CN105591832B

CN105591832B - application layer slow attack detection method and related device

Info

Publication number: CN105591832B
Application number: CN201410640483.1A
Authority: CN
Inventors: 闫帅帅; 周志彬
Original assignee: Tencent Cyber Tianjin Co Ltd
Current assignee: Tencent Cyber Tianjin Co Ltd
Priority date: 2014-11-13
Filing date: 2014-11-13
Publication date: 2019-12-10
Anticipated expiration: 2034-11-13
Also published as: CN105591832A

Abstract

The embodiment of the invention discloses an application layer slow attack detection method and a related device. The method for detecting the slow attack of the application layer comprises the following steps: acquiring the flow entering a server; counting the number of transmission layer empty links initiated to the server within a preset time length based on the acquired flow entering the server; and if the counted number of the transport layer null links is greater than or equal to a first threshold value and the counted number of application layer data packets carrying a target internet protocol address i and a public gateway interface identifier j in the flow entering the server in K time periods meets a preset threshold value condition, performing application layer slow attack alarm aiming at the target internet protocol address i and the public gateway interface identifier j, wherein the target internet protocol address i is one internet protocol address of the server. The technical scheme of the embodiment of the invention is beneficial to improving the low-speed attack alarm accuracy of the application layer.

Description

application layer slow attack detection method and related device

Technical Field

The invention relates to the technical field of image processing, in particular to a slow attack detection method and a related device for an application layer.

Background

At present, network attacks occur frequently and are said to be ubiquitous. A large number of hackers and various computer viruses are hidden in the internet. For some servers providing network services, it is often difficult to provide services normally when the servers are under network attack.

The application layer slow attack is a common network attack mode, and the attack mode causes a great obstacle to the normal work of the server, so that how to accurately detect whether the server is currently attacked by the application layer slow attack at a low speed becomes important.

The inventor of the present invention finds in research and practice that the existing application layer slow attack detection algorithm generally determines whether the server is currently under the application layer slow attack only by the statistical result of the public gateway interface in the hypertext transfer protocol request, but practice finds that the false alarm rate of the detection algorithm is quite high.

Disclosure of Invention

The embodiment of the invention provides an application layer slow attack detection method and a related device, aiming at improving the application layer slow attack alarm accuracy.

A first aspect of an embodiment of the present invention provides a method for detecting a slow attack on an application layer, including:

Acquiring the flow entering a server;

Counting the number of transmission layer empty links initiated to the server within a preset time length based on the acquired flow entering the server;

If the counted number of the transport layer null links is larger than or equal to a first threshold value, and the counted number of application layer data packets carrying a target internet protocol address i and a public gateway interface identifier j in the traffic entering the server in K time periods meets a preset threshold value condition, performing application layer slow attack alarm aiming at the target internet protocol address i and the public gateway interface identifier j, wherein the target internet protocol address i is one internet protocol address of the server, and K is a positive integer larger than or equal to 1.

A second aspect of the present invention provides an application layer slow attack detection apparatus, including:

The acquisition unit is used for acquiring the flow entering the server;

the counting unit is used for counting the number of the transmission layer empty links initiated to the server within a preset time length based on the acquired flow entering the server;

And an attack warning unit, configured to perform application layer slow attack warning for a target internet protocol address i and a public gateway interface identifier j if the number of transport layer null links counted by the counting unit is greater than or equal to a first threshold and the number of application layer packets carrying the target internet protocol address i and the public gateway interface identifier j in traffic entering the server in K counted time periods meets a preset threshold condition, where K is a positive integer greater than or equal to 1, and the target internet protocol address i is one of internet protocol addresses of the server.

A third aspect of the present invention provides a communication system comprising:

A server and a detection device;

the detection device is used for acquiring the flow entering the server; counting the number of transmission layer empty links initiated to the server within a preset time length based on the acquired flow entering the server; if the counted number of the transport layer null links is larger than or equal to a first threshold value, and the counted number of application layer data packets carrying a target internet protocol address i and a public gateway interface identifier j in the traffic entering the server in K time periods meets a preset threshold value condition, performing application layer slow attack alarm aiming at the target internet protocol address i and the public gateway interface identifier j, wherein the target internet protocol address i is one internet protocol address of the server, and K is a positive integer larger than or equal to 1.

It can be seen that, the application layer slow attack detection apparatus in this embodiment counts the number of transport layer null links initiated to the server within a preset time period based on the acquired traffic entering the server, and performs an application layer slow attack alarm for a target internet protocol address i and a public gateway interface identifier j if the counted number of the transport layer null links is greater than or equal to a first threshold and the counted number of application layer data packets carrying the target internet protocol address i and the public gateway interface identifier j in the traffic entering the server within K time periods meets a preset threshold condition, wherein, since the statistical data in several aspects such as the number of the transport layer null links, the number of the application layer data packets carrying the internet protocol address i and the public gateway interface identifier j, and the like are referred together, the application layer slow attack alarm is found to be more accurately facilitated in practice, the false alarm rate is reduced, and the technical scheme is favorable for improving the low-speed attack alarm accuracy of the application layer.

