CN105591832A - Application layer slow-speed attack detection method and correlation apparatus - Google Patents


Publication number: CN105591832A
Authority: CN (China)
Application number: CN201410640483.1A
Other versions: CN105591832B (en)
Original language: Chinese (zh)
Inventors: 闫帅帅, 周志彬
Assignee: Tencent Cyber Tianjin Co Ltd
Legal status: Granted (active)
Prior art keywords: application layer, internet protocol, server, protocol address, gateway interface
Classification landscape: Data Exchanges In Wide-Area Networks (AREA)

Abstract

Embodiments of the invention disclose an application layer slow-speed attack detection method and a related apparatus. The method comprises the following steps: obtaining the traffic entering a server; based on the obtained traffic, counting the number of transport layer null links initiated to the server within a preset duration; and if the counted number of transport layer null links is greater than or equal to a first threshold and the number of application layer data packets carrying a destination internet protocol address i and a public gateway interface identifier j in the traffic entering the server within K periods meets a preset threshold condition, raising an application layer slow-speed attack alarm for the destination internet protocol address i and the public gateway interface identifier j, where the destination internet protocol address i is one of the internet protocol addresses of the server. The technical scheme of the embodiments improves the accuracy of the application layer slow-speed attack alarm.

Description

Application layer slow attack detection method and related device
Technical Field
The invention relates to the technical field of image processing, in particular to an application layer slow attack detection method and a related device.
Background
At present, network attacks occur frequently and are said to be ubiquitous. A large number of hackers and various computer viruses are hidden in the internet. For some servers providing network services, it is often difficult to provide services normally when the servers are under network attack.
The application layer slow attack is a common network attack mode that severely obstructs the normal operation of the server, so accurately detecting whether a server is currently under an application layer slow attack has become important.
The inventor of the present invention finds in research and practice that the existing application layer slow attack detection algorithm generally determines whether the server is currently under the application layer slow attack only by the statistical result of the public gateway interface in the hypertext transfer protocol request, but practice finds that the false alarm rate of the detection algorithm is quite high.
Disclosure of Invention
The embodiment of the invention provides an application layer slow attack detection method and a related device, aiming at improving the application layer slow attack alarm accuracy.
A first aspect of an embodiment of the present invention provides a method for detecting a slow attack on an application layer, including:
acquiring the flow entering a server;
counting the number of transmission layer empty links initiated to the server within a preset time length based on the acquired flow entering the server;
if the counted number of the transport layer null links is larger than or equal to a first threshold value, and the counted number of application layer data packets carrying a target internet protocol address i and a public gateway interface identifier j in the traffic entering the server in K time periods meets a preset threshold value condition, performing application layer slow attack alarm aiming at the target internet protocol address i and the public gateway interface identifier j, wherein the target internet protocol address i is one internet protocol address of the server, and K is a positive integer larger than or equal to 1.
A second aspect of the present invention provides an application layer slow attack detection apparatus, including:
the acquisition unit is used for acquiring the flow entering the server;
the counting unit is used for counting the number of the transmission layer empty links initiated to the server within a preset time length based on the acquired flow entering the server;
and an attack warning unit, configured to perform application layer slow attack warning for a target internet protocol address i and a public gateway interface identifier j if the number of transport layer null links counted by the counting unit is greater than or equal to a first threshold and the number of application layer packets carrying the target internet protocol address i and the public gateway interface identifier j in traffic entering the server in K counted time periods meets a preset threshold condition, where K is a positive integer greater than or equal to 1, and the target internet protocol address i is one of internet protocol addresses of the server.
A third aspect of the present invention provides a communication system comprising:
a server and a detection device;
the detection device is used for acquiring the flow entering the server; counting the number of transmission layer empty links initiated to the server within a preset time length based on the acquired flow entering the server; if the counted number of the transport layer null links is larger than or equal to a first threshold value, and the counted number of application layer data packets carrying a target internet protocol address i and a public gateway interface identifier j in the traffic entering the server in K time periods meets a preset threshold value condition, performing application layer slow attack alarm aiming at the target internet protocol address i and the public gateway interface identifier j, wherein the target internet protocol address i is one internet protocol address of the server, and K is a positive integer larger than or equal to 1.
It can be seen that, the application layer slow attack detection apparatus in this embodiment counts the number of transport layer null links initiated to the server within a preset time period based on the acquired traffic entering the server, and performs an application layer slow attack alarm for a target internet protocol address i and a public gateway interface identifier j if the counted number of the transport layer null links is greater than or equal to a first threshold and the counted number of application layer data packets carrying the target internet protocol address i and the public gateway interface identifier j in the traffic entering the server within K time periods meets a preset threshold condition, wherein, since the statistical data in several aspects such as the number of the transport layer null links, the number of the application layer data packets carrying the internet protocol address i and the public gateway interface identifier j, and the like are referred together, the application layer slow attack alarm is found to be more accurately facilitated in practice, the false alarm rate is reduced, and the technical scheme is favorable for improving the low-speed attack alarm accuracy of the application layer.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts.
Fig. 1 is a schematic flowchart of a method for detecting slow attack at an application layer according to an embodiment of the present invention;
fig. 2 is a schematic flow chart of another method for updating a traffic baseline according to an embodiment of the present invention;
fig. 3-a is a schematic flowchart of another method for detecting slow attack at an application layer according to an embodiment of the present invention;
fig. 3-b is a schematic diagram of an architecture of a communication system according to an embodiment of the present invention;
fig. 3-c is a schematic diagram of an architecture of another communication system provided by an embodiment of the present invention;
FIG. 3-d is a block diagram of a detecting apparatus according to an embodiment of the present invention;
fig. 4-a is a schematic flowchart of another method for detecting slow attack at an application layer according to an embodiment of the present invention;
fig. 4-b is a schematic diagram of an architecture of another communication system provided by an embodiment of the present invention;
fig. 5 is a schematic diagram of an application layer slow attack detection apparatus according to an embodiment of the present invention;
fig. 6 is a schematic diagram of another application layer slow attack detection apparatus provided in the embodiment of the present invention;
fig. 7 is a schematic diagram of a communication system according to an embodiment of the present invention.
Detailed Description
The embodiment of the invention provides an application layer slow attack detection method and a related device, aiming at improving the application layer slow attack alarm accuracy.
In order to make the technical solutions of the present invention better understood, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The following are detailed below.
The terms "first," "second," "third," and "fourth," etc. in the description and claims of the invention and the above-described drawings are used for distinguishing between different objects and not for describing a particular order. Furthermore, the terms "include" and "have," as well as any variations thereof, are intended to cover non-exclusive inclusions. For example, a process, method, system, article, or apparatus that comprises a list of steps or elements is not limited to only those steps or elements listed, but may alternatively include other steps or elements not listed, or inherent to such process, method, article, or apparatus.
The invention discloses an embodiment of an application layer slow attack detection method. The application layer slow attack detection method comprises the following steps: acquiring the flow entering a server; counting the number of transmission layer empty links initiated to the server within a preset time length based on the acquired flow entering the server; if the counted number of the transport layer null links is larger than or equal to a first threshold value, and the counted number of application layer data packets entering the server in K time periods and carrying a target Internet Protocol (IP) address i and a public gateway interface identifier j meets a preset threshold condition, aiming at the target IP address i and the public gateway interface identifier j for carrying out application layer slow attack warning, the target IP address i is one of the IP addresses of the server, and K is a positive integer larger than or equal to 1.
Referring to fig. 1, fig. 1 is a schematic flowchart of an application layer slow attack detection method according to an embodiment of the present invention. As shown in fig. 1, an application layer slow attack detection method provided by an embodiment of the present invention may include:
101. Acquire the traffic entering the server.
The traffic entering the server may be obtained, for example, in a bypass manner (for example, mirrored from a switch) or in an intercept manner. Alternatively, the traffic entering the server may be obtained directly by the server itself.
For example, where the server is interconnected with a core switch, then traffic entering the server through the core switch may be obtained.
102. Count the number of transport layer null links initiated to the server within a preset duration, based on the acquired traffic entering the server.
A transport layer null link may be, for example, a transport layer link carrying a number of data packets smaller than or equal to a fourth threshold. For example, if a transport layer link carries only a very small number of packets (e.g., only a SYN packet, or three or five packets including the SYN packet), the link may be marked as a transport layer null link. Accordingly, the fourth threshold may be equal to 1, 2, 3, 4, 5, 6, 8, 10, or another value.
The preset time period may be equal to 2 minutes, 3 minutes, 5 minutes, 6 minutes, 10 minutes or other time periods.
103. If the counted number of transport layer null links is greater than or equal to a first threshold, and the counted number of application layer data packets carrying a target internet protocol address i and a public gateway interface identifier j in the traffic entering the server in K time periods meets a preset threshold condition, raise an application layer slow attack alarm for the target internet protocol address i and the public gateway interface identifier j.
Wherein the first threshold may be equal to 20, 50, 100, 150, or other values, for example.
The destination internet protocol address i is one of internet protocol addresses of the server. And K is a positive integer greater than or equal to 1. For example, K is equal to 1, 2, 3, 4, 6, 21, or other value.
The public gateway interface identifier j may be any one public gateway interface identifier carried by an application layer packet entering the server, or the public gateway interface identifier j may also be a specific public gateway interface identifier carried by an application layer packet entering the server.
When K is greater than or equal to 2, the K periods may be, for example, consecutive K periods or K periods in which the interval duration between adjacent periods is less than or equal to an interval threshold.
Wherein the time lengths of the K time periods can be equal or partially equal or different from each other. The duration of any one of the K periods described above may be, for example, 1 minute, 2 minutes, 3 minutes, 5 minutes, 10 minutes, or other duration.
It can be seen that, the detection device in this embodiment counts the number of transport layer null links initiated to the server within a preset time period based on the acquired traffic entering the server, and performs an application layer slow attack alarm for a target internet protocol address i and a public gateway interface identifier j if the counted number of transport layer null links is greater than or equal to a first threshold and the counted number of application layer data packets carrying the target internet protocol address i and the public gateway interface identifier j in the traffic entering the server within K time periods meets a preset threshold condition. As the alarm refers to the statistics data of the number of empty links of the transmission layer, the number of application layer data packets carrying the Internet protocol address i and the public gateway interface identifier j, and the like, the practice finds that the alarm is favorable for more accurately carrying out the slow attack alarm of the application layer, and is favorable for improving the accuracy of the slow attack alarm of the application layer.
In the research process, the application layer slow attack is often mainly characterized by occupying connection, so that the reference to the statistic value of the transmission layer empty connection is beneficial to more accurately judging whether the server is attacked by the application layer slow attack.
Optionally, in some possible embodiments of the present invention, raising the application layer slow attack alarm for the destination internet protocol address i and the public gateway interface identifier j includes: raising the alarm for the destination internet protocol address i and the public gateway interface identifier j when, among the application layer data packets carrying the destination internet protocol address i and the public gateway interface identifier j in the traffic entering the server in a counted time period x, the number of application layer data packets carrying a source internet protocol address k is greater than or equal to a second threshold, where the time period x is any one of the K time periods.
It can be understood that, since the number of application layer packets carrying the source internet protocol address k among the application layer packets carrying the destination internet protocol address i and the public gateway interface identifier j in the traffic entering the server is also consulted when alarming, practice shows that attending to the dimension of the source internet protocol address further improves the accuracy of the application layer slow attack alarm.
Wherein the second threshold may be equal to 20, 51, 100, 125, 150, 500, or other values, for example.
Optionally, in some possible embodiments of the present invention, in the application layer data packets carrying the destination internet protocol address i and the public gateway interface identifier j in the traffic entering the server in the time period x, the number of the application layer data packets carrying the source internet protocol address k is greater than or equal to the number of the application layer data packets carrying any other source internet protocol address. That is to say, in the application layer packets carrying the destination internet protocol address i and the public gateway interface identifier j in the traffic entering the server in the period x, the number of the application layer packets of the source internet protocol address k is not less than the number of the application layer packets carrying any other source internet protocol address.
Optionally, in some possible embodiments of the present invention, the source internet protocol address k is one of source internet protocol addresses or any one of source internet protocol addresses carried by an application layer packet carrying a destination internet protocol address i and a public gateway interface identifier j in traffic entering the server in the time period x.
Optionally, in some possible embodiments of the present invention, the preset threshold condition includes: and the number of application layer data packets carrying the destination internet protocol address i and the public gateway interface identifier j in the traffic entering the server in the period x is greater than or equal to a third threshold value.
Wherein the third threshold may be, for example, equal to 50, 90, 100, 125, 150, 300, 500, 800, or other values.
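As an added illustration of steps 101 to 103 and the optional source-address refinement (example code written for this page, not code from the patent or from Tencent), the following Python sketch counts transport layer null links over a preset duration, counts the application layer packets carrying a target address i and gateway interface identifier j per period, and raises an alarm only when the first, third and second thresholds are all met. The record layouts, field names, threshold values and sample traffic are constructed assumptions, and the check is evaluated per period, which is one reading of "period x is any one of the K periods".

```python
# Added example (not the patent's own code): a toy implementation of steps 101-103
# together with the optional source-IP refinement. Record layouts, field names,
# threshold values and the sample traffic are constructed assumptions.
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    """One transport-layer connection seen in the mirrored traffic (constructed layout)."""
    t: float        # time the connection was initiated, in seconds
    src_ip: str
    dst_ip: str
    packets: int    # packets carried on the connection so far


@dataclass(frozen=True)
class AppPacket:
    """One application-layer request (constructed layout)."""
    t: float
    src_ip: str     # candidate source IP address k
    dst_ip: str     # target IP address i (one of the server's addresses)
    cgi: str        # public gateway interface identifier j


@dataclass(frozen=True)
class Thresholds:
    first: int = 20    # null links in the preset duration needed to go on to step 103
    second: int = 20   # packets from the dominant source IP k in period x
    third: int = 50    # packets carrying (i, j) in period x (preset threshold condition)
    fourth: int = 3    # a connection with at most this many packets is a null link


def count_null_links(conns, window_start, window_len, fourth):
    """Step 102: transport-layer null links initiated within the preset duration."""
    return sum(
        1 for c in conns
        if window_start <= c.t < window_start + window_len and c.packets <= fourth
    )


def packets_for_pair(packets, period, dst_ip, cgi):
    """Application-layer packets carrying (i, j) that arrived in one period [start, end)."""
    start, end = period
    return [p for p in packets
            if start <= p.t < end and p.dst_ip == dst_ip and p.cgi == cgi]


def detect(conns, packets, window, periods, thr):
    """Step 103 plus the source-IP refinement.

    Returns one (i, j, period x, k) tuple per alarm. The condition is evaluated for
    each of the K periods separately; an alarm is raised for any period that meets it
    (an interpretation of "period x is any one of the K periods").
    """
    if count_null_links(conns, window[0], window[1], thr.fourth) < thr.first:
        return []                      # few idle connections: no slow-attack signature
    alarms = []
    pairs = sorted({(p.dst_ip, p.cgi) for p in packets})
    for dst_ip, cgi in pairs:
        for period in periods:
            hits = packets_for_pair(packets, period, dst_ip, cgi)
            if not hits or len(hits) < thr.third:   # preset threshold condition not met
                continue
            # Source IP k: the address contributing the most (i, j) packets in period x
            k, n_k = Counter(p.src_ip for p in hits).most_common(1)[0]
            if n_k >= thr.second:
                alarms.append((dst_ip, cgi, period, k))
    return alarms


def sample_traffic():
    """Constructed sample: 25 one-packet connections (null links), 5 busy ones, and
    60 requests for /login.cgi on 10.0.0.5 of which 55 come from a single source."""
    conns = [Conn(float(n), f"198.51.100.{n % 20}", "10.0.0.5", 1) for n in range(25)]
    conns += [Conn(30.0 + n, "192.0.2.9", "10.0.0.5", 40) for n in range(5)]
    packets = [AppPacket(0.5 + n, "203.0.113.7", "10.0.0.5", "/login.cgi") for n in range(55)]
    packets += [AppPacket(1.0 + n, f"192.0.2.{n}", "10.0.0.5", "/login.cgi") for n in range(5)]
    packets += [AppPacket(2.0 + n, "192.0.2.9", "10.0.0.5", "/index.cgi") for n in range(10)]
    return conns, packets


if __name__ == "__main__":
    conns, packets = sample_traffic()
    alarms = detect(conns, packets, window=(0.0, 120.0), periods=[(0.0, 60.0)], thr=Thresholds())
    for alarm in alarms:
        print("application layer slow attack alarm:", alarm)
```

With the sample data the null-link gate passes (25 idle connections against a first threshold of 20), /index.cgi is ignored because it stays under the third threshold, and /login.cgi is reported together with the dominant source 203.0.113.7. Raising the second threshold above 55, or removing the idle connections, silences the alarm, which is the point of combining the three statistics: no single one of them triggers on its own.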
Optionally, in some possible embodiments of the invention, the period x is any one period among the K periods. The preset threshold condition may include, for example: and the number of the application layer data packets carrying the destination internet protocol address i and the public gateway interface identifier j in the traffic entering the server in the time period x is greater than or equal to the number of the application layer data packets in the time period which has a mapping relation with the time period x and is recorded in the current traffic baseline corresponding to the public gateway interface identifier j.
If the number of records in the current traffic baseline corresponding to the public gateway interface identifier j is introduced into the preset threshold condition, it is equivalent to introducing a dynamic threshold, the dynamic thresholds corresponding to different time periods in different K time periods may not be the same, and the number of application layer data packets in the corresponding time period recorded in the current traffic baseline is used as the dynamic threshold, which is beneficial to more accurately determining whether the application layer slow attack may occur in the time period.
For example, assuming that the monitoring period of the traffic baseline is 1 week and the unit period length is 1 day, the number of application layer packets carrying the destination internet protocol address i and the public gateway interface identifier j in the traffic entering the server on each day in 1 week may be recorded in the current traffic baseline corresponding to the public gateway interface identifier j. For example, assuming that the time period x is monday, the number of application layer packets in the reference time period x' is the number of application layer packets in monday recorded in the current traffic baseline corresponding to the common gateway interface identifier j. For another specific example, assuming that the current time period is wednesday, the number of application layer data packets in the reference time period x' is the number of application layer data packets in wednesday recorded in the current traffic baseline corresponding to the common gateway interface identifier j.
For another example, assuming that the monitoring period of the traffic baseline is 1 day and the unit time interval length is 1 hour, the number of application layer packets carrying the destination internet protocol address i and the public gateway interface identifier j in the traffic entering the server in each hour from 0 point to 24 points in 1 day may be recorded in the traffic baseline corresponding to the public gateway interface identifier j, specifically, for example, assuming that the time interval x is from 9 points to 10 points, the number of application layer packets in the reference time interval x' is the number of application layer packets from 9 points to 10 points recorded in the current traffic baseline corresponding to the public gateway interface identifier j. For another specific example, assuming that the time period x is 13 to 14, the number of application layer packets in the reference time period x' is the number of application layer packets from 13 to 14 recorded in the current traffic baseline corresponding to the common gateway interface identifier j.
For another example, assuming that the monitoring period of the traffic baseline is 1 day and the unit time interval length is 1 minute, the number of application layer packets carrying the destination internet protocol address i and the public gateway interface identifier j in the traffic entering the server per minute from 0 point to 24 points in 1 day may be recorded in the traffic baseline corresponding to the public gateway interface identifier j. Specifically, for example, assuming that the time period x is 5 points 35 to 36 minutes, the number of application layer packets in the reference time period x' is the number of application layer packets in 5 points 35 to 36 minutes recorded in the current traffic baseline corresponding to the common gateway interface identifier j. For another specific example, assuming that the time period x is 15 points 58 to 59 minutes, the number of the application layer packets in the reference time period x' is the number of the application layer packets in 15 points 58 to 59 minutes recorded in the current traffic baseline corresponding to the common gateway interface identifier j, and so on.
For another example, assuming that the monitoring period of the traffic baseline is 1 hour and the unit period length is 1 minute, the number of application layer packets carrying the destination internet protocol address i and the public gateway interface identifier j in the traffic entering the server per minute in 1 hour may be recorded in the traffic baseline corresponding to the public gateway interface identifier j. Specifically, for example, assuming that the time period x is 35 minutes to 36 minutes, the number of application layer data packets in the reference time period x' is the number of application layer data packets in 35 minutes to 36 minutes recorded in the current traffic baseline corresponding to the common gateway interface identifier j. For another specific example, assuming that the time period x is 58 minutes to 59 minutes, the number of the application layer packets in the reference time period x' is the number of the application layer packets in 58 minutes to 59 minutes recorded in the current traffic baseline corresponding to the common gateway interface identifier j, and so on.
The following also illustrates a traffic baseline updating method.
Referring to fig. 2, fig. 2 is a schematic flow chart of another method for updating a traffic baseline according to another embodiment of the present invention. As shown in fig. 2, another embodiment of the present invention provides another method for updating a traffic baseline, which may include:
201. Calculate the variance between the number of application layer data packets carrying the destination internet protocol address i and the public gateway interface identifier j in the traffic entering the server in the current time period and the number of application layer data packets in a first reference time period, where the number of application layer data packets in the first reference time period is the number recorded in the current traffic baseline for the reference time period that has a mapping relation with the current time period.
If the variance is greater than the first threshold or less than the second threshold, step 202 is performed.
If the variance lies between the second threshold and the first threshold, step 203 is performed. (The first and second thresholds named here belong to the baseline updating method and are distinct from the first and second thresholds of the detection method above.)
The destination internet protocol address i is one of internet protocol addresses of the server.
The public gateway interface identifier j may be any one public gateway interface identifier carried by an application layer packet entering the server, or the public gateway interface identifier j may also be a specific public gateway interface identifier carried by an application layer packet entering the server.
202. Calculate a first expected number for the current period from the number of application layer data packets carrying the destination internet protocol address i and the public gateway interface identifier j in the traffic entering the server in the N history periods that have a mapping relation with the current period in the latest N monitoring periods; calculate a second expected number for the first reference period from the first expected number together with the numbers of application layer data packets in N-1 of those N history periods; and update the number of application layer data packets of the first reference period recorded in the current traffic baseline corresponding to the public gateway interface identifier j with the second expected number. The N history periods may be the periods having the same sequence number as the current period in the latest N monitoring periods (for example, if the current period is cycle 1, the N history periods are cycle 1 of the latest N cycles; if the current period is cycle 3, the N history periods are week 3 of the last N weeks, and so on). The N-1 history periods may be those whose time difference from the current period is smaller than that of the remaining one of the N history periods (for example, if the N history periods are week 1 of the last 7 weeks, the N-1 history periods may be week 1 of the last 6 weeks; if the N history periods are week 1 of the last 10 weeks, the N-1 history periods may be week 1 of the last 9 weeks, and so on).
203. Calculate a third expected number for the first reference time period from the number of application layer data packets carrying the destination internet protocol address i and the public gateway interface identifier j in the traffic entering the server in the N-1 history time periods that have a mapping relation with the current time period in the latest N-1 monitoring periods, together with the number of such packets in the current time period, and update the number of application layer data packets of the first reference time period recorded in the current traffic baseline corresponding to the public gateway interface identifier j with the third expected number.
For example, assuming that the monitoring period of the traffic baseline corresponding to the public gateway interface identifier j is 1 week, and the unit period length is 1 day, the number of application layer packets carrying the destination internet protocol address i and the public gateway interface identifier j in the traffic entering the server on each day of 1 week may be recorded in the current traffic baseline corresponding to the public gateway interface identifier j. For example, assuming that the time period x is monday, the number of application layer data packets of the reference time period x' mapped to the time period x is the number of application layer data packets of monday recorded in the current traffic baseline corresponding to the common gateway interface identifier j. For another example, assuming that the current time period is wednesday, the number of application layer data packets of the reference time period x' is the number of application layer data packets of wednesday recorded in the current traffic baseline corresponding to the common gateway interface identifier j.
N is a positive integer greater than 1. For example, N may be equal to 2, 3, 4, 7, 6, 10, 21, or another value.
The method for updating the flow baseline is a method for updating the flow baseline based on an unsupervised learning method, and by comparing the flow value in the current time interval with the flow value in the corresponding time interval of the flow baseline, the method is beneficial to eliminating the influence caused by sudden increase and sharp decrease of the flow as much as possible, and further beneficial to further improving the flexibility of flow anomaly judgment based on the flow baseline.
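The dynamic threshold of the preceding section and the baseline update of steps 201 to 203, as an added worked example written for this page (not code from the patent or from Tencent). The weekly baseline, the Monday history and the deviation thresholds are constructed; the page's "variance" is read here as the relative deviation of the current count from the baseline count, and each "expected number" as a plain mean of the counts it is computed from, both of which are assumptions.

```python
# Added example (not the patent's own code): a per-slot traffic baseline used as the
# dynamic threshold in the preset threshold condition, and the baseline update of
# steps 201-203. Two readings are assumptions: the "variance" is taken as the relative
# deviation of the current count from the baseline count, and each "expected number"
# is taken as a plain mean of the counts it is computed from.
from statistics import mean

# Constructed baseline: monitoring period 1 week, unit period 1 day. Each value is the
# recorded number of application-layer packets carrying (i, j) for that weekday.
WEEKLY_BASELINE = {"mon": 103.0, "tue": 98.0, "wed": 120.0, "thu": 115.0,
                   "fri": 130.0, "sat": 60.0, "sun": 55.0}

# Constructed history: the Monday count in each of the last 7 monitoring periods, oldest first.
MONDAY_HISTORY = [100, 110, 105, 95, 100, 108, 102]


def meets_dynamic_threshold(count_in_x, baseline, slot):
    """Preset threshold condition with a dynamic threshold: the number of (i, j) packets in
    period x must be at least the number recorded for the reference period x' that maps
    to x (here, the same weekday)."""
    return count_in_x >= baseline[slot]


def deviation(current, reference):
    """Relative deviation of the current count from the baseline count (assumed 'variance')."""
    if reference == 0:
        return float("inf") if current else 0.0
    return (current - reference) / reference


def update_baseline(baseline, slot, current, history, n, upper=1.0, lower=-0.5):
    """Steps 201-203. `history` holds the count of the period mapped to `slot` in each of
    the latest monitoring periods, oldest first; its last N entries are the N history
    periods and the last N-1 of those are the ones closest in time to the current period.
    `upper` and `lower` play the role of the update method's first and second thresholds.
    Returns the step that was taken, for inspection."""
    if n < 2 or len(history) < n:
        raise ValueError("N must be > 1 and the history must cover N monitoring periods")
    hist = history[-n:]
    recent = hist[-(n - 1):]
    # Step 201: compare the current count with the mapped count in the baseline.
    dev = deviation(current, baseline[slot])
    if dev > upper or dev < lower:
        # Step 202: sudden surge or drop. Keep the outlier out of the baseline by
        # replacing the reference value with an expectation built from history only.
        first_expected = mean(hist)
        second_expected = mean(recent + [first_expected])
        baseline[slot] = second_expected
        return "202"
    # Step 203: normal traffic. Fold the current count in with the N-1 most recent values.
    third_expected = mean(recent + [current])
    baseline[slot] = third_expected
    return "203"


if __name__ == "__main__":
    baseline = dict(WEEKLY_BASELINE)
    print("520 on Monday meets the dynamic threshold:", meets_dynamic_threshold(520, baseline, "mon"))
    print("step", update_baseline(baseline, "mon", 520, MONDAY_HISTORY, n=7), "->", baseline["mon"])
    baseline = dict(WEEKLY_BASELINE)
    print("step", update_baseline(baseline, "mon", 106, MONDAY_HISTORY, n=7), "->", baseline["mon"])
```

The design point is the branch in step 202: a Monday that carries 520 requests against a baseline of about 103 satisfies the dynamic threshold condition and would be examined by the detector, but the update does not let that count into the baseline, so a sustained attack cannot raise its own threshold. A Monday with 106 requests takes the step 203 branch and nudges the baseline by a small amount, which is the unsupervised smoothing the text describes.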
In order to better understand and implement the above technical solutions of the embodiments of the present invention, the following further description is provided with reference to some specific application scenarios.
Referring to fig. 3-a, fig. 3-b and fig. 3-c, fig. 3-a is a schematic flow chart of an application layer slow attack detection method according to another embodiment of the present invention. The method illustrated in fig. 3-a may be embodied in the network architecture shown in fig. 3-b or fig. 3-c. As shown in fig. 3-a, another embodiment of the present invention provides an application layer slow attack detection method, which may include:
301. The detection device acquires the traffic entering the server from the core switch in bypass (out-of-path) mode.
The detection device may be connected to the core switch directly, or through an optical splitter that copies the traffic to it.
302. Based on the acquired traffic entering the server, the detection device counts the number of transport layer null links initiated to the server within a preset duration.
A transport layer null link is, for example, a transport layer connection that carries a number of packets less than or equal to a fourth threshold. If a connection carries only a very small number of packets (e.g., only a SYN packet, or only three or five packets including the SYN packet), it may be marked as a transport layer null link. The fourth threshold may thus be, for example, 1, 2, 3, 4, 5, 6, 8, 10 or another value. Note that a legitimately short connection also has few packets, which is why the null link count is used as a gate for the application layer check below rather than as the alarm condition by itself.
303. And if the counted number of the transport layer null links is greater than or equal to a first threshold value, the detection device counts the number of application layer data packets carrying a destination internet protocol address i and a public gateway interface identifier j in the flow entering the server in K time periods.
For any time period x among the K time periods, the detection device also counts, among the application layer packets carrying destination internet protocol address i and public gateway interface identifier j in the traffic entering the server in time period x, the number of application layer packets carrying source internet protocol address k.
304. If the counted number of application layer packets carrying destination internet protocol address i and public gateway interface identifier j in the traffic entering the server in the K time periods meets a preset threshold condition, and the counted number of application layer packets carrying source internet protocol address k among those packets in time period x is greater than or equal to a second threshold, an application layer slow attack alarm may be raised for destination internet protocol address i and public gateway interface identifier j.
The destination internet protocol address i is one of internet protocol addresses of the server. And K is a positive integer greater than or equal to 1. For example, K is equal to 1, 2, 3, 4, 6, 21, or other value.
When K is greater than or equal to 2, the K periods may be, for example, consecutive K periods or K periods in which the interval duration between adjacent periods is less than or equal to an interval threshold.
Wherein the time lengths of the K time periods can be equal or partially equal or different from each other. The duration of any one of the K periods described above may be, for example, 1 minute, 2 minutes, 3 minutes, 5 minutes, 10 minutes, or other duration.
Wherein the second threshold may be equal to 20, 51, 100, 125, 150, 500, or other values, for example.
Optionally, in some possible embodiments of the present invention, in the application layer packets carrying the destination internet protocol address i and the public gateway interface identifier j in the traffic entering the server in the time period x, the number of the application layer packets carrying the source internet protocol address k is greater than or equal to the number of the application layer packets carrying other source internet protocol addresses.
Optionally, in some possible embodiments of the present invention, the source internet protocol address k is one of source internet protocol addresses or any one of source internet protocol addresses carried by an application layer packet carrying a destination internet protocol address i and a public gateway interface identifier j in traffic entering the server in the time period x.
Optionally, in some possible embodiments of the present invention, the preset threshold condition includes: and the number of application layer data packets carrying the destination internet protocol address i and the public gateway interface identifier j in the traffic entering the server in the period x is greater than or equal to a third threshold value.
Wherein the third threshold may be, for example, equal to 50, 90, 100, 125, 150, 300, 500, 800, or other values.
Optionally, in some possible embodiments of the invention, the period x is any one period among the K periods. The preset threshold condition may include, for example: and the number of the application layer data packets carrying the destination internet protocol address i and the public gateway interface identifier j in the traffic entering the server in the time period x is greater than or equal to the number of the application layer data packets in the time period which has a mapping relation with the time period x and is recorded in the current traffic baseline corresponding to the public gateway interface identifier j.
Using the number recorded in the current traffic baseline corresponding to public gateway interface identifier j in the preset threshold condition amounts to introducing a dynamic threshold: the threshold for each of the K time periods is the baseline value of the time period mapped to it, so the thresholds of different time periods may differ. Judging each time period against its own baseline value, rather than against one fixed number, helps determine more accurately whether an application layer slow attack may be occurring in that time period.
For example, assuming that the monitoring period of the traffic baseline is 1 week and the unit time period length is 1 day, the current traffic baseline corresponding to public gateway interface identifier j may record, for each day of the week, the number of application layer packets carrying destination internet protocol address i and public gateway interface identifier j in the traffic entering the server on that day. If time period x is a Monday, the number of application layer packets of the reference time period x' is the number recorded for Monday in that baseline; if the current time period is a Wednesday, it is the number recorded for Wednesday.
For another example, assuming that the monitoring period of the traffic baseline is 1 day and the unit time period length is 1 hour, the baseline corresponding to public gateway interface identifier j may record the number of such packets for each hour from 00:00 to 24:00. If time period x is 09:00 to 10:00, the number of application layer packets of the reference time period x' is the number recorded for 09:00 to 10:00 in that baseline; if time period x is 13:00 to 14:00, it is the number recorded for 13:00 to 14:00.
For another example, assuming that the monitoring period of the traffic baseline is 1 day and the unit time period length is 1 minute, the baseline corresponding to public gateway interface identifier j may record the number of such packets for each minute from 00:00 to 24:00. If time period x is 05:35 to 05:36, the number of application layer packets of the reference time period x' is the number recorded for 05:35 to 05:36 in that baseline; if time period x is 15:58 to 15:59, it is the number recorded for 15:58 to 15:59, and so on.
For another example, assuming that the monitoring period of the traffic baseline is 1 hour and the unit time period length is 1 minute, the baseline corresponding to public gateway interface identifier j may record the number of such packets for each minute of the hour. If time period x is minute 35 to minute 36 of the hour, the number of application layer packets of the reference time period x' is the number recorded for minute 35 to 36 in that baseline; if time period x is minute 58 to minute 59, it is the number recorded for minute 58 to 59, and so on.
In this embodiment, therefore, the detection apparatus counts, from the acquired traffic entering the server, the number of transport layer null links initiated to the server within a preset duration, and raises an application layer slow attack alarm for destination internet protocol address i and public gateway interface identifier j if that count is greater than or equal to the first threshold and the number of application layer packets carrying i and j in the traffic entering the server in the K time periods meets the preset threshold condition. Because the transport layer null link count and the application layer packet count for (i, j) are evaluated together, neither a burst of half-open connections nor a surge of requests to one interface triggers an alarm on its own; practice shows that this makes the application layer slow attack alarm more accurate.
Since the alarm also considers the number of application layer packets carrying source internet protocol address k among the application layer packets carrying destination internet protocol address i and public gateway interface identifier j, i.e. the source address dimension, practice shows that the accuracy of the application layer slow attack alarm is further improved: it helps separate a slow attack concentrated on one interface from a few sources from a legitimate surge spread across many source addresses.
Further, referring to fig. 3-d, the detection apparatus may have the internal module architecture shown in fig. 3-d: several layer-4 modules count the number of transport layer null links; several layer-7 modules count the number of application layer packets carrying the destination IP address and each public gateway interface identifier and, among the packets carrying each public gateway interface identifier, the number carried by each source IP address; a summarizing module aggregates the statistical results of the layer-4 and layer-7 modules; and an alarm module performs the application layer slow attack alarm processing on the aggregated results.
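The following Python is an added example of steps 301 to 304 and of the module split in fig. 3-d run over constructed sample traffic; it is not the patent's or Tencent's code. It assumes a packet record that already carries the public gateway interface identifier parsed from the HTTP request (None for packets without application layer payload), identifies a transport layer connection by its 4-tuple, treats the preset threshold condition as met when period x reaches either the dynamic baseline value for the interface (when a baseline is supplied) or the fixed third threshold, and takes source address k to be the source with the most packets for (i, j) in period x. All names, addresses and thresholds are illustrative.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Pkt:
    """One packet as seen by the bypass detector (constructed record format, not the patent's)."""
    ts: float            # seconds since window start
    src: str             # source IP address
    dst: str             # destination IP address (one of the server's addresses, i)
    sport: int
    dport: int
    cgi: Optional[str]   # public gateway interface identifier j from the HTTP request; None if no payload


def sample_traffic() -> List[Pkt]:
    """Constructed sample: one slow-attack source plus five normal clients (not a real capture)."""
    pkts = []
    attacker, server = "198.51.100.7", "203.0.113.10"
    # 30 connections that never get past the SYN: one packet each -> transport layer null links
    for p in range(30):
        pkts.append(Pkt(1.0 + p, attacker, server, 40000 + p, 80, None))
    # on one established connection the attacker drips 120 partial-request packets at /login.cgi
    for p in range(120):
        pkts.append(Pkt(2.0 + p * 0.4, attacker, server, 50000, 80, "/login.cgi"))
    # five normal clients: 8 packets per connection, 6 of them carrying the request to /index.cgi
    for c in range(5):
        for p in range(8):
            pkts.append(Pkt(3.0 + c + p * 0.1, f"192.0.2.{c + 1}", server, 60000 + c, 80,
                            "/index.cgi" if p >= 2 else None))
    return pkts


class SlowAttackDetector:
    def __init__(self, first_threshold: int, second_threshold: int, third_threshold: int,
                 fourth_threshold: int, period_len: float, k_periods: int,
                 baseline: Optional[Dict[str, List[int]]] = None):
        self.first = first_threshold      # min null links before the layer-7 check runs (step 303)
        self.second = second_threshold    # min packets from source k in period x (step 304)
        self.third = third_threshold      # fixed threshold on packets for (i, j) in a period
        self.fourth = fourth_threshold    # max packets for a connection to count as a null link
        self.period_len = period_len
        self.k = k_periods
        self.baseline = baseline          # cgi -> per-slot expected counts (dynamic threshold), optional

    def count_null_links(self, pkts: List[Pkt], start: float, length: float) -> int:
        """Layer-4 module: connections (4-tuples) in the window carrying <= fourth_threshold packets."""
        per_conn = Counter()
        for p in pkts:
            if start <= p.ts < start + length:
                per_conn[(p.src, p.sport, p.dst, p.dport)] += 1
        return sum(1 for n in per_conn.values() if n <= self.fourth)

    def count_app_packets(self, pkts: List[Pkt], start: float, length: float):
        """Layer-7 module: packets per (dst IP i, cgi j) and, within each, per source IP."""
        per_key, per_src = Counter(), defaultdict(Counter)
        for p in pkts:
            if p.cgi is not None and start <= p.ts < start + length:
                per_key[(p.dst, p.cgi)] += 1
                per_src[(p.dst, p.cgi)][p.src] += 1
        return per_key, per_src

    def threshold_for(self, cgi: str, x: int) -> int:
        """Preset threshold condition: baseline value of the slot period x maps to, else the third threshold."""
        if self.baseline and cgi in self.baseline:
            slots = self.baseline[cgi]
            return slots[x % len(slots)]
        return self.third

    def detect(self, pkts: List[Pkt], t0: float) -> List[dict]:
        """Summarizing + alarm modules: one alarm per (i, j, period x) meeting every condition."""
        null_links = self.count_null_links(pkts, t0, self.period_len * self.k)
        if null_links < self.first:
            return []                     # step 303 gate: too few null links, no layer-7 check
        alarms = []
        for x in range(self.k):
            per_key, per_src = self.count_app_packets(pkts, t0 + x * self.period_len, self.period_len)
            for (dst, cgi), n in per_key.items():
                if n < self.threshold_for(cgi, x):
                    continue              # preset threshold condition not met in period x
                top_src, top_n = per_src[(dst, cgi)].most_common(1)[0]
                if top_n >= self.second:  # source address k dimension (step 304)
                    alarms.append({"dst": dst, "cgi": cgi, "period": x, "top_src": top_src,
                                   "null_links": null_links, "app_packets": n,
                                   "top_src_packets": top_n})
        return alarms


if __name__ == "__main__":
    det = SlowAttackDetector(first_threshold=20, second_threshold=50, third_threshold=100,
                             fourth_threshold=3, period_len=60.0, k_periods=1)
    for alarm in det.detect(sample_traffic(), 0.0):
        print(alarm)
```

On the sample traffic only (203.0.113.10, /login.cgi) alarms, attributed to 198.51.100.7; /index.cgi stays below the third threshold, a baseline value above the observed count suppresses the alarm, and raising the first threshold above the 30 null links prevents the layer-7 check from running at all.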
Referring to fig. 4-a and 4-b, fig. 4-a is a schematic flow chart of a method for detecting slow attack at application layer according to another embodiment of the present invention. The method illustrated in fig. 4-a may be embodied in the network architecture shown in fig. 4-b. As shown in fig. 4-a, another embodiment of the present invention provides an application layer slow attack detection method, which may include:
401. the server obtains traffic entering the server through the core switch.
That is, the application layer slow attack detection device is deployed in the server.
402. Based on the acquired traffic entering the server, the server counts the number of transport layer null links initiated to the server within a preset duration.
A transport layer null link is, for example, a transport layer connection that carries a number of packets less than or equal to a fourth threshold. If a connection carries only a very small number of packets (e.g., only a SYN packet, or only three or five packets including the SYN packet), it may be marked as a transport layer null link. The fourth threshold may thus be, for example, 1, 2, 3, 4, 5, 6, 8, 10 or another value.
403. And if the counted number of the transport layer null links is larger than or equal to a first threshold value, the server counts the number of application layer data packets carrying a target internet protocol address i and a public gateway interface identifier j in the flow entering the server in K time periods.
For any time period x among the K time periods, the server also counts, among the application layer packets carrying destination internet protocol address i and public gateway interface identifier j in the traffic entering the server in time period x, the number of application layer packets carrying source internet protocol address k.
404. If the counted number of application layer packets carrying destination internet protocol address i and public gateway interface identifier j in the traffic entering the server in the K time periods meets a preset threshold condition, and the counted number of application layer packets carrying source internet protocol address k among those packets in time period x is greater than or equal to a second threshold, an application layer slow attack alarm may be raised for destination internet protocol address i and public gateway interface identifier j.
The destination internet protocol address i is one of internet protocol addresses of the server. And K is a positive integer greater than or equal to 1. For example, K is equal to 1, 2, 3, 4, 6, 21, or other value.
When K is greater than or equal to 2, the K periods may be, for example, consecutive K periods or K periods in which the interval duration between adjacent periods is less than or equal to an interval threshold.
Wherein the time lengths of the K time periods can be equal or partially equal or different from each other. The duration of any one of the K periods described above may be, for example, 1 minute, 2 minutes, 3 minutes, 5 minutes, 10 minutes, or other duration.
Wherein the second threshold may be equal to 20, 51, 100, 125, 150, 500, or other values, for example.
Optionally, in some possible embodiments of the present invention, in the application layer packets carrying the destination internet protocol address i and the public gateway interface identifier j in the traffic entering the server in the time period x, the number of the application layer packets carrying the source internet protocol address k is greater than or equal to the number of the application layer packets carrying other source internet protocol addresses.
Optionally, in some possible embodiments of the present invention, the source internet protocol address k is one of source internet protocol addresses or any one of source internet protocol addresses carried by an application layer packet carrying a destination internet protocol address i and a public gateway interface identifier j in traffic entering the server in the time period x.
Optionally, in some possible embodiments of the present invention, the preset threshold condition includes: and the number of application layer data packets carrying the destination internet protocol address i and the public gateway interface identifier j in the traffic entering the server in the period x is greater than or equal to a third threshold value.
Wherein the third threshold may be, for example, equal to 50, 90, 100, 125, 150, 300, 500, 800, or other values.
Optionally, in some possible embodiments of the invention, the period x is any one period among the K periods. The preset threshold condition may include, for example: and the number of the application layer data packets carrying the destination internet protocol address i and the public gateway interface identifier j in the traffic entering the server in the time period x is greater than or equal to the number of the application layer data packets in the time period which has a mapping relation with the time period x and is recorded in the current traffic baseline corresponding to the public gateway interface identifier j.
Using the number recorded in the current traffic baseline corresponding to public gateway interface identifier j in the preset threshold condition amounts to introducing a dynamic threshold: the threshold for each of the K time periods is the baseline value of the time period mapped to it, so the thresholds of different time periods may differ. Judging each time period against its own baseline value, rather than against one fixed number, helps determine more accurately whether an application layer slow attack may be occurring in that time period.
In this embodiment, therefore, the server counts, from the acquired traffic entering it, the number of transport layer null links initiated to it within a preset duration, and raises an application layer slow attack alarm for destination internet protocol address i and public gateway interface identifier j if that count is greater than or equal to the first threshold and the number of application layer packets carrying i and j in the traffic entering the server in the K time periods meets the preset threshold condition. Because the transport layer null link count and the application layer packet count for (i, j) are evaluated together, neither a burst of half-open connections nor a surge of requests to one interface triggers an alarm on its own; practice shows that this makes the application layer slow attack alarm more accurate.
Since the alarm also considers the number of application layer packets carrying source internet protocol address k among the application layer packets carrying destination internet protocol address i and public gateway interface identifier j, i.e. the source address dimension, practice shows that the accuracy of the application layer slow attack alarm is further improved.
An embodiment of the present invention further provides an application layer slow attack detection apparatus 500, including:
an obtaining unit 510, configured to obtain traffic entering the server.
A counting unit 520, configured to count, based on the obtained traffic entering the server, the number of transport layer null links initiated to the server within a preset time period.
An attack warning unit 530, configured to perform an application layer slow attack warning for a destination internet protocol address i and a public gateway interface identifier j if the number of transport layer null links counted by the counting unit is greater than or equal to a first threshold and the number of application layer packets carrying the destination internet protocol address i and the public gateway interface identifier j in traffic entering the server in K counted time periods meets a preset threshold condition, where K is a positive integer greater than or equal to 1, and the destination internet protocol address i is one of internet protocol addresses of the server.
Optionally, in some possible embodiments of the present invention, in the aspect of performing the application layer slow attack warning for destination internet protocol address i and public gateway interface identifier j, the attack warning unit is specifically configured to perform the warning when the number of application layer packets carrying source internet protocol address k, among the application layer packets carrying destination internet protocol address i and public gateway interface identifier j in the traffic entering the server within a counted time period x, is greater than or equal to a second threshold, where time period x is any one of the K time periods.
Optionally, in some possible embodiments of the present invention, in the application layer packets carrying the destination internet protocol address i and the public gateway interface identifier j in the traffic entering the server in the time period x, the number of the application layer packets carrying the source internet protocol address k is greater than or equal to the number of the application layer packets carrying other source internet protocol addresses.
Or,
and the source internet protocol address k is one of source internet protocol addresses carried by application layer data packets carrying a destination internet protocol address i and a public gateway interface identifier j in the traffic entering the server in the time period x.
Optionally, in some possible embodiments of the present invention, the period x is any one period among the K periods; wherein,
the preset threshold condition comprises: the number of application layer data packets carrying a destination internet protocol address i and a public gateway interface identifier j in the traffic entering the server in the time period x is greater than or equal to the number of application layer data packets of the time period which has a mapping relation with the time period x and is recorded in a current traffic baseline corresponding to the public gateway interface identifier j;
or,
the preset threshold condition comprises: and the number of application layer data packets carrying the destination internet protocol address i and the public gateway interface identifier j in the traffic entering the server in the period x is greater than or equal to a third threshold value.
Optionally, in some possible embodiments of the present invention, K is greater than or equal to 2, and the K time periods are consecutive K time periods or K time periods in which an interval duration between adjacent time periods is less than or equal to an interval threshold.
Optionally, in some possible embodiments of the present invention, the transport layer null link is a transport layer link that carries a number of packets smaller than or equal to a fourth threshold.
It can be understood that the functions of the functional modules of the detection apparatus 500 of this embodiment may be specifically implemented according to the method in the foregoing method embodiment, and the specific implementation process may refer to the related description of the foregoing method embodiment, which is not described herein again.
It can be seen that, in this embodiment, the application layer slow attack detection apparatus 500 counts the number of transport layer null links initiated to the server within a preset time period based on the obtained traffic entering the server, and if the counted number of the transport layer null links is greater than or equal to a first threshold and the counted number of application layer data packets carrying a target internet protocol address i and a public gateway interface identifier j in the traffic entering the server within K time periods meets a preset threshold condition, performs an application layer slow attack alarm for the target internet protocol address i and the public gateway interface identifier j, wherein, since the number of transport layer null links and the number of application layer data packets carrying the internet protocol address i and the public gateway interface identifier j are referred to together, practice finds that it is beneficial to perform an application layer slow attack alarm more accurately, this is seen to be beneficial for improving the application layer slow attack alarm accuracy.
Referring to fig. 6, fig. 6 is a block diagram of a detecting apparatus 600 according to another embodiment of the present invention.
The detecting device 600 may include at least one processor 601, a memory 605 and at least one communication bus 602; the communication bus 602 connects these components. The detection apparatus 600 optionally includes a user interface 603, which may include a display (e.g., a touch screen, a liquid crystal display, a holographic or projection display), a pointing device (e.g., a mouse, a trackball, a touch pad or a touch screen), a camera and/or a sound pickup device.
The detection apparatus 600 may further include at least 1 network interface 604.
Memory 605 may comprise, among other things, read-only memory and random access memory, and provides instructions and data to processor 601. Some of the memory 605 may also include non-volatile random access memory, among others.
In some embodiments, memory 605 stores the following elements, executable modules or data structures, or a subset thereof, or an expanded set thereof:
operating system 6051, which contains various system programs for implementing various basic services and for handling hardware-based tasks.
The application module 6052 contains various applications for implementing various application services.
In an embodiment of the present invention, by calling a program or instructions stored in the memory 605, the processor 601 obtains the traffic entering the server; counts, based on the obtained traffic entering the server, the number of transport layer null links initiated to the server within a preset duration; and, if the counted number of transport layer null links is greater than or equal to a first threshold and the counted number of application layer packets carrying destination internet protocol address i and public gateway interface identifier j in the traffic entering the server in K time periods meets a preset threshold condition, performs an application layer slow attack warning for destination internet protocol address i and public gateway interface identifier j, where K is a positive integer greater than or equal to 1 and destination internet protocol address i is one of the internet protocol addresses of the server.
Optionally, in some possible embodiments of the present invention, in the aspect of performing the application layer slow attack alarm for destination internet protocol address i and public gateway interface identifier j, the processor 601 is specifically configured to perform the alarm when the number of application layer packets carrying source internet protocol address k, among the application layer packets carrying destination internet protocol address i and public gateway interface identifier j in the traffic entering the server within a counted time period x, is greater than or equal to a second threshold, where time period x is any one of the K time periods.
Optionally, in some possible embodiments of the present invention, in the application layer data packets carrying the destination internet protocol address i and the public gateway interface identifier j in the traffic entering the server in the time period x, the number of the application layer data packets carrying the source internet protocol address k is greater than or equal to the number of the application layer data packets carrying other source internet protocol addresses;
or,
the source internet protocol address k is one of source internet protocol addresses carried by application layer data packets carrying a destination internet protocol address i and a public gateway interface identifier j in the traffic entering the server in the time period x;
optionally, in some possible embodiments of the present invention, the period x is any one period among the K periods; wherein,
the preset threshold condition comprises: the number of application layer data packets carrying a destination internet protocol address i and a public gateway interface identifier j in the traffic entering the server in the time period x is greater than or equal to the number of application layer data packets of the time period which has a mapping relation with the time period x and is recorded in a current traffic baseline corresponding to the public gateway interface identifier j;
or,
the preset threshold condition comprises: and the number of application layer data packets carrying the destination internet protocol address i and the public gateway interface identifier j in the traffic entering the server in the period x is greater than or equal to a third threshold value.
Optionally, in some possible embodiments of the present invention, K is greater than or equal to 2, and the K time periods are consecutive K time periods or K time periods in which an interval duration between adjacent time periods is less than or equal to an interval threshold.
Optionally, in some possible embodiments of the present invention, the transport layer null link is a transport layer link that carries a number of packets smaller than or equal to a fourth threshold.
It can be understood that the functions of the functional modules of the detection apparatus 600 in this embodiment may be implemented according to the method in the foregoing method embodiment; for the specific implementation process, reference is made to the related description of that method embodiment, which is not repeated here.
It can be seen that, in this embodiment, the detection apparatus 600 counts, based on the obtained traffic entering the server, the number of transport layer null links initiated to the server within a preset duration; if the counted number of transport layer null links is greater than or equal to a first threshold and the counted number of application layer data packets carrying the destination internet protocol address i and the public gateway interface identifier j in the traffic entering the server within K time periods meets a preset threshold condition, an application layer slow attack alarm is raised for the destination internet protocol address i and the public gateway interface identifier j. Because the number of transport layer null links and the number of application layer data packets carrying the internet protocol address i and the public gateway interface identifier j are considered together, neither a burst of empty connections on its own nor a rise in requests to one interface on its own triggers the alarm, which in practice is beneficial for raising the application layer slow attack alarm more accurately.
Referring to fig. 7, fig. 7 is a block diagram of a communication system according to another embodiment of the present invention.
The communication system comprises a server 710 and a detection device 720.
The detection device 720 is configured to obtain the traffic entering the server 710; count, based on the obtained traffic entering the server, the number of transport layer null links initiated to the server within a preset duration; and, if the counted number of transport layer null links is greater than or equal to a first threshold and the counted number of application layer data packets carrying a destination internet protocol address i and a public gateway interface identifier j in the traffic entering the server in K time periods meets a preset threshold condition, raise an application layer slow attack alarm for the destination internet protocol address i and the public gateway interface identifier j, where K is a positive integer greater than or equal to 1 and the destination internet protocol address i is one of the internet protocol addresses of the server.
Optionally, in some possible embodiments of the present invention, in the aspect of raising an application layer slow attack alarm for the destination internet protocol address i and the public gateway interface identifier j, the detection device 720 is specifically configured to raise the application layer slow attack alarm for the destination internet protocol address i and the public gateway interface identifier j when, among the application layer data packets carrying the destination internet protocol address i and the public gateway interface identifier j in the traffic entering the server within a counted time period x, the number of application layer data packets carrying a source internet protocol address k is greater than or equal to a second threshold, where the time period x is any one of the K time periods.
Optionally, in some possible embodiments of the present invention, among the application layer data packets carrying the destination internet protocol address i and the public gateway interface identifier j in the traffic entering the server in the time period x, the number of application layer data packets carrying the source internet protocol address k is greater than or equal to the number carrying any other source internet protocol address, that is, k is the dominant source in that period;
or,
the source internet protocol address k is any one of the source internet protocol addresses carried by the application layer data packets that carry the destination internet protocol address i and the public gateway interface identifier j in the traffic entering the server in the time period x.
Optionally, in some possible embodiments of the present invention, the time period x is any one of the K time periods, and
the preset threshold condition comprises: the number of application layer data packets carrying the destination internet protocol address i and the public gateway interface identifier j in the traffic entering the server in the time period x is greater than or equal to the number of application layer data packets recorded, in the current traffic baseline corresponding to the public gateway interface identifier j, for the reference time period x' that has a mapping relation with the time period x;
or,
the preset threshold condition comprises: the number of application layer data packets carrying the destination internet protocol address i and the public gateway interface identifier j in the traffic entering the server in the time period x is greater than or equal to a third threshold.
Optionally, in some possible embodiments of the present invention, K is greater than or equal to 2, and the K time periods are consecutive K time periods or K time periods in which an interval duration between adjacent time periods is less than or equal to an interval threshold.
Optionally, in some possible embodiments of the present invention, the transport layer null link is a transport layer link that carries a number of packets smaller than or equal to a fourth threshold.
It can be seen that, in this embodiment, the detection device 720 counts, based on the obtained traffic entering the server, the number of transport layer null links initiated to the server within a preset duration; if the counted number of transport layer null links is greater than or equal to a first threshold and the counted number of application layer data packets carrying the destination internet protocol address i and the public gateway interface identifier j in the traffic entering the server within K time periods meets a preset threshold condition, it raises an application layer slow attack alarm for the destination internet protocol address i and the public gateway interface identifier j. Because the number of transport layer null links and the number of application layer data packets carrying the internet protocol address i and the public gateway interface identifier j are considered together, neither indicator on its own triggers the alarm, which in practice is beneficial for raising the application layer slow attack alarm more accurately.
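The decision described for the detection device 720 (and for the method and apparatus embodiments above), as an added Python example that is not part of the patent and not Tencent's implementation. It assumes packet records that carry a transport-layer connection key and a CGI path, K consecutive periods of fixed length, a traffic baseline keyed by public gateway interface identifier whose slot index maps period x to its reference period x', and hypothetical values for the first to fourth thresholds; the patent leaves all of these as parameters. It reads "any one time period among the K time periods" as requiring the per-period conditions in each of the K periods, which is one possible reading of the claims. The sample traffic is constructed, not captured.

```python
from __future__ import annotations
from collections import Counter
from dataclasses import dataclass

# Hypothetical threshold values; the patent leaves all of them as parameters.
FIRST_THRESHOLD = 50    # transport layer null links within the preset duration
SECOND_THRESHOLD = 30   # app-layer packets from the dominant source k in a period x
THIRD_THRESHOLD = 100   # fixed per-period cap on app-layer packets for (i, j)
FOURTH_THRESHOLD = 3    # a link carrying <= this many packets is a "null link"
K_PERIODS = 3           # K consecutive periods
PERIOD_S = 60.0         # length of one period in seconds

# Constructed baseline (not measured): per-period reference counts of app-layer
# packets per public gateway interface identifier j. Period x maps to the
# reference period x' = x mod len(baseline[j]) here (an assumption).
BASELINE = {"/login.cgi": [30, 30, 30]}


@dataclass(frozen=True)
class Pkt:
    """One packet entering the server. 'conn' is a hypothetical transport-layer
    connection key (e.g. a 5-tuple); 'cgi' is None when the packet carries no
    application-layer request."""
    ts: float
    src: str
    dst: str
    conn: str
    cgi: str | None


def count_null_links(pkts: list[Pkt], dst: str, t0: float, duration: float,
                     fourth: int = FOURTH_THRESHOLD) -> int:
    """Transport layer null links to dst initiated in [t0, t0+duration):
    links whose total packet count is <= the fourth threshold."""
    per_conn: Counter[str] = Counter()
    first_seen: dict[str, float] = {}
    for p in pkts:
        if p.dst != dst:
            continue
        per_conn[p.conn] += 1
        first_seen[p.conn] = min(first_seen.get(p.conn, p.ts), p.ts)
    return sum(1 for c, n in per_conn.items()
               if n <= fourth and t0 <= first_seen[c] < t0 + duration)


def app_packets_by_period(pkts: list[Pkt], dst_i: str, cgi_j: str, t0: float,
                          k: int = K_PERIODS, period: float = PERIOD_S) -> list[Counter[str]]:
    """For each of K consecutive periods from t0: source IP -> number of
    application-layer packets carrying (dst_i, cgi_j)."""
    per_period: list[Counter[str]] = [Counter() for _ in range(k)]
    for p in pkts:
        if p.dst != dst_i or p.cgi != cgi_j:
            continue
        idx = int((p.ts - t0) // period)
        if 0 <= idx < k:
            per_period[idx][p.src] += 1
    return per_period


def meets_threshold_condition(count: int, cgi_j: str, x: int,
                              baseline: dict[str, list[int]],
                              third: int = THIRD_THRESHOLD) -> bool:
    """Preset threshold condition for period x: count >= the baseline value of
    the reference period x' mapped to x, or count >= the third threshold."""
    ref = baseline.get(cgi_j)
    if ref and count >= ref[x % len(ref)]:
        return True
    return count >= third


def detect(pkts: list[Pkt], dst_i: str, cgi_j: str, t0: float,
           baseline: dict[str, list[int]], k: int = K_PERIODS,
           period: float = PERIOD_S) -> tuple[bool, dict]:
    """Alarm for (dst_i, cgi_j) only when all indicators agree: enough null
    links, per-period volume meeting the threshold condition, and one source k
    reaching the second threshold in every period."""
    null_links = count_null_links(pkts, dst_i, t0, k * period)
    per_period = app_packets_by_period(pkts, dst_i, cgi_j, t0, k, period)
    counts = [sum(c.values()) for c in per_period]
    stage1 = null_links >= FIRST_THRESHOLD
    stage2 = all(meets_threshold_condition(n, cgi_j, x, baseline)
                 for x, n in enumerate(counts))
    dominant = [c.most_common(1)[0] if c else (None, 0) for c in per_period]
    stage3 = all(n >= SECOND_THRESHOLD for _, n in dominant)
    return stage1 and stage2 and stage3, {
        "null_links": null_links, "counts": counts, "dominant": dominant}


def build_sample_traffic(attack: bool) -> list[Pkt]:
    """Constructed packets for K periods (not a real capture): five clients on
    long-lived connections; if attack, one extra source opens 20 two-packet
    connections per period and sends 40 requests per period to /login.cgi."""
    dst, pkts = "198.51.100.10", []
    for p in range(K_PERIODS):
        base = p * PERIOD_S
        for c in range(5):
            for n in range(10):  # 10 packets per period, every second one a request
                pkts.append(Pkt(base + 5.0 * n, f"192.0.2.{c + 1}", dst, f"legit-{c}",
                                "/login.cgi" if n % 2 == 0 else None))
        if attack:
            for c in range(20):
                conn = f"slow-{p}-{c}"
                pkts.append(Pkt(base + 2.0 * c, "203.0.113.7", dst, conn, None))
                pkts.append(Pkt(base + 2.0 * c + 1.0, "203.0.113.7", dst, conn, None))
            for n in range(40):
                pkts.append(Pkt(base + 1.0 * n, "203.0.113.7", dst, "slow-app", "/login.cgi"))
    return pkts


if __name__ == "__main__":
    for attack in (False, True):
        alarm, info = detect(build_sample_traffic(attack), "198.51.100.10", "/login.cgi", 0.0, BASELINE)
        print(f"attack={attack} alarm={alarm} {info}")
```

In the benign run the per-period request volume (25) stays under the baseline slot (30) and no null links exist, so nothing fires; in the attack run the 60 two-packet connections clear the first threshold, the 65 requests per period clear the baseline, and the single source 203.0.113.7 accounts for 40 of them, so the alarm names both the server address and the CGI identifier. Tuning the hypothetical thresholds against a real baseline is the operator's job; the structure of the decision is what the example shows.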
An embodiment of the present invention further provides a computer storage medium, where the computer storage medium may store a program, and when the program is executed, the program includes some or all of the steps of any one of the application layer slow attack detection methods described in the foregoing method embodiments.
It should be noted that, for simplicity of description, the above-mentioned method embodiments are described as a series of acts or combination of acts, but those skilled in the art will recognize that the present invention is not limited by the order of acts, as some steps may occur in other orders or concurrently in accordance with the invention. Further, those skilled in the art should also appreciate that the embodiments described in the specification are preferred embodiments and that the acts and modules referred to are not necessarily required by the invention.
In the foregoing embodiments, the descriptions of the respective embodiments have respective emphasis, and for parts that are not described in detail in a certain embodiment, reference may be made to related descriptions of other embodiments.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus may be implemented in other manners. For example, the above-described embodiments of the apparatus are merely illustrative, and for example, the division of the units is only one type of division of logical functions, and there may be other divisions when actually implementing, for example, a plurality of units or components may be combined or may be integrated into another system, or some features may be omitted, or not implemented. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection of some interfaces, devices or units, and may be an electric or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. The aforementioned storage medium includes: a USB flash drive, a read-only memory (ROM), a random access memory (RAM), a removable hard disk, a magnetic or optical disk, and other media capable of storing program code.
The above-mentioned embodiments are only used for illustrating the technical solutions of the present invention, and not for limiting the same; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and the modifications or the substitutions do not make the essence of the corresponding technical solutions depart from the scope of the technical solutions of the embodiments of the present invention.

Claims (14)

1. An application layer slow attack detection method, characterized in that it comprises the following steps:
obtaining the traffic entering a server;
counting, based on the obtained traffic entering the server, the number of transport layer null links initiated to the server within a preset duration; and
if the counted number of transport layer null links is greater than or equal to a first threshold, and the counted number of application layer data packets carrying a destination internet protocol address i and a public gateway interface identifier j in the traffic entering the server in K time periods meets a preset threshold condition, raising an application layer slow attack alarm for the destination internet protocol address i and the public gateway interface identifier j, wherein the destination internet protocol address i is one of the internet protocol addresses of the server, and K is a positive integer greater than or equal to 1.
2. The method according to claim 1, wherein said raising an application layer slow attack alarm for said destination internet protocol address i and said public gateway interface identifier j comprises: when, among the application layer data packets carrying the destination internet protocol address i and the public gateway interface identifier j in the traffic entering the server in a counted time period x, the number of application layer data packets carrying a source internet protocol address k is greater than or equal to a second threshold, raising the application layer slow attack alarm for the destination internet protocol address i and the public gateway interface identifier j, wherein the time period x is any one of the K time periods.
3. The method according to claim 2, wherein, in the application layer packets carrying the destination internet protocol address i and the public gateway interface identifier j in the traffic entering the server in the time period x, the number of the application layer packets carrying the source internet protocol address k is greater than or equal to the number of the application layer packets carrying other source internet protocol addresses.
4. The method of claim 2,
and the source internet protocol address k is one of source internet protocol addresses carried by application layer data packets carrying a destination internet protocol address i and a public gateway interface identifier j in the traffic entering the server in the time period x.
5. The method according to any one of claims 1 to 4, wherein period x is any one of said K periods; wherein,
the preset threshold condition comprises: the number of application layer data packets carrying a destination internet protocol address i and a public gateway interface identifier j in the traffic entering the server in the time interval x is greater than or equal to the number of application layer data packets of a reference time interval x 'recorded in a current traffic baseline corresponding to the public gateway interface identifier j, wherein the reference time interval x' has a mapping relation with the time interval x;
or,
the preset threshold condition comprises: and the number of application layer data packets carrying the destination internet protocol address i and the public gateway interface identifier j in the traffic entering the server in the period x is greater than or equal to a third threshold value.
6. The method of any one of claims 1 to 5, wherein K is greater than or equal to 2, and the K periods are K consecutive periods or K periods in which a duration of an interval between adjacent periods is less than or equal to an interval threshold.
7. The method according to any of claims 1 to 6, wherein the transport layer null link is a transport layer link carrying a number of data packets smaller than or equal to a fourth threshold.
8. An application layer slow attack detection apparatus, comprising:
an obtaining unit, configured to obtain the traffic entering a server;
a counting unit, configured to count, based on the obtained traffic entering the server, the number of transport layer null links initiated to the server within a preset duration; and
an attack alarm unit, configured to raise an application layer slow attack alarm for a destination internet protocol address i and a public gateway interface identifier j if the number of transport layer null links counted by the counting unit is greater than or equal to a first threshold and the counted number of application layer data packets carrying the destination internet protocol address i and the public gateway interface identifier j in the traffic entering the server in K time periods meets a preset threshold condition, wherein K is a positive integer greater than or equal to 1, and the destination internet protocol address i is one of the internet protocol addresses of the server.
9. The apparatus of claim 8,
in the aspect of raising an application layer slow attack alarm for the destination internet protocol address i and the public gateway interface identifier j, the attack alarm unit is specifically configured to raise the application layer slow attack alarm for the destination internet protocol address i and the public gateway interface identifier j when, among the application layer data packets carrying the destination internet protocol address i and the public gateway interface identifier j in the traffic entering the server within a counted time period x, the number of application layer data packets carrying a source internet protocol address k is greater than or equal to a second threshold, wherein the time period x is any one of the K time periods.
10. The apparatus of claim 9,
in application layer data packets carrying a destination internet protocol address i and a public gateway interface identifier j in the traffic entering the server in the period x, the number of the application layer data packets carrying the source internet protocol address k is greater than or equal to the number of the application layer data packets carrying other source internet protocol addresses;
or,
and the source internet protocol address k is one of source internet protocol addresses carried by application layer data packets carrying a destination internet protocol address i and a public gateway interface identifier j in the traffic entering the server in the time period x.
11. The apparatus according to any one of claims 8 to 10, wherein time period x is any one of the K time periods; wherein,
the preset threshold condition comprises: the number of application layer data packets carrying a destination internet protocol address i and a public gateway interface identifier j in the traffic entering the server in the time interval x is greater than or equal to the number of application layer data packets of a reference time interval x 'recorded in a current traffic baseline corresponding to the public gateway interface identifier j, and the reference time interval x' has a mapping relation with the time interval x;
or,
the preset threshold condition comprises: and the number of application layer data packets carrying the destination internet protocol address i and the public gateway interface identifier j in the traffic entering the server in the period x is greater than or equal to a third threshold value.
12. The apparatus of any one of claims 8 to 11, wherein K is greater than or equal to 2, and the K periods are K consecutive periods or K periods in which a duration of an interval between adjacent periods is less than or equal to an interval threshold.
13. The apparatus according to any of claims 8 to 12, wherein the transport layer null link is a transport layer link carrying a number of data packets smaller than or equal to a fourth threshold.
14. A communication system, comprising:
a server and a detection device;
the detection device is configured to obtain the traffic entering the server; count, based on the obtained traffic entering the server, the number of transport layer null links initiated to the server within a preset duration; and, if the counted number of transport layer null links is greater than or equal to a first threshold and the counted number of application layer data packets carrying a destination internet protocol address i and a public gateway interface identifier j in the traffic entering the server in K time periods meets a preset threshold condition, raise an application layer slow attack alarm for the destination internet protocol address i and the public gateway interface identifier j, wherein the destination internet protocol address i is one of the internet protocol addresses of the server, and K is a positive integer greater than or equal to 1.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410640483.1A CN105591832B (en) 2014-11-13 2014-11-13 application layer slow attack detection method and related device

Publications (2)

Publication Number Publication Date
CN105591832A true CN105591832A (en) 2016-05-18
CN105591832B CN105591832B (en) 2019-12-10

Family

ID=55931089

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101465760A (en) * 2007-12-17 2009-06-24 北京启明星辰信息技术股份有限公司 Method and system for detecting abnegation service aggression
CN102438025A (en) * 2012-01-10 2012-05-02 中山大学 Indirect distributed denial of service attack defense method and system based on Web agency
CN102523202A (en) * 2011-12-01 2012-06-27 华北电力大学 Deep learning intelligent detection method for fishing webpages
CN103179132A (en) * 2013-04-09 2013-06-26 中国信息安全测评中心 Method and device for detecting and defending CC (challenge collapsar)
US20140143850A1 (en) * 2012-11-21 2014-05-22 Check Point Software Technologies Ltd. Penalty box for mitigation of denial-of-service attacks

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109474570A (en) * 2017-12-29 2019-03-15 北京安天网络安全技术有限公司 It is a kind of to detect the method and system attacked at a slow speed
CN108234516A (en) * 2018-01-26 2018-06-29 北京安博通科技股份有限公司 A kind of detection method and device of network flood attack
CN109150838A (en) * 2018-07-24 2019-01-04 湖南大学 A kind of method for comprehensive detection for Denial of Service attack at a slow speed
CN110417624A (en) * 2019-08-30 2019-11-05 腾讯科技(深圳)有限公司 Statistical method, device and the storage medium of request
CN116074083A (en) * 2023-01-28 2023-05-05 天翼云科技有限公司 Method and device for identifying slow attack, electronic equipment and storage medium
WO2024156236A1 (en) * 2023-01-28 2024-08-02 天翼云科技有限公司 Slow attack identification method and apparatus, electronic device and storage medium

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant