the same, an equivalent or a similar purpose.
In addition, those skilled in the art will understand that, although some embodiments described herein include some features included in other embodiments but not others, combinations of features of different embodiments are meant to be within the scope of the invention and to form different embodiments. For example, in the claims, any of the claimed embodiments can be used in any combination.
The various component embodiments of the invention may be implemented in hardware, in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will understand that a microprocessor or a digital signal processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components of the device for identifying a denial-of-service attack according to embodiments of the invention. The invention may also be implemented as a device or apparatus program (for example, a computer program and a computer program product) for performing part or all of the method described herein. Such a program implementing the invention may be stored on a computer-readable medium, or may take the form of one or more signals. Such a signal may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the above embodiments illustrate rather than limit the invention, and that those skilled in the art can design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference sign placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention can be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a unit claim enumerating several devices, several of these devices can be embodied by one and the same item of hardware. The use of the words first, second, third and so on does not denote any order. These words may be interpreted as names.
Thus, those skilled in the art will recognize that, although a number of exemplary embodiments of the invention have been shown and described in detail herein, many other variations or modifications consistent with the principles of the invention can still be directly determined or derived from the disclosure of the invention without departing from its spirit and scope. Therefore, the scope of the invention should be understood and regarded as covering all such other variations or modifications.