Drawings

In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts.

fig. 1 is a schematic flowchart of a method for detecting slow attack at an application layer according to an embodiment of the present invention;

Fig. 2 is a schematic flow chart of another method for updating a traffic baseline according to an embodiment of the present invention;

fig. 3-a is a schematic flowchart of another method for detecting slow attack at an application layer according to an embodiment of the present invention;

Fig. 3-b is a schematic diagram of an architecture of a communication system according to an embodiment of the present invention;

Fig. 3-c is a schematic diagram of an architecture of another communication system provided by an embodiment of the present invention;

FIG. 3-d is a block diagram of a detecting apparatus according to an embodiment of the present invention;

Fig. 4-a is a schematic flowchart of another method for detecting slow attack at an application layer according to an embodiment of the present invention;

fig. 4-b is a schematic diagram of an architecture of another communication system provided by an embodiment of the present invention;

fig. 5 is a schematic diagram of an application layer slow attack detection apparatus according to an embodiment of the present invention;

Fig. 6 is a schematic diagram of another application layer slow attack detection apparatus provided in the embodiment of the present invention;

Fig. 7 is a schematic diagram of a communication system according to an embodiment of the present invention.

Detailed Description

In order to make the technical solutions of the present invention better understood, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.

The following are detailed below.

The terms "first," "second," "third," and "fourth," etc. in the description and claims of the invention and the above-described drawings are used for distinguishing between different objects and not for describing a particular order. Furthermore, the terms "include" and "have," as well as any variations thereof, are intended to cover non-exclusive inclusions. For example, a process, method, system, article, or apparatus that comprises a list of steps or elements is not limited to only those steps or elements listed, but may alternatively include other steps or elements not listed, or inherent to such process, method, article, or apparatus.

the invention discloses an embodiment of an application layer slow attack detection method. The application layer slow attack detection method comprises the following steps: acquiring the flow entering a server; counting the number of transmission layer empty links initiated to the server within a preset time length based on the acquired flow entering the server; if the counted number of the transport layer null links is larger than or equal to a first threshold value, and the counted number of application layer data packets carrying a target Internet Protocol (IP) address i and a public gateway interface identifier j in the traffic entering the server in K periods meets a preset threshold condition, performing application layer slow attack alarm on the target Internet Protocol address i and the public gateway interface identifier j, wherein the target Internet Protocol address i is one of Internet Protocol addresses of the server, and K is a positive integer larger than or equal to 1.

Referring to fig. 1, fig. 1 is a schematic flowchart of an application layer slow attack detection method according to an embodiment of the present invention. As shown in fig. 1, an application layer slow attack detection method provided by an embodiment of the present invention may include:

101. And acquiring the flow entering the server.

Wherein traffic entering the server may be obtained, for example, by a bypass manner or may be obtained by an intercept manner. Alternatively, the traffic entering the server may be directly obtained by the server itself.

For example, where the server is interconnected with a core switch, then traffic entering the server through the core switch may be obtained.

102. And counting the number of the transmission layer empty links initiated to the server within a preset time length based on the acquired flow entering the server.

The transport layer null link may be, for example, a transport layer link carrying a number of data packets smaller than or equal to a fourth threshold. For example, a transport layer link carries only a very small number of packets (e.g., only a SYN packet or three or five packets including a SYN packet), the transport layer link may be marked as a transport layer null link. That is, the fourth threshold may be, for example, equal to 1,2, 3, 4, 5, 6, 8, 10, or other values.

The preset time period may be equal to 2 minutes, 3 minutes, 5 minutes, 6 minutes, 10 minutes or other time periods.

103. And if the counted number of the transport layer null links is greater than or equal to a first threshold value and the counted number of application layer data packets carrying a target internet protocol address i and a public gateway interface identifier j in the flow entering the server in K time periods meets a preset threshold value condition, performing application layer slow attack alarm aiming at the target internet protocol address i and the public gateway interface identifier j.

wherein the first threshold may be equal to 20, 50, 100, 150, or other values, for example.

The destination internet protocol address i is one of internet protocol addresses of the server. And K is a positive integer greater than or equal to 1. For example, K is equal to 1,2, 3, 4, 6, 21, or other value.

The public gateway interface identifier j may be any one public gateway interface identifier carried by an application layer packet entering the server, or the public gateway interface identifier j may also be a specific public gateway interface identifier carried by an application layer packet entering the server.

When K is greater than or equal to 2, the K periods may be, for example, consecutive K periods or K periods in which the interval duration between adjacent periods is less than or equal to an interval threshold.

wherein the time lengths of the K time periods can be equal or partially equal or different from each other. The duration of any one of the K periods described above may be, for example, 1 minute, 2 minutes, 3 minutes, 5 minutes, 10 minutes, or other duration.

It can be seen that, the detection device in this embodiment counts the number of transport layer null links initiated to the server within a preset time period based on the acquired traffic entering the server, and performs an application layer slow attack alarm for a target internet protocol address i and a public gateway interface identifier j if the counted number of transport layer null links is greater than or equal to a first threshold and the counted number of application layer data packets carrying the target internet protocol address i and the public gateway interface identifier j in the traffic entering the server within K time periods meets a preset threshold condition. As the alarm refers to the statistics data of the number of empty links of the transmission layer, the number of application layer data packets carrying the Internet protocol address i and the public gateway interface identifier j, and the like, the practice finds that the alarm is favorable for more accurately carrying out the slow attack alarm of the application layer, and is favorable for improving the accuracy of the slow attack alarm of the application layer.

In the research process, the application layer slow attack is often mainly characterized by occupying connection, so that the reference to the statistic value of the transmission layer empty connection is beneficial to more accurately judging whether the server is attacked by the application layer slow attack.

optionally, in some possible embodiments of the present invention, the performing an application layer slow attack alarm for the destination internet protocol address i and the public gateway interface identifier j includes: and under the condition that the number of application layer data packets carrying active internet protocol addresses K in application layer data packets carrying target internet protocol addresses i and public gateway interface identifiers j in the flow entering the server in the counted time period x is greater than or equal to a second threshold value, performing application layer slow attack alarm aiming at the target internet protocol addresses i and the public gateway interface identifiers j, wherein the time period x is any one time period in the K time periods.

