CN105577608B - Network attack behavior detection method and device - Google Patents

Network attack behavior detection method and device

Info

Publication number: CN105577608B (granted patent; published application CN105577608A; application number CN201410529441.0A)
Authority: CN (China)
Prior art keywords: access, time period, behavior, amount, server
Legal status: Active (Google notes this is an assumption, not a legal conclusion)
Other languages: Chinese (zh)
Inventors: 邹鹏 (Zou Peng), 罗喜军 (Luo Xijun)
Current assignees: Tencent Technology Shenzhen Co Ltd; Tencent Cloud Computing Beijing Co Ltd (Google notes the assignee list may be inaccurate)
Original assignee: Tencent Technology Shenzhen Co Ltd
Application filed by Tencent Technology Shenzhen Co Ltd, with priority to CN201410529441.0A; the application was published as CN105577608A and granted as CN105577608B.

Abstract

The invention discloses a network attack behavior detection method and device. The method comprises the following steps: detecting the access amount of a server accessed over the network in a target time period; judging whether the access amount in the target time period exceeds a preset threshold, where the preset threshold is obtained from the access amount in a preset time period before the target time period, and the preset time period is adjusted dynamically as the target time period changes; if the access amount in the target time period exceeds the preset threshold, extracting behavior features of the access behaviors toward the server; judging whether the extracted behavior features conform to normal access features; and if they do not, determining that the access behavior is an attack behavior. The method and device solve the technical problem that slow attack behavior cannot be detected in the prior art, and achieve accurate identification of slow attack behavior.

Description

Network attack behavior detection method and device
Technical Field
The invention relates to the field of attack detection, in particular to a network attack behavior detection method and device.
Background
With the rapid development of the internet, the internet has become a part of people's lives. However, servers on the internet are often subjected to malicious attacks that cause them to stop serving or to crash, such as the CC attack. CC stands for Challenge Collapsar; the attack was earlier named the Fatboy attack, and it causes denial of service by continuously sending connection requests to the server. Security protection of the server has therefore become an important link in internet services.
At present, protection against server attacks such as CC attacks usually rate-limits the source IP, triggered by a simple threshold, in order to block the attack behavior. The specific protection mode is as follows:
first, an administrator configures an access threshold for the server; when an attacker launches an attack on the server, the protection device detects the attack according to the administrator-configured access threshold and rate-limits the source IP accessing the server.
However, this protection method has the following problems. Different servers running different services need different thresholds, so the administrator must configure an access threshold for each server. When a threshold needs to change, the administrator must change it manually, so threshold configuration is inflexible. In addition, because the existing protection mode triggers attack detection mainly when a sudden increase in access amount over a short time exceeds the threshold, a slow attack that continues at a low rate for a long time cannot be detected.
For the problem in the prior art that slow attack behavior cannot be detected, no effective solution has yet been proposed.
Disclosure of Invention
The embodiment of the invention provides a network attack behavior detection method and a network attack behavior detection device, which at least solve the technical problem that slow attack behaviors cannot be detected in the prior art.
According to an aspect of the embodiments of the present invention, a method for detecting network attack behavior is provided, including: detecting the access amount of a server accessed over the network in a target time period; judging whether the access amount in the target time period exceeds a preset threshold, where the preset threshold is obtained from the access amount in a preset time period before the target time period, and the preset time period is adjusted dynamically as the target time period changes; if the access amount in the target time period exceeds the preset threshold, extracting behavior features of the access behaviors toward the server; judging whether the extracted behavior features conform to normal access features, where the normal access features are extracted from non-attack behaviors; and if the extracted behavior features do not conform to the normal access features, determining that the access behavior is an attack behavior.
According to another aspect of the embodiments of the present invention, a network attack behavior detection apparatus is also provided, including: a first detection unit for detecting the access amount of a server accessed over the network in a target time period; a first judging unit for judging whether the access amount in the target time period exceeds a preset threshold, where the preset threshold is obtained from the access amount in a preset time period before the target time period, and the preset time period is adjusted dynamically as the target time period changes; an extraction unit for extracting behavior features of the access behaviors toward the server if the access amount in the target time period exceeds the preset threshold; a second judging unit for judging whether the extracted behavior features conform to normal access features, where the normal access features are behavior features extracted from non-attack behaviors; and a first determination unit for determining that the access behavior is an attack behavior if the extracted behavior features do not conform to the normal access features.
According to the embodiment of the invention, the behavior features of access behaviors are extracted and checked against the normal access features to detect attack behavior, so that not only rapid violent attacks but also long-term continuous slow attacks can be identified, which solves the technical problem that slow attack behaviors cannot be detected in the prior art and achieves accurate identification of slow attack behaviors.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the invention and together with the description serve to explain the invention without limiting the invention. In the drawings:
FIG. 1 is a schematic view of a protection system according to an embodiment of the invention;
FIG. 2 is a flow chart of a network attack behavior detection method according to an embodiment of the present invention;
FIG. 3 is a timing diagram of a network attack behavior detection method according to an embodiment of the present invention;
FIG. 4 is a flow chart of a preferred network attack behavior detection method according to an embodiment of the present invention;
FIG. 5 is a schematic view of another protection system according to an embodiment of the present invention;
fig. 6 is a schematic diagram of a network attack behavior detection apparatus according to an embodiment of the present invention;
fig. 7 is a schematic diagram of a preferred network attack behavior detection apparatus according to an embodiment of the present invention; and
FIG. 8 is a schematic diagram of a detection apparatus according to an embodiment of the present invention.
Detailed Description
Before describing the embodiments of the present invention, the technical terms involved are explained first:
TCP: short for Transmission Control Protocol, a connection-oriented, reliable, byte-stream transport-layer protocol specified in IETF RFC 793. Its protocol number in the IP header is 6. In the simplified OSI model of computer networks it performs the functions of layer four, the transport layer.
HTTP: the Hypertext Transfer Protocol, a data transfer protocol that specifies the rules of communication between a browser and a web server and transfers web documents over the internet.
CC attack: Challenge Collapsar, formerly known as the Fatboy attack; it creates a denial of service by continuously sending connection requests to the web site.
Access behavior: a client's accesses to a server, which have temporal and spatial characteristics.
In order to make the technical solutions of the present invention better understood, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
It should be noted that the terms "first," "second," and the like in the description and claims of the present invention and in the drawings described above are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments of the invention described herein are capable of operation in sequences other than those illustrated or described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
Example 1
According to the embodiment of the invention, a network attack behavior detection method is provided.
Optionally, in this embodiment, the network attack behavior detection method may be applied to a protection system as shown in fig. 1, where the protection system includes a server 101, a protection device 102, and a gateway router 103, and a client 104 may access the server 101 through a network. There may be one or more clients 104 and one or more servers 101. Such networks include, but are not limited to, a wide area network, a metropolitan area network, or a local area network. It should be noted that the client 104 in the embodiment of the present invention may be a personal computer (PC) as shown in fig. 1, or a terminal such as a mobile phone, a PDA, a tablet computer, or a game console. In particular, the network attack behavior detection method may be performed by a detection device, which may be disposed on the protection device 102 in fig. 1.
As shown in fig. 2, the network attack behavior detection method according to the embodiment of the present invention includes the following steps:
Step S202, detecting the access amount of the server accessed over the network in the target time period.
The target time period may be the current time period or any time period in which users access the server 101 over the network with clients 104 to request resources from it. The server 101 may be a web server, such as an HTTP server. The access amount of the server in the target time period is detected in order to monitor whether any attack behavior exists among the access behaviors toward the server 101 in that period.
Step S204, judging whether the access amount in the target time period exceeds a preset threshold. The preset threshold is obtained from the access amount in a preset time period before the target time period, and the preset time period is adjusted dynamically as the target time period changes.
After the access amount of the server 101 in the target time period is detected, it is compared with the preset threshold to determine whether it exceeds that threshold. The preset threshold is obtained from the access amount of the server 101 counted over the preset time period, and the preset thresholds of servers running different services may be the same or different. The preset time period may be a period of time before the target time period. When the target time period changes, the preset time period is adjusted accordingly, and the preset threshold may be recalculated from the access amount in the adjusted preset time period. In this way the preset threshold is calculated directly from the access amount of the server 101 in the preset time period, without manual setting, and is adjusted dynamically as the target time period changes.
Step S206, if the access amount in the target time period exceeds the preset threshold, extracting behavior features of the access behaviors toward the server.
The extracted behavior features may be the access amount from each source IP to the server 101 and the resources that source IP requests from the server 101; the behavior features are extracted so that whether the access behavior is an attack behavior can be determined from them.
Step S208, judging whether the extracted behavior features conform to normal access features, where the normal access features are behavior features extracted from non-attack behaviors.
The normal access features may be behavior features extracted from the access behaviors of clients that access the server 101 normally, obtained by counting and summarizing non-attack access behaviors. For example, when the client at a source IP accesses the server 101 normally, the resources of the server 101 that it requests differ from those requested by an attack behavior, the time intervals between its requests differ from those of an attack behavior, and its access amount over a period of time differs from that of an attack behavior. Based on these differences, the extracted behavior features of an access behavior are compared with the normal access features to determine whether the access behavior is an attack behavior.
Step S210, if the extracted behavior features do not conform to the normal access features, determining that the access behavior is an attack behavior.
After the access amount in the target time period is compared with the preset threshold, if the access amount exceeds the preset threshold, it is considered that an attack behavior may exist among the access behaviors making up that access amount, so the attack detection flow is triggered for the access behaviors toward the server 101. Specifically, in attack detection the behavior features of the access behaviors toward the server 101 are extracted first, then compared with the normal access features to determine whether they conform; an access behavior that does not conform to the normal access features is determined to be an attack behavior, and otherwise it is determined to be a non-attack behavior.
Whether an attack is a rapid, violent one or a long-term, continuous slow one, its behavior features differ from the normal access features. By extracting the behavior features of access behaviors and judging whether they conform to the normal access features, not only rapid violent attacks but also long-term continuous slow attacks can be identified, which solves the technical problem that slow attack behaviors cannot be detected in the prior art and achieves accurate identification of slow attack behaviors.
Specifically, as shown in fig. 3, the client 104 accesses the server 101 through a network; there may be one or more clients. The server 101 records each access and counts the access amount. The detection device in the protection device 102 periodically detects the access amount of the server in the target time period, which may specifically be the current time period. After detecting the access amount in the target time period, it compares the access amount with the preset threshold and judges whether the threshold is exceeded, where the preset threshold is obtained from the access amount in the preset time period before the target time period. If the access amount exceeds the preset threshold, an attack behavior is assumed to exist among the access behaviors and the attack detection flow is triggered. The attack detection flow has been described in detail above and is not repeated here.
If an attack behavior is detected among the access behaviors, an alarm can be raised and the access of the offending client 104 to the server can be limited: specifically, the IP of the client 104 exhibiting the attack behavior is rate-limited, or its access to the server is blocked outright.
The network attack behavior detection method of the embodiment of the invention can be applied to the detection of DDoS attacks such as CC attacks, and also to other network attacks with similar characteristics.
Fig. 4 is a preferred network attack behavior detection method according to an embodiment of the present invention. As shown in fig. 4, the method comprises the steps of:
Step S402, detecting the access amount of the server accessed over the network in the target time period.
This step is the same as step S202 shown in fig. 2, and is not described herein.
In step S404, it is determined whether the target time period has changed.
In step S406, if it is determined that the target time period changes, the preset time period is adjusted according to the change of the target time period.
Step S408, detecting the access amount of the server within the adjusted preset time period.
And step S410, calculating to obtain a preset threshold value according to the adjusted access amount in the preset time period.
Since attack detection needs to be performed on the server periodically, the target time period also changes with time. For example, the access amount of the current day is detected every day; when the server records the access amount it records each access behavior by time, and when the target time period detected by the detection device changes, the preset time period can be adjusted according to that change, so that the preset threshold is adjusted as well.
For example, when the target time period is 10 September 2014, the preset time period may be the week before it, namely 3 September 2014 to 9 September 2014; when the target time period is 11 September 2014, the preset time period may be 4 September 2014 to 10 September 2014. The preset time period is thus adjusted dynamically as the target time period changes, and the preset threshold is calculated from the access amount of the adjusted preset time period, so the threshold is learned automatically and needs no configuration by staff.
Accordingly, for servers running different services, the access amount baseline of each server can be learned, and the preset threshold obtained from that baseline.
In step S412, it is determined whether the access amount in the target time period exceeds a preset threshold. The preset threshold value here is an adjusted threshold value that changes with the target time period. The specific determination method is the same as step S204 shown in fig. 2, and is not described herein.
In step S414, if it is determined that the access amount in the target time period exceeds the preset threshold, the behavior feature of the access behavior of the access server is extracted.
Step S416, judging whether the extracted behavior features conform to normal access features, where the normal access features are behavior features extracted from non-attack behaviors.
And step S418, if the extracted behavior characteristics do not accord with the normal access characteristics, determining that the access behavior is an attack behavior.
Steps S414 to S418 are the same as steps S206 to S210 shown in fig. 2, and are not described herein.
According to the embodiment of the invention, whether the target time period has changed is judged; if it has, the preset time period is adjusted according to the change, the access amount of the server in the adjusted preset time period is detected, and the preset threshold is calculated from that access amount, so that the detection device learns the threshold automatically, no manual configuration is needed, and the threshold is set flexibly. At the same time, because different time periods have different access amounts, automatic learning of the threshold improves detection accuracy and avoids missed or false detections.
Preferably, the preset time period includes a plurality of time periods with the same duration as the target time period, and before judging whether the access amount in the target time period exceeds the preset threshold, the network attack behavior detection method further includes: detecting the access amount of the server in each of the plurality of time periods; taking the access amount of the time period with the highest access amount as the access amount baseline, or selecting the access amount of one of the time periods as the access amount baseline according to a preset rule; and calculating the preset threshold from the access amount baseline.
The preset time period may be a selected span containing a plurality of time periods with the same duration as the target time period; these may be consecutive or intermittent. For example, when the target time period is one day long, the preset time period may be the week before the target time period: with a target time period of 10 September 2014, the preset time period may be 3 September 2014 to 9 September 2014, as shown in table 1:
TABLE 1

Time period (day)    Access amount
2014-09-03           A
2014-09-04           B
2014-09-05           C
2014-09-06           D
2014-09-07           E
2014-09-08           F
2014-09-09           G
Specifically, detecting the access amount of the preset time period may include detecting the access amount of the server in each of the plurality of time periods, such as the access amounts A, B, …, G of the individual days shown in table 1. After the access amount of each time period is detected, the highest of them can be used as the access amount baseline, or the access amount of one time period can be selected as the baseline according to a preset rule. The access amount baseline is the reference value from which the preset threshold is set. The preset rule may be any predefined rule, for example selecting the second-highest access amount among the time periods as the baseline.
After the access amount baseline is determined, the preset threshold may be calculated from it: for example, a preset multiple (such as 1.5 times) of the baseline may be used as the preset threshold, so that attack detection starts once the access amount exceeds the baseline by that margin, that is, exceeds the preset threshold.
According to the embodiment of the invention, the preset threshold is calculated by utilizing the access amount of a plurality of time periods which have the same time length as the target time period before the target time period, so that the accuracy of the preset threshold is improved, and the accuracy of attack detection is further improved.
In combination with the above embodiment, the calculation of the preset threshold in this embodiment may also be dynamically learned, and the preset time period may also be adjusted along with the change of the target time period.
Preferably, after the access amounts of the server in the plurality of time periods are detected, the network attack behavior detection method further includes rejecting access amount noise from those access amounts, and taking the access amount of the time period with the highest access amount as the baseline then means: taking, as the access amount baseline, the highest access amount among the plurality of time periods after the access amount noise has been removed.
Access amount noise refers to interference factors present in the counted access amounts. For example, if a CC attack occurred during the preset time period, the access amount generated by that attack belongs to the noise and must be removed. As another example, if some event caused a sudden surge in one time period of the preset time period, so that its access amount is far larger than those of the other time periods even though the corresponding access behaviors are non-attack behaviors, that time period's access amount can also be treated as noise, to avoid an inflated preset threshold.
The highest access amount among the plurality of time periods after the noise is removed is taken as the access amount baseline, and the preset threshold is then calculated from it.
Optionally, the access amount of one time period may instead be selected as the baseline, according to a preset rule, from the plurality of time periods with the noise removed, and the preset threshold calculated from that.
According to the embodiment of the invention, removing access amount noise from the preset time period prevents interference factors from affecting the calculated preset threshold and further improves its accuracy.
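A worked example of the sliding preset time period, noise rejection and baseline rules described in steps S404 to S410 and in the passages above, written in Python. This is added example code, not part of the patent or of any Tencent product. The daily access amounts, the 7-day window, the 1.5× multiple, and the rule that a day above three times the window's median counts as access amount noise are all assumptions of this example: the patent gives 1.5 times as an example multiple and says a spike inside the window is noise, but does not say how to recognise one.

```python
from __future__ import annotations

from datetime import date, timedelta

# Constructed daily access amounts for one server (example data, not from the patent).
# 2014-09-08 carries a spike that must be treated as access-amount noise.
DAILY_HITS = {
    date(2014, 9, 3): 10_000,
    date(2014, 9, 4): 10_500,
    date(2014, 9, 5): 11_000,
    date(2014, 9, 6): 9_800,
    date(2014, 9, 7): 9_500,
    date(2014, 9, 8): 60_000,
    date(2014, 9, 9): 10_200,
    date(2014, 9, 10): 17_000,
    date(2014, 9, 11): 10_400,
}

WINDOW_DAYS = 7        # preset time period: the 7 days before the target day
MULTIPLIER = 1.5       # preset multiple of the baseline (the patent's 1.5x example)
NOISE_FACTOR = 3.0     # assumed noise rule: a day above 3x the window median is noise


def day(iso: str) -> date:
    """Small helper so callers can name days as ISO strings."""
    return date.fromisoformat(iso)


def window_for(target: date, days: int = WINDOW_DAYS) -> list[date]:
    """Preset time period for `target`: the `days` days immediately before it.
    Because it is derived from `target`, it slides as the target day changes."""
    return [target - timedelta(days=d) for d in range(days, 0, -1)]


def reject_noise(counts: list[int], factor: float = NOISE_FACTOR) -> list[int]:
    """Drop days whose access amount is more than `factor` times the window median.
    The patent only says sudden spikes inside the window (an event, or a CC attack)
    are noise; the median rule for recognising them is an assumption of this example."""
    if len(counts) < 3:
        return list(counts)
    ordered = sorted(counts)
    median = ordered[len(ordered) // 2]
    return [c for c in counts if c <= factor * median]


def baseline(counts: list[int], rule: str = "max", reject: bool = True) -> int:
    """Access-amount baseline: the highest day (rule="max") or, as one example of a
    preset rule, the second-highest day (rule="second"), after optional noise rejection."""
    clean = sorted(reject_noise(counts) if reject else counts, reverse=True)
    if rule == "max":
        return clean[0]
    if rule == "second":
        return clean[1] if len(clean) > 1 else clean[0]
    raise ValueError(f"unknown baseline rule {rule!r}")


def threshold_for(target: date, hits: dict[date, int] = DAILY_HITS,
                  rule: str = "max", reject: bool = True) -> float:
    """Learned preset threshold for `target`: MULTIPLIER times the baseline of its window."""
    counts = [hits[d] for d in window_for(target) if d in hits]
    return MULTIPLIER * baseline(counts, rule, reject)


def exceeds_threshold(target: date, hits: dict[date, int] = DAILY_HITS) -> bool:
    """Step S204 / S412: does the target day's access amount exceed the learned threshold?"""
    return hits[target] > threshold_for(target, hits)


if __name__ == "__main__":
    for target in (day("2014-09-10"), day("2014-09-11")):
        w = window_for(target)
        print(target, "window", w[0], "..", w[-1],
              "threshold", threshold_for(target), "exceeded", exceeds_threshold(target))
```

Running it shows the point of the noise rejection: without it the 2014-09-08 spike becomes the baseline and the threshold for 2014-09-10 jumps from 16,500 to 90,000, so the 17,000 accesses on that day would never trigger feature extraction.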
Preferably, judging whether the extracted behavior features conform to the normal access features includes: determining the access amount of the access behavior; detecting the resources accessed by the access behavior; judging, from the access amount and the resources accessed, whether the access behavior requests part of the server's resources in a centralized manner; if it does, determining that the extracted behavior features do not conform to the normal access features; and if it does not, determining that they do.
Determining the access amount of the access behavior may mean determining the access amount from the client at each source IP to the server, where every access requests some resource from that server; for example, when the server is a web server, its resources may be web pages, audio, pictures, video, and so on.
Whether the access behavior concentrates on part of the server's resources is judged from the access amount and the resources accessed, where "part of the resources" may be one particular resource or a fixed set of resources on the server; if it does, the extracted behavior features are considered not to conform to the normal access features, and otherwise they are considered to conform.
Specifically, an attacker's access behavior often concentrates its requests on one type of resource on the server, for example sending a large number of requests for a single picture, while in normal access behavior the resources requested by a single source IP are comparatively dispersed. Based on this feature, whether the access behaviors making up the current access amount conform to the normal access features can be detected by checking whether the access behavior of each source IP is concentrated on part of the server's resources, and an access behavior that is so concentrated is determined not to conform to the normal access features. In this way an attack behavior can be detected more accurately, whether it is a rapid attack or a slow attack.
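The attack detection flow of steps S206 to S210 together with the resource-concentration rule just described, as an added Python example that is not part of the patent. The access-log lines, the three source IPs, the combined-log format, and the two decision parameters MIN_REQUESTS and CONCENTRATION (a source counts as requesting part of the server's resources in a centralized manner when at least 80% of its requests hit one resource) are all constructed assumptions. The sample deliberately includes a slow source sending one request every 30 seconds: a per-IP rate trigger would never fire on it, but the concentration feature flags it alongside the fast source, which is the point the patent makes about slow attacks.

```python
from __future__ import annotations

import re
from collections import Counter, defaultdict

# Combined-log-style line: source IP, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Assumed decision parameters (the patent does not give values).
MIN_REQUESTS = 30      # sources with fewer requests are too small to judge
CONCENTRATION = 0.8    # >= 80% of a source's requests on one resource = centralised


def _line(ip: str, second: int, path: str) -> str:
    """Constructed log line at 10:MM:SS on 2014-09-10 (sample data, not a real log)."""
    return (f'{ip} - - [10/Sep/2014:10:{second // 60:02d}:{second % 60:02d} +0800] '
            f'"GET {path} HTTP/1.1" 200 1024')


def build_sample_log() -> list[str]:
    """Constructed sample: one browsing client, one fast CC source, one slow CC source."""
    pages = ["/index.html", "/css/site.css", "/js/app.js", "/img/logo.png", "/news/1.html",
             "/news/2.html", "/img/a.png", "/img/b.png", "/about.html", "/contact.html"]
    lines = [_line("10.0.0.5", 3 * i, p) for i, p in enumerate(pages * 2)]     # 20 hits, 10 resources
    lines += [_line("198.51.100.7", i, "/img/banner.jpg") for i in range(150)]  # 150 hits in 150 s
    lines += [_line("203.0.113.9", 30 * i, "/search.php") for i in range(40)]   # one hit per 30 s
    return lines


def parse(lines) -> list[tuple[str, str]]:
    """(source IP, requested resource) for every well-formed line; malformed lines are skipped."""
    out = []
    for ln in lines:
        m = LOG_RE.match(ln)
        if m:
            out.append((m.group("ip"), m.group("path")))
    return out


def extract_features(lines) -> dict[str, dict]:
    """Step S206: per source IP, the access amount, the resources requested, and the share
    of requests going to the single most-requested resource."""
    per_ip = defaultdict(Counter)
    for ip, path in parse(lines):
        per_ip[ip][path] += 1
    feats = {}
    for ip, paths in per_ip.items():
        total = sum(paths.values())
        top_path, top_n = paths.most_common(1)[0]
        feats[ip] = {"access_amount": total, "distinct_resources": len(paths),
                     "top_resource": top_path, "top_share": top_n / total}
    return feats


def is_concentrated(f: dict) -> bool:
    """Step S208: a source that concentrates its requests on part of the server's
    resources does not match the normal access feature of dispersed requests."""
    return f["access_amount"] >= MIN_REQUESTS and f["top_share"] >= CONCENTRATION


def detect(lines, threshold: float) -> dict[str, str]:
    """Steps S204 to S210: features are extracted only when the period's total access
    amount exceeds `threshold`; returns {source IP: concentrated resource} for attack behaviour."""
    lines = list(lines)
    if len(lines) <= threshold:
        return {}
    return {ip: f["top_resource"] for ip, f in extract_features(lines).items()
            if is_concentrated(f)}


if __name__ == "__main__":
    log = build_sample_log()
    for ip, f in extract_features(log).items():
        print(ip, f)
    print("attack sources:", detect(log, threshold=150))
```

The `threshold` argument is where the learned preset threshold from the previous stage plugs in; with 210 requests in the sample period and a threshold of 150, feature extraction runs and both the fast and the slow source are reported, while the browsing client, whose requests are spread over ten resources, is not.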
Optionally, in this embodiment, the network attack behavior detection method may also be applied to a protection system as shown in fig. 5, where the protection system includes a server 501, a protection device 502, and a gateway router 503, and a client 504 may access the server 501 through a network. The difference between this system and the system shown in fig. 1 is that the protection device 502 is deployed in bypass mode; the way attack detection works is the same as in fig. 1 and is not described herein again.
It should be noted that, for simplicity of description, the above-mentioned method embodiments are described as a series of acts or combination of acts, but those skilled in the art will recognize that the present invention is not limited by the order of acts, as some steps may occur in other orders or concurrently in accordance with the invention. Further, those skilled in the art should also appreciate that the embodiments described in the specification are preferred embodiments and that the acts and modules referred to are not necessarily required by the invention.
Through the above description of the embodiments, those skilled in the art can clearly understand that the method according to the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but the former is a better implementation mode in many cases. Based on such understanding, the technical solutions of the present invention may be embodied in the form of a software product, which is stored in a storage medium (such as ROM/RAM, magnetic disk, optical disk) and includes instructions for enabling a terminal device (such as a mobile phone, a computer, a server, or a network device) to execute the method according to the embodiments of the present invention.
Example 2
According to the embodiment of the invention, the invention also provides a network attack behavior detection device for implementing the network attack behavior detection method.
Optionally, in this embodiment, the network attack behavior detection apparatus may be applied to a protection system as shown in fig. 1, where the protection system includes a server 101, a protection device 102, and a gateway router 103, and a client 104 may access the server 101 through a network. One or more clients 104 may be provided, and one or more servers 101 may be provided. Such networks include, but are not limited to: a wide area network, a metropolitan area network, or a local area network. It should be noted that the client 104 in the embodiment of the present invention may be a Personal Computer (PC) as shown in fig. 1, or may be a terminal such as a mobile phone, a PDA, a tablet computer, or a game machine. Specifically, the network attack behavior detection apparatus may be implemented by a detection device, where the detection device may be disposed on the protection device 103 in fig. 1.
As shown in fig. 6, the network attack behavior detection apparatus according to the embodiment of the present invention includes: a first detection unit 10, a first judgment unit 20, an extraction unit 30, a second judgment unit 40, and a first determination unit 50.
The first detection unit 10 is used for detecting the access amount of the network access server in the target time period.
The target time period may be the current time period or any time period in which different users can access the server 101 through the network by using the client 104 to request resources from the server 101. The server 101 may be a network server, such as a Web server or an HTTP server. The access amount of the server in the target time period is detected so as to monitor whether an attack behavior exists among the access behaviors of the server 101 in the target time period.
The first determining unit 20 is configured to determine whether the access amount in the target time period exceeds a preset threshold, where the preset threshold is a threshold obtained according to the access amount in a preset time period before the target time period, and the preset time period is dynamically adjusted along with a change of the target time period.
After the access amount of the server 101 in the target time period is detected, the access amount is compared with a preset threshold to determine whether the access amount exceeds the preset threshold. The preset threshold is obtained according to the access amount of the server 101 counted in the preset time period, and the preset thresholds of servers with different services may be the same or different. The preset time period may be a period of time before the target time period. When the target time period changes, the preset time period may be adjusted accordingly, that is, the preset time period is adjusted along with the change of the target time period, and the preset threshold may then be calculated from the access amount in the adjusted preset time period. In this way, the preset threshold can be calculated directly from the access amount of the server 101 in the preset time period without manual setting, and is adjusted dynamically along with the change of the target time period.
The extracting unit 30 is configured to extract a behavior feature of an access behavior of the access server if it is determined that the access amount in the target time period exceeds a preset threshold.
The behavior characteristics of the extracted access behavior may be the access amount of any source IP access server 101 and the resource requested by the source IP access server 101, and the behavior characteristics of the access behavior are extracted so as to determine whether the access behavior is an attack behavior according to the characteristics.
The second judging unit 40 is configured to judge whether the extracted behavior feature conforms to a normal access feature, where the normal access feature is a behavior feature extracted according to a non-attack behavior.
The normal access features may be behavior features extracted from the behaviors of normal accesses to the server 101, and may be the behavior features of non-attack behaviors obtained by counting and summarizing non-attack access behaviors. For example, when a client of a source IP accesses the server 101 normally, the resources of the server 101 that it requests differ from the resources requested by an attack behavior, the time intervals between its access requests differ from those of an attack behavior, and its access amount over a period of time differs from that of an attack behavior. According to these differences, the extracted behavior features of the access behavior are compared with the normal access features, so that whether the access behavior is an attack behavior can be determined.
The first determination unit 50 is configured to determine that the access behavior is an attack behavior if the extracted behavior feature does not conform to the normal access feature.
After the access amount in the target time period is compared with the preset threshold, if it is determined that the access amount exceeds the preset threshold, it is considered that there may be an attack behavior in the access behaviors corresponding to the access amount of the server in the target time period, so as to trigger an attack detection flow to perform attack detection on the access behavior of the access server 101. Specifically, in the attack detection, behavior features of an access behavior of the access server 101 are extracted first, the behavior features are compared with normal access features, and whether the extracted behavior features conform to the normal access features is determined, wherein the access behavior that does not conform to the normal access features is determined as an attack behavior, and otherwise, the access behavior is determined as a non-attack behavior.
Whether an attack is a fast, violent attack or a long-term, continuous slow attack, its behavior features carry the characteristics of attack behavior, and these characteristics differ from the normal access features. By extracting the behavior features of the access behaviors, judging whether they conform to the normal access features, and thereby detecting attack behaviors, not only can fast, violent attacks be detected, but long-term, continuous slow attacks can also be identified, which solves the technical problem that slow attack behaviors cannot be detected in the prior art and achieves the effect of accurately identifying slow attack behaviors.
Specifically, as shown in fig. 3, the client 104 accesses the server 101 through a network. There may be one or more clients. The server 101 records each access and counts the access amount. The detection device in the protection device 102 may periodically detect the access amount of the server in the target time period, which may specifically be the access amount in the current time period. After the access amount in the target time period is detected, it is compared with a preset threshold to judge whether it exceeds the preset threshold, where the preset threshold is obtained according to the access amount in the preset time period before the target time period. If the access amount exceeds the preset threshold, it is considered that an attack behavior may exist among the access behaviors, and the attack detection flow is triggered. The attack detection process has been described in detail in the above embodiments and is not described herein again.
If an attack behavior is detected among the access behaviors, an alarm prompt can be output, and the access of the client 104 exhibiting the attack behavior to the server can be limited; specifically, the IP of the client 104 exhibiting the attack behavior can be rate-limited, or its access to the server can be blocked directly.
The network attack behavior detection method of the embodiment of the invention can be applied to the detection of DDoS attacks such as CC attacks, and can also be applied to the detection of other network attacks with similar characteristics.
Fig. 7 is a schematic diagram of a preferred network attack behavior detection apparatus according to an embodiment of the present invention. As shown in fig. 7, the network attack behavior detection apparatus according to the embodiment of the present invention further includes: a third judging unit 60, an adjusting unit 70, a second detecting unit 80 and a first calculating unit 90.
The third judging unit 60 is configured to judge whether the target time period has changed before judging whether the access amount in the target time period exceeds a preset threshold.
The adjusting unit 70 is configured to adjust the preset time period according to the change of the target time period if the target time period is determined to be changed.
The second detecting unit 80 is configured to detect an access amount of the server within the adjusted preset time period.
The first calculating unit 90 is configured to calculate a preset threshold from the adjusted access amount in the preset time period.
Since attack detection needs to be performed on the server periodically, the target time period of the detection also needs to change with time. For example, the access amount of the current day is detected regularly every day, each access behavior is recorded with its time when the server records the access amount, and when the target time period detected by the detection device changes, the preset time period can be adjusted according to the change of the target time period, so that the preset threshold is adjusted as well.
For example, when the target time period is September 10, 2014, the preset time period may be the week before that day, i.e., September 3, 2014 to September 9, 2014, and when the target time period is September 11, 2014, the preset time period may be September 4, 2014 to September 10, 2014. In this way, the preset time period is dynamically adjusted along with the change of the target time period, and the preset threshold is calculated according to the access amount in the adjusted preset time period, so that the threshold is learned automatically and no configuration by operators is needed.
Accordingly, for servers with different services, the access amount baseline of each server can be learned, so that the preset threshold is obtained according to that access amount baseline.
According to the embodiment of the invention, whether the target time period changes or not is judged, the preset time period is adjusted according to the change of the target time period under the condition that the target time period changes is judged, the access amount of the server in the adjusted preset time period is detected, and the preset threshold value is calculated according to the access amount in the adjusted preset time period, so that the detection equipment can automatically learn the threshold value, manual configuration is not needed, and the threshold value is flexibly set. Meanwhile, due to the fact that different time periods have different access amounts, the accuracy of detection can be improved through automatic learning of the threshold, and missing detection or false detection is avoided.
Preferably, the preset time period includes a plurality of time periods having the same duration as the target time period, and the network attack behavior detection apparatus further includes: a third detection unit, configured to respectively detect the access amount of the server in the plurality of time periods before judging whether the access amount in the target time period exceeds the preset threshold; a second determining unit, configured to use the access amount in the time period with the highest access amount among the plurality of time periods as an access amount baseline, or to select the access amount in one time period from the plurality of time periods as the access amount baseline according to a preset rule; and a second calculation unit, configured to calculate the preset threshold from the access amount baseline.
The preset time period may be a selected time period that includes a plurality of time periods having the same duration as the target time period, and the plurality of time periods may be consecutive or intermittent. For example, when the duration of the target time period is one day, the preset time period may be the week before the target time period; for example, if the target time period is September 10, 2014, the preset time period may be September 3, 2014 to September 9, 2014, as shown in table 1.
Specifically, detecting the access amount in the preset time period may include detecting the access amount of the server in each of the plurality of time periods, such as the access amounts A, B … G of the individual time periods shown in table 1. After the access amount of each time period is detected, the highest access amount among the plurality of time periods can be used as the access amount baseline, or the access amount of one time period can be selected as the access amount baseline according to a preset rule. The access amount baseline may be a reference access amount used to adjust the preset threshold. The preset rule may be a predefined rule, for example, selecting the second highest access amount among the plurality of time periods as the access amount baseline.
After the access amount baseline is determined, the preset threshold may be calculated according to the access amount baseline; for example, a preset multiple (e.g., 1.5 times) of the access amount baseline may be used as the preset threshold, and attack detection is started once the access amount exceeds the access amount baseline by a certain margin, that is, exceeds the preset threshold.
According to the embodiment of the invention, the preset threshold is calculated by utilizing the access amount of a plurality of time periods which have the same time length as the target time period before the target time period, so that the accuracy of the preset threshold is improved, and the accuracy of attack detection is further improved.
In combination with the above embodiment, the calculation of the preset threshold in this embodiment may also be dynamically learned, and the preset time period may also be adjusted along with the change of the target time period.
Preferably, the network attack behavior detection apparatus further includes: a rejecting unit, configured to reject access amount noise from the access amounts of the server in the plurality of time periods after the access amounts of the server in the plurality of time periods have been detected respectively; and the second determining unit includes: a first determining module, configured to use the access amount in the time period with the highest access amount among the plurality of time periods, after the access amount noise has been rejected, as the access amount baseline.
Access amount noise refers to interference factors present in the counted access amounts. For example, if a CC attack occurred within the preset time period, the access amount generated by those attack behaviors belongs to the access amount noise and needs to be rejected. As another example, if the access amount of a certain time period within the preset time period increased suddenly because of some event, so that it is much larger than the access amounts of the other time periods even though the corresponding access behaviors are non-attack behaviors, the access amount of that time period can be treated as access amount noise in order to avoid making the calculated preset threshold too high.
The access amount in the time period with the highest access amount among the plurality of time periods, after the access amount noise has been removed, is used as the access amount baseline, and the preset threshold is then calculated.
Optionally, the access amount of one time period may be selected, according to a preset rule, from the plurality of time periods from which the access amount noise has been removed, and used as the access amount baseline, after which the preset threshold is calculated.
According to the embodiment of the invention, the accuracy of the preset threshold obtained by calculation is prevented from being influenced by interference factors by eliminating the access amount noise in the preset time period, and the accuracy of the preset threshold is further improved.
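The threshold learning described above (a preset time period made of N periods of the same duration immediately before the target period, rejection of access amount noise, baseline selection by the "highest" or "second highest" rule, and a 1.5x multiple), as an added example in Python that is not code from the patent. The daily access counts are constructed, and the median-based noise rule, its factor and the function names are assumptions of this example.

```python
from __future__ import annotations
from datetime import date, timedelta
from statistics import median

# Constructed sample: daily access counts of one server (not real data).
# September 8 carries a burst, e.g. an earlier CC attack or a one-off
# event, which is exactly the "access amount noise" the text describes.
DAILY_ACCESS = {
    date(2014, 9, 3): 10_000,
    date(2014, 9, 4): 11_000,
    date(2014, 9, 5): 12_000,
    date(2014, 9, 6): 9_500,
    date(2014, 9, 7): 9_000,
    date(2014, 9, 8): 60_000,   # burst: access amount noise
    date(2014, 9, 9): 11_500,
    date(2014, 9, 10): 13_000,
    date(2014, 9, 11): 20_000,  # slow, sustained excess over the baseline
}


def preset_period(target: date, days: int = 7) -> list[date]:
    """The `days` periods (here: days) of the same duration immediately before
    `target`. Recomputed for every target, so the window slides with it."""
    return [target - timedelta(days=d) for d in range(days, 0, -1)]


def reject_noise(counts: dict[date, int], factor: float = 3.0) -> dict[date, int]:
    """Remove access amount noise: a period whose count exceeds `factor` times
    the median of the window is treated as a burst and excluded, so it cannot
    inflate the learned threshold. (Median rule and factor are assumptions.)"""
    if len(counts) < 3:
        return dict(counts)
    limit = factor * median(counts.values())
    return {d: c for d, c in counts.items() if c <= limit}


def select_baseline(counts: dict[date, int], rule: str = "max") -> int:
    """Baseline = highest access amount in the window, or, under the
    'second_highest' preset rule the text gives as an example, the second."""
    ordered = sorted(counts.values(), reverse=True)
    if rule == "max":
        return ordered[0]
    if rule == "second_highest":
        return ordered[1] if len(ordered) > 1 else ordered[0]
    raise ValueError(f"unknown baseline rule: {rule}")


def learn_threshold(history: dict[date, int], target: date, days: int = 7,
                    rule: str = "max", multiple: float = 1.5,
                    reject: bool = True) -> tuple[int, float]:
    """Return (baseline, preset threshold) learned from the preset time period
    that precedes `target`; no operator-configured threshold is involved."""
    window = {d: history[d] for d in preset_period(target, days) if d in history}
    if not window:
        raise ValueError("no history for the preset time period")
    if reject:
        window = reject_noise(window)
    baseline = select_baseline(window, rule)
    return baseline, multiple * baseline


def exceeds_threshold(history: dict[date, int], target: date, **kw) -> bool:
    """True when the target period's access amount exceeds the learned
    threshold, i.e. when feature extraction for attack detection is triggered."""
    _, threshold = learn_threshold(history, target, **kw)
    return history[target] > threshold


if __name__ == "__main__":
    for day in (date(2014, 9, 10), date(2014, 9, 11)):
        base, thr = learn_threshold(DAILY_ACCESS, day)
        print(day, "baseline", base, "threshold", thr,
              "exceeded" if exceeds_threshold(DAILY_ACCESS, day) else "normal")
```

Running it with `reject=False` shows the point of the noise step: the September 8 burst would become the baseline and the September 11 excess would go undetected.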
Preferably, the second judgment unit includes: a second determining module, configured to determine the access amount of the access behavior; a detection module, configured to detect the resources accessed by the access behavior; a judging module, configured to judge, according to the access amount of the access behavior and the resources it accessed, whether the access behavior requests part of the resources of the server in a concentrated manner; a third determining module, configured to determine that the extracted behavior feature does not conform to the normal access feature if the access behavior requests part of the resources of the server in a concentrated manner; and a fourth determining module, configured to determine that the extracted behavior feature conforms to the normal access feature if the access behavior does not request part of the resources of the server in a concentrated manner.
Determining the access amount of the access behavior may be determining the number of accesses to the server made by the client corresponding to each source IP, where each access requests a resource from the server; for example, when the server is a web server, the resources of the server may be web page resources, audio resources, picture resources, video resources, and so on.
Whether the access behavior concentrates its accesses on part of the resources of the server is judged according to the access amount and the accessed resources, where the partial resources may be a single resource in the server or a fixed set of resources in the server; if so, the extracted behavior feature is considered not to conform to the normal access feature; otherwise, it conforms to the normal access feature.
Specifically, in an attack behavior an attacker often accesses the server and requests a certain type of resource in the server in a concentrated manner, for example by sending a large number of requests to the server for one particular picture resource, while in a normal access behavior the resources requested by a single source IP are relatively dispersed. Based on this feature, whether the access behavior making up the current access amount conforms to the normal access feature can be detected by checking whether the access behavior of each source IP in the current access amount requests part of the resources of the server in a concentrated manner, and the access behavior of a source IP that does request part of the resources of the server in a concentrated manner is determined as not conforming to the normal access feature. In this way, an attack behavior can be detected more accurately, whether it is a fast-rate attack or a slow-rate attack.
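The per-source-IP behavior feature (access amount plus the resources requested) and the concentration check described here and in the method embodiment above, as an added example in Python that is not code from the patent. The log lines are constructed, the addresses are documentation-range addresses, and the `min_requests` and `max_share` cut-offs are assumptions of this example.

```python
from __future__ import annotations
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed sample log, one request per line: "<source IP> <method> <resource>".
# 203.0.113.7 hammers one picture; 203.0.113.9 browses many resources;
# 192.0.2.1 only reloads the front page twice.
LOG_LINES = (
    ["203.0.113.7 GET /images/banner.jpg"] * 11
    + ["203.0.113.7 GET /index.html"]
    + [f"203.0.113.9 GET {p}" for p in (
        "/index.html", "/css/site.css", "/js/app.js", "/images/banner.jpg",
        "/news/1", "/news/2", "/news/3", "/images/logo.png", "/about",
        "/contact", "/index.html", "/news/4")]
    + ["192.0.2.1 GET /index.html"] * 2
)


@dataclass
class BehaviorFeature:
    """Behavior feature of one source IP: its access amount and the resources
    it requested, as the extraction unit in the text produces them."""
    source_ip: str
    access_amount: int      # number of requests from this source
    resources: Counter      # resource -> number of requests for it

    @property
    def top_share(self) -> float:
        """Fraction of this source's requests that went to its single most
        requested resource; close to 1.0 means requests are concentrated."""
        return self.resources.most_common(1)[0][1] / self.access_amount


def extract_features(lines: list[str]) -> dict[str, BehaviorFeature]:
    """Group requests by source IP and count the resources each one asked for."""
    per_ip: dict[str, Counter] = defaultdict(Counter)
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue        # skip malformed lines instead of crashing on them
        ip, _method, resource = parts
        per_ip[ip][resource] += 1
    return {ip: BehaviorFeature(ip, sum(c.values()), c) for ip, c in per_ip.items()}


def requests_concentrated(feature: BehaviorFeature, min_requests: int = 10,
                          max_share: float = 0.8) -> bool:
    """True when the source requests part of the server's resources in a
    concentrated manner: enough requests to be meaningful, and most of them
    for one resource. Rate plays no role, so a slow attacker that spreads the
    same requests over a long target period is judged the same way."""
    return feature.access_amount >= min_requests and feature.top_share >= max_share


def detect_attack_sources(lines: list[str], **kw) -> list[str]:
    """Source IPs whose behavior feature does not conform to the normal
    access feature, i.e. whose access behavior is determined to be an attack."""
    features = extract_features(lines)
    return sorted(ip for ip, f in features.items() if requests_concentrated(f, **kw))


if __name__ == "__main__":
    for ip, f in extract_features(LOG_LINES).items():
        print(ip, f.access_amount, f"top_share={f.top_share:.2f}")
    print("attack sources:", detect_attack_sources(LOG_LINES))
```

The `min_requests` floor is what keeps a visitor who reloads one page a couple of times (192.0.2.1) from being judged an attacker despite a 100% share.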
Optionally, in this embodiment, the network attack behavior detection method may also be applied to a protection system as shown in fig. 5, where the protection system includes a server 501, a protection device 502, and a gateway router 503, and a client 504 may access the server 501 through a network. The difference between this system and the system shown in fig. 1 is that the protection device 502 is deployed in bypass mode; the way attack detection works is the same as in fig. 1 and is not described herein again.
Example 3
According to an embodiment of the present invention, there is further provided a detection device for implementing the network attack behavior detection method, as shown in fig. 8, the detection device includes: a processor 801, a network interface 802 and a memory 803, wherein the processor 801 may be used to execute the network attack behavior detection method of embodiment 1, and the memory 803 may be used to store program codes and intermediate data of processing procedures of the network attack behavior detection method of embodiment 1. The network interface is used for connecting with a server or other network equipment.
In particular, the processor 801 may be configured to perform the following steps:
In step S31, the access amount of the network access server in the target time period is detected.
In step S32, it is determined whether the access amount in the target time period exceeds a preset threshold. The preset threshold is obtained according to the access amount in the preset time period before the target time period, and the preset time period is dynamically adjusted along with the change of the target time period.
In step S33, if it is determined that the access amount in the target time period exceeds the preset threshold, the behavior feature of the access behavior of the access server is extracted.
In step S34, it is judged whether the extracted behavior feature conforms to the normal access feature, where the normal access feature is a behavior feature extracted according to non-attack behaviors.
In step S35, if the extracted behavior feature does not conform to the normal access feature, it is determined that the access behavior is an attack behavior.
According to the embodiment of the invention, whether an attack is a fast, violent attack or a long-term, continuous slow attack, its behavior features carry the characteristics of attack behavior, and these characteristics differ from the normal access features. By extracting the behavior features of the access behaviors, judging whether they conform to the normal access features, and thereby detecting attack behaviors, not only can fast, violent attacks be detected, but long-term, continuous slow attacks can also be identified, which solves the technical problem that slow attack behaviors cannot be detected in the prior art and achieves the effect of accurately identifying slow attack behaviors.
Optionally, the specific examples in this embodiment may refer to the examples described in embodiment 1 and embodiment 2, and this embodiment is not described herein again.
Example 4
The embodiment of the invention also provides a storage medium. Optionally, in this embodiment, the storage medium may store a program code for executing the network attack behavior detection method according to the embodiment of the present invention.
Optionally, in this embodiment, the storage medium may be located on the detection device in embodiment 3 of the present invention.
Optionally, in this embodiment, the storage medium is configured to store program code for performing the following steps:
In step S41, the access amount of the network access server in the target time period is detected.
In step S42, it is determined whether the access amount in the target time period exceeds a preset threshold. The preset threshold is obtained according to the access amount in the preset time period before the target time period, and the preset time period is dynamically adjusted along with the change of the target time period.
In step S43, if it is determined that the access amount in the target time period exceeds the preset threshold, the behavior feature of the access behavior of the access server is extracted.
In step S44, it is judged whether the extracted behavior feature conforms to the normal access feature, where the normal access feature is a behavior feature extracted according to non-attack behaviors.
In step S45, if the extracted behavior feature does not conform to the normal access feature, it is determined that the access behavior is an attack behavior.
According to the embodiment of the invention, whether an attack is a fast, violent attack or a long-term, continuous slow attack, its behavior features carry the characteristics of attack behavior, and these characteristics differ from the normal access features. By extracting the behavior features of the access behaviors, judging whether they conform to the normal access features, and thereby detecting attack behaviors, not only can fast, violent attacks be detected, but long-term, continuous slow attacks can also be identified, which solves the technical problem that slow attack behaviors cannot be detected in the prior art and achieves the effect of accurately identifying slow attack behaviors.
Optionally, in this embodiment, the storage medium may include, but is not limited to: a U-disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a removable hard disk, a magnetic or optical disk, and other various media capable of storing program codes.
Optionally, the specific examples in this embodiment may refer to the examples described in embodiment 1 and embodiment 2, and this embodiment is not described herein again.
The above-mentioned serial numbers of the embodiments of the present invention are merely for description and do not represent the merits of the embodiments.
The integrated unit in the above embodiments, if implemented in the form of a software functional unit and sold or used as a separate product, may be stored in the above computer-readable storage medium. Based on such understanding, the technical solution of the present invention may be substantially or partially implemented in the prior art, or all or part of the technical solution may be embodied in the form of a software product stored in a storage medium, and including instructions for causing one or more computer devices (which may be personal computers, servers, or network devices) to execute all or part of the steps of the method according to the embodiments of the present invention.
In the above embodiments of the present invention, the descriptions of the respective embodiments have respective emphasis, and for parts that are not described in detail in a certain embodiment, reference may be made to related descriptions of other embodiments.
In the several embodiments provided in the present application, it should be understood that the disclosed client may be implemented in other manners. The above-described embodiments of the apparatus are merely illustrative, and for example, a division of a unit is merely a division of a logic function, and an actual implementation may have another division, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, units or modules, and may be in an electrical or other form.
Units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The foregoing is only a preferred embodiment of the present invention, and it should be noted that it is obvious to those skilled in the art that various modifications and improvements can be made without departing from the principle of the present invention, and these modifications and improvements should also be considered as the protection scope of the present invention.

Claims (8)

1. A network attack behavior detection method is characterized by comprising the following steps:
detecting the access amount of a network access server in a target time period;
judging whether the access amount in the target time period exceeds a preset threshold value, wherein the preset threshold value is obtained according to the access amount in a preset time period before the target time period, and the preset time period is dynamically adjusted along with the change of the target time period;
if the access amount in the target time period is judged to exceed the preset threshold value, extracting behavior characteristics of access behaviors of the server;
judging whether the extracted behavior features accord with normal access features or not, wherein the normal access features are extracted according to non-attack behaviors; and
if the extracted behavior features do not conform to the normal access features, determining that the access behavior is an attack behavior;
wherein, judging whether the extracted behavior characteristics accord with the normal access characteristics comprises:
determining an access amount of the access behavior;
detecting a resource accessed by the access behavior;
judging whether the access behavior requests part of resources of the server in a centralized manner or not according to the access amount of the access behavior and the resources accessed by the access behavior;
if the access behavior requests part of the resources of the server in a concentrated manner, determining that the extracted behavior features do not conform to the normal access features; and
if the access behavior does not request part of the resources of the server in a concentrated manner, determining that the extracted behavior features conform to the normal access features.
2. The network attack behavior detection method according to claim 1, wherein, before judging whether the access amount in the target time period exceeds the preset threshold value, the network attack behavior detection method further comprises:
judging whether the target time period changes or not;
if the target time period is judged to be changed, adjusting the preset time period according to the change of the target time period;
detecting the access amount of the server within the adjusted preset time period; and
and calculating the preset threshold value according to the adjusted access amount in the preset time period.
3. The network attack behavior detection method according to claim 1, wherein the preset time period includes a plurality of time periods having the same duration as the target time period, and wherein, before judging whether the access amount in the target time period exceeds the preset threshold value, the network attack behavior detection method further includes:
respectively detecting the access amount of the server in the plurality of time periods;
taking the access amount in the time period with the highest access amount among the plurality of time periods as an access amount baseline, or selecting the access amount in one of the plurality of time periods as the access amount baseline according to a preset rule; and
calculating the preset threshold value according to the access amount baseline.
4. The network attack behavior detection method according to claim 3, wherein, after respectively detecting the access amount of the server in the plurality of time periods, the network attack behavior detection method further includes: rejecting access amount noise from the access amounts of the server in the plurality of time periods; and
taking the access amount in the time period with the highest access amount among the plurality of time periods as the access amount baseline comprises: taking the access amount in the time period with the highest access amount among the plurality of time periods, after the access amount noise is rejected, as the access amount baseline.
5. A cyber attack behavior detection apparatus, comprising:
the first detection unit is used for detecting the access amount of the network access server in the target time period;
a first judging unit, configured to judge whether an access amount in the target time period exceeds a preset threshold, where the preset threshold is a threshold obtained according to the access amount in a preset time period before the target time period, and the preset time period is dynamically adjusted along with a change of the target time period;
the extraction unit is used for extracting behavior characteristics of access behaviors of the server if the access quantity in the target time period is judged to exceed the preset threshold;
the second judgment unit is used for judging whether the extracted behavior characteristics accord with normal access characteristics or not, wherein the normal access characteristics are the behavior characteristics extracted according to non-attack behaviors; and
a first determination unit, configured to determine that the access behavior is an attack behavior if the extracted behavior feature does not conform to a normal access feature;
wherein the second judgment unit includes:
the second determination module is used for determining the access quantity of the access behavior;
the detection module is used for detecting the resources accessed by the access behaviors;
the judging module is used for judging, according to the access amount of the access behavior and the resources accessed by the access behavior, whether the access behavior concentrates its requests on a subset of the resources of the server;
a third determining module, configured to determine that the extracted behavior feature does not conform to the normal access feature if the access behavior concentrates its requests on a subset of the resources of the server; and
a fourth determining module, configured to determine that the extracted behavior feature conforms to the normal access feature if the access behavior does not concentrate its requests on a subset of the resources of the server.
6. The cyber attack behavior detection apparatus according to claim 5, wherein the cyber attack behavior detection apparatus further comprises:
the third judging unit is used for judging whether the target time period changes or not before judging whether the access amount in the target time period exceeds a preset threshold value or not;
the adjusting unit is used for adjusting the preset time period according to the change of the target time period if the target time period is judged to be changed;
the second detection unit is used for detecting the access amount of the server in the adjusted preset time period; and
and the first calculating unit is used for calculating the preset threshold value according to the adjusted access amount in the preset time period.
7. The cyber-attack behavior detection apparatus according to claim 5, wherein the preset time period includes a plurality of time periods having the same duration as the target time period, and wherein the cyber-attack behavior detection apparatus further includes:
a third detection unit, configured to respectively detect the access amount of the server in the plurality of time periods before judging whether the access amount in the target time period exceeds the preset threshold value;
a second determining unit, configured to take the access amount in the time period with the highest access amount among the plurality of time periods as an access amount baseline, or to select the access amount in one of the plurality of time periods as the access amount baseline according to a preset rule; and
the second calculating unit is used for calculating the preset threshold value according to the access amount baseline.
8. The network attack behavior detection apparatus according to claim 7, wherein the network attack behavior detection apparatus further comprises: a rejecting unit, configured to reject access amount noise from the access amounts of the server in the plurality of time periods after the access amount of the server in the plurality of time periods has been respectively detected; and
the second determining unit includes: a first determining module, configured to take the access amount in the time period with the highest access amount among the plurality of time periods, after the access amount noise is rejected, as the access amount baseline.
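The claimed flow (a dynamic threshold taken from the noise-free prior periods, then a concentration check of the access behavior against normal access features extracted from non-attack traffic) as an added Python example; this is not the patent's code, and the factor values, the noise-rejection rule and the request tuples are constructed assumptions.

```python
from collections import Counter
from statistics import median

# Parameter values are assumptions; the claims leave them unspecified.
THRESHOLD_FACTOR = 1.5        # preset threshold = baseline * factor
NOISE_FACTOR = 3.0            # prior period > factor * median => access amount noise
CONCENTRATION_FACTOR = 4.0    # resource share > factor * normal share => concentrated
MIN_NORMAL_SHARE = 0.02       # floor so one unseen URL alone does not trigger

def reject_noise(period_counts):
    """Drop prior periods whose access amount is an outlier spike (assumed rule)."""
    med = median(period_counts)
    return [c for c in period_counts if c <= NOISE_FACTOR * med]

def preset_threshold(period_counts):
    """Claims 3/4: baseline = highest access amount among the noise-free prior periods."""
    clean = reject_noise(period_counts) or period_counts
    return max(clean) * THRESHOLD_FACTOR

def resource_shares(requests):
    """Behavior feature: fraction of the access amount that hits each resource."""
    counts = Counter(path for _, path in requests)
    total = sum(counts.values())
    return {p: n / total for p, n in counts.items()}

def is_concentrated(target_requests, normal_requests):
    """Does the behavior concentrate on part of the server's resources, compared
    with the normal access features extracted from non-attack traffic?"""
    normal = resource_shares(normal_requests)
    return any(
        share > CONCENTRATION_FACTOR * max(normal.get(path, 0.0), MIN_NORMAL_SHARE)
        for path, share in resource_shares(target_requests).items()
    )

def detect(target_requests, prior_period_counts, normal_requests):
    """Return 'normal', 'burst' (volume exceeded, features normal) or 'attack'."""
    if len(target_requests) <= preset_threshold(prior_period_counts):
        return "normal"
    return "attack" if is_concentrated(target_requests, normal_requests) else "burst"

# Constructed sample data: (client, path) tuples; 900 is a noise spike among the prior periods.
PRIOR_PERIOD_COUNTS = [120, 110, 900, 130, 125]
NORMAL_REQUESTS = [("c1", "/")] * 50 + [("c2", "/products")] * 30 + [("c3", "/search")] * 20
SLOW_ATTACK = [("bot", "/search")] * 180 + [("c1", "/")] * 20      # low rate, one resource
FLASH_CROWD = [("c", "/")] * 100 + [("c", "/products")] * 60 + [("c", "/search")] * 40

if __name__ == "__main__":
    print(preset_threshold(PRIOR_PERIOD_COUNTS))                      # 195.0
    print(detect(SLOW_ATTACK, PRIOR_PERIOD_COUNTS, NORMAL_REQUESTS))  # attack
    print(detect(FLASH_CROWD, PRIOR_PERIOD_COUNTS, NORMAL_REQUESTS))  # burst
```

The flash-crowd case is the reason the volume check alone is not enough: it exceeds the same threshold but keeps the normal per-resource profile, so only the feature step separates it from the slow attack.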
CN201410529441.0A 2014-10-08 2014-10-08 Network attack behavior detection method and device Active CN105577608B (en)

Publications (2)

Publication Number Publication Date
CN105577608A CN105577608A (en) 2016-05-11
CN105577608B true CN105577608B (en) 2020-02-07

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20231225

Address after: 518000 Tencent Building, No. 1 High-tech Zone, Nanshan District, Shenzhen City, Guangdong Province, 35 Floors

Patentee after: TENCENT TECHNOLOGY (SHENZHEN) Co.,Ltd.

Patentee after: TENCENT CLOUD COMPUTING (BEIJING) Co.,Ltd.

Address before: 2, 518000, East 403 room, SEG science and Technology Park, Zhenxing Road, Shenzhen, Guangdong, Futian District

Patentee before: TENCENT TECHNOLOGY (SHENZHEN) Co.,Ltd.
