CN105656848A - Method and related device for detecting quick attack of application layer - Google Patents

Publication number: CN105656848A
Authority: CN (China)
Legal status: Granted
Application number: CN201410640241.2A
Other languages: Chinese (zh)
Other versions: CN105656848B (en)
Inventors: 闫帅帅, 陈虎
Current assignee: Tencent Cyber Shenzhen Co Ltd
Original assignee: Tencent Cyber Shenzhen Co Ltd
Application filed by Tencent Cyber Shenzhen Co Ltd
Priority to CN201410640241.2A
Publication of CN105656848A
Application granted
Publication of CN105656848B
Legal status: Active

Landscapes: Data Exchanges In Wide-Area Networks (AREA)
Abstract

The embodiment of the invention discloses a method and related device for detecting a quick attack of the application layer. The detection method comprises the following steps: obtaining the traffic entering a server; counting, over K time periods, the number of application-layer packets in the traffic entering the server that carry target Internet Protocol (IP) address i and Common Gateway Interface (CGI) identifier j; and, if the number of such packets counted over the K time periods meets a threshold condition, raising an application-layer quick-attack alarm for target IP address i and CGI identifier j, wherein target IP address i is one of the server's IP addresses and K is a positive integer greater than or equal to 1. The scheme of the embodiment makes it easier to improve the accuracy of application-layer quick-attack alarms.

Description

Application-layer fast-attack detection method and related device
Technical field
The present invention relates to the technical field of image processing, and in particular to an application-layer fast-attack detection method and related device.
Background technology
At present, network attacks occur frequently and can be said to be ubiquitous. The Internet harbors a large number of hackers and all kinds of computer viruses. Servers that provide network services often cannot provide service normally once they come under attack.
An application-layer fast attack is a common kind of network attack, and it severely obstructs the normal operation of a server. It is therefore very important to be able to detect quickly and accurately whether a server is currently under an application-layer fast attack.
In research and practice the inventors found that existing application-layer fast-attack detection algorithms generally judge whether a server is currently under an application-layer fast attack only from a count of the Hypertext Transfer Protocol (HTTP) requests received by the server, and practice shows that the false-alarm rate of this kind of detection algorithm is quite high.
Summary of the invention
Embodiments of the present invention provide an application-layer fast-attack detection method and related device, in order to improve the accuracy of application-layer fast-attack alarms.
A first aspect of the embodiments provides an application-layer fast-attack detection method, comprising:
obtaining the traffic entering a server;
counting, over K time periods, the number of application-layer packets in the traffic entering the server that carry target Internet Protocol (IP) address i and Common Gateway Interface (CGI) identifier j;
if the number of application-layer packets carrying target IP address i and CGI identifier j counted in the traffic entering the server over the K periods meets a preset threshold condition, raising an application-layer fast-attack alarm for target IP address i and CGI identifier j, wherein target IP address i is one of the IP addresses of the server and K is a positive integer greater than or equal to 1.
A second aspect of the embodiments provides an application-layer fast-attack detection device, comprising:
an acquiring unit, for obtaining the traffic entering a server;
a statistics unit, for counting, over K periods, the number of application-layer packets in the traffic entering the server that carry target IP address i and CGI identifier j;
an attack alarm unit, for raising an application-layer fast-attack alarm for target IP address i and CGI identifier j if the number of application-layer packets carrying target IP address i and CGI identifier j that the statistics unit counted over the K periods meets a preset threshold condition, wherein K is a positive integer greater than or equal to 1 and target IP address i is one of the IP addresses of the server.
A third aspect of the embodiments provides a communication system, comprising:
a server and a detection device;
wherein the detection device is used to obtain the traffic entering the server; count, over K periods, the number of application-layer packets in that traffic that carry target IP address i and CGI identifier j; and, if the number counted over the K periods meets a preset threshold condition, raise an application-layer fast-attack alarm for target IP address i and CGI identifier j, wherein target IP address i is one of the IP addresses of the server and K is a positive integer greater than or equal to 1.
It can be seen that in the scheme provided by the embodiments, an application-layer fast-attack alarm is raised for target IP address i and CGI identifier j when the number of application-layer packets carrying target IP address i and CGI identifier j counted in the traffic entering the server over the K periods meets the preset threshold condition. Because statistics such as the number of application-layer packets carrying IP address i and CGI identifier j are used as the reference for the alarm, practice shows that application-layer fast-attack alarms are raised more accurately, which helps improve alarm accuracy.
Accompanying drawing explanation
In order to describe the technical solutions of the embodiments of the present invention or of the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below show only some embodiments of the present invention, and those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flowchart of an application-layer fast-attack detection method provided by an embodiment of the present invention;
Fig. 2 is a flowchart of a method for updating a traffic baseline provided by another embodiment of the present invention;
Fig. 3-a is a flowchart of another application-layer fast-attack detection method provided by an embodiment of the present invention;
Fig. 3-b is an architecture diagram of a communication system provided by an embodiment of the present invention;
Fig. 3-c is an architecture diagram of another communication system provided by an embodiment of the present invention;
Fig. 3-d is a module architecture diagram of a detection device provided by an embodiment of the present invention;
Fig. 4-a is a flowchart of another application-layer fast-attack detection method provided by an embodiment of the present invention;
Fig. 4-b is an architecture diagram of a communication system provided by an embodiment of the present invention;
Fig. 5 is a schematic diagram of an application-layer fast-attack detection device provided by an embodiment of the present invention;
Fig. 6 is a schematic diagram of another application-layer fast-attack detection device provided by an embodiment of the present invention;
Fig. 7 is a schematic diagram of a communication system provided by an embodiment of the present invention.
Embodiment
Embodiments of the present invention provide an application-layer fast-attack detection method and related device, in order to improve the accuracy of application-layer fast-attack alarms.
In order to make those skilled in the art understand the solution of the present invention better, the technical solution of the embodiments is described clearly and completely below with reference to the drawings. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by those of ordinary skill in the art from the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
The terms "first", "second", "third", "fourth" and so on in the specification, claims and drawings of the present invention are used to distinguish different objects, not to describe a particular order. In addition, the terms "comprising" and "having" and any variants of them are intended to cover non-exclusive inclusion. For example, a process, method, system, product or device comprising a series of steps or units is not limited to the listed steps or units, but may optionally also comprise steps or units that are not listed, or other steps or units inherent to the process, method, product or device.
The solution is first described below from the perspective of the server.
One embodiment of the application-layer fast-attack detection method of the present invention may comprise: obtaining the traffic entering a server; counting, over K periods, the number of application-layer packets in the traffic entering the server that carry target Internet Protocol (IP) address i and Common Gateway Interface (CGI) identifier j; and, if the number of such packets counted over the K periods meets a preset threshold condition, raising an application-layer fast-attack alarm for target IP address i and CGI identifier j, where target IP address i is one of the server's IP addresses and K is a positive integer greater than or equal to 1.
See Fig. 1, a flowchart of an application-layer fast-attack detection method provided by one embodiment of the present invention. As shown in Fig. 1, the method may comprise:
101. Obtain the traffic entering the server.
The traffic entering the server may be obtained, for example, in bypass mode or in inline mode; alternatively, the server itself may obtain the traffic entering it directly.
For example, when the server is connected to a core switch, the traffic entering the server through the core switch can be obtained.
102. Count, over K periods, the number of application-layer packets in the traffic entering the server that carry target IP address i and CGI identifier j.
103. If the number of application-layer packets carrying target IP address i and CGI identifier j counted in the traffic entering the server over the K periods meets a preset threshold condition, raise an application-layer fast-attack alarm for target IP address i and CGI identifier j.
Here target IP address i is one of the server's IP addresses, and K is a positive integer greater than or equal to 1; for example, K equals 1, 2, 3, 4, 6, 21 or another value.
CGI identifier j may be the identifier of any CGI carried by the application-layer packets entering the server, or it may be one specific CGI identifier carried by those packets.
When K is greater than or equal to 2, the K periods may, for example, be K consecutive periods, or K periods in which the gap between adjacent periods is less than or equal to an interval threshold.
The K periods may all have the same length, partly the same length, or different lengths. The length of any one of the K periods may be, for example, 1 minute, 2 minutes, 3 minutes, 5 minutes, 10 minutes or another duration.
It can be seen that in this embodiment the detection device raises an application-layer fast-attack alarm for target IP address i and CGI identifier j when the number of application-layer packets carrying target IP address i and CGI identifier j counted in the traffic entering the server over the K periods meets the preset threshold condition. Because statistics such as the number of application-layer packets carrying IP address i and CGI identifier j are used as the reference for the alarm, practice shows that alarms are raised more accurately, which helps improve application-layer fast-attack alarm accuracy.
Optionally, in some possible embodiments of the present invention, raising an application-layer fast-attack alarm for target IP address i and CGI identifier j comprises: among the application-layer packets carrying target IP address i and CGI identifier j (hereafter "(i, j) packets") counted in the traffic entering the server during period x, when the number of packets carrying source IP address k is greater than or equal to a second threshold, raising the application-layer fast-attack alarm for target IP address i and CGI identifier j, where period x is any one of the K periods.
The second threshold may, for example, equal 20, 51, 100, 125, 150, 500 or another value.
It can be understood that, because the alarm also takes into account the number of packets carrying source IP address k among the (i, j) packets in the traffic entering the server, and practice has shown this, further attention to the source-IP dimension helps improve application-layer fast-attack alarm accuracy further.
Optionally, in some possible embodiments, among the (i, j) packets in the traffic entering the server during period x, the number of packets carrying source IP address k is greater than or equal to the number of packets carrying any other source IP address. That is, during period x, source IP address k contributes no fewer (i, j) packets than any other source IP address.
Optionally, in some possible embodiments, source IP address k is one of, or any one of, the source IP addresses carried by the (i, j) packets entering the server during period x.
Optionally, in some possible embodiments, the preset threshold condition comprises: the number of (i, j) packets in the traffic entering the server during period x is greater than or equal to a third threshold.
The third threshold may, for example, equal 50, 90, 100, 125, 150, 300, 500, 800 or another value.
Optionally again, in some possible embodiments, period x is any one of the K periods, and the preset threshold condition may comprise: the number of (i, j) packets in the traffic entering the server during period x is greater than or equal to the number of packets recorded, in the current traffic baseline corresponding to CGI identifier j, for the period that has a mapping relation with period x.
If the preset threshold condition refers to the number recorded in the current traffic baseline corresponding to CGI identifier j, this amounts to introducing a dynamic threshold: the dynamic thresholds corresponding to different periods among the K periods need not be the same, and using the number of packets recorded in the current traffic baseline for the corresponding period as the dynamic threshold helps judge more accurately whether an application-layer fast attack may be occurring in that period.
For example, suppose the monitoring cycle of the traffic baseline is 1 week and the unit period length is 1 day; the current traffic baseline corresponding to CGI identifier j may then record, for each day of the week, the number of (i, j) packets in the traffic entering the server. Concretely, if period x is a Monday, the number of packets of reference period x′ is the number recorded for Monday in the current traffic baseline corresponding to CGI identifier j; if the current period is a Wednesday, the number of packets of reference period x′ is the number recorded for Wednesday in that baseline.
As another example, suppose the monitoring cycle of the traffic baseline is 1 day and the unit period length is 1 hour; the traffic baseline corresponding to CGI identifier j may then record, for each hour from 0 o'clock to 24 o'clock, the number of (i, j) packets in the traffic entering the server. Concretely, if period x is 9 o'clock to 10 o'clock, the number of packets of reference period x′ is the number recorded for 9 o'clock to 10 o'clock in the current traffic baseline corresponding to CGI identifier j; if period x is 13 o'clock to 14 o'clock, it is the number recorded for 13 o'clock to 14 o'clock.
As another example, suppose the monitoring cycle of the traffic baseline is 1 day and the unit period length is 1 minute; the traffic baseline corresponding to CGI identifier j may then record, for every minute from 0 o'clock to 24 o'clock, the number of (i, j) packets in the traffic entering the server. Concretely, if period x is the 1-minute period at 5:35, the number of packets of reference period x′ is the number recorded for the 1-minute period at 5:35 in the current traffic baseline corresponding to CGI identifier j; if period x is the 1-minute period at 15:58, it is the number recorded for the 1-minute period at 15:58, and so on.
As yet another example, suppose the monitoring cycle of the traffic baseline is 1 hour and the unit period length is 1 minute; the traffic baseline corresponding to CGI identifier j may then record, for every minute of the hour, the number of (i, j) packets in the traffic entering the server. Concretely, if period x is minute 35 to minute 36, the number of packets of reference period x′ is the number recorded for minute 35 to minute 36 in the current traffic baseline corresponding to CGI identifier j; if period x is minute 58 to minute 59, it is the number recorded for minute 58 to minute 59, and so on.
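As an added worked example (not code from the patent), the following Python implements steps 101 to 103 together with the optional refinements above: per-period counts keyed by (target IP i, CGI identifier j), the static third threshold, the dynamic threshold read from the baseline slot mapped to period x, and the source-IP k check against the second threshold. The class and function names, the rule that all K periods must meet the threshold condition (the page does not fix how K periods are aggregated), and the sample traffic are assumptions.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Key = Tuple[str, str]  # (target IP address i, CGI identifier j)


@dataclass
class Packet:
    ts: float     # arrival time in seconds
    src_ip: str   # source IP address k
    dst_ip: str   # target IP address i, one of the protected server's addresses
    cgi: str      # CGI identifier j, here the requested CGI path


@dataclass
class FastAttackDetector:
    period_len: float        # length of one period in seconds (page: 1, 2, 3, 5, 10 minutes, ...)
    k: int                   # K, the number of periods examined, K >= 1
    third_threshold: int     # static per-period threshold on (i, j) packets
    second_threshold: int    # threshold on packets from the dominant source IP k
    slots_per_cycle: int     # periods in one baseline monitoring cycle (e.g. 60 minutes per hour)
    baseline: Dict[Tuple[str, int], int] = field(default_factory=dict)  # (j, slot) -> recorded count
    counts: Dict[int, Counter] = field(default_factory=lambda: defaultdict(Counter))
    src_counts: Dict[int, Dict[Key, Counter]] = field(
        default_factory=lambda: defaultdict(lambda: defaultdict(Counter)))

    def period_of(self, ts: float) -> int:
        return int(ts // self.period_len)

    def observe(self, pkt: Packet) -> None:
        """Step 102: count packets per period keyed by (i, j), and per source IP within (i, j)."""
        p = self.period_of(pkt.ts)
        key: Key = (pkt.dst_ip, pkt.cgi)
        self.counts[p][key] += 1
        self.src_counts[p][key][pkt.src_ip] += 1

    def threshold_met(self, p: int, key: Key) -> bool:
        """Preset threshold condition for period x = p: the static third threshold, or the
        dynamic threshold read from the baseline slot that period p maps to."""
        n = self.counts[p][key]
        if n >= self.third_threshold:
            return True
        recorded = self.baseline.get((key[1], p % self.slots_per_cycle))
        return recorded is not None and n >= recorded

    def dominant_source(self, p: int, key: Key) -> Tuple[Optional[str], int]:
        """Source IP k that carries the most (i, j) packets in period p, with its count."""
        per_src = self.src_counts[p].get(key)
        if not per_src:
            return None, 0
        return per_src.most_common(1)[0]

    def evaluate(self, key: Key, latest: int) -> dict:
        """Step 103 plus the source-IP refinement. Assumption: every one of the K most
        recent periods must meet the threshold condition, and the dominant source in the
        latest period must account for at least second_threshold packets."""
        periods = range(latest - self.k + 1, latest + 1)
        over = [self.threshold_met(p, key) for p in periods]
        src, src_n = self.dominant_source(latest, key)
        return {
            "alarm": all(over) and src_n >= self.second_threshold,
            "target_ip": key[0], "cgi": key[1],
            "per_period": [self.counts[p][key] for p in periods],
            "dominant_source": src, "dominant_count": src_n,
        }


def constructed_traffic() -> List[Packet]:
    """Constructed sample traffic (not from the patent): two quiet minutes, then two
    minutes in which one client floods login.cgi on top of the background."""
    pkts: List[Packet] = []
    for p in range(4):
        start = p * 60.0
        for n in range(8):   # background: 8 requests per minute from 8 different clients
            pkts.append(Packet(start + n * 7.0, f"203.0.113.{n + 1}", "10.0.0.1", "/cgi-bin/login.cgi"))
        if p >= 2:           # flood: 60 requests per minute from a single source
            for n in range(60):
                pkts.append(Packet(start + n * 0.9, "198.51.100.7", "10.0.0.1", "/cgi-bin/login.cgi"))
    return pkts


def run_demo() -> Dict[int, dict]:
    """1-minute periods, K = 2, third threshold 50, second threshold 20, and a constructed
    baseline of 10 packets per minute for login.cgi (monitoring cycle 1 hour)."""
    det = FastAttackDetector(period_len=60.0, k=2, third_threshold=50, second_threshold=20,
                             slots_per_cycle=60,
                             baseline={("/cgi-bin/login.cgi", s): 10 for s in range(60)})
    for pkt in constructed_traffic():
        det.observe(pkt)
    key: Key = ("10.0.0.1", "/cgi-bin/login.cgi")
    return {p: det.evaluate(key, p) for p in range(1, 4)}


if __name__ == "__main__":
    for p, verdict in run_demo().items():
        print(f"period {p}: {verdict}")
```

With K = 2 the alarm is only raised at period 3, when both period 2 and period 3 exceed the threshold and the dominant source alone accounts for 60 of the 68 packets.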
A method for updating the traffic baseline is also described below.
See Fig. 2, a flowchart of a method for updating a traffic baseline provided by another embodiment of the