It can be understood that, since the number of the application layer packets carrying the active internet protocol address k among the application layer packets carrying the destination internet protocol address i and the public gateway interface identifier j in the traffic entering the server is also referred to during the alarm, the practice proves that further attention to the dimension of the source internet protocol address is beneficial to further improving the accuracy of the slow attack alarm of the application layer.

Wherein the second threshold may be equal to 20, 51, 100, 125, 150, 500, or other values, for example.

Optionally, in some possible embodiments of the present invention, in the application layer data packets carrying the destination internet protocol address i and the public gateway interface identifier j in the traffic entering the server in the time period x, the number of the application layer data packets carrying the source internet protocol address k is greater than or equal to the number of the application layer data packets carrying any other source internet protocol address. That is to say, in the application layer packets carrying the destination internet protocol address i and the public gateway interface identifier j in the traffic entering the server in the period x, the number of the application layer packets of the source internet protocol address k is not less than the number of the application layer packets carrying any other source internet protocol address.

Optionally, in some possible embodiments of the present invention, the source internet protocol address k is one of source internet protocol addresses or any one of source internet protocol addresses carried by an application layer packet carrying a destination internet protocol address i and a public gateway interface identifier j in traffic entering the server in the time period x.

Optionally, in some possible embodiments of the present invention, the preset threshold condition includes: and the number of application layer data packets carrying the destination internet protocol address i and the public gateway interface identifier j in the traffic entering the server in the period x is greater than or equal to a third threshold value.

Wherein the third threshold may be, for example, equal to 50, 90, 100, 125, 150, 300, 500, 800, or other values.

optionally, in some possible embodiments of the invention, the period x is any one period among the K periods. The preset threshold condition may include, for example: and the number of the application layer data packets carrying the destination internet protocol address i and the public gateway interface identifier j in the traffic entering the server in the time period x is greater than or equal to the number of the application layer data packets in the time period which has a mapping relation with the time period x and is recorded in the current traffic baseline corresponding to the public gateway interface identifier j.

if the number of records in the current traffic baseline corresponding to the public gateway interface identifier j is introduced into the preset threshold condition, it is equivalent to introducing a dynamic threshold, the dynamic thresholds corresponding to different time periods in different K time periods may not be the same, and the number of application layer data packets in the corresponding time period recorded in the current traffic baseline is used as the dynamic threshold, which is beneficial to more accurately determining whether the application layer slow attack may occur in the time period.

For example, assuming that the monitoring period of the traffic baseline is 1 week and the unit period length is 1 day, the number of application layer packets carrying the destination internet protocol address i and the public gateway interface identifier j in the traffic entering the server on each day in 1 week may be recorded in the current traffic baseline corresponding to the public gateway interface identifier j. For example, assuming that the time period x is monday, the number of application layer packets in the reference time period x' is the number of application layer packets in monday recorded in the current traffic baseline corresponding to the common gateway interface identifier j. For another specific example, assuming that the current time period is wednesday, the number of application layer data packets in the reference time period x' is the number of application layer data packets in wednesday recorded in the current traffic baseline corresponding to the common gateway interface identifier j.

For another example, assuming that the monitoring period of the traffic baseline is 1 day and the unit time interval length is 1 hour, the number of application layer packets carrying the destination internet protocol address i and the public gateway interface identifier j in the traffic entering the server in each hour from 0 point to 24 points in 1 day may be recorded in the traffic baseline corresponding to the public gateway interface identifier j, specifically, for example, assuming that the time interval x is from 9 points to 10 points, the number of application layer packets in the reference time interval x' is the number of application layer packets from 9 points to 10 points recorded in the current traffic baseline corresponding to the public gateway interface identifier j. For another specific example, assuming that the time period x is 13 to 14, the number of application layer packets in the reference time period x' is the number of application layer packets from 13 to 14 recorded in the current traffic baseline corresponding to the common gateway interface identifier j.

For another example, assuming that the monitoring period of the traffic baseline is 1 day and the unit time interval length is 1 minute, the number of application layer packets carrying the destination internet protocol address i and the public gateway interface identifier j in the traffic entering the server per minute from 0 point to 24 points in 1 day may be recorded in the traffic baseline corresponding to the public gateway interface identifier j. Specifically, for example, assuming that the time period x is 5 points 35 to 36 minutes, the number of application layer packets in the reference time period x' is the number of application layer packets in 5 points 35 to 36 minutes recorded in the current traffic baseline corresponding to the common gateway interface identifier j. For another specific example, assuming that the time period x is 15 points 58 to 59 minutes, the number of the application layer packets in the reference time period x' is the number of the application layer packets in 15 points 58 to 59 minutes recorded in the current traffic baseline corresponding to the common gateway interface identifier j, and so on.

For another example, assuming that the monitoring period of the traffic baseline is 1 hour and the unit period length is 1 minute, the number of application layer packets carrying the destination internet protocol address i and the public gateway interface identifier j in the traffic entering the server per minute in 1 hour may be recorded in the traffic baseline corresponding to the public gateway interface identifier j. Specifically, for example, assuming that the time period x is 35 minutes to 36 minutes, the number of application layer data packets in the reference time period x' is the number of application layer data packets in 35 minutes to 36 minutes recorded in the current traffic baseline corresponding to the common gateway interface identifier j. For another specific example, assuming that the time period x is 58 minutes to 59 minutes, the number of the application layer packets in the reference time period x' is the number of the application layer packets in 58 minutes to 59 minutes recorded in the current traffic baseline corresponding to the common gateway interface identifier j, and so on.

