CN104468554A - Attack detection method and device based on IP and HOST - Google Patents


Info

Publication number: CN104468554A
Authority: CN (China)
Prior art keywords: host, access data, network access, data bag, network
Legal status: Pending
Application number: CN201410715281.9A
Other languages: Chinese (zh)
Inventors: 陈建, 陈振昌
Current assignee: Beijing Qihoo Technology Co Ltd; Qizhi Software Beijing Co Ltd
Original assignee: Beijing Qihoo Technology Co Ltd; Qizhi Software Beijing Co Ltd
Application filed by Beijing Qihoo Technology Co Ltd and Qizhi Software Beijing Co Ltd
Priority to CN201410715281.9A
Publication of CN104468554A
Current legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses an attack detection method and device based on an IP and a HOST, and an attack interception method and device based on the IP and the HOST. The attack detection method based on the IP and the HOST comprises the following steps: a network access data packet is obtained, and the IP and the HOST are parsed from the network access data packet, wherein the IP is the source IP address of the network access data packet and the HOST is the target website domain name of the network access data packet; a first count of the network access data packets sent from the specified IP to the specified HOST within a preset time period is obtained; if the first count reaches a preset threshold value, the network access comprising the IP and the HOST is determined to be a network attack. With this technical scheme, the network access data packets sent when a single host with the specified IP, or part of the hosts of a local area network behind it, access the remaining Internet servers (those corresponding to other HOSTs) are not wrongly intercepted.

Description

Attack detection method and device based on IP and HOST
Technical field
The present invention relates to the field of network security, and in particular to an attack detection method and device based on IP and HOST, and an attack interception method and device based on IP and HOST.
Background technology
With the development of the Internet, attacks on networks are becoming more and more frequent and cause considerable harm to Internet servers. DoS (Denial of Service) attacks and information bombs are two of the more common attack methods: the attacker's machine sends a large number of requests to the target machine to consume the target's system resources and bandwidth, so that the target server is overloaded, the network becomes congested, and normal use of the network service is affected.
At present, most attack protection for Internet servers is based on interception by IP (Internet Protocol) address. The granularity of such a defence is rather coarse: it cannot intercept, in a targeted way, only the network access packets that a given IP sends to a given Internet server.
For example, a user whose machine is infected with a Trojan may be launching a network attack against some specific web servers while the user's own accesses to the remaining web servers are normal. With the IP-based interception described above, the user's accesses to the remaining web servers are also easily mistaken for network attacks and intercepted by the network security server.
Likewise, in the prior art, multiple users on a local area network (LAN) often share the same gateway and egress IP. When some users on the LAN attack a specific web server, the normal accesses of the other LAN users to the remaining Internet servers are blocked as well. A common scenario is that when some users of a LAN launch an attack on one Internet server (for example, the domain name www.sina.com), the Internet security server intercepts the IP of that LAN; because the same gateway and egress IP are shared, the normal access requests of the other LAN users to the remaining Internet servers (for example, the domain name www.sohu.com) are also blocked.
Summary of the invention
In view of the above problems, the present invention is proposed to provide an attack detection method and device based on IP and HOST, and an attack interception method and device based on IP and HOST, which overcome the above problems or at least partially solve them.
According to one aspect of the present invention, an attack detection method based on IP and HOST is provided, comprising: obtaining a network access packet and parsing an IP and a HOST from the network access packet, wherein the IP is the source IP address of the network packet and the HOST is the destination website domain name of the network packet; counting, within a predetermined time period, a first count of network access packets from a specified IP to a specified HOST; and, if the first count reaches a predetermined threshold, determining the network access comprising this IP and HOST to be a network attack.
Wherein parsing the IP and HOST from the network access packet comprises: obtaining the IP header from the network access packet and extracting the IP field from the IP header; and obtaining the HTTP head from the network access packet and extracting the HOST header field from the HTTP head.
According to a further aspect of the invention, an attack interception method based on IP and HOST is provided, comprising: obtaining a network access packet and parsing an IP and a HOST from it, wherein the IP is the source IP address of the network packet and the HOST is the destination website domain name of the network packet; counting, within a predetermined time period, a first count of network access packets from a specified IP to a specified HOST; if the first count reaches a predetermined threshold, determining the network access comprising this IP and HOST to be a network attack; adding the IP and HOST to an IP-HOST blacklist; and intercepting network access packets according to the IP-HOST blacklist.
Wherein parsing the IP and HOST from the network access packet comprises: obtaining the IP header from the network access packet and extracting the IP field from the IP header; and obtaining the HTTP head from the network access packet and extracting the HOST header field from the HTTP head.
Wherein intercepting network access packets according to the IP-HOST blacklist comprises the following steps: S1, obtaining the IP of a network access packet and judging whether it hits an IP recorded in the IP-HOST blacklist; if so, performing step S2. S2, obtaining the HOST of the network access packet and judging whether it hits the HOST that the IP-HOST blacklist records for the IP of that network access packet; if so, performing step S3. S3, intercepting the network access packet.
Wherein the following step is further included between steps S1 and S2: S21, judging whether the interception rule is an IP-based interception rule or an interception rule based on IP and HOST; if it is an IP-based interception rule, performing step S3 without performing step S2; if it is an interception rule based on IP and HOST, performing step S2.
Wherein the method further comprises: before obtaining the network access packet, reading an IP-HOST blacklist obtained by offline learning.
According to a further aspect of the invention, an attack detection device based on IP and HOST is provided, comprising: a parsing unit adapted to obtain a network access packet and parse an IP and a HOST from it, wherein the IP is the source IP address of the network packet and the HOST is the destination website domain name of the network packet; a statistics unit adapted to count, within a predetermined time period, a first count of network access packets from a specified IP to a specified HOST; and a detection unit adapted to determine the network access comprising this IP and HOST to be a network attack when the first count reaches the predetermined threshold.
Wherein the parsing unit is adapted to obtain the IP header from the network access packet and extract the IP field from the IP header; and to obtain the HTTP head from the network access packet and extract the HOST header field from the HTTP head.
According to a further aspect of the invention, an attack interception device based on IP and HOST is provided, comprising: a parsing unit adapted to obtain a network access packet and parse an IP and a HOST from it, wherein the IP is the source IP address of the network packet and the HOST is the destination website domain name of the network packet; a statistics unit adapted to count, within a predetermined time period, a first count of network access packets from a specified IP to a specified HOST; a detection unit adapted to determine the network access comprising this IP and HOST to be a network attack when the first count reaches the predetermined threshold; a maintenance unit adapted to add the IP and HOST to an IP-HOST blacklist; and an interception unit adapted to intercept network access packets according to the IP-HOST blacklist.
Wherein the parsing unit is adapted to obtain the IP header from the network access packet and extract the IP field from the IP header; and to obtain the HTTP head from the network access packet and extract the HOST header field from the HTTP head.
Wherein the interception unit is adapted to obtain the IP of a network access packet and judge whether it hits an IP recorded in the IP-HOST blacklist; if so, to obtain the HOST of the network access packet and judge whether it hits the HOST recorded in the IP-HOST blacklist for the IP of that packet; and if so, to intercept the network access packet.
Wherein the interception unit is adapted, upon judging that the IP of the network access packet hits an IP recorded in the IP-HOST blacklist, to judge whether the interception rule is an IP-based interception rule or an interception rule based on IP and HOST; if it is an IP-based interception rule, to intercept the network access packet; if it is an interception rule based on IP and HOST, to obtain the HOST of the network access packet and judge whether it hits the HOST recorded in the IP-HOST blacklist for that IP, and if so, to intercept the network access packet.
Wherein the maintenance unit is further adapted to read, before the network access packet is obtained, an IP-HOST blacklist obtained by offline learning.
According to the attack detection method and device based on IP and HOST and the attack interception method and device based on IP and HOST of the present invention, the IP and HOST are obtained by parsing the network access packet; the (IP, HOST) pairs obtained within a predetermined time period are counted, which yields the number of access requests that a specific user (that is, the host or LAN corresponding to a specific IP) sent to a specific Internet server (that is, the server corresponding to a specific HOST) within that period; if the number of access requests is excessive, the user's network access to that Internet server is regarded as a network attack, and the network access packets comprising this IP and HOST are intercepted. This solves the technical problem of the prior art, in which IP-based interception easily intercepts by mistake a network user's normal access requests to the remaining Internet servers.
The above description is only an overview of the technical solution of the present invention. In order that the technical means of the present invention can be better understood and implemented according to the content of the specification, and to make the above and other objects, features and advantages of the present invention more apparent, specific embodiments of the present invention are set out below.
Brief description of the drawings
Various other advantages and benefits will become clear to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiments. The drawings are only for the purpose of illustrating the preferred embodiments and are not to be regarded as limiting the present invention. The same reference symbols denote the same parts throughout the drawings. In the drawings:
Fig. 1 shows a flow chart of an attack detection method based on IP and HOST according to an embodiment of the invention;
Fig. 2 shows a block diagram of an attack detection device based on IP and HOST according to an embodiment of the invention;
Fig. 3 shows a flow chart of an attack interception method based on IP and HOST according to an embodiment of the invention;
Fig. 4 shows a detailed flow chart of an embodiment of steps S310, S320 and S330 shown in Fig. 3;
Fig. 5 shows a detailed flow chart of one embodiment of step S350 shown in Fig. 3;
Fig. 6 shows a detailed flow chart of another embodiment of step S350 shown in Fig. 3; and
Fig. 7 shows a block diagram of an attack interception device based on IP and HOST according to an embodiment of the invention.
Detailed description
Exemplary embodiments of the present disclosure are described in more detail below with reference to the drawings. Although the drawings show exemplary embodiments of the present disclosure, it should be understood that the present disclosure may be implemented in various forms and should not be limited by the embodiments set forth here. Rather, these embodiments are provided so that the disclosure can be understood more thoroughly and its scope can be conveyed completely to those skilled in the art.
The technical idea of the application is, mainly, to obtain an IP and a HOST by parsing each network access packet received and to count, within a predetermined time period, a first count of network access packets from a specified IP to a specified HOST; the first count is simply the number of network access packets from which this IP and this HOST were parsed. If the first count reaches a predetermined threshold, that is, the host corresponding to this specific IP (or the LAN behind it) has sent enough access requests to the Internet server corresponding to the specific HOST, the network access comprising this IP and HOST can be determined to be a network attack.
Further, if the first count reaches the predetermined threshold, the IP and HOST are added to an IP-HOST blacklist, which maintains the blacklist in real time; network access packets received are then intercepted according to the IP-HOST blacklist. Network attacks are thus intercepted precisely, and network access packets sent by the single host corresponding to this specific IP, or by some hosts of the LAN behind it, to the Internet servers corresponding to the remaining HOSTs are not intercepted by mistake.
According to one aspect of the application, an attack detection method based on IP and HOST is provided. Fig. 1 shows a flow chart of an attack detection method based on IP and HOST according to an embodiment of the invention. The method shown in Fig. 1 comprises steps S110, S120 and S130 described below:
Step S110: obtain a network access packet and parse the IP and HOST from it.
Here the IP is the source IP address of the network packet, that is, the IP address of the host that sent the packet or of the LAN where that host is located; the HOST is the destination website domain name of the network packet, that is, the domain name of the Internet server the packet wants to access.
Parsing the IP and HOST from the network access packet in step S110 thus comprises: obtaining the IP header from the network access packet and extracting the IP field from the IP header; and obtaining the HTTP head from the network access packet and extracting the HOST header field from the HTTP head.
Step S120: count, within a predetermined time period, the first count of network access packets from the specified IP to the specified HOST.
Here the first count is simply the number of network access packets from which this specified IP and this specified HOST were parsed within the predetermined time period.
Step S130: if the first count reaches the predetermined threshold, determine the network access comprising this IP and HOST to be a network attack.
That is, if the host corresponding to this specific IP, or the LAN behind it, has sent enough access requests to the Internet server corresponding to the specific HOST, the network access comprising this IP and HOST can be determined to be a network attack.
Steps S110, S120 and S130 of this embodiment correspond respectively to steps S310, S320 and S330 shown in Fig. 3; for a more specific implementation, refer to the description of Fig. 3 and Fig. 4 below.
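Steps S110 to S130 (and the identical steps S310 to S330 of Fig. 3) in working form: parse the source IP out of the IPv4 header and the HOST out of the HTTP Host header field, then keep a sliding-window count per (IP, HOST) pair and compare it with the threshold. This is an added Python example, not code from the patent; the class and function names, the packet builder and the sample packets to www.sina.com and www.sohu.com (constructed with zero checksums, which the parser does not verify) are my assumptions.

```python
import struct
from collections import defaultdict, deque


def parse_ip_and_host(packet: bytes):
    """Return (source IP, HOST) for a raw IPv4/TCP packet carrying an HTTP
    request head, or None when either field cannot be parsed (step S110)."""
    if len(packet) < 20 or packet[0] >> 4 != 4:        # IPv4 only
        return None
    ihl = (packet[0] & 0x0F) * 4                        # IP header length
    if packet[9] != 6 or len(packet) < ihl + 20:        # protocol 6 = TCP
        return None
    src_ip = ".".join(str(b) for b in packet[12:16])    # IP source address field
    tcp = packet[ihl:]
    payload = tcp[(tcp[12] >> 4) * 4:]                  # skip the TCP header
    head_end = payload.find(b"\r\n\r\n")
    if head_end < 0:                                    # no complete HTTP head
        return None
    for line in payload[:head_end].split(b"\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            host = value.strip().decode("ascii", "replace").lower()
            # drop a :port suffix (hostnames only; IPv6 literals are not handled)
            return src_ip, host.split(":")[0]
    return None


class IpHostCounter:
    """Sliding-window first count per (IP, HOST) pair: steps S120 and S130."""

    def __init__(self, window_seconds: float, threshold: int):
        self.window = window_seconds
        self.threshold = threshold
        self.events = defaultdict(deque)    # (ip, host) -> packet timestamps

    def record(self, ip: str, host: str, now: float) -> int:
        """Record one packet and return the first count for (ip, host)."""
        stamps = self.events[(ip, host)]
        stamps.append(now)
        while stamps and now - stamps[0] >= self.window:   # expire old packets
            stamps.popleft()
        return len(stamps)

    def is_attack(self, ip: str, host: str, now: float) -> bool:
        return self.record(ip, host, now) >= self.threshold


def build_packet(src_ip: str, dst_ip: str, http_request: bytes) -> bytes:
    """Constructed test packet: minimal IPv4 and TCP headers, checksums zero."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(http_request),
                         0, 0, 64, 6, 0,
                         bytes(int(o) for o in src_ip.split(".")),
                         bytes(int(o) for o in dst_ip.split(".")))
    tcp_hdr = struct.pack("!HHIIBBHHH", 51234, 80, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    return ip_hdr + tcp_hdr + http_request


def demo():
    """Six packets to www.sina.com and one to www.sohu.com from the same IP."""
    counter = IpHostCounter(window_seconds=60, threshold=5)
    sina = build_packet("10.0.0.7", "203.0.113.10",
                        b"GET / HTTP/1.1\r\nHost: www.sina.com\r\n\r\n")
    sohu = build_packet("10.0.0.7", "203.0.113.20",
                        b"GET / HTTP/1.1\r\nHost: www.sohu.com\r\n\r\n")
    verdicts = []
    for second in range(6):
        ip, host = parse_ip_and_host(sina)
        verdicts.append(counter.is_attack(ip, host, now=second))
    ip, host = parse_ip_and_host(sohu)
    sohu_blocked = counter.is_attack(ip, host, now=6)   # other HOST, same IP
    return verdicts, sohu_blocked


if __name__ == "__main__":
    print(demo())   # ([False, False, False, False, True, True], False)
```

The fifth packet to www.sina.com reaches the threshold and is flagged, while the packet to www.sohu.com from the same IP is not, which is exactly the distinction an IP-only counter cannot make. The window is enforced by discarding timestamps older than `window_seconds` on every update, so the first count is always the number of packets inside the predetermined period.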
According to another aspect of the application, an attack detection device based on IP and HOST is provided. Fig. 2 shows a block diagram of an attack detection device based on IP and HOST according to an embodiment of the invention. The device shown in Fig. 2 comprises a parsing unit 110, a statistics unit 120 and a detection unit 130.
The parsing unit 110 is adapted to obtain a network access packet and parse the IP and HOST from it.
Here the IP is the source IP address of the network packet, that is, the IP address of the host that sent the packet or of the LAN where that host is located; the HOST is the destination website domain name of the network packet, that is, the domain name of the Internet server the packet wants to access.
The parsing unit 110 is thus adapted to obtain the IP header from the network access packet and extract the IP field from the IP header; and to obtain the HTTP head from the network access packet and extract the HOST header field from the HTTP head.
The statistics unit 120 is adapted to count, within a predetermined time period, the first count of network access packets from the specified IP to the specified HOST.
Here the first count is simply the number of network access packets from which the parsing unit 110 parsed this specified IP and this specified HOST within the predetermined time period.
The detection unit 130 is adapted to determine the network access comprising this IP and HOST to be a network attack when the first count reaches the predetermined threshold.
That is, if the statistics unit 120 finds that the host corresponding to this specific IP, or the LAN behind it, has sent enough access requests to the Internet server corresponding to the specific HOST, the network access comprising this IP and HOST can be determined to be a network attack.
With the attack detection method and device based on IP and HOST of the application, the number of access requests a specific user sends to a specific Internet server within the predetermined time can be detected; if the number of access requests is excessive, the user's network access to that Internet server is regarded as a network attack, and the network access packets comprising this IP and HOST are identified as attack packets and blocked. Consequently the user's network accesses to the remaining Internet servers are not easily intercepted by mistake (that is, network access packets comprising this IP and any other HOST are not intercepted).
According to a further aspect of the invention, an attack interception method based on IP and HOST is provided. Fig. 3 shows a flow chart of an attack interception method based on IP and HOST according to an embodiment of the invention. The method shown in Fig. 3 comprises steps S310, S320, S330, S340 and S350 described below:
Step S310: obtain a network access packet and parse the IP and HOST from it.
Here the IP is the source IP address of the network packet, that is, the IP address of the host that sent the packet or of the LAN where that host is located; the HOST is the destination website domain name of the network packet, that is, the domain name of the Internet server the packet wants to access.
Parsing the IP and HOST from the network access packet in step S310 thus comprises: obtaining the IP header from the network access packet and extracting the IP field from the IP header; and obtaining the HTTP head from the network access packet and extracting the HOST header field from the HTTP head.
Step S320: count, within a predetermined time period, the first count of network access packets from the specified IP to the specified HOST.
Here the first count is simply the number of network access packets from which this specified IP and this specified HOST were parsed within the predetermined time period.
Step S330: if the first count reaches the predetermined threshold, determine the network access comprising this IP and HOST to be a network attack.
That is, if the single host corresponding to this specific IP, or some hosts of the LAN behind it, have sent enough access requests to the Internet server corresponding to the specific HOST, the network access comprising this IP and HOST can be determined to be a network attack.
Step S340: add the IP and HOST to the IP-HOST blacklist.
Step S350: intercept network access packets according to the IP-HOST blacklist.
Because the network access comprising this IP and HOST is a network attack, adding the IP and HOST to the IP-HOST blacklist and intercepting network access packets according to that blacklist in steps S340 and S350 intercepts the network attack accurately and effectively, while network access packets that contain this IP but not this HOST are not blocked.
Fig. 4 shows a detailed flow chart of an embodiment of steps S310, S320 and S330 shown in Fig. 3. The flow chart in Fig. 4 describes one concrete industrial implementation comprising steps S410-S480; the scope of protection of the application is, of course, not limited to the embodiment shown in Fig. 4.
In this concrete industrial implementation, the IP-HOST blacklist comprises an IP hash table, at least one HOST hash table and at least one polling pointer.
The IP hash table comprises at least one IP node, and each IP node stores one IP. Each HOST hash table corresponds to one IP node and comprises a number of HOST statistics nodes that store HOST information. Each HOST statistics node also stores HOST statistics, specifically a heat value, a statistics time slice and a statistics token.
Those skilled in the art can of course adjust the data structure so that each IP node corresponds to a single HOST statistics node and IP statistics (heat, statistics time slice, statistics token and so on) are stored instead; this is not described further here.
Each polling pointer of this embodiment corresponds to one IP node and points to a HOST statistics node in the HOST hash table that corresponds to the same IP node. More specifically, the polling pointer is a round-robin pointer that can cycle through the HOST statistics nodes; by manipulating the polling pointer as in steps S410-S480 below, the "hot" and "cold" HOST statistics nodes can be adjusted.
S410: obtain the IP contained in the detected network packet and judge whether the IP hash table contains a corresponding IP node. If so, perform step S420; if not, create a new IP node storing this IP and then perform step S420.
S420: parse the HTTP packet out of the detected network packet, obtain the HTTP head and thereby the HOST information, and judge whether the HOST hash table corresponding to the IP node contains a corresponding HOST statistics node. If so, perform step S430; if not, perform step S440.
S430: point the polling pointer at the corresponding HOST statistics node, add 1 to the heat of that HOST statistics node, judge from the statistics time slice and statistics token whether the number of network packets containing this specific IP and HOST information detected within the predetermined time has reached the preset threshold, and perform step S470.
More specifically, S430 comprises steps S431 and S432. In step S431, the polling pointer is pointed at the corresponding HOST statistics node and the heat of that node is increased by 1. In step S432, it is judged from the statistics time slice and statistics token whether the number of network packets containing the specific IP and HOST information detected within the predetermined time has reached the preset threshold; if not, step S470 is performed; if so, the network access comprising this IP and HOST is determined to be a network attack, so step S340 shown in Fig. 3 is performed, and step S470 is performed as well.
Preferably, the length of the statistics period is determined by the time slice, for example one minute, ten minutes or one hour; the statistics token counts the number of network packets containing the specific IP and HOST information that were detected.
S440: judge whether the number of HOST statistics nodes in the HOST hash table corresponding to this IP node has reached the maximum. If not, perform step S450; if so, perform step S460.
Because storage space is often limited, over time the storage space allocated to a particular HOST hash table can easily run short, so that the number of HOST statistics nodes reaches the maximum.
S450: insert a HOST statistics node, set its statistics time slice and statistics token, point the polling pointer at this HOST statistics node, set its heat to 1, and perform step S470. The inserted HOST statistics node stores the HOST statistics for the HOST contained in the detected network packet.
If the storage space allocated to the particular HOST hash table is sufficient, a new HOST statistics node is created by step S450. The statistics time slice and statistics token can be set flexibly as required.
S460: point the polling pointer at the HOST statistics node with the lowest heat among those corresponding to this IP node, make that HOST statistics node store the HOST information contained in the detected network packet, set its heat to 1, and perform step S470.
If the storage space allocated to the particular HOST hash table is insufficient, the HOST statistics node with the lowest heat is reused by step S460.
S470: point this polling pointer at the next HOST statistics node; for all the remaining IP nodes, reduce the heat of the HOST statistics node pointed to by their polling pointer by a predetermined value (in this embodiment 1, or a value less than 1) and point each of those pointers at its next HOST statistics node.
S480: select and delete HOST statistics nodes whose heat is 0; if the heat of the HOST statistics node corresponding to an IP node is 0, or the sum of the heats of the several HOST statistics nodes corresponding to it is less than a preset threshold, delete the IP node together with its HOST statistics nodes. Deleting HOST statistics nodes and IP nodes in this way removes the IPs and HOSTs with little traffic.
Fig. 5 shows a detailed flowchart of one embodiment of step S350 in Fig. 3. The embodiment of Fig. 5 comprises steps S351, S352 and S353, performed whenever a network access packet is detected:

Step S351: obtain the IP of the network access packet and judge whether it hits an IP recorded in the IP-HOST blacklist; if so, perform step S352, otherwise exit the flow and continue detecting network access packets. The IP can be obtained either by reusing the IP already parsed in step S310, or by taking the IP header from the packet and extracting the IP field from it.

Step S352: obtain the HOST of the network access packet and judge whether it hits the HOST that the IP-HOST blacklist records for the packet's IP; if so, perform step S353, otherwise exit the flow and continue detecting network access packets. The HOST can be obtained either by reusing the HOST already parsed in step S310, or by taking the HTTP header from the packet and extracting the Host header field from it.

Step S353: intercept the network access packet.

Fig. 6 shows a detailed flowchart of another embodiment of step S350 in Fig. 3. It is largely the same as the embodiment of Fig. 5; the difference is an additional step S351' between S351 and S352, so the embodiment of Fig. 6 comprises steps S351, S351', S352 and S353:

Step S351: obtain the IP of the network access packet and judge whether it hits an IP recorded in the IP-HOST blacklist; if so, perform step S351', otherwise exit the flow and continue detecting network access packets.

Step S351': judge, from a preset interception-rule identifier, whether the interception rule is IP-based or based on IP and HOST. For an IP-based rule, perform step S353 without performing step S352; for a rule based on IP and HOST, perform step S352. In other words, if the rule is judged to be based on IP and HOST, perform step S352; otherwise perform step S353 and skip step S352.

Step S352: obtain the HOST of the network access packet and judge whether it hits the HOST that the IP-HOST blacklist records for the packet's IP; if so, perform step S353, otherwise exit the flow and continue detecting network access packets.

Step S353: intercept the network access packet.

By adding step S351', the embodiment of Fig. 6 lets step S350 serve both interception rules based on IP and HOST and IP-based interception rules.

The basic technical idea of the attack interception method based on IP and HOST is therefore: capture network access packets, parse and count IP and HOST, and obtain the number of times a particular user (a single host, or at least one host in a local area network, called A below) accesses a particular Internet server (called B below) within a predetermined period. A sufficiently large count means A is carrying out a network attack on B, and the IP-HOST blacklist is created or updated accordingly. When a later network access packet is analysed and found to carry the IP corresponding to A together with the HOST corresponding to B, it is intercepted.

Preferably, the method of this embodiment further comprises reading an IP-HOST blacklist obtained by offline learning before acquiring network access packets. That is, before the steps of Fig. 3 are performed, the existing IP-HOST blacklist is loaded first, and steps S310, S320, S330 and S340 of Fig. 3 then update it in real time, which protects the network more effectively.
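The detection and interception flow of Figs. 5 and 6 and the summary above, including the preload of an offline-learned blacklist, as an added example that is not code from the patent or its applicant: it parses the source IP from the IPv4 header and the HOST from the HTTP Host header, counts packets per (IP, HOST) pair inside a sliding window, promotes a pair that reaches the threshold to the IP-HOST blacklist, and applies the Fig. 6 interception flow with the interception-rule flag. The function and class names (parse_ip_and_host, build_packet, IPHostDetector), the window and threshold values, the timestamps and the sample packets produced by build_packet (constructed, with zero checksums) are assumptions.

```python
# Added example, not the patent's code: IP/HOST parsing, windowed counting,
# IP-HOST blacklist maintenance (with offline preload) and the Fig. 6
# interception flow. Names, window/threshold values and the sample packets
# built by build_packet are assumptions constructed for illustration.
import struct
from collections import defaultdict, deque
from typing import Deque, Dict, Iterable, Optional, Set, Tuple


def parse_ip_and_host(packet: bytes) -> Optional[Tuple[str, str]]:
    """Step S310: source IP from the IPv4 header, HOST from the HTTP Host
    header in the TCP payload. Returns None for anything that is not an
    IPv4/TCP packet carrying a complete HTTP request header."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 6 or len(packet) < ihl + 20:        # protocol 6 = TCP
        return None
    src_ip = ".".join(str(b) for b in packet[12:16])
    tcp_off = (packet[ihl + 12] >> 4) * 4
    payload = packet[ihl + tcp_off:]
    head_end = payload.find(b"\r\n\r\n")
    if head_end < 0:
        return None
    for line in payload[:head_end].split(b"\r\n")[1:]:  # skip request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            host = value.strip().decode("ascii", "replace").lower()
            return src_ip, host.split(":")[0]          # drop an explicit port
    return None


def build_packet(src_ip: str, host: str, path: str = "/") -> bytes:
    """Constructed sample input: minimal IPv4/TCP/HTTP GET, checksums zero."""
    http = f"GET {path} HTTP/1.1\r\nHost: {host}\r\nUser-Agent: x\r\n\r\n".encode()
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(http), 0, 0,
                     64, 6, 0, bytes(int(o) for o in src_ip.split(".")),
                     bytes([192, 0, 2, 10]))
    return ip + tcp + http


class IPHostDetector:
    def __init__(self, window: float, threshold: int,
                 rule_by_ip_only: bool = False) -> None:
        self.window = window                    # predetermined period (seconds)
        self.threshold = threshold              # predetermined threshold
        self.rule_by_ip_only = rule_by_ip_only  # interception-rule flag (S351')
        self.hits: Dict[Tuple[str, str], Deque[float]] = defaultdict(deque)
        self.blacklist: Dict[str, Set[str]] = defaultdict(set)  # IP -> HOSTs

    def load_offline_blacklist(self, entries: Iterable[Tuple[str, str]]) -> None:
        """Preload an IP-HOST blacklist obtained by offline learning."""
        for ip, host in entries:
            self.blacklist[ip].add(host)

    def observe(self, packet: bytes, now: float) -> str:
        """Steps S310-S350 for one packet: 'pass', 'drop' or 'invalid'."""
        parsed = parse_ip_and_host(packet)
        if parsed is None:
            return "invalid"
        ip, host = parsed
        q = self.hits[(ip, host)]                     # S320: count the pair
        q.append(now)
        while q and now - q[0] > self.window:         # keep only the window
            q.popleft()
        if len(q) >= self.threshold:                  # S330/S340: attack
            self.blacklist[ip].add(host)
        return "drop" if self.intercept(ip, host) else "pass"

    def intercept(self, ip: str, host: str) -> bool:
        """Fig. 6: S351 IP hit, S351' rule type, S352 HOST hit, S353 block."""
        if ip not in self.blacklist:                  # S351 miss: let it pass
            return False
        if self.rule_by_ip_only:                      # S351': IP-based rule
            return True                               # S353 without S352
        return host in self.blacklist[ip]             # S352 -> S353
```

Under the IP-and-HOST rule a blacklisted IP that requests a different HOST is still passed, which is the selectivity the text claims for the combined key; switching rule_by_ip_only to True reproduces the plain IP-based rule of step S351'.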
According to a further aspect of the invention, an attack interception device based on IP and HOST is provided. Fig. 7 shows a block diagram of an attack interception device based on IP and HOST according to an embodiment of the invention. The device comprises:

A resolution unit 710, adapted to acquire a network access packet and parse the IP and HOST from it.

The IP obtained by resolution unit 710 is the source IP address of the network packet, that is, the IP address of the host that sent the packet or of the local area network that host belongs to; the HOST is the destination website domain name of the packet, that is, the domain name of the Internet server the packet is addressed to.

Resolution unit 710 is adapted to take the IP header from the network access packet and extract the IP field from it, and to take the HTTP header from the packet and extract the Host header field from it.

A statistic unit 720, adapted to count, within a predetermined period, the first quantity of network access packets in which a specified IP targets a specified HOST.

The first quantity is simply the number of network access packets parsed by statistic unit 720 within the predetermined period that carry this specified IP and this specified HOST.

A detecting unit 730, adapted to determine the network access comprising this IP and HOST to be a network attack when the first quantity reaches a predetermined threshold.

That is, if the single host corresponding to this specific IP, or the hosts of the local area network behind it, send access requests to the Internet server corresponding to this specific HOST often enough, detecting unit 730 determines the network access comprising this IP and HOST to be a network attack.

A maintenance unit 740, adapted to add the IP and HOST to the IP-HOST blacklist.

An interception unit 750, adapted to intercept network access packets according to the IP-HOST blacklist.

Because the network access comprising this IP and HOST is a network attack, maintenance unit 740 adds the IP and HOST to the IP-HOST blacklist and interception unit 750 intercepts network access packets according to that blacklist. The attack is intercepted accurately and effectively, while network access that carries this IP but not this HOST is not blocked.

Specifically, interception unit 750 is adapted to obtain the IP of the network access packet and judge whether it hits an IP recorded in the IP-HOST blacklist; if so, to obtain the HOST of the packet and judge whether it hits the HOST that the blacklist records for that IP; and if so, to intercept the packet. Alternatively, when the IP of the packet hits an IP recorded in the blacklist, interception unit 750 judges from the interception-rule identifier whether the interception rule is IP-based or based on IP and HOST: for an IP-based rule it intercepts the packet directly; for a rule based on IP and HOST it obtains the HOST of the packet, judges whether it hits the HOST recorded for that IP, and intercepts the packet if so. Interception unit 750 may obtain the IP and HOST of the packet by taking the IP header and extracting the IP field, and taking the HTTP header and extracting the Host header field; or it may simply reuse the IP and HOST already obtained by resolution unit 710.

Further, maintenance unit 740 of this embodiment is adapted to read an IP-HOST blacklist obtained by offline learning before network access packets are acquired.

The basic technical idea of the attack interception device based on IP and HOST is therefore: resolution unit 710 captures network access packets and parses IP and HOST, statistic unit 720 counts them, and the number of times a particular user (a single host, or at least one host in a local area network, called A below) accesses a particular Internet server (called B below) within a predetermined period is obtained. A sufficiently large count means A is carrying out a network attack on B, and detecting unit 730 determines the network access comprising this IP and HOST to be a network attack. Maintenance unit 740 creates or updates the IP-HOST blacklist from the result of detecting unit 730. When a later network access packet is analysed and found to carry the IP corresponding to A together with the HOST corresponding to B, interception unit 750 intercepts it. The attack is intercepted accurately and effectively, while network access that carries this IP but not this HOST is not blocked.
Embodiments of the invention disclose:

A1. An attack detection method based on IP and HOST, characterised in that it comprises:

acquiring a network access packet and parsing an IP and a HOST from it, where the IP is the source IP address of the network packet and the HOST is the destination website domain name of the network packet;

counting, within a predetermined period, a first quantity of network access packets in which a specified IP targets a specified HOST;

if the first quantity reaches a predetermined threshold, determining the network access comprising this IP and HOST to be a network attack.

A2. The method of A1, wherein parsing the IP and HOST from the network access packet comprises:

taking the IP header from the network access packet and extracting the IP field from it; and

taking the HTTP header from the network access packet and extracting the Host header field from it.

B3. An attack interception method based on IP and HOST, characterised in that it comprises:

acquiring a network access packet and parsing an IP and a HOST from it, where the IP is the source IP address of the network packet and the HOST is the destination website domain name of the network packet;

counting, within a predetermined period, a first quantity of network access packets in which a specified IP targets a specified HOST;

if the first quantity reaches a predetermined threshold, determining the network access comprising this IP and HOST to be a network attack;

adding the IP and HOST to an IP-HOST blacklist;

intercepting network access packets according to the IP-HOST blacklist.

B4. The method of B3, wherein parsing the IP and HOST from the network access packet comprises:

taking the IP header from the network access packet and extracting the IP field from it; and

taking the HTTP header from the network access packet and extracting the Host header field from it.

B5. The method of B3, wherein intercepting network access packets according to the IP-HOST blacklist comprises the following steps:

S1: obtaining the IP of the network access packet and judging whether it hits an IP recorded in the IP-HOST blacklist; if so, performing step S2;

S2: obtaining the HOST of the network access packet and judging whether it hits the HOST that the IP-HOST blacklist records for the IP of the packet; if so, performing step S3;

S3: intercepting the network access packet.

B6. The method of B5, further comprising, between steps S1 and S2:

S21: judging whether the interception rule is IP-based or based on IP and HOST; for an IP-based rule, performing step S3 without performing step S2; for a rule based on IP and HOST, performing step S2.

B7. The method of B3, further comprising reading an IP-HOST blacklist obtained by offline learning before acquiring network access packets.

C8. An attack detection device based on IP and HOST, comprising:

a resolution unit, adapted to acquire a network access packet and parse an IP and a HOST from it, where the IP is the source IP address of the network packet and the HOST is the destination website domain name of the network packet;

a statistic unit, adapted to count, within a predetermined period, a first quantity of network access packets in which a specified IP targets a specified HOST;

a detecting unit, adapted to determine the network access comprising this IP and HOST to be a network attack when the first quantity reaches a predetermined threshold.

C9. The device of C8, wherein the resolution unit is adapted to take the IP header from the network access packet and extract the IP field from it, and to take the HTTP header from the network access packet and extract the Host header field from it.

D10. An attack interception device based on IP and HOST, comprising:

a resolution unit, adapted to acquire a network access packet and parse an IP and a HOST from it, where the IP is the source IP address of the network packet and the HOST is the destination website domain name of the network packet;

a statistic unit, adapted to count, within a predetermined period, a first quantity of network access packets in which a specified IP targets a specified HOST;

a detecting unit, adapted to determine the network access comprising this IP and HOST to be a network attack when the first quantity reaches a predetermined threshold;

a maintenance unit, adapted to add the IP and HOST to an IP-HOST blacklist;

an interception unit, adapted to intercept network access packets according to the IP-HOST blacklist.

D11. The device of D10, wherein the resolution unit is adapted to take the IP header from the network access packet and extract the IP field from it, and to take the HTTP header from the network access packet and extract the Host header field from it.

D12. The device of D10, wherein the interception unit is adapted to obtain the IP of the network access packet and judge whether it hits an IP recorded in the IP-HOST blacklist; if so, to obtain the HOST of the packet and judge whether it hits the HOST that the IP-HOST blacklist records for the IP of the packet; and if so, to intercept the network access packet.

D13. The device of D10, wherein the interception unit is adapted, when the IP of the network access packet hits an IP recorded in the IP-HOST blacklist, to judge whether the interception rule is IP-based or based on IP and HOST; for an IP-based rule, to intercept the network access packet; for a rule based on IP and HOST, to obtain the HOST of the packet, judge whether it hits the HOST that the IP-HOST blacklist records for the IP of the packet, and, if so, intercept the network access packet.

D14. The device of D10, wherein the maintenance unit is further adapted to read an IP-HOST blacklist obtained by offline learning before network access packets are acquired.
It should be noted that:

The algorithms and displays provided here are not inherently related to any particular computer, virtual system or other equipment. Various general-purpose systems may also be used with the teaching herein. From the description above, the structure required to construct such systems is apparent. Moreover, the invention is not directed to any particular programming language. It should be understood that the content of the invention described here can be implemented in a variety of programming languages, and that the description given above with reference to a specific language is provided to disclose the best mode of the invention.

The specification provided herein describes a large number of specific details. It will be understood, however, that embodiments of the invention can be practised without these details. In some instances, well-known methods, structures and techniques are not shown in detail so as not to obscure the understanding of this description.

Similarly, it should be understood that, in order to simplify the disclosure and to aid the understanding of one or more of the inventive aspects, the description of exemplary embodiments above sometimes groups the features of the invention together in a single embodiment, figure or description thereof. This method of disclosure should not, however, be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single disclosed embodiment. The claims following the detailed description are therefore expressly incorporated into the detailed description, with each claim standing on its own as a separate embodiment of the invention.

Those skilled in the art will appreciate that the modules in the equipment of an embodiment can be adaptively changed and arranged in one or more pieces of equipment different from that embodiment. Modules, units or components of an embodiment can be combined into one module, unit or component, and can in addition be divided into multiple sub-modules, sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or equipment so disclosed may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by an alternative feature serving the same, an equivalent or a similar purpose.

Moreover, those skilled in the art will understand that although some embodiments described herein include certain features that other embodiments include and not others, combinations of the features of different embodiments are meant to be within the scope of the invention and to form different embodiments. For example, in the following claims, any of the claimed embodiments can be used in any combination.

The component embodiments of the invention can be implemented in hardware, in software modules running on one or more processors, or in a combination of the two. Those skilled in the art will understand that a microprocessor or digital signal processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components of the attack detection and attack interception equipment based on IP and HOST according to the embodiments of the invention. The invention can also be implemented as equipment or device programs (for example computer programs and computer program products) for performing part or all of the methods described herein. Such programs implementing the invention can be stored on a computer-readable medium or take the form of one or more signals. Such signals can be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.

It should be noted that the embodiments above describe the invention rather than limit it, and that those skilled in the art can design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention can be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a unit claim enumerating several devices, several of these devices can be embodied by one and the same item of hardware. The use of the words first, second, third and so on does not indicate any order; these words may be interpreted as names.

Claims (10)

1. An attack detection method based on IP and HOST, characterised in that it comprises:

acquiring a network access packet and parsing an IP and a HOST from it, where the IP is the source IP address of the network packet and the HOST is the destination website domain name of the network packet;

counting, within a predetermined period, a first quantity of network access packets in which a specified IP targets a specified HOST;

if the first quantity reaches a predetermined threshold, determining the network access comprising this IP and HOST to be a network attack.

2. The method of claim 1, wherein parsing the IP and HOST from the network access packet comprises:

taking the IP header from the network access packet and extracting the IP field from it; and

taking the HTTP header from the network access packet and extracting the Host header field from it.

3. An attack interception method based on IP and HOST, characterised in that it comprises:

acquiring a network access packet and parsing an IP and a HOST from it, where the IP is the source IP address of the network packet and the HOST is the destination website domain name of the network packet;

counting, within a predetermined period, a first quantity of network access packets in which a specified IP targets a specified HOST;

if the first quantity reaches a predetermined threshold, determining the network access comprising this IP and HOST to be a network attack;

adding the IP and HOST to an IP-HOST blacklist;

intercepting network access packets according to the IP-HOST blacklist.

4. The method of claim 3, wherein parsing the IP and HOST from the network access packet comprises:

taking the IP header from the network access packet and extracting the IP field from it; and

taking the HTTP header from the network access packet and extracting the Host header field from it.

5. The method of claim 3, wherein intercepting network access packets according to the IP-HOST blacklist comprises the following steps:

S1: obtaining the IP of the network access packet and judging whether it hits an IP recorded in the IP-HOST blacklist; if so, performing step S2;

S2: obtaining the HOST of the network access packet and judging whether it hits the HOST that the IP-HOST blacklist records for the IP of the packet; if so, performing step S3;

S3: intercepting the network access packet.

6. The method of claim 5, further comprising, between steps S1 and S2:

S21: judging whether the interception rule is IP-based or based on IP and HOST; for an IP-based rule, performing step S3 without performing step S2; for a rule based on IP and HOST, performing step S2.

7. The method of claim 3, further comprising reading an IP-HOST blacklist obtained by offline learning before acquiring network access packets.

8. An attack detection device based on IP and HOST, comprising:

a resolution unit, adapted to acquire a network access packet and parse an IP and a HOST from it, where the IP is the source IP address of the network packet and the HOST is the destination website domain name of the network packet;

a statistic unit, adapted to count, within a predetermined period, a first quantity of network access packets in which a specified IP targets a specified HOST;

a detecting unit, adapted to determine the network access comprising this IP and HOST to be a network attack when the first quantity reaches a predetermined threshold.

9. The device of claim 8, wherein the resolution unit is adapted to take the IP header from the network access packet and extract the IP field from it, and to take the HTTP header from the network access packet and extract the Host header field from it.

10. An attack interception device based on IP and HOST, comprising:

a resolution unit, adapted to acquire a network access packet and parse an IP and a HOST from it, where the IP is the source IP address of the network packet and the HOST is the destination website domain name of the network packet;

a statistic unit, adapted to count, within a predetermined period, a first quantity of network access packets in which a specified IP targets a specified HOST;

a detecting unit, adapted to determine the network access comprising this IP and HOST to be a network attack when the first quantity reaches a predetermined threshold;

a maintenance unit, adapted to add the IP and HOST to an IP-HOST blacklist;

an interception unit, adapted to intercept network access packets according to the IP-HOST blacklist.
Application CN201410715281.9A, filed 2014-11-28 (priority date 2014-11-28): Attack detection method and device based on IP and HOST. Published as CN104468554A on 2015-03-25; legal status pending (China).
Cited By (17)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105187424A (en) * 2015-08-31 2015-12-23 广州市优普计算机有限公司 Network security detection method and device
CN105357180A (en) * 2015-09-30 2016-02-24 华为技术有限公司 Network system, attack message intercepting method, attack message intercepting apparatus, and device
CN105516200A (en) * 2016-01-19 2016-04-20 中国联合网络通信集团有限公司 Cloud system security processing method and device
CN106067879A (en) * 2016-06-07 2016-11-02 腾讯科技(深圳)有限公司 The detection method of information and device
CN106789831A (en) * 2015-11-19 2017-05-31 阿里巴巴集团控股有限公司 The method and apparatus for recognizing network attack
CN106921671A (en) * 2017-03-22 2017-07-04 杭州迪普科技股份有限公司 The detection method and device of a kind of network attack
CN107241304A (en) * 2016-03-29 2017-10-10 阿里巴巴集团控股有限公司 A kind of detection method and device of DDos attacks
CN107483514A (en) * 2017-10-13 2017-12-15 北京知道创宇信息技术有限公司 Attack monitoring device and smart machine
WO2018095192A1 (en) * 2016-11-23 2018-05-31 腾讯科技(深圳)有限公司 Method and system for website attack detection and prevention
CN108111476A (en) * 2017-08-08 2018-06-01 西安交大捷普网络科技有限公司 C&C channel detection methods
CN108200076A (en) * 2018-01-17 2018-06-22 杭州迪普科技股份有限公司 The means of defence and device of Host header field forgery attacks
CN108270839A (en) * 2017-01-04 2018-07-10 腾讯科技(深圳)有限公司 Access frequency control system and method
CN112910839A (en) * 2021-01-12 2021-06-04 杭州迪普科技股份有限公司 DNS attack defense method and device
CN113051570A (en) * 2021-05-25 2021-06-29 深圳市积汇天成科技有限公司 Server access monitoring method and device
CN114389856A (en) * 2021-12-23 2022-04-22 南京理工大学 Network attack detection system
CN115883254A (en) * 2023-01-28 2023-03-31 北京亿赛通科技发展有限责任公司 DoS attack defense method and device, electronic equipment and storage medium
CN116366372A (en) * 2023-05-31 2023-06-30 北京嘉铭创新科技有限公司 Network attack interception method, device, equipment and medium

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102404285A (en) * 2010-09-09 2012-04-04 富士通株式会社 Device and method for realizing information safety and communication system comprising device
US20120331544A1 (en) * 2011-06-27 2012-12-27 International Business Machines Corporation Detection of rogue client-agnostic nat device tunnels
CN103825900A (en) * 2014-02-28 2014-05-28 广州云宏信息科技有限公司 Website access method and device and filter form downloading and updating method and system

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102404285A (en) * 2010-09-09 2012-04-04 富士通株式会社 Device and method for realizing information safety and communication system comprising device
US20120331544A1 (en) * 2011-06-27 2012-12-27 International Business Machines Corporation Detection of rogue client-agnostic nat device tunnels
CN103825900A (en) * 2014-02-28 2014-05-28 广州云宏信息科技有限公司 Website access method and device and filter form downloading and updating method and system

Cited By (28)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105187424A (en) * 2015-08-31 2015-12-23 广州市优普计算机有限公司 Network security detection method and device
CN105357180A (en) * 2015-09-30 2016-02-24 华为技术有限公司 Network system, attack message intercepting method, attack message intercepting apparatus, and device
CN110233834A (en) * 2015-09-30 2019-09-13 华为技术有限公司 Network system, the hold-up interception method of attack message, device and equipment
CN105357180B (en) * 2015-09-30 2019-06-07 华为技术有限公司 Network system, the hold-up interception method of attack message, device and equipment
CN106789831B (en) * 2015-11-19 2020-10-23 阿里巴巴集团控股有限公司 Method and device for identifying network attack
CN106789831A (en) * 2015-11-19 2017-05-31 阿里巴巴集团控股有限公司 The method and apparatus for recognizing network attack
CN105516200A (en) * 2016-01-19 2016-04-20 中国联合网络通信集团有限公司 Cloud system security processing method and device
CN107241304A (en) * 2016-03-29 2017-10-10 阿里巴巴集团控股有限公司 A kind of detection method and device of DDos attacks
CN107241304B (en) * 2016-03-29 2021-02-02 阿里巴巴集团控股有限公司 Method and device for detecting DDoS attack
CN106067879A (en) * 2016-06-07 2016-11-02 腾讯科技(深圳)有限公司 The detection method of information and device
CN106067879B (en) * 2016-06-07 2019-03-15 腾讯科技(深圳)有限公司 The detection method and device of information
WO2018095192A1 (en) * 2016-11-23 2018-05-31 腾讯科技(深圳)有限公司 Method and system for website attack detection and prevention
US10715546B2 (en) 2016-11-23 2020-07-14 Tencent Technology (Shenzhen) Company Limited Website attack detection and protection method and system
CN108270839B (en) * 2017-01-04 2022-03-25 腾讯科技(深圳)有限公司 Access frequency control system and method
CN108270839A (en) * 2017-01-04 2018-07-10 腾讯科技(深圳)有限公司 Access frequency control system and method
CN106921671A (en) * 2017-03-22 2017-07-04 杭州迪普科技股份有限公司 The detection method and device of a kind of network attack
CN108111476A (en) * 2017-08-08 2018-06-01 西安交大捷普网络科技有限公司 C&C channel detection methods
CN107483514A (en) * 2017-10-13 2017-12-15 北京知道创宇信息技术有限公司 Attack monitoring device and smart machine
CN108200076A (en) * 2018-01-17 2018-06-22 杭州迪普科技股份有限公司 Method and device for defending against Host header field forgery attacks
CN112910839A (en) * 2021-01-12 2021-06-04 杭州迪普科技股份有限公司 DNS attack defense method and device
CN112910839B (en) * 2021-01-12 2023-04-25 杭州迪普科技股份有限公司 Method and device for defending DNS attack
CN113051570B (en) * 2021-05-25 2021-08-17 深圳市积汇天成科技有限公司 Server access monitoring method and device
CN113051570A (en) * 2021-05-25 2021-06-29 深圳市积汇天成科技有限公司 Server access monitoring method and device
CN114389856A (en) * 2021-12-23 2022-04-22 南京理工大学 Network attack detection system
CN115883254A (en) * 2023-01-28 2023-03-31 北京亿赛通科技发展有限责任公司 DoS attack defense method and device, electronic equipment and storage medium
CN115883254B (en) * 2023-01-28 2023-05-23 北京亿赛通科技发展有限责任公司 DoS attack defense method and device, electronic equipment and storage medium
CN116366372A (en) * 2023-05-31 2023-06-30 北京嘉铭创新科技有限公司 Network attack interception method, device, equipment and medium
CN116366372B (en) * 2023-05-31 2023-08-04 北京嘉铭创新科技有限公司 Network attack interception method, device, equipment and medium

Similar Documents

Publication Publication Date Title
CN104468554A (en) Attack detection method and device based on IP and HOST
KR101010302B1 (en) Security management system and method of irc and http botnet
CN103701795B Method and device for identifying the attack source of a denial-of-service attack
US8844034B2 (en) Method and apparatus for detecting and defending against CC attack
US7865953B1 (en) Methods and arrangement for active malicious web pages discovery
US8375120B2 (en) Domain name system security network
US9258289B2 (en) Authentication of IP source addresses
US20140047543A1 (en) Apparatus and method for detecting http botnet based on densities of web transactions
JP6315640B2 (en) Communication destination correspondence collection apparatus, communication destination correspondence collection method, and communication destination correspondence collection program
CN101460983A (en) Malicious attack detection system and an associated method of use
US10135785B2 (en) Network security system to intercept inline domain name system requests
CN103685294A (en) Method and device for identifying attack sources of denial of service attack
KR20060013491A (en) Network attack signature generation
CN106453229B Method, system and medium for detecting updates to Domain Name System records
CN103701816A Scanning method and device for servers carrying out DoS (denial of service) attacks
CN108234486A Network monitoring method and monitoring server
CN102664872A System and method for detecting and preventing attacks on a server in a computer network
US8001243B2 (en) Distributed denial of service deterrence using outbound packet rewriting
CN103685253A (en) Method and device for defending CDN flow amplification attacks
CN114205169B (en) Network security defense method, device and system
CN115664833A (en) Network hijacking detection method based on local area network security equipment
CN110769004B (en) DNS anti-pollution method used in DNS client or proxy server
CN111371917B (en) Domain name detection method and system
KR101084681B1 (en) Behavior pattern modelling system of network traffic for botnet detecting and behavior pattern modelling method of network traffic for botnet detecting
CN112565259A (en) Method and device for filtering DNS tunnel Trojan communication data

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication (Application publication date: 20150325)