CN104935609A - Network attack detection method and detection apparatus - Google Patents

Network attack detection method and detection apparatus Download PDF

Info

Publication number: CN104935609A
Authority: CN (China)
Prior art keywords: network attack, access request, attack, network, visit
Legal status: Pending
Application number: CN201510423996.1A
Other languages: Chinese (zh)
Inventors: 沈陈乐, 闫国旗
Current assignee: Beijing Jingdong Century Trading Co Ltd; Beijing Jingdong Shangke Information Technology Co Ltd
Original assignee: Beijing Jingdong Century Trading Co Ltd; Beijing Jingdong Shangke Information Technology Co Ltd
Application filed by Beijing Jingdong Century Trading Co Ltd and Beijing Jingdong Shangke Information Technology Co Ltd; publication CN104935609A; legal status pending.

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00: Network arrangements or protocols for supporting network services or applications
    • H04L67/01: Protocols
    • H04L67/02: Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]

Abstract

The present invention provides a network attack detection method and apparatus capable of accurately and effectively detecting network attacks against a website. The method targets the case where access requests to the website are initiated automatically by a tool script or program in order to carry out a network attack, and comprises: an access data acquisition step (S1) that collects the time information of each access request within a predetermined period, and from that time information calculates the access time interval between every two adjacent access requests to form an access time interval data set; an access data dispersion degree calculation step (S2) that calculates the dispersion degree of the access time interval data set; and an attack data judgement step (S3) that determines from the dispersion degree whether the access requests are a network attack.

Description

Network attack detection method and detection apparatus
Technical field
The present invention relates to the technical field of network security, and specifically to a network attack detection method and detection apparatus.
Background art
The basic attributes of network security are confidentiality, integrity, legitimacy and availability. A network attacker is someone who undermines these attributes of network security by whatever ways and means.
In recent years Web services have taken an ever larger share of Internet services, so the harm done by network attacks against Web services is also growing. Among network attacks against Web services, distributed denial of service (DDoS) attacks are the most prevalent and very harmful. For example, an HTTP-Flood attack is a kind of DDoS attack that uses Hypertext Transfer Protocol (HTTP) requests against the web pages of a Web server in order to destroy the availability of the Web application.
When an HTTP-Flood attack occurs, the attacker uses a tool to forge requests, or hijacks browsers, to send a large number of HTTP requests to the Uniform Resource Locator (URL) of a specific website, so that the server is kept busy supplying resources to the attacker and cannot respond to the service requests of other legitimate users; the website then reaches its processing bottleneck and the attacker's goal of denying service is achieved.
Prior-art protection schemes against network attacks such as HTTP-Flood all start from the service the website provides and detect or control the access frequency: when a certain IP address exceeds a certain number of accesses within a certain period, it is regarded as a network attack. Some more refined schemes restrict the frequency statistics to specified URLs or to specified Cookie values.
However, because existing protection schemes rely on simple IP-address access-frequency statistics, for users behind NAT (Network Address Translation) who share one egress IP address, using the access frequency alone as the attack criterion easily causes NAT users to be blocked by mistake.
Moreover, existing protection schemes cannot detect attacks such as distributed HTTP-Flood: the access frequency of any single attacking IP address (a "broiler", i.e. a compromised bot host) is not high and does not reach the attack frequency threshold, yet many such hosts issuing requests at the same time can still deny service to the website.
In addition, some existing protection schemes require specific URLs or Cookies to be designated before statistics can be collected, so they are tightly coupled to the website's business; on websites with a large number of URLs, deployment and operations cost is correspondingly higher.
Summary of the invention
The present invention was made in view of the above problems of existing network attack protection technology, and its object is to provide a network attack detection method and detection apparatus that can accurately and effectively detect network attacks (for example HTTP-Flood) against a website.
The network attack detection method of one aspect of the present invention is a method for detecting network attacks in which access requests to a website are initiated automatically by a tool script or program, and comprises: an access data acquisition step S1, which collects the time information of each access request within a first predetermined time, calculates from that time information the access time interval between every two adjacent access requests, and forms an access time interval data group; an access data dispersion degree calculation step S2, which calculates the dispersion degree of the access time interval data group from that group; and an attack data judgement step S3, which judges that the access requests are a network attack when the dispersion degree is within a predetermined attack data dispersion range, judges that they are not a network attack when the dispersion degree is not within that range, and outputs this judgement as the final detection result. The predetermined attack data dispersion range is predetermined according to the network environment of the website, and a dispersion degree within that range means that each access time interval in the access time interval data group can be regarded as a constant.
In the network attack detection method according to one aspect of the present invention, the dispersion degree of the access time interval data group is calculated by a statistical operation.
In the network attack detection method according to one aspect of the present invention, the statistical operation uses variance, standard deviation or mean difference.
In the network attack detection method according to one aspect of the present invention, the access data dispersion degree calculation step S2 comprises: a constant fluctuation range determination step S2-1, which, from the access time interval data group formed in the access data acquisition step S1, calculates the mean of all access time intervals as the constant target value and determines the constant fluctuation range by formula (1) below; a constant count step S2-2, which, using the constant fluctuation range determined in step S2-1, judges whether each access time interval in the group lies within the constant fluctuation range, counts the access time intervals that do, and takes that count as the constant quantity; and a dispersion degree calculation step S2-3, which, from the constant quantity obtained in step S2-2, calculates the dispersion degree of the access time interval data group by formula (2) below. Formula (1) is: constant fluctuation range: constant target value × (1 − predetermined variance) ≤ access time interval ≤ constant target value × (1 + predetermined variance). Formula (2) is: dispersion degree = (1 − constant quantity / total number of data in the access time interval data group) × 100%.
In the network attack detection method according to one aspect of the present invention, the predetermined variance is predetermined according to the network environment of the website.
In the network attack detection method according to one aspect of the present invention, the predetermined variance is 8%.
In the network attack detection method according to one aspect of the present invention, the predetermined attack data dispersion range satisfies 0 ≤ predetermined attack data dispersion range ≤ 20%.
In the network attack detection method according to one aspect of the present invention, before the access data acquisition step S1 there is an existing network attack handling step SS1, which uses a preset network attack information table, storing the information of access requests already confirmed as network attacks, to judge whether the access request is an existing (already known) network attack, and branches accordingly: when the access request is present in the network attack information table, it is judged to be an existing network attack and directly judged to be a network attack, and the access data acquisition step S1 and the steps after it are not performed; when the access request is not present in the network attack information table, it is judged not to be an existing network attack, and the access data acquisition step S1 is performed.
In the network attack detection method according to one aspect of the present invention, the attack data judgement step S3 comprises a network attack information adding step SS3: when the judgement result of the attack data judgement step S3 is that the access request is a network attack, the information of the access request is added to the network attack information table.
In the network attack detection method according to one aspect of the present invention, before the access data acquisition step S1 there is a network attack pre-detection step SA1, which calculates the access frequency of the access request within a second predetermined time; when the access frequency exceeds a suspicious access frequency threshold, the access request is judged to be a suspicious access request and the access data acquisition step S1 is performed; when the access frequency does not exceed the suspicious access frequency threshold, the access data acquisition step S1 and the steps after it are not performed, and the access request is directly judged not to be a network attack.
In the network attack detection method according to one aspect of the present invention, before the existing network attack handling step SS1 there is a network attack pre-detection step SA1, which calculates the access frequency of the access request within a second predetermined time; when the access frequency exceeds a suspicious access frequency threshold, the access request is judged to be a suspicious access request and the existing network attack handling step SS1 is performed; when the access frequency does not exceed the suspicious access frequency threshold, the existing network attack handling step SS1 and the steps after it are not performed, and the access request is directly judged not to be a network attack.
In the network attack detection method according to one aspect of the present invention, the suspicious access frequency threshold is a frequency threshold, preset according to the network environment of the website, above which the access request is likely to be a network attack.
In the network attack detection method according to one aspect of the present invention, the suspicious access frequency threshold is a value lower than the frequency threshold, preset according to the network environment of the website, above which the access request is likely to be a network attack.
In the network attack detection method according to one aspect of the present invention, the suspicious access frequency threshold is a value 20% lower than the frequency threshold, preset according to the network environment of the website, above which the access request is likely to be a network attack.
In the network attack detection method according to one aspect of the present invention, the first predetermined time is the same as the second predetermined time.
In the network attack detection method according to one aspect of the present invention, the network attack is a distributed denial of service attack.
In the network attack detection method according to one aspect of the present invention, the distributed denial of service attack is an HTTP-Flood attack.
In the network attack detection method according to one aspect of the present invention, the access requests are access requests from the same IP address.
The network attack detection apparatus of another aspect of the present invention is an apparatus for detecting network attacks in which access requests to a website are initiated automatically by a tool script or program, and comprises: an access data acquisition unit, which collects the time information of each access request within a first predetermined time, calculates from that time information the access time interval between every two adjacent access requests, and forms an access time interval data group; an access data dispersion degree calculation unit, which calculates the dispersion degree of the access time interval data group from that group; and an attack data judgement unit, which judges that the access requests are a network attack when the dispersion degree is within a predetermined attack data dispersion range, judges that they are not a network attack when the dispersion degree is not within that range, and outputs this judgement as the final detection result. The predetermined attack data dispersion range is predetermined according to the network environment of the website.
In the network attack detection apparatus according to a further aspect of the present invention, upstream of the access data acquisition unit there is an existing network attack handling unit, which uses a preset network attack information table, storing the information of access requests already confirmed as network attacks, to judge whether the access request is an existing network attack, and branches accordingly: when the access request is present in the network attack information table, it is judged to be an existing network attack and directly judged to be a network attack, and the access data acquisition unit and the units after it do not act; when the access request is not present in the network attack information table, it is judged not to be an existing network attack, and the access data acquisition unit acts.
In the network attack detection apparatus according to a further aspect of the present invention, the attack data judgement unit comprises a network attack information adding unit: when the judgement result of the attack data judgement unit is that the access request is a network attack, the information of the access request is added to the network attack information table.
In the network attack detection apparatus according to a further aspect of the present invention, upstream of the access data acquisition unit there is a network attack pre-detection unit, which calculates the access frequency of the access request within a second predetermined time; when the access frequency exceeds a suspicious access frequency threshold, the access request is judged to be a suspicious access request and the access data acquisition unit acts; when the access frequency does not exceed the suspicious access frequency threshold, the access data acquisition unit and the units after it do not act, and the access request is directly judged not to be a network attack.
In the network attack detection apparatus according to a further aspect of the present invention, upstream of the existing network attack handling unit there is a network attack pre-detection unit, which calculates the access frequency of the access request within a second predetermined time; when the access frequency exceeds a suspicious access frequency threshold, the access request is judged to be a suspicious access request and the existing network attack handling unit acts; when the access frequency does not exceed the suspicious access frequency threshold, the existing network attack handling unit and the units after it do not act, and the access request is directly judged not to be a network attack.
In the network attack detection apparatus according to a further aspect of the present invention, the suspicious access frequency threshold is a frequency threshold, preset according to the network environment of the website, above which the access request is likely to be a network attack.
In the network attack detection apparatus according to a further aspect of the present invention, the suspicious access frequency threshold is a value lower than the frequency threshold, preset according to the network environment of the website, above which the access request is likely to be a network attack.
In the network attack detection apparatus according to a further aspect of the present invention, the suspicious access frequency threshold is a value 20% lower than the frequency threshold, preset according to the network environment of the website, above which the access request is likely to be a network attack.
In the network attack detection apparatus according to a further aspect of the present invention, the first predetermined time is the same as the second predetermined time.
According to the above technical solution of the present invention, processing is possible without designating specific URLs or Cookies, so coupling to the website's business is low and deployment and operations cost is effectively reduced.
According to the above technical solution of the present invention, detection is no longer simple IP-address access-frequency statistics; for NAT users sharing one egress IP address it can effectively identify whether an access is user behaviour, reducing the probability that NAT users are blocked by mistake.
According to the above technical solution of the present invention, network attacks of the distributed HTTP-Flood kind can be detected: where the access frequency of a single attacking IP address (a compromised bot host) is not high, lowering the suspicious access frequency threshold of the network attack pre-detection unit brings the bot host into the downstream network attack investigation process, which then investigates and judges the attack, so that denial of service of the website can be effectively prevented.
As described above, the network attack detection method and detection apparatus of the present invention can accurately and effectively detect network attacks against a website.
Brief description of the drawings
Fig. 1 is the overall flow chart of the network attack detection method of embodiment 1 of the present invention.
Fig. 2 is the flow chart of an example of the access data dispersion degree calculation step S2 of the network attack detection method of embodiment 1 of the present invention.
Fig. 3 is the functional block diagram of the network attack detection apparatus 100 of embodiment 1 of the present invention.
Fig. 4 is the overall flow chart of the network attack detection method of embodiment 2 of the present invention.
Fig. 5 is the overall flow chart of the network attack detection method of embodiment 3 of the present invention.
Embodiments
First, to solve the technical problem of the prior art, the inventors focused on the following: for both normal users and script-based network attacks (for example HTTP-Flood), the IP address is constant, so the core of network attack detection is how to separate a user's normal access from a script-based network attack (for example HTTP-Flood). The inventors therefore carried out extensive experiments and research on network attacks such as HTTP-Flood. The results show that when a normal user visits a website, because the amount of information or the content carried by each URL of the website differs, the time the user stays on a single URL is not fixed; that is, the time interval between two adjacent visits to the website by a normal user fluctuates to some extent. By contrast, in attack patterns such as HTTP-Flood the requests are initiated automatically by a tool script or malicious program, so the time interval between two adjacent requests is essentially a constant. On this analysis, the time-distribution characteristics of a user's normal requests and of network attack requests differ greatly: when a single IP address carries out a network attack such as HTTP-Flood, the average time interval between adjacent requests from that IP address is very short, all of its access time intervals are very close to one another without large fluctuation, and their difference from the average interval (that is, the standard deviation) is very small. Accordingly, the inventors set out to break through the limitation of the prior art, which uses only the access frequency as the criterion for a network attack, and invented a network attack detection method and detection apparatus that start from the time intervals between website accesses from an IP address, use statistical operations such as variance, standard deviation or mean difference to analyse the dispersion degree of the time interval data, and take that dispersion degree as the criterion for an attack.
To make the objects, technical solutions and advantages of the present invention clearer, the present invention is described in more detail below with reference to specific embodiments and the accompanying drawings.
"Embodiment 1"
Fig. 1 is the overall flow chart of the network attack detection method of embodiment 1 of the present invention.
As shown in Fig. 1, the network attack detection method of embodiment 1 comprises an access data acquisition step S1, an access data dispersion degree calculation step S2 and an attack data judgement step S3.
First, in the access data acquisition step S1, the time information of each access by an IP address to a URL is collected within a predetermined time; from the collected time information the access time interval between every two adjacent access requests is calculated, an access time interval data group is formed, and it is output to the access data dispersion degree calculation step S2. The predetermined acquisition time can be preset according to the actual state of the website's network environment; websites commonly set it to 1 to 2 minutes.
Then, in the access data dispersion degree calculation step S2, from the access time interval data group formed in the access data acquisition step S1, the dispersion degree of the group is calculated, for example with a statistical operation such as variance, standard deviation or mean difference, and output to the attack data judgement step S3.
Then, in the attack data judgement step S3, from the dispersion degree of the access time interval data group calculated in step S2, it is judged whether the accessing IP is a network attack IP. Specifically, when the dispersion degree of the access time interval data group is within the predetermined attack data dispersion range, the accessing IP is judged to be a network attack IP; when the dispersion degree exceeds the predetermined attack data dispersion range, the accessing IP is judged not to be a network attack IP; and this judgement is output as the final detection result.
Here, the predetermined attack data dispersion range can be predetermined according to the actual state of the website's network environment and the method that the access data dispersion degree calculation step S2 uses to calculate the dispersion degree. A dispersion degree within this predetermined attack data dispersion range means that the access time intervals in the access time interval data group do not differ greatly from one another and can be regarded as essentially a constant, which distinguishes them from the time-distribution characteristic of a user's normal access requests.
As for the concrete method of calculating the dispersion degree of the access time interval data group in step S2, a known statistical method for assessing the dispersion of data can be used, for example variance, standard deviation or squared difference. Here the inventors take variance as the example for analysing the dispersion degree of the time interval data group and describe the concrete calculation flow of the access data dispersion degree calculation step S2. This is only one example using variance; a skilled person may replace the variance calculation with other statistical operations such as standard deviation or squared difference. As long as the dispersion degree of the time interval data group can be calculated correctly, the concrete calculation method is not limited.
Fig. 2 is the flow chart of an example of the access data dispersion degree calculation step S2 of the network attack detection method of embodiment 1 of the present invention.
As shown in Fig. 2, the access data dispersion degree calculation step S2 comprises a constant fluctuation range determination step S2-1, a constant count step S2-2 and a dispersion degree calculation step S2-3.
First, in the constant fluctuation range determination step S2-1, from the access time interval data group formed in the access data acquisition step S1, the mean of all access time intervals is calculated as the constant target value, and the constant fluctuation range is determined by formula (1) below.
Constant fluctuation range: constant target value × (1 − predetermined variance) ≤ access time interval ≤ constant target value × (1 + predetermined variance) … (1)
Here, the predetermined variance can be predetermined according to the actual state of the website's network environment; it can generally be set to 8%, for example.
Then, in the constant count step S2-2, using the constant fluctuation range determined in step S2-1, it is judged whether each access time interval in the access time interval data group lies within this constant fluctuation range; the access time intervals that lie within it are counted, and that count of intervals satisfying the constant fluctuation range is taken as the constant quantity.
Then, in the dispersion degree calculation step S2-3, from the constant quantity obtained in the constant count step S2-2, the dispersion degree of the access time interval data group is calculated by formula (2) below.
Dispersion degree = (1 − constant quantity / total number of data in the access time interval data group) × 100% … (2)
The dispersion degree of the time interval data group collected for this accessing IP within the predetermined time is thus obtained and used as the standard for judging whether this accessing IP is a network attack IP.
For the variance-based calculation adopted in the constant fluctuation range determination step S2-1 above, the predetermined attack data dispersion range used in the subsequent attack data judgement step S3 can, for example, be set to 0 ≤ predetermined attack data dispersion range ≤ 20%.
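The following Python program is an added illustration of the detection flow described above and is not the patent's own code: it implements steps S1, S2-1 to S2-3 and S3 of embodiment 1, together with the pre-detection step SA1, the known-attack table SS1 and the table-update step SS3 from the summary, in the order the summary gives (SA1, then SS1, then S1 to S3). The class and function names, the 60-second window, the suspicious-frequency value of 5 requests per window and the sample timestamps are this example's own assumptions; the 8% tolerance and the 20% dispersion ceiling are the values the page gives.

```python
"""Interval-dispersion detector modelled on embodiment 1 of CN104935609A.
Added illustration, not the patent's code; names, the 60 s window, the
SA1 threshold used below and the sample data are this example's assumptions."""
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class DetectorConfig:
    window_seconds: float = 60.0          # "first predetermined time"; page suggests 1-2 min
    predetermined_variance: float = 0.08  # relative tolerance around the mean (page: 8%)
    attack_dispersion_max: float = 20.0   # 0 <= dispersion degree <= 20% => attack (page)
    suspicious_frequency: Optional[int] = None  # SA1 gate, requests per window; None = off


@dataclass
class Detector:
    cfg: DetectorConfig = field(default_factory=DetectorConfig)
    # "network attack information table" (SS1/SS3): IPs already judged to be attackers
    known_attackers: Set[str] = field(default_factory=set)

    def collect_window(self, timestamps: List[float], now: float) -> List[float]:
        """S1, part 1: keep only the request times inside the acquisition window."""
        start = now - self.cfg.window_seconds
        return sorted(t for t in timestamps if start <= t <= now)

    @staticmethod
    def intervals(timestamps: List[float]) -> List[float]:
        """S1, part 2: access time interval between every two adjacent requests."""
        ts = sorted(timestamps)
        return [b - a for a, b in zip(ts, ts[1:])]

    def dispersion_degree(self, intervals: List[float]) -> Optional[float]:
        """S2: formula (1) builds the constant fluctuation range around the mean;
        formula (2) turns the count of intervals inside it into a percentage."""
        if not intervals:
            return None                                   # nothing to judge on
        mean = sum(intervals) / len(intervals)            # S2-1: constant target value
        lo = mean * (1 - self.cfg.predetermined_variance)
        hi = mean * (1 + self.cfg.predetermined_variance)
        constant_count = sum(1 for x in intervals if lo <= x <= hi)  # S2-2
        return (1 - constant_count / len(intervals)) * 100.0          # S2-3, formula (2)

    def is_attack(self, ip: str, timestamps: List[float],
                  now: Optional[float] = None) -> bool:
        """SA1 -> SS1 -> S1 -> S2 -> S3 -> SS3, in the order the summary gives."""
        if not timestamps:
            return False
        now = max(timestamps) if now is None else now
        window = self.collect_window(timestamps, now)
        # SA1: at or below the suspicious frequency, stop and judge "not an attack"
        if (self.cfg.suspicious_frequency is not None
                and len(window) <= self.cfg.suspicious_frequency):
            return False
        # SS1: already in the attack information table -> attack, skip S1..S3
        if ip in self.known_attackers:
            return True
        degree = self.dispersion_degree(self.intervals(window))
        if degree is None:
            return False
        attack = 0.0 <= degree <= self.cfg.attack_dispersion_max   # S3
        if attack:
            self.known_attackers.add(ip)                            # SS3
        return attack


# Constructed sample data (not from the page): a script firing every 0.5 s,
# and a person whose pauses between clicks vary with page content.
SCRIPTED_TIMESTAMPS = [i * 0.5 for i in range(20)]
HUMAN_TIMESTAMPS = [0.0, 3.2, 4.1, 9.8, 10.3, 17.9, 18.2, 25.0]


def run_demo() -> dict:
    """Run both samples through one detector; the SA1 threshold of 5 is assumed."""
    det = Detector(DetectorConfig(suspicious_frequency=5))
    return {
        "scripted_degree": det.dispersion_degree(det.intervals(SCRIPTED_TIMESTAMPS)),
        "human_degree": det.dispersion_degree(det.intervals(HUMAN_TIMESTAMPS)),
        "scripted_is_attack": det.is_attack("198.51.100.7", SCRIPTED_TIMESTAMPS),
        "human_is_attack": det.is_attack("203.0.113.9", HUMAN_TIMESTAMPS),
        "table": sorted(det.known_attackers),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Two properties of the method are visible in the code. First, with very few requests the dispersion degree is trivially near 0% (one interval is always "constant"), so the SA1 frequency gate is what keeps a quiet client from being judged an attacker on two or three samples. Second, because the constant target value in formula (1) is the arithmetic mean, a handful of long pauses mixed into otherwise regular intervals pull the mean out of the cluster and drive the dispersion degree up, so a deployment tuning the 8% and 20% values should test with such mixed traces from its own environment.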
Thus, according to the network attack detecting method of the present embodiment 1, be no longer simple IP address access frequency statistics, for the NAT user of share I P outlet, can identification decision access whether be user behavior effectively, reduce NAT user by the probability of manslaughtering.
In addition, according to the network attack detecting method of the present embodiment 1, do not need to specify specific URL or Cookie just can process, have the low characteristic be coupled with web site traffic, deployment and O&M cost are effectively reduced.
In addition, although the technique scheme of the present embodiment 1 is described in the mode of steps flow chart, not accommodating doubtful, technique scheme can be realized by hardware configuration equally.
Fig. 3 is a functional block diagram of the network-attack detection apparatus 100 of embodiment 1 of the invention.
As shown in Fig. 3, the apparatus 100 of embodiment 1 comprises an access-data collecting unit 101, an access-data dispersion-degree computing unit 102 and an attack-data determining unit 103.
First, the access-data collecting unit 101 collects, within the predetermined time, the time information of every URL access made by the IP, computes from this time information the access-interval values between each pair of adjacent requests, forms the access-interval data group and passes it to the dispersion-degree computing unit 102. The predetermined collection time can be preset according to the actual conditions of the website's network environment.
Then the access-data dispersion-degree computing unit 102 computes the dispersion degree of the interval data group formed by unit 101, using for example a statistical measure such as the variance, standard deviation or mean deviation, and passes it to the attack-data determining unit 103.
Finally, the attack-data determining unit 103 judges from that dispersion degree whether the access IP is a network-attack IP. Specifically, when the dispersion degree lies within the predetermined attack-dispersion range the IP is judged to be a network-attack IP, and when it lies outside that range the IP is judged not to be a network-attack IP; this judgement is output as the final detection result.
In this way the apparatus 100 of embodiment 1 obtains the same technical effect as the detection method described above.
"Embodiment 2"
The inventors further considered how to avoid unnecessary repeated detection of an IP that has already been determined to be a network attacker, and improved the method of embodiment 1 accordingly.
Fig. 4 is the general flow chart of the network-attack detection method of embodiment 2. Parts identical to embodiment 1 are simplified, and parts that differ from embodiment 1 are drawn in thick lines. Only the parts that differ from embodiment 1 are described below.
As shown in Fig. 4, embodiment 2 differs from embodiment 1 in two respects. First, in order to judge whether an access IP is a known attack IP, a network-attack information table storing the information of access IPs confirmed as network attacks is set up in advance. Second, a known-attack processing step SS1 is added before the access-data acquisition step S1 of embodiment 1, and a network-attack information adding step SS3 is added inside the attack-data judging step S3 of embodiment 1.
In the known-attack processing step SS1, whether the access IP is a known attack IP is judged against the preset network-attack information table.
Specifically, if the access IP is present in the table, it is judged to be a known attack IP, step S1 of embodiment 1 and the steps after it are skipped, and the access request is directly judged to be a network attack. If the access IP is not present in the table, it is judged not to be a known attack IP, and step S1 of embodiment 1 is carried out.
Corresponding to the added step SS1, the network-attack information adding step SS3 is added inside the attack-data judging step S3 of embodiment 1.
In step SS3, when the judgement of step S3 is that the access IP is a network attack, the information of that IP is added to the network-attack information table so that it need not be detected again the next time.
Thus the method of embodiment 2 achieves the technical effect of embodiment 1 and additionally avoids unnecessary repeated detection of known attack IPs.
Although embodiment 2 has been described as a flow of steps, it goes without saying that the same scheme can equally be realised in hardware.
"Embodiment 3"
The inventors further considered that the traffic volume of a large website can be enormous, and that the dispersion-degree computation used by this detection method is somewhat more complex than the existing simple access-frequency method. If the detection of embodiment 1 or 2 were applied directly to all traffic, the computational load could be considerable. The inventors therefore made a further improvement: the detection scheme of embodiment 1 or 2 is applied on top of an existing network-attack detection scheme, giving a more efficient and more accurate detection method.
Fig. 5 is the general flow chart of the network-attack detection method of embodiment 3. Parts identical to embodiments 1 and 2 are simplified, and parts that differ from them are drawn in thick lines. Only the differing parts are described below.
As shown in Fig. 5, embodiment 3 differs from embodiments 1 and 2 in that a network-attack pre-detection step SA1 is added before their detection.
The pre-detection step SA1 uses the existing detection method that relies only on the access frequency within a predetermined time, and so performs a preliminary (initial) detection. Afterwards the detection of embodiment 1 or 2 is applied for a more accurate judgement.
Specifically, in step SA1 the access frequency of the IP within the predetermined time is computed. If it exceeds the suspicious-access frequency threshold, the IP is judged to be a suspicious access IP and the detection of embodiment 1 or 2 is carried out; if it does not exceed the threshold, the detection of embodiment 1 or 2 is skipped and the IP is directly judged not to be a network-attack IP.
The only parameter to be set here is the suspicious-access frequency threshold. It can be determined in advance from the actual conditions of the website's network environment and, as in the prior art, can be set to the preset frequency threshold at which an access IP is likely to be an attack IP, for example 100 requests per minute for an ordinary website. Preferably, however, the invention sets the suspicious-access frequency threshold lower than that prior-art threshold, for example 20% lower, so that the IPs of a distributed HTTP-flood attack are effectively brought within the monitored range.
The predetermined time of the pre-detection step SA1 of embodiment 3 and that of the access-data acquisition step S1 of embodiment 1 are preferably the same, which keeps the detection processing synchronised as a whole and simplifies operation.
According to embodiment 3, applying the structure of the invention on top of the prior-art structure not only relieves the detection load of the invention but also detects network attacks such as a distributed HTTP flood: where the access frequency of a single attacking IP address (a zombie host) is not high, lowering the suspected-attack frequency threshold of the suspected-attack detecting unit 210 brings the zombie into the suspected-attack investigation unit 220, which then investigates and judges the attack, so the website can be effectively protected against this kind of denial of service.
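Embodiments 1 to 3 together describe one staged procedure: the frequency-only pre-screen SA1 (embodiment 3), the lookup in the table of IPs already confirmed as attackers with steps SS1 and SS3 (embodiment 2), and the interval-dispersion test of steps S1 to S3 with formulas (1) and (2) (embodiment 1). The following Python program is an added illustration of that pipeline; it is not code from the patent or its applicants. It uses the figures the description gives (an 8% fluctuation band, an attack-dispersion range of 0% to 20%, 100 requests per minute as the prior-art threshold lowered by 20%, and equal 60-second windows for the two predetermined times); the function names, the in-memory attacker table and the sample request timestamps are assumptions constructed for this example.

```python
"""Staged HTTP-flood detector following embodiments 1 to 3.

Added illustration, not code from the patent.  The numeric settings come
from the description; the function names, the in-memory attacker table and
the sample request timestamps are assumptions made for this example.
"""
from statistics import mean

PREDETERMINED_VARIANCE = 0.08      # formula (1): band = target * (1 +/- 8 %)
ATTACK_DISPERSION_MAX = 20.0       # step S3: 0 % <= dispersion <= 20 % means attack
PRIOR_ART_THRESHOLD = 100.0        # requests per minute, "ordinary website" figure
SUSPICIOUS_THRESHOLD = PRIOR_ART_THRESHOLD * 0.8   # embodiment 3: 20 % lower
WINDOW_SECONDS = 60.0              # first and second predetermined time, kept equal


def intervals_from(timestamps):
    """Step S1: gaps (seconds) between consecutive requests of one IP."""
    ts = sorted(timestamps)
    return [later - earlier for earlier, later in zip(ts, ts[1:])]


def dispersion_degree(intervals, variance=PREDETERMINED_VARIANCE):
    """Steps S2-1 to S2-3: percentage of intervals outside target * (1 +/- variance).

    Returns None when there are fewer than two intervals, since a band around
    the mean of a single value says nothing about regularity.
    """
    if len(intervals) < 2:
        return None
    target = mean(intervals)                                   # S2-1: constant target value
    low, high = target * (1 - variance), target * (1 + variance)
    constant_count = sum(1 for gap in intervals if low <= gap <= high)   # S2-2
    return (1 - constant_count / len(intervals)) * 100.0       # S2-3: formula (2)


class Detector:
    """SA1 pre-screen -> SS1 table lookup -> S1..S3 dispersion test -> SS3 table update."""

    def __init__(self):
        self.known_attackers = set()   # network attack information table (embodiment 2)

    def classify(self, ip, timestamps):
        """Judge one IP from its request timestamps inside one window.

        Returns (verdict, stage), where stage names the step that decided.
        """
        # SA1: existing frequency-only check, run with the lowered threshold
        requests_per_minute = len(timestamps) * 60.0 / WINDOW_SECONDS
        if requests_per_minute <= SUSPICIOUS_THRESHOLD:
            return "benign", "SA1"
        # SS1: an IP already confirmed as an attacker is not re-examined
        if ip in self.known_attackers:
            return "attack", "SS1"
        # S1..S3: the regularity of the inter-request gaps decides
        degree = dispersion_degree(intervals_from(timestamps))
        if degree is not None and 0.0 <= degree <= ATTACK_DISPERSION_MAX:
            self.known_attackers.add(ip)   # SS3: remember for the next window
            return "attack", "S3"
        return "benign", "S3"


def _timestamps(gap_pattern, count, start=0.0):
    """Constructed sample data: `count` timestamps whose gaps cycle through gap_pattern."""
    ts, now = [start], start
    for i in range(count - 1):
        now += gap_pattern[i % len(gap_pattern)]
        ts.append(now)
    return ts


# Constructed 60 s windows, not taken from the patent.
BOT_TS = _timestamps([0.64, 0.66, 0.65, 0.67], 90)          # scripted client, 90 req/min, steady gaps
NAT_TS = _timestamps([0.2, 1.1, 0.4, 0.9, 0.15, 1.25], 90)  # shared egress, 90 req/min, irregular gaps
HUMAN_TS = _timestamps([2.0], 30)                           # one browsing user, 30 req/min

if __name__ == "__main__":
    detector = Detector()
    for ip, ts in [("10.0.0.5", BOT_TS), ("10.0.0.5", BOT_TS),
                   ("192.0.2.10", NAT_TS), ("198.51.100.7", HUMAN_TS)]:
        print(ip, len(ts), "requests ->", detector.classify(ip, ts))
```

The constructed bot sends 90 requests per minute, below the prior-art 100 req/min threshold but above the lowered 80 req/min one, so it is only examined because of the embodiment 3 adjustment; its near-constant gaps give a dispersion degree of 0% and it is recorded in the table, so the second window is decided at SS1 without recomputing anything. The NAT egress sends at the same rate but with irregular gaps, so a frequency-only rule would flag it while the dispersion test clears it. Note one property of formula (1) as the page states it: the band is centred on the mean, so a few large gaps inserted into an otherwise regular series (for example one 5 s pause among four 1 s gaps) shift the mean enough that every interval falls outside the band and the dispersion reads 100%; the example keeps the formula as given rather than hardening it.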
The specific embodiments above further describe the objects, technical solutions and beneficial effects of the invention. Those skilled in the art should understand that the foregoing are merely specific embodiments of the invention and do not limit it. Any modification, equivalent replacement, improvement and so on made within the spirit and principles of the invention shall fall within its scope of protection. The true scope of protection of the invention is determined by the claims.
Moreover, although the technical solutions of embodiments 1, 2 and 3 have been described as software flows, it is self-evident to those skilled in the art that some or all of them can be realised by hardware, by software, or by a combination of the two.

Claims (26)

1. A network-attack detection method for detecting a network attack in which access requests are automatically initiated to a website by a tool script or program, comprising:
an access-data acquisition step (S1) of collecting the time information of each access request within a first predetermined time and computing, from that time information, the access-interval values between each pair of adjacent access requests, to form an access-interval data group;
an access-data dispersion-degree calculation step (S2) of computing the dispersion degree of the access-interval data group; and
an attack-data judging step (S3) of judging the access requests to be a network attack when the dispersion degree lies within a predetermined attack-dispersion range, judging them not to be a network attack when the dispersion degree does not lie within that range, and outputting this judgement as the final detection result, the predetermined attack-dispersion range being predetermined according to the network environment of the website.
2. The network-attack detection method according to claim 1, wherein
the dispersion degree is computed using the variance, the standard deviation or the mean deviation.
3. The network-attack detection method according to claim 1, wherein the access-data dispersion-degree calculation step (S2) comprises:
a constant-fluctuation-range determining step (S2-1) of computing the mean of all access-interval values of the access-interval data group formed in the access-data acquisition step (S1) as the constant target value, and determining the constant fluctuation range by formula (1);
a constant-count step (S2-2) of judging, according to the constant fluctuation range determined in step (S2-1), whether each access-interval value of the access-interval data group lies within the constant fluctuation range, counting those that do, and taking the number of access-interval values satisfying the constant fluctuation range as the constant quantity; and
a dispersion-degree calculation step (S2-3) of computing the dispersion degree of the access-interval data group from the constant quantity obtained in step (S2-2) by formula (2),
wherein formula (1) is:
constant target value × (1 − predetermined variance) ≤ constant fluctuation range ≤ constant target value × (1 + predetermined variance),
and formula (2) is:
dispersion degree = (1 − constant quantity / total number of values in the access-interval data group) × 100%.
4. The network-attack detection method according to claim 3, wherein
the predetermined variance is predetermined according to the network environment of the website.
5. The network-attack detection method according to claim 3, wherein
the predetermined variance is 8%.
6. The network-attack detection method according to claim 3, wherein
0 ≤ the predetermined attack-dispersion range ≤ 20%.
7. The network-attack detection method according to any one of claims 1 to 6, comprising, before the access-data acquisition step (S1):
a known-attack processing step (SS1) of judging, against a preset network-attack information table that stores the information of access requests confirmed as network attacks, whether the access request is a known network attack, and branching as follows:
when the access request is present in the network-attack information table, it is judged to be a known network attack and is directly judged to be a network attack, and the access-data acquisition step (S1) and the steps after it are not carried out;
when the access request is not present in the network-attack information table, it is judged not to be a known network attack, and the access-data acquisition step (S1) is carried out.
8. The network-attack detection method according to claim 7, wherein
the attack-data judging step (S3) comprises:
a network-attack information adding step (SS3) of adding the information of the access request to the network-attack information table when the judgement of the attack-data judging step (S3) is that the access request is a network attack.
9. The network-attack detection method according to any one of claims 1 to 6, comprising, before the access-data acquisition step (S1):
a network-attack pre-detection step (SA1) of computing the access frequency of the access requests within a second predetermined time; when the access frequency exceeds a suspicious-access frequency threshold, the access requests are judged to be suspicious access requests and the access-data acquisition step (S1) is carried out; when the access frequency does not exceed the suspicious-access frequency threshold, the access-data acquisition step (S1) and the steps after it are not carried out, and the access requests are directly judged not to be a network attack.
10. The network-attack detection method according to claim 7, comprising, before the known-attack processing step (SS1):
a network-attack pre-detection step (SA1) of computing the access frequency of the access requests within a second predetermined time; when the access frequency exceeds a suspicious-access frequency threshold, the access requests are judged to be suspicious access requests and the known-attack processing step (SS1) is carried out; when the access frequency does not exceed the suspicious-access frequency threshold, the known-attack processing step (SS1) and the steps after it are not carried out, and the access requests are directly judged not to be a network attack.
11. The network-attack detection method according to claim 9 or 10, wherein
the suspicious-access frequency threshold is the frequency threshold, preset according to the network environment of the website, at which the access requests are likely to be a network attack.
12. The network-attack detection method according to claim 9 or 10, wherein
the suspicious-access frequency threshold is lower than the frequency threshold, preset according to the network environment of the website, at which the access requests are likely to be a network attack.
13. The network-attack detection method according to claim 9 or 10, wherein
the suspicious-access frequency threshold is 20% lower than the frequency threshold, preset according to the network environment of the website, at which the access requests are likely to be a network attack.
14. The network-attack detection method according to claim 9 or 10, wherein
the first predetermined time is identical to the second predetermined time.
15. The network-attack detection method according to any one of claims 1 to 14, wherein
the network attack is a distributed denial-of-service attack.
16. The network-attack detection method according to claim 15, wherein
the distributed denial-of-service attack is an HTTP-flood attack.
17. The network-attack detection method according to any one of claims 1 to 16, wherein
the access requests are access requests from the same IP address.
18. A network-attack detection apparatus for detecting a network attack in which access requests are automatically initiated to a website by a tool script or program, comprising:
an access-data collecting unit that collects the time information of each access request within a first predetermined time and computes, from that time information, the access-interval values between each pair of adjacent access requests, to form an access-interval data group;
an access-data dispersion-degree computing unit that computes the dispersion degree of the access-interval data group; and
an attack-data determining unit that judges the access requests to be a network attack when the dispersion degree lies within a predetermined attack-dispersion range, judges them not to be a network attack when the dispersion degree does not lie within that range, and outputs this judgement as the final detection result,
the predetermined attack-dispersion range being predetermined according to the network environment of the website.
19. The network-attack detection apparatus according to claim 18, comprising, upstream of the access-data collecting unit:
a known-attack processing unit that judges, against a preset network-attack information table storing the information of access requests confirmed as network attacks, whether the access request is a known network attack, and branches as follows:
when the access request is present in the network-attack information table, it is judged to be a known network attack and is directly judged to be a network attack, and the access-data collecting unit and the units after it are not operated;
when the access request is not present in the network-attack information table, it is judged not to be a known network attack, and the access-data collecting unit is operated.
20. The network-attack detection apparatus according to claim 19, wherein
the attack-data determining unit comprises:
a network-attack information adding unit that adds the information of the access request to the network-attack information table when the judgement of the attack-data determining unit is that the access request is a network attack.
21. The network-attack detection apparatus according to claim 18, comprising, upstream of the access-data collecting unit:
a network-attack pre-detection unit that computes the access frequency of the access requests within a second predetermined time; when the access frequency exceeds a suspicious-access frequency threshold, the access requests are judged to be suspicious access requests and the access-data collecting unit is operated; when the access frequency does not exceed the suspicious-access frequency threshold, the access-data collecting unit and the units after it are not operated, and the access requests are directly judged not to be a network attack.
22. The network-attack detection apparatus according to claim 19, comprising, upstream of the known-attack processing unit:
a network-attack pre-detection unit that computes the access frequency of the access requests within a second predetermined time; when the access frequency exceeds a suspicious-access frequency threshold, the access requests are judged to be suspicious access requests and the known-attack processing unit is operated; when the access frequency does not exceed the suspicious-access frequency threshold, the known-attack processing unit and the units after it are not operated, and the access requests are directly judged not to be a network attack.
23. The network-attack detection apparatus according to claim 21 or 22, wherein
the suspicious-access frequency threshold is the frequency threshold, preset according to the network environment of the website, at which the access requests are likely to be a network attack.
24. The network-attack detection apparatus according to claim 21 or 22, wherein
the suspicious-access frequency threshold is lower than the frequency threshold, preset according to the network environment of the website, at which the access requests are likely to be a network attack.
25. The network-attack detection apparatus according to claim 21 or 22, wherein
the suspicious-access frequency threshold is 20% lower than the frequency threshold, preset according to the network environment of the website, at which the access requests are likely to be a network attack.
26. The network-attack detection apparatus according to claim 21 or 22, wherein
the first predetermined time is identical to the second predetermined time.
CN201510423996.1A 2015-07-17 2015-07-17 Network attack detection method and detection apparatus Pending CN104935609A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510423996.1A CN104935609A (en) 2015-07-17 2015-07-17 Network attack detection method and detection apparatus

Publications (1)

Publication Number Publication Date
CN104935609A true CN104935609A (en) 2015-09-23

Family

ID=54122581

Patent Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20090138590A1 (en) * 2007-11-26 2009-05-28 Eun Young Lee Apparatus and method for detecting anomalous traffic
CN101834866A (en) * 2010-05-05 2010-09-15 北京来安科技有限公司 CC (Communication Center) attack protective method and system thereof
CN104113519A (en) * 2013-04-16 2014-10-22 阿里巴巴集团控股有限公司 Network attack detection method and device thereof
CN103746987A (en) * 2013-12-31 2014-04-23 东软集团股份有限公司 Method and system for detecting DoS attack in semantic Web application
CN104023010A (en) * 2014-05-31 2014-09-03 郑林 Autonomous cognitive method for network security
CN104378361A (en) * 2014-10-24 2015-02-25 苏州阔地网络科技有限公司 Network intrusion detection method and system
CN104361283A (en) * 2014-12-05 2015-02-18 网宿科技股份有限公司 Web attack protection method

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
赵国锋, 喻守成, 文晟: "基于用户行为分析的应用层DDoS攻击检测方法" (Zhao Guofeng, Yu Shoucheng, Wen Sheng: "Application-layer DDoS attack detection method based on user behaviour analysis"), 《计算机应用研究》 (Application Research of Computers) *
龚俭, 梅海彬, 丁勇, 魏德昊: "多特征关联的入侵事件冗余消除" (Gong Jian, Mei Haibin, Ding Yong, Wei Dehao: "Redundancy elimination of intrusion events by multi-feature correlation"), 《东南大学学报》 (Journal of Southeast University) *

Cited By (22)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106789831A (en) * 2015-11-19 2017-05-31 阿里巴巴集团控股有限公司 The method and apparatus for recognizing network attack
CN106789831B (en) * 2015-11-19 2020-10-23 阿里巴巴集团控股有限公司 Method and device for identifying network attack
CN108028832A (en) * 2016-05-10 2018-05-11 华为技术有限公司 Detect the method and apparatus of network attack
CN107426136A (en) * 2016-05-23 2017-12-01 腾讯科技(深圳)有限公司 A kind of recognition methods of network attack and device
CN107426136B (en) * 2016-05-23 2020-01-14 腾讯科技(深圳)有限公司 Network attack identification method and device
CN106209781B (en) * 2016-06-27 2019-09-06 航天云网科技发展有限责任公司 One kind accessing recognition methods based on statistical exceptional interface
CN106209781A (en) * 2016-06-27 2016-12-07 徐汕 A kind of based on the access recognition methods of statistical exceptional interface
CN106357628A (en) * 2016-08-31 2017-01-25 东软集团股份有限公司 Attack defense method and device
CN106357628B (en) * 2016-08-31 2019-09-06 东软集团股份有限公司 The defence method and device of attack
CN107743113A (en) * 2016-11-23 2018-02-27 腾讯科技(深圳)有限公司 A kind of detection method and system of website attack
US10715546B2 (en) 2016-11-23 2020-07-14 Tencent Technology (Shenzhen) Company Limited Website attack detection and protection method and system
CN107547548A (en) * 2017-09-05 2018-01-05 北京京东尚科信息技术有限公司 Data processing method and system
CN107547548B (en) * 2017-09-05 2020-06-30 北京京东尚科信息技术有限公司 Data processing method and system
CN107360199B (en) * 2017-09-13 2019-11-08 杭州安恒信息技术股份有限公司 Botnet recognition methods and device
CN107360199A (en) * 2017-09-13 2017-11-17 杭州安恒信息技术有限公司 Botnet recognition methods and device
CN109474573A (en) * 2017-12-30 2019-03-15 北京安天网络安全技术有限公司 A kind of method, apparatus and storage medium of identification inactivation trojan horse program
CN109474573B (en) * 2017-12-30 2021-05-25 北京安天网络安全技术有限公司 Method, device and storage medium for identifying inactivated Trojan horse program
CN108683678A (en) * 2018-05-28 2018-10-19 北京天地和兴科技有限公司 A kind of abnormal behaviour prediction technique of Behavior-based control cooperative awareness model
CN110730195A (en) * 2019-12-18 2020-01-24 腾讯科技(深圳)有限公司 Data processing method and device and computer readable storage medium
CN110730195B (en) * 2019-12-18 2020-03-31 腾讯科技(深圳)有限公司 Data processing method and device and computer readable storage medium
CN112532617A (en) * 2020-11-27 2021-03-19 神州绿盟成都科技有限公司 Detection method, device, equipment and medium for HTTP Flood attack
CN113329032A (en) * 2021-06-23 2021-08-31 深信服科技股份有限公司 Attack detection method, device, equipment and medium

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication (application publication date: 20150923)