The following also illustrates a traffic baseline updating method.

Referring to fig. 2, fig. 2 is a schematic flow chart of another method for updating a traffic baseline according to another embodiment of the present invention. As shown in fig. 1, another embodiment of the present invention provides another method for updating a traffic baseline, which may include:

201. and calculating the variance between the number of the application layer data packets carrying the destination internet protocol address i and the public gateway interface identifier j in the flow entering the server in the current time period and the number of the application layer data packets in the first reference time period. Wherein the number of the application layer data packets of the first reference time period is the number of the application layer data packets of the reference time period which has a mapping relation with the current time period and is recorded in the current traffic baseline.

If the variance is greater than the first threshold or less than the second threshold, step 202 is performed.

If the variance is less than the first threshold and at a second threshold, step 203 is performed.

The destination internet protocol address i is one of internet protocol addresses of the server.

202. Calculating a first expected number of a current period by using the number of application layer data packets carrying a destination internet protocol address i and a public gateway interface identifier j in traffic entering the server in N history periods having a mapping relation with the current period in the latest N monitoring periods, calculating a second expected number of a first reference period by using the first expected number and the number of application layer data packets in N-1 history periods in the N history periods, updating the number of application layer data packets of the first reference period recorded in a current traffic baseline corresponding to the public gateway interface identifier j by using the second expected number, wherein the N history periods may be periods having the same sequence number as the current period in the latest N monitoring periods (for example, the current period is cycle 1, the N history periods are cycle 1 in the latest N cycles; for example, the current period is cycle 3, the N historical periods are week 3 of the last N weeks, and so on). Wherein the time difference between the N-1 history periods and the current period may be smaller than the time difference between the remaining period of the N history periods except the N-1 history periods and the current period (where, for example, the N history periods are week 1 of the last 7 weeks, the N-1 history periods may be week 1 of the last 6 weeks, and for example, assuming that the N history periods are week 1 of the last 10 weeks, the N-1 history periods may be week 1 of the last 9 weeks, and so on).

203. And calculating a third expected quantity of the first reference time period by using the quantity of the application layer data packets carrying the destination internet protocol address i and the public gateway interface identifier j in the traffic entering the server in the latest N-1 monitoring periods in the N-1 historical time periods having a mapping relation with the current time period and the quantity of the application layer data packets carrying the destination internet protocol address i and the public gateway interface identifier j in the traffic entering the server in the current time period, and updating the quantity of the application layer data packets of the first reference time period recorded in the current traffic baseline corresponding to the public gateway interface identifier j by using the third expected quantity.

For example, assuming that the monitoring period of the traffic baseline corresponding to the public gateway interface identifier j is 1 week, and the unit period length is 1 day, the number of application layer packets carrying the destination internet protocol address i and the public gateway interface identifier j in the traffic entering the server on each day of 1 week may be recorded in the current traffic baseline corresponding to the public gateway interface identifier j. For example, assuming that the time period x is monday, the number of application layer data packets of the reference time period x' mapped to the time period x is the number of application layer data packets of monday recorded in the current traffic baseline corresponding to the common gateway interface identifier j. For another example, assuming that the current time period is wednesday, the number of application layer data packets of the reference time period x' is the number of application layer data packets of wednesday recorded in the current traffic baseline corresponding to the common gateway interface identifier j.

and N is a positive integer greater than 1. For example, the N may be equal to 2, 3, 4, 7, 6, 10, 21, or other values.

the method for updating the flow baseline is a method for updating the flow baseline based on an unsupervised learning method, and by comparing the flow value in the current time interval with the flow value in the corresponding time interval of the flow baseline, the method is beneficial to eliminating the influence caused by sudden increase and sharp decrease of the flow as much as possible, and further beneficial to further improving the flexibility of flow anomaly judgment based on the flow baseline.

In order to better understand and implement the above technical solutions of the embodiments of the present invention, the following further description is provided with reference to some specific application scenarios.

referring to fig. 3-a, fig. 3-b and fig. 3-c, fig. 3-a is a schematic flow chart of an application layer slow attack detection method according to another embodiment of the present invention. The method illustrated in fig. 3-a may be embodied in the network architecture shown in fig. 3-b or fig. 3-c. As shown in fig. 3-a, another embodiment of the present invention provides an application layer slow attack detection method, which may include:

301. The detection device obtains the flow entering the server through the core switch in a bypass mode.

The detection device can be directly linked with the core switch, or the detection device can be linked with the core switch through the light splitting switch.

302. And counting the number of the transmission layer empty links initiated to the server in a preset time length by the detection device based on the acquired flow entering the server.

303. And if the counted number of the transport layer null links is greater than or equal to a first threshold value, the detection device counts the number of application layer data packets carrying a destination internet protocol address i and a public gateway interface identifier j in the flow entering the server in K time periods.

The detection device counts the number of application layer packets carrying active internet protocol addresses K in application layer packets carrying target internet protocol addresses i and public gateway interface identifiers j in flow entering the server in a time period x of K time periods. The period x is any one period among the K periods.

