CN105007271B - Method and system for identifying a DDoS-attack botnet - Google Patents


Info

Publication number: CN105007271B
Authority: CN (China)
Prior art keywords: botnet, domain, sbs, attack, measurement
Legal status: Expired - Fee Related
Application number: CN201510424040.3A
Other languages: Chinese (zh)
Other versions: CN105007271A (en)
Inventors: 肖军, 云晓春, 张永铮
Current assignee: Institute of Information Engineering of CAS
Original assignee: Institute of Information Engineering of CAS
Priority date and filing date: 2015-07-17
Publication dates: CN105007271A 2015-10-28; CN105007271B (grant) 2019-01-18

Classifications

    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1458 Countermeasures against malicious traffic: Denial of Service


Abstract

The invention discloses a method and system for identifying the botnet behind a DDoS attack. By measuring the available bandwidth of each link, the attack traffic issued by each domain is inferred, and from that the botnet that launched the DDoS attack is identified. The invention does not depend on a specific DDoS attack type, is applicable to various protocols, and requires no modification of conventional network equipment.

Description

Method and system for identifying a DDoS-attack botnet
Technical field
The invention belongs to the field of computer network security technology and relates to network attack traceback, in particular to a method and system for identifying the botnet behind a DDoS attack.
Background technique
A botnet, also called a zombie network, is the network formed between a controller and a large number of infected hosts when those hosts are infected with bot programs (bots) through one or more communication means, giving the controller one-to-one or one-to-many control over the infected hosts. Botnet controllers usually profit from the botnets they control by launching DDoS (Distributed Denial of Service) attacks, stealing bank card passwords, sending spam, stealing sensitive information, and similar activities.
A DDoS attack refers to multiple computers jointly acting as an attack platform and using seemingly legitimate service requests to occupy a large share of the service resources of one or more target servers, so that legitimate users cannot obtain service responses from those servers.
Existing DDoS traceback techniques work mainly by marking the packets that flow through routers; from the marks, the attack path (the links and routers traversed by the attack packet stream) and the attack source (the border router through which the attack packets leave) can be inferred. There is as yet no technique for identifying the botnet that launched the DDoS attack.
Summary of the invention
The present invention provides a method and system for identifying the botnet behind a DDoS attack. By measuring the available bandwidth of each link, the attack traffic issued by each domain is inferred, and from that the botnet that launched the DDoS attack is identified.
To achieve the above goal, the invention adopts the following technical scheme:
A method for identifying a DDoS-attack botnet, comprising the following steps:
(1) after a DDoS attack is detected, measure the available bandwidth of the data link of each domain, repeating the measurement until the link available bandwidth measurement precision is met;
(2) from the above measurement results, combined with the available bandwidth when there is no attack, obtain the attack traffic issued by the corresponding domain;
(3) from the attack traffic obtained, combined with the distribution information of the zombie hosts, identify the DDoS botnet.
Further, the DDoS attack is detected using an entropy-based DDoS detection technique.
Further, the available bandwidth is measured based on the probe rate model (PRM).
Further, "meeting the link available bandwidth measurement precision" means that the relative difference between two adjacent measurement results (that is, the difference between the two divided by the smaller of the two) is less than a given threshold. Specifically, if the available bandwidth obtained by the previous measurement is A1 and the available bandwidth obtained by the next measurement is A2, the measurement precision requirement is considered met when |A1-A2|/min(A1,A2) ≤ THD, where THD is the given threshold. The threshold depends on the required precision, for example 5% or 3%.
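The convergence test for the repeated available-bandwidth measurements, followed by the attack-traffic inference of step (2), as an added example that is not code from the patent. The precision criterion |A1-A2|/min(A1,A2) ≤ THD is the one stated above; the combination in step (2) is taken here to be "available bandwidth without attack minus the converged available bandwidth during the attack", which is an assumption about a formula the page does not spell out. All function names and the sample readings are constructed for the example.

```python
# Added example, not the patent's own code: the convergence test for repeated
# link available-bandwidth measurements (|A1-A2|/min(A1,A2) <= THD) and the
# attack-traffic inference of step (2).  The subtraction "baseline minus
# attacked available bandwidth" is an assumption about how the two are combined;
# all sample readings below are constructed.
from typing import Dict, Iterable, Optional


def precision_met(a1: float, a2: float, thd: float) -> bool:
    """True when two adjacent readings A1, A2 agree within THD, using the
    patent's criterion |A1-A2| / min(A1, A2) <= THD."""
    if a1 <= 0 or a2 <= 0:
        # A zero or negative reading cannot be normalised; treat it as not
        # converged rather than dividing by zero.
        return False
    return abs(a1 - a2) / min(a1, a2) <= thd


def measure_until_stable(readings: Iterable[float], thd: float,
                         max_rounds: int = 50) -> Optional[float]:
    """Consume successive measurement results (one probe round each) until two
    adjacent results satisfy precision_met; return the accepted value, or None
    if the series ends or max_rounds is exhausted without converging."""
    prev: Optional[float] = None
    for rounds, current in enumerate(readings, start=1):
        if prev is not None and precision_met(prev, current, thd):
            return current
        if rounds >= max_rounds:
            return None
        prev = current
    return None


def infer_attack_traffic(baseline_mbps: float, attacked_mbps: float) -> float:
    """Step (2): attack traffic issued by a domain, taken (assumption) as the
    available bandwidth without attack minus the converged available bandwidth
    measured during the attack, floored at zero."""
    return max(0.0, baseline_mbps - attacked_mbps)


def attack_traffic_per_domain(baseline: Dict[str, float],
                              series: Dict[str, Iterable[float]],
                              thd: float) -> Dict[str, Optional[float]]:
    """Run the convergence test per domain and map each domain to its inferred
    attack traffic (None when that domain's measurement never converged)."""
    result: Dict[str, Optional[float]] = {}
    for domain, readings in series.items():
        stable = measure_until_stable(readings, thd)
        result[domain] = (None if stable is None
                          else infer_attack_traffic(baseline[domain], stable))
    return result


# Constructed sample: available bandwidth (Mbit/s) per domain with no attack,
# and the successive readings each measurer obtains during the attack.
BASELINE_MBPS = {"d1": 1000.0, "d2": 1000.0, "d3": 1000.0}
READINGS_MBPS = {
    "d1": [620.0, 540.0, 505.0, 498.0, 497.5],   # settles around 500
    "d2": [900.0, 880.0, 875.0],                 # settles at the second round
    "d3": [700.0, 400.0],                        # series ends before converging
}

if __name__ == "__main__":
    for dom, vol in attack_traffic_per_domain(BASELINE_MBPS, READINGS_MBPS, 0.03).items():
        print(dom, "inferred attack traffic (Mbit/s):", vol)
```

With THD = 3%, d1 is accepted at the fourth reading (|505-498|/498 ≈ 1.4%) and d2 at the second; d3 never converges and is reported as None rather than being fed into the identification step with a bogus value, which is the case a practitioner most needs to handle.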
The distribution information of the zombie hosts refers mainly to the distribution ratio of each botnet's bot programs (bots) across the domains. For example, suppose there are M domains (how many domains there are is decided by the topology of the real network; taking a telecom operator as an example, the operator's network in each province can be regarded as one domain) and the number of bots a botnet has in each domain is N_1, N_2, ..., N_M; then that botnet's bot distribution ratio in the i-th domain is N_i/(N_1+N_2+...+N_M).
Further, the DDoS botnet is identified as follows:
(1) choose a domain pair (d_i, d_j) whose indices i, j satisfy the pair-selection condition; if such a domain pair exists, go to step (2), otherwise go to step (5). UST denotes the set of domain pairs already compared, d_i and d_j denote the i-th and j-th domain respectively, and b_i and b_j denote the i-th and j-th botnet respectively.
(2) if |SBS| = 1 or |UST| = M(M-1)/2, go to step (5), otherwise go to step (3). SBS denotes the set of remaining suspicious botnets, initially SBS = BS = {b_1, b_2, ..., b_N}, where BS is the set containing the N botnets and M is the total number of domains.
(3) choose an element b_n of SBS that has not yet gone through step (4) for the current domain pair; if such an element b_n exists, go to step (4), otherwise set UST = UST + {(d_i, d_j)} and return to step (1).
(4) if b_n satisfies r_i^n ≥ (1+Φ) r_j^n and v_i < v_j, then SBS = SBS - {b_n} and go to step (2); otherwise return to step (3). Here b_n denotes any element of SBS, r_i^n and r_j^n denote the zombie-host ratio of the n-th botnet in the i-th and j-th domain respectively, Φ denotes the recognition threshold, and v_i and v_j denote the attack traffic volume corresponding to the i-th and j-th domain respectively, with 1 ≤ i ≤ M and 1 ≤ j ≤ M.
(5) if |SBS| = 1, the remaining element of SBS is the botnet that launched the attack; otherwise one element is selected at random from SBS as the botnet that launched the attack.
A system for identifying a DDoS-attack botnet, comprising:
an identifier, for detecting the DDoS attack, issuing link available bandwidth measurement instructions to the measurers, and identifying the botnet that launched the DDoS attack from the information returned by the measurers;
a measurer, for receiving the available bandwidth measurement instruction from the identifier, issuing an available bandwidth measurement instruction to the measurement point of the corresponding domain, receiving the measurement packets sent by the measurement point and measuring the available bandwidth, and returning the measurement result to the identifier once the measurement is complete;
a measurement point, for sending measurement packets to the corresponding measurer according to the measurement instruction sent by the measurer, until the measurement precision requirement is met;
wherein the identifier is deployed on a backbone router, each measurer is deployed on the backbone router that links a domain, and each measurement point is deployed on the border router of a domain.
The beneficial effects of the invention are as follows:
The invention can effectively identify the botnet that launched a DDoS attack; it does not depend on a specific DDoS attack type, is applicable to various protocols, and requires no modification of conventional network equipment.
Brief description of the drawings
Fig. 1 is a schematic diagram of the deployment of the system of the invention for identifying the botnet that launched a DDoS attack, in which I: identifier, R: router, M: measurer, A: measurement point (agent), B: bot program (bot), C: client.
Fig. 2 is a flow chart of the method of the invention for identifying the botnet that launched a DDoS attack.
Specific embodiment
The invention discloses a method and system for identifying the botnet that launched a DDoS attack. The system deployment, the system architecture, the identification process and the core botnet identification algorithm are described in turn below.
(1) System introduction and deployment
The system deployment is shown in Fig. 1. The system comprises three parts: the identifier, the measurer and the measurement point (agent).
The functions of the three parts are as follows:
Identifier: detects the DDoS attack; issues link available bandwidth measurement instructions to the measurers; infers the botnet that launched the DDoS attack from the information returned by the measurers.
Measurer: receives the bandwidth measurement instruction from the identifier; issues an available bandwidth measurement instruction to the measurement point of the corresponding domain; receives the measurement packets sent by the measurement point and measures the available bandwidth; returns the measurement result to the identifier once the measurement is complete.
Measurement point: sends measurement packets to the corresponding measurer according to the measurement instruction sent by the measurer, until the measurement precision requirement is met.
The identifier is deployed on a backbone router; each measurer is deployed on the backbone router that links a domain; each measurement point is deployed on the border router of a domain.
Domain: a domain is usually a larger subnet or network segment; for example, the network of a province or a city is regarded as one domain.
(2) Identification process
The identification process of the invention is shown in Fig. 2 and mainly comprises the following steps:
1) the identifier, operating online, detects a DDoS attack;
2) the identifier sends an available bandwidth measurement instruction to the measurers;
3) each measurer sends an available bandwidth measurement instruction to the corresponding measurement point (agent);
4) the measurement point sends measurement packets to the corresponding measurer;
5) judge whether the link available bandwidth measurement precision has been reached; if not, repeat step 4); if so, proceed to the next step;
6) the measurer, from the measurement result combined with the available bandwidth when there is no attack, obtains the attack traffic issued by the corresponding domain;
7) the measurer returns the attack traffic information to the identifier;
8) the identifier, from the returned results combined with the zombie-host distribution information of the botnets, identifies the botnet that launched the DDoS attack.
The invention uses an entropy-based DDoS detection technique; specifically, see "IP packet size entropy-based scheme for detection of DoS/DDoS attacks".
(3) Core identification algorithm
The algorithm by which the identifier, from the distribution of zombie hosts across the domains and the attack traffic of each domain, identifies the botnet that launched the DDoS attack is described below.
1) Suppose there are M domains in total. The domain set is DS = {d_1, d_2, ..., d_M}, and the attack traffic volume corresponding to the i-th domain is v_i (1 ≤ i ≤ M). There are N botnets in total; the botnet set is BS = {b_1, b_2, ..., b_N}; the remaining suspicious botnet set is SBS = BS; the set of compared domain pairs is UST = {}. A recognition threshold Φ is set; it is an empirical value, and 0.2 or 0.5 is recommended. r_i^n and r_j^n denote the zombie-host ratio of the n-th botnet in the i-th and j-th domain respectively.
2) while |SBS| > 1 and |UST| < M(M-1)/2:
3)     choose a domain pair (d_i, d_j) whose indices i, j satisfy the pair-selection condition
4)     for each element b_n of SBS:
5)         if b_n satisfies r_i^n ≥ (1+Φ) r_j^n and v_i < v_j:
6)             SBS := SBS - {b_n}
7)         end if
8)     end for
9)     UST := UST + {(d_i, d_j)}
10) end while
11)
12) if |SBS| == 1 then
13)     the remaining element of SBS is the botnet that launched the attack
14) else
15)     randomly select an element of SBS as the botnet that launched the attack.
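The elimination loop above (and the equivalent five-step procedure in the summary of the invention), as an added example that is not code from the patent. Two points the page leaves open are filled with labelled assumptions: the pair-selection condition is taken to be "(d_i, d_j) with i < j, not yet in UST", and the rule of step 4) is applied in both orientations of each unordered pair, since UST is declared complete at M(M-1)/2 unordered pairs. The example also applies the distribution-ratio formula N_i/(N_1+...+N_M) from the summary to constructed bot counts; botnet names, counts and traffic volumes are all constructed.

```python
# Added example, not the patent's own code: the elimination loop of the core
# identification algorithm (summary steps (1)-(5), pseudocode lines 2)-15)).
# Assumptions, both labelled: the pair-selection condition not reproduced on the
# page is taken to be "(d_i, d_j) with i < j not yet in UST", and the rule of
# step 4) is applied in both orientations of each unordered pair.  Botnets,
# bot counts and attack-traffic volumes are constructed sample data.
import random
from itertools import combinations
from typing import Dict, List, Optional, Set, Tuple


def bot_ratios(counts: List[int]) -> List[float]:
    """Zombie-host distribution ratio of one botnet: N_i / (N_1 + ... + N_M)."""
    total = sum(counts)
    return [n / total for n in counts]


def identify_botnet(ratios: Dict[str, List[float]], traffic: List[float],
                    phi: float, rng: Optional[random.Random] = None
                    ) -> Tuple[str, Set[str], Set[Tuple[int, int]]]:
    """ratios maps botnet name -> [r_1^n, ..., r_M^n]; traffic is [v_1, ..., v_M].
    Returns (identified botnet, remaining SBS, compared domain pairs UST)."""
    m = len(traffic)
    sbs: Set[str] = set(ratios)            # SBS = BS
    ust: Set[Tuple[int, int]] = set()      # compared domain pairs
    all_pairs = m * (m - 1) // 2

    def inconsistent(n: str, i: int, j: int) -> bool:
        # Step 4): botnet n has markedly more bots in domain i than in domain j
        # (r_i^n >= (1+Φ) r_j^n) yet domain i emits less attack traffic (v_i < v_j),
        # so it cannot be the botnet producing the observed traffic.
        return ratios[n][i] >= (1 + phi) * ratios[n][j] and traffic[i] < traffic[j]

    for i, j in combinations(range(m), 2):             # step 1), assumed condition
        if len(sbs) == 1 or len(ust) == all_pairs:     # step 2)
            break
        for n in sorted(sbs):                          # step 3), snapshot of SBS
            if len(sbs) == 1:                          # step 2) after a removal
                break
            if inconsistent(n, i, j) or inconsistent(n, j, i):
                sbs.discard(n)                         # SBS := SBS - {b_n}
        ust.add((i, j))                                # UST := UST + {(d_i, d_j)}

    if len(sbs) == 1:                                  # step 5)
        return next(iter(sbs)), sbs, ust
    chooser = rng if rng is not None else random
    return chooser.choice(sorted(sbs)), sbs, ust


# Constructed sample: M = 3 domains, N = 3 known botnets.
ATTACK_TRAFFIC_MBPS = [100.0, 400.0, 250.0]           # v_1, v_2, v_3
BOT_COUNTS = {
    "botA": [60, 20, 20],   # mostly in d_1, yet d_1 sends the least traffic
    "botB": [10, 60, 30],   # consistent with the traffic ordering d_2 > d_3 > d_1
    "botC": [30, 30, 40],   # over-represented in d_3 relative to d_2, but v_3 < v_2
}
BOT_RATIOS = {name: bot_ratios(c) for name, c in BOT_COUNTS.items()}

if __name__ == "__main__":
    chosen, remaining, compared = identify_botnet(BOT_RATIOS, ATTACK_TRAFFIC_MBPS, 0.2)
    print("identified:", chosen, "remaining:", remaining, "pairs compared:", len(compared))
```

With Φ = 0.2, botA is eliminated on the first pair (d_1, d_2) and botC on the pair (d_2, d_3), leaving botB. With the larger recommended threshold Φ = 0.5 the botC test (0.4 ≥ 1.5 × 0.3) no longer fires, SBS keeps two members, and step 5) falls back to a random choice; passing a seeded random.Random makes that fallback reproducible when the identifier's decisions need to be audited.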

Claims (9)

1. A method for identifying a DDoS-attack botnet, comprising the following steps:
(1) after a DDoS attack is detected, measuring the available bandwidth of the data link of each domain, repeating the measurement until the link available bandwidth measurement precision is met;
(2) from the above measurement results, combined with the available bandwidth when there is no attack, obtaining the attack traffic issued by the corresponding domain;
(3) from the attack traffic obtained, combined with the distribution information of the zombie hosts, identifying the DDoS botnet, the distribution information of the zombie hosts being the distribution ratio of each botnet's bot programs across the domains; wherein the DDoS botnet is identified as follows:
1) choose a domain pair (d_i, d_j) whose indices i, j satisfy the pair-selection condition; if such a domain pair exists, go to step 2), otherwise go to step 5); UST denotes the set of domain pairs already compared, d_i and d_j denote the i-th and j-th domain respectively, and b_i and b_j denote the i-th and j-th botnet respectively;
2) if |SBS| = 1 or |UST| = M(M-1)/2, go to step 5), otherwise go to step 3); SBS denotes the set of remaining suspicious botnets, SBS = BS = {b_1, b_2, ..., b_N}, BS denotes the set containing the N botnets, and M denotes the total number of domains;
3) choose an element b_n of SBS that has not yet gone through step 4); if such an element b_n exists, go to step 4), otherwise set UST = UST + {(d_i, d_j)} and go to step 1);
4) if b_n satisfies r_i^n ≥ (1+Φ) r_j^n and v_i < v_j, then SBS = SBS - {b_n} and go to step 2); b_n denotes any element of SBS, r_i^n and r_j^n denote the zombie-host ratio of the n-th botnet in the i-th and j-th domain respectively, Φ denotes the recognition threshold, v_i and v_j denote the attack traffic volume corresponding to the i-th and j-th domain respectively, 1 ≤ i ≤ M, 1 ≤ j ≤ M;
5) if |SBS| = 1, the remaining element of SBS is the botnet that launched the attack; otherwise an element is selected at random from SBS as the botnet that launched the attack.
2. The method for identifying a DDoS-attack botnet according to claim 1, characterized in that the DDoS attack is detected using an entropy-based DDoS detection technique.
3. The method for identifying a DDoS-attack botnet according to claim 1, characterized in that the available bandwidth is measured based on the probe rate model.
4. The method for identifying a DDoS-attack botnet according to claim 1, characterized in that meeting the link available bandwidth measurement precision means that the relative difference between two adjacent measurement results is less than a given threshold.
5. The method for identifying a DDoS-attack botnet according to claim 4, characterized in that the link available bandwidth measurement precision requirement is considered met when |A1-A2|/min(A1,A2) ≤ THD, where A1 denotes the available bandwidth obtained by the previous measurement, A2 denotes the available bandwidth obtained by the next measurement, and THD denotes the given threshold.
6. The method for identifying a DDoS-attack botnet according to claim 1, characterized in that the distribution ratio of the bot programs in each domain is N_i/(N_1+N_2+...+N_M), where i denotes the i-th domain, M denotes the number of domains, and N_1, N_2, ..., N_M denote the number of bot programs a botnet has in each domain.
7. The method for identifying a DDoS-attack botnet according to claim 1, characterized in that the DDoS botnet is identified as follows:
1) choose a domain pair (d_i, d_j) whose indices i, j satisfy the pair-selection condition; if such a domain pair exists, go to step 2), otherwise go to step 5); UST denotes the set of domain pairs already compared, d_i and d_j denote the i-th and j-th domain respectively, and b_i and b_j denote the i-th and j-th botnet respectively;
2) if |SBS| = 1 or |UST| = M(M-1)/2, go to step 5), otherwise go to step 3); SBS denotes the set of remaining suspicious botnets, SBS = BS = {b_1, b_2, ..., b_N}, BS denotes the set containing the N botnets, and M denotes the total number of domains;
3) choose an element b_n of SBS that has not yet gone through step 4); if such an element b_n exists, go to step 4), otherwise set UST = UST + {(d_i, d_j)} and go to step 1);
4) if b_n satisfies r_i^n ≥ (1+Φ) r_j^n and v_i < v_j, then SBS = SBS - {b_n} and go to step 2); b_n denotes any element of SBS, r_i^n and r_j^n denote the zombie-host ratio of the n-th botnet in the i-th and j-th domain respectively, Φ denotes the recognition threshold, v_i and v_j denote the attack traffic volume corresponding to the i-th and j-th domain respectively, 1 ≤ i ≤ M, 1 ≤ j ≤ M;
5) if |SBS| = 1, the remaining element of SBS is the botnet that launched the attack; otherwise an element is selected at random from SBS as the botnet that launched the attack.
8. A system for identifying a DDoS-attack botnet, comprising:
an identifier, for detecting the DDoS attack, issuing link available bandwidth measurement instructions to the measurers, and identifying the botnet that launched the DDoS attack from the information returned by the measurers, wherein the DDoS botnet is identified as follows:
1) choose a domain pair (d_i, d_j) whose indices i, j satisfy the pair-selection condition; if such a domain pair exists, go to step 2), otherwise go to step 5); UST denotes the set of domain pairs already compared, d_i and d_j denote the i-th and j-th domain respectively, and b_i and b_j denote the i-th and j-th botnet respectively;
2) if |SBS| = 1 or |UST| = M(M-1)/2, go to step 5), otherwise go to step 3); SBS denotes the set of remaining suspicious botnets, SBS = BS = {b_1, b_2, ..., b_N}, BS denotes the set containing the N botnets, and M denotes the total number of domains;
3) choose an element b_n of SBS that has not yet gone through step 4); if such an element b_n exists, go to step 4), otherwise set UST = UST + {(d_i, d_j)} and go to step 1);
4) if b_n satisfies r_i^n ≥ (1+Φ) r_j^n and v_i < v_j, then SBS = SBS - {b_n} and go to step 2); b_n denotes any element of SBS, r_i^n and r_j^n denote the zombie-host ratio of the n-th botnet in the i-th and j-th domain respectively, Φ denotes the recognition threshold, v_i and v_j denote the attack traffic volume corresponding to the i-th and j-th domain respectively, 1 ≤ i ≤ M, 1 ≤ j ≤ M;
5) if |SBS| = 1, the remaining element of SBS is the botnet that launched the attack; otherwise an element is selected at random from SBS as the botnet that launched the attack;
a measurer, for receiving the available bandwidth measurement instruction from the identifier, issuing an available bandwidth measurement instruction to the measurement point of the corresponding domain, receiving the measurement packets sent by the measurement point and measuring the available bandwidth, and returning the measurement result to the identifier once the measurement is complete;
a measurement point, for sending measurement packets to the corresponding measurer according to the measurement instruction sent by the measurer, until the measurement precision requirement is met.
9. The system for identifying a DDoS-attack botnet according to claim 8, characterized in that the identifier is deployed on a backbone router, the measurer is deployed on the backbone router that links a domain, and the measurement point is deployed on the border router of a domain.

Publications (2)

Publication Number Publication Date
CN105007271A CN105007271A (en) 2015-10-28
CN105007271B (en) 2019-01-18

Family

ID=54379792
Country status: CN (1) CN105007271B (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107241304B (en) * 2016-03-29 2021-02-02 阿里巴巴集团控股有限公司 Method and device for detecting DDoS attack
CN106850571A (en) * 2016-12-29 2017-06-13 北京奇虎科技有限公司 The recognition methods of Botnet family and device
CN109302427B (en) * 2018-11-30 2020-06-19 西安交通大学 Method for positioning DDoS attack target link of backbone link considering attack precision
CN110225037B (en) * 2019-06-12 2021-11-30 广东工业大学 DDoS attack detection method and device

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101753562A (en) * 2009-12-28 2010-06-23 成都市华为赛门铁克科技有限公司 Detection methods, device and network security protecting device for botnet
CN101924757A (en) * 2010-07-30 2010-12-22 中国电信股份有限公司 Method and system for reviewing Botnet
US20110154489A1 (en) * 2009-12-21 2011-06-23 Hyun Cheol Jeong System for analyzing malicious botnet activity in real time
CN104618377A (en) * 2015-02-04 2015-05-13 上海交通大学 NetFlow based botnet network detection system and detection method

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
《DDoS攻击检测和控制方法》 (DDoS attack detection and control methods); 张永铮 et al.; 《软件学报》 (Journal of Software); 2012-08-31; full text *

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant (granted publication date: 20190118)
CF01 Termination of patent right due to non-payment of annual fee