304. If the counted number of application layer data packets carrying the destination internet protocol address i and the public gateway interface identifier j in the traffic entering the server in K periods meets a preset threshold condition, and if the counted number of application layer data packets carrying the destination internet protocol address i and the public gateway interface identifier j in the traffic entering the server in x periods is greater than or equal to a second threshold, an application layer slow attack alarm can be performed for the destination internet protocol address i and the public gateway interface identifier j.

optionally, in some possible embodiments of the present invention, in the application layer packets carrying the destination internet protocol address i and the public gateway interface identifier j in the traffic entering the server in the time period x, the number of the application layer packets carrying the source internet protocol address k is greater than or equal to the number of the application layer packets carrying other source internet protocol addresses.

For another example, assuming that the monitoring period of the traffic baseline is 1 day and the unit time interval length is 1 hour, the number of application layer packets carrying the destination internet protocol address i and the public gateway interface identifier j in the traffic entering the server at each hour from 0 point to 24 points in 1 day may be recorded in the traffic baseline corresponding to the public gateway interface identifier j, specifically, for example, assuming that the time interval x is from 9 points to 10 points, the number of application layer packets at the reference time interval x' is the number of application layer packets from 9 points to 10 points recorded in the current traffic baseline corresponding to the public gateway interface identifier j. For another specific example, assuming that the time period x is 13 to 14, the number of application layer packets in the reference time period x' is the number of application layer packets from 13 to 14 recorded in the current traffic baseline corresponding to the common gateway interface identifier j.

For another example, assuming that the monitoring period of the traffic baseline is 1 day and the unit time interval length is 1 minute, the number of application layer packets carrying the destination internet protocol address i and the public gateway interface identifier j in the traffic entering the server per minute from 0 point to 24 points in 1 day may be recorded in the traffic baseline corresponding to the public gateway interface identifier j. Specifically, for example, assuming that the time period x is 5 points 35 to 36 minutes, the number of application layer packets in the reference time period x' is the number of application layer packets in 5 points 35 to 36 minutes recorded in the current traffic baseline corresponding to the common gateway interface identifier j. For another specific example, assuming that the time period x is 15 points 58 to 59 minutes, the number of application layer packets of the reference time period x' may be the number of application layer packets of 15 points 58 to 59 minutes recorded in the current traffic baseline corresponding to the common gateway interface identifier j, and so on.

it can be seen that, the detection apparatus in this embodiment counts the number of transport layer null links initiated to the server within a preset time period based on the obtained traffic entering the server, and if the counted number of transport layer null links is greater than or equal to a first threshold and the counted number of application layer data packets carrying a target internet protocol address i and a public gateway interface identifier j in the traffic entering the server within K time periods meets a preset threshold condition, performs an application layer slow attack alarm for the target internet protocol address i and the public gateway interface identifier j, wherein, as the number of transport layer null links and the number of application layer data packets carrying the internet protocol address i and the public gateway interface identifier j are referred to together, practice finds that it is beneficial to perform an application layer slow attack alarm more accurately, this is seen to be beneficial for improving the application layer slow attack alarm accuracy.

Further, referring to fig. 3-d, the detection apparatus may have an internal module architecture as shown in fig. 3-d, where a plurality of four-layer modules are used to count the number of transport layer null connections, a plurality of seven-layer modules are used to count the number of application layer packets carrying destination IP addresses and different public gateway interface identifiers, and count the number of application layer packets carrying different source IP addresses in the application layer packets carrying different public gateway interface identifiers, and the like, the summarizing module is used to summarize the statistical results of the four-layer modules and the seven-layer modules, and the alarm module is used to perform alarm processing of slow application layer attacks in a summarizing structure.

Referring to fig. 4-a and 4-b, fig. 4-a is a schematic flow chart of a method for detecting slow attack at application layer according to another embodiment of the present invention. The method illustrated in fig. 4-a may be embodied in the network architecture shown in fig. 4-b. As shown in fig. 4-a, another embodiment of the present invention provides an application layer slow attack detection method, which may include:

401. the server obtains traffic entering the server through the core switch.

That is, the application layer slow attack detection device is deployed in the server.

402. And the server counts the number of the transmission layer empty links initiated to the server in a preset time length based on the acquired flow entering the server.

403. And if the counted number of the transport layer null links is larger than or equal to a first threshold value, the server counts the number of application layer data packets carrying a target internet protocol address i and a public gateway interface identifier j in the flow entering the server in K time periods.

the server counts the number of application layer data packets carrying active internet protocol addresses K in application layer data packets carrying target internet protocol addresses i and public gateway interface identifiers j in flow entering the server in a time period x of K time periods. The period x is any one period among the K periods.

404. If the counted number of application layer data packets carrying the destination internet protocol address i and the public gateway interface identifier j in the traffic entering the server in K periods meets a preset threshold condition, and if the counted number of application layer data packets carrying the destination internet protocol address i and the public gateway interface identifier j in the traffic entering the server in x periods is greater than or equal to a second threshold, an application layer slow attack alarm can be performed for the destination internet protocol address i and the public gateway interface identifier j.

It can be seen that, in this embodiment, the server counts the number of transport layer null links initiated to the server within a preset time period based on the obtained traffic entering the server, and if the counted number of the transport layer null links is greater than or equal to a first threshold and the counted number of application layer data packets carrying a target internet protocol address i and a public gateway interface identifier j in the traffic entering the server within K time periods meets a preset threshold condition, an application layer slow attack alarm is performed for the target internet protocol address i and the public gateway interface identifier j, wherein, as the statistical data in several aspects such as the number of the transport layer null links, the number of the application layer data packets carrying the internet protocol address i and the public gateway interface identifier j, and the like are referred together, practice finds that the application layer slow attack alarm is more accurately performed, this is seen to be beneficial for improving the application layer slow attack alarm accuracy.

An embodiment of the present invention further provides an application layer slow attack detection apparatus 500, including:

An obtaining unit 510, configured to obtain traffic entering the server.

A counting unit 520, configured to count, based on the obtained traffic entering the server, the number of transport layer null links initiated to the server within a preset time period.

An attack warning unit 530, configured to perform an application layer slow attack warning for a destination internet protocol address i and a public gateway interface identifier j if the number of transport layer null links counted by the counting unit is greater than or equal to a first threshold and the number of application layer packets carrying the destination internet protocol address i and the public gateway interface identifier j in traffic entering the server in K counted time periods meets a preset threshold condition, where K is a positive integer greater than or equal to 1, and the destination internet protocol address i is one of internet protocol addresses of the server.

Optionally, in some possible embodiments of the present invention, in the aspect of performing application layer slow attack warning on the destination internet protocol address i and the public gateway interface identifier j, the attack warning unit is specifically configured to perform application layer slow attack warning on the destination internet protocol address i and the public gateway interface identifier j when the number of application layer packets carrying an active internet protocol address K in application layer packets carrying the destination internet protocol address i and the public gateway interface identifier j in traffic entering the server within a counted time period x is greater than or equal to a second threshold, where the time period x is any one time period among the K time periods.

alternatively, the first and second electrodes may be,

And the source internet protocol address k is one of source internet protocol addresses carried by application layer data packets carrying a destination internet protocol address i and a public gateway interface identifier j in the traffic entering the server in the time period x.

Optionally, in some possible embodiments of the present invention, the period x is any one period among the K periods; wherein the content of the first and second substances,

The preset threshold condition comprises: the number of application layer data packets carrying a destination internet protocol address i and a public gateway interface identifier j in the traffic entering the server in the time period x is greater than or equal to the number of application layer data packets of the time period which has a mapping relation with the time period x and is recorded in a current traffic baseline corresponding to the public gateway interface identifier j;

Alternatively, the first and second electrodes may be,

The preset threshold condition comprises: and the number of application layer data packets carrying the destination internet protocol address i and the public gateway interface identifier j in the traffic entering the server in the period x is greater than or equal to a third threshold value.

Optionally, in some possible embodiments of the present invention, K is greater than or equal to 2, and the K time periods are consecutive K time periods or K time periods in which an interval duration between adjacent time periods is less than or equal to an interval threshold.

Optionally, in some possible embodiments of the present invention, the transport layer null link is a transport layer link that carries a number of packets smaller than or equal to a fourth threshold.

it can be understood that the functions of the functional modules of the detection apparatus 500 of this embodiment may be specifically implemented according to the method in the foregoing method embodiment, and the specific implementation process may refer to the related description of the foregoing method embodiment, which is not described herein again.

it can be seen that, in this embodiment, the application layer slow attack detection apparatus 500 counts the number of transport layer null links initiated to the server within a preset time period based on the obtained traffic entering the server, and if the counted number of the transport layer null links is greater than or equal to a first threshold and the counted number of application layer data packets carrying a target internet protocol address i and a public gateway interface identifier j in the traffic entering the server within K time periods meets a preset threshold condition, performs an application layer slow attack alarm for the target internet protocol address i and the public gateway interface identifier j, wherein, since the number of transport layer null links and the number of application layer data packets carrying the internet protocol address i and the public gateway interface identifier j are referred to together, practice finds that it is beneficial to perform an application layer slow attack alarm more accurately, this is seen to be beneficial for improving the application layer slow attack alarm accuracy.

Referring to fig. 6, fig. 6 is a block diagram of a detecting apparatus 600 according to another embodiment of the present invention.

Wherein, the detecting device 600 may include: at least 1 processor 601, memory 605 and at least 1 communication bus 602. A communication bus 602 is used to enable connectivity communication between these components. The detection apparatus 600 optionally comprises a user interface 603, which includes a display (e.g., a touch screen, a liquid crystal display, a Holographic (english: holography) or projection (english: Projector), etc.), a pointing device (e.g., a mouse, a trackball (english: trackball) touch pad or touch screen, etc.), a camera and/or a sound pickup apparatus, etc.

the detection apparatus 600 may further include at least 1 network interface 604.

Memory 605 may comprise, among other things, read-only memory and random access memory, and provides instructions and data to processor 601. Some of the memory 605 may also include non-volatile random access memory, among others.

In some embodiments, memory 605 stores the following elements, executable modules or data structures, or a subset thereof, or an expanded set thereof:

Operating system 6051, which contains various system programs for implementing various basic services and for handling hardware-based tasks.

the application module 6052 contains various applications for implementing various application services.

In an embodiment of the present invention, the processor 601 obtains the traffic entering the server by calling a program or an instruction stored in the memory 605; counting the number of transmission layer empty links initiated to the server within a preset time length based on the acquired flow entering the server; if the counted number of the transport layer null links is larger than or equal to a first threshold value, and the counted number of application layer data packets carrying a target internet protocol address i and a public gateway interface identifier j in the traffic entering the server in K time periods meets a preset threshold value condition, performing application layer slow attack warning on the target internet protocol address i and the public gateway interface identifier j, wherein K is a positive integer larger than or equal to 1, and the target internet protocol address i is one internet protocol address of the server.

Optionally, in some possible embodiments of the present invention, in the aspect of performing an application layer slow attack alarm for the destination internet protocol address i and the public gateway interface identifier j, the processor 601 is specifically configured to perform an application layer slow attack alarm for the destination internet protocol address i and the public gateway interface identifier j when the number of application layer packets carrying an active internet protocol address K in application layer packets carrying the destination internet protocol address i and the public gateway interface identifier j in traffic entering the server within a counted time period x is greater than or equal to a second threshold, where the time period x is any one time period among the K time periods.

Optionally, in some possible embodiments of the present invention, in the application layer data packets carrying the destination internet protocol address i and the public gateway interface identifier j in the traffic entering the server in the time period x, the number of the application layer data packets carrying the source internet protocol address k is greater than or equal to the number of the application layer data packets carrying other source internet protocol addresses;

alternatively, the first and second electrodes may be,

The source internet protocol address k is one of source internet protocol addresses carried by application layer data packets carrying a destination internet protocol address i and a public gateway interface identifier j in the traffic entering the server in the time period x;

Alternatively, the first and second electrodes may be,

it can be understood that the functions of the functional modules of the detection apparatus 600 in this embodiment may be specifically implemented according to the method in the foregoing method embodiment, and the specific implementation process may refer to the related description of the foregoing method embodiment, which is not described herein again.

It can be seen that, in this embodiment, the detection apparatus 600 counts, based on the obtained traffic entering the server, the number of transport layer null links initiated to the server within a preset time period, and if the counted number of the transport layer null links is greater than or equal to a first threshold and the counted number of application layer data packets carrying a target internet protocol address i and a public gateway interface identifier j in the traffic entering the server within K time periods meets a preset threshold condition, an application layer slow attack alarm is performed for the target internet protocol address i and the public gateway interface identifier j, where, as the number of the transport layer null links and the number of the application layer data packets carrying the internet protocol address i and the public gateway interface identifier j are referred to together, practice finds that it is beneficial to perform the application layer slow attack alarm more accurately, this is seen to be beneficial for improving the application layer slow attack alarm accuracy.

Referring to fig. 7, fig. 7 is a block diagram of a communication system according to another embodiment of the present invention.

the communication system comprises a server 710 and a detection device 720.

The detecting device 720 is used for acquiring the traffic entering the server 710; counting the number of transmission layer empty links initiated to the server within a preset time length based on the acquired flow entering the server; if the counted number of the transport layer null links is larger than or equal to a first threshold value, and the counted number of application layer data packets carrying a target internet protocol address i and a public gateway interface identifier j in the traffic entering the server in K time periods meets a preset threshold value condition, performing application layer slow attack warning on the target internet protocol address i and the public gateway interface identifier j, wherein K is a positive integer larger than or equal to 1, and the target internet protocol address i is one internet protocol address of the server.

optionally, in some possible embodiments of the present invention, in the aspect of performing an application layer slow attack alarm for the destination internet protocol address i and the public gateway interface identifier j, the detection device 720 is specifically configured to perform an application layer slow attack alarm for the destination internet protocol address i and the public gateway interface identifier j when the number of application layer packets carrying an active internet protocol address K in application layer packets carrying the destination internet protocol address i and the public gateway interface identifier j in traffic entering the server within a counted time period x is greater than or equal to a second threshold, where the time period x is any one time period among the K time periods.

alternatively, the first and second electrodes may be,

Alternatively, the first and second electrodes may be,

it can be seen that, in this embodiment, the detection device 720 counts the number of transport layer null links initiated to the server within a preset time period based on the obtained traffic entering the server, and if the counted number of the transport layer null links is greater than or equal to a first threshold and the counted number of application layer data packets carrying a target internet protocol address i and a public gateway interface identifier j in the traffic entering the server within K time periods meets a preset threshold condition, performs an application layer slow attack alarm for the target internet protocol address i and the public gateway interface identifier j, wherein, as the number of the transport layer null links and the number of the application layer data packets carrying the internet protocol address i and the public gateway interface identifier j are referred to together, practice finds that it is beneficial to perform the application layer slow attack alarm more accurately, this is seen to be beneficial for improving the application layer slow attack alarm accuracy.

An embodiment of the present invention further provides a computer storage medium, where the computer storage medium may store a program, and when the program is executed, the program includes some or all of the steps of any one of the application layer slow attack detection methods described in the foregoing method embodiments.

it should be noted that, for simplicity of description, the above-mentioned method embodiments are described as a series of acts or combination of acts, but those skilled in the art will recognize that the present invention is not limited by the order of acts, as some steps may occur in other orders or concurrently in accordance with the invention. Further, those skilled in the art should also appreciate that the embodiments described in the specification are preferred embodiments and that the acts and modules referred to are not necessarily required by the invention.

in the foregoing embodiments, the descriptions of the respective embodiments have respective emphasis, and for parts that are not described in detail in a certain embodiment, reference may be made to related descriptions of other embodiments.

In the embodiments provided in the present application, it should be understood that the disclosed apparatus may be implemented in other manners. For example, the above-described embodiments of the apparatus are merely illustrative, and for example, the division of the units is only one type of division of logical functions, and there may be other divisions when actually implementing, for example, a plurality of units or components may be combined or may be integrated into another system, or some features may be omitted, or not implemented. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection of some interfaces, devices or units, and may be an electric or other form.

The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.

in addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.

The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a removable hard disk, a magnetic or optical disk, and other various media capable of storing program codes.

The above-mentioned embodiments are only used for illustrating the technical solutions of the present invention, and not for limiting the same; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and the modifications or the substitutions do not make the essence of the corresponding technical solutions depart from the scope of the technical solutions of the embodiments of the present invention.

Claims

1. An application layer slow attack detection method is characterized by comprising the following steps:

Acquiring the flow entering a server;

If the counted number of the transport layer null links is larger than or equal to a first threshold value and the counted number of application layer data packets carrying a target internet protocol address i and a public gateway interface identifier j in the traffic entering the server in K time periods meets a preset threshold value condition, performing application layer slow attack alarm aiming at the target internet protocol address i and the public gateway interface identifier j, wherein the target internet protocol address i is one internet protocol address of the server, and K is a positive integer larger than or equal to 1;

the time interval x is any one time interval in the K time intervals; wherein the preset threshold condition comprises: the number of application layer data packets carrying a destination internet protocol address i and a public gateway interface identifier j in the traffic entering the server in the time interval x is greater than or equal to the number of application layer data packets of a reference time interval x 'recorded in a current traffic baseline corresponding to the public gateway interface identifier j, wherein the reference time interval x' has a mapping relation with the time interval x; or, the preset threshold condition includes: and the number of application layer data packets carrying the destination internet protocol address i and the public gateway interface identifier j in the traffic entering the server in the period x is greater than or equal to a third threshold value.

2. the method according to claim 1, wherein said performing an application layer slow attack alarm for said destination internet protocol address i and said public gateway interface identity j comprises: and under the condition that the number of application layer data packets carrying active internet protocol addresses K in application layer data packets carrying target internet protocol addresses i and public gateway interface identifiers j in the flow entering the server in the counted time period x is greater than or equal to a second threshold value, performing application layer slow attack alarm aiming at the target internet protocol addresses i and the public gateway interface identifiers j, wherein the time period x is any one time period in the K time periods.

3. The method according to claim 2, wherein, in the application layer packets carrying the destination internet protocol address i and the public gateway interface identifier j in the traffic entering the server in the time period x, the number of the application layer packets carrying the source internet protocol address k is greater than or equal to the number of the application layer packets carrying other source internet protocol addresses.

4. The method of claim 2,

5. The method of any one of claims 1 to 4, wherein K is greater than or equal to 2, and the K periods are K consecutive periods or K periods in which a duration of an interval between adjacent periods is less than or equal to an interval threshold.

6. the method according to any of claims 1 to 4, wherein the transport layer null link is a transport layer link carrying a number of data packets smaller than or equal to a fourth threshold.

7. An application layer slow attack detection device, comprising:

The acquisition unit is used for acquiring the flow entering the server;

An attack alarm unit, configured to perform application layer slow attack alarm on a target internet protocol address i and a public gateway interface identifier j if the number of transport layer null links counted by the counting unit is greater than or equal to a first threshold and the number of application layer data packets carrying the target internet protocol address i and the public gateway interface identifier j in traffic entering the server in K counted time periods meets a preset threshold condition, where K is a positive integer greater than or equal to 1, and the target internet protocol address i is one internet protocol address of the server;

8. the apparatus of claim 7,

In the aspect of performing application layer slow attack warning for the target internet protocol address i and the public gateway interface identifier j, the attack warning unit is specifically configured to perform application layer slow attack warning for the target internet protocol address i and the public gateway interface identifier j when the number of application layer packets carrying active internet protocol addresses K in application layer packets carrying the target internet protocol address i and the public gateway interface identifier j in traffic entering the server within a counted time period x is greater than or equal to a second threshold, where the time period x is any one time period among the K time periods.

9. The apparatus of claim 8,

In application layer data packets carrying a destination internet protocol address i and a public gateway interface identifier j in the traffic entering the server in the period x, the number of the application layer data packets carrying the source internet protocol address k is greater than or equal to the number of the application layer data packets carrying other source internet protocol addresses;

alternatively, the first and second electrodes may be,

10. The apparatus of any one of claims 7 to 9, wherein K is greater than or equal to 2, and the K periods are K consecutive periods or K periods in which a duration of an interval between adjacent periods is less than or equal to an interval threshold.

11. the apparatus according to any of claims 7 to 9, wherein the transport layer null link is a transport layer link carrying a number of data packets smaller than or equal to a fourth threshold.

12. A communication system, comprising:

A server and a detection device;

The detection device is used for acquiring the flow entering the server; counting the number of transmission layer empty links initiated to the server within a preset time length based on the acquired flow entering the server; if the counted number of the transport layer null links is larger than or equal to a first threshold value and the counted number of application layer data packets carrying a target internet protocol address i and a public gateway interface identifier j in the traffic entering the server in K time periods meets a preset threshold value condition, performing application layer slow attack alarm aiming at the target internet protocol address i and the public gateway interface identifier j, wherein the target internet protocol address i is one internet protocol address of the server, and K is a positive integer larger than or equal to 1; the time interval x is any one time interval in the K time intervals; wherein the preset threshold condition comprises: the number of application layer data packets carrying a destination internet protocol address i and a public gateway interface identifier j in the traffic entering the server in the time interval x is greater than or equal to the number of application layer data packets of a reference time interval x 'recorded in a current traffic baseline corresponding to the public gateway interface identifier j, wherein the reference time interval x' has a mapping relation with the time interval x; or, the preset threshold condition includes: and the number of application layer data packets carrying the destination internet protocol address i and the public gateway interface identifier j in the traffic entering the server in the period x is greater than or equal to a third threshold value.

13. a storage medium having stored therein a computer program for executing the application-level slow attack detection method of any one of claims 1 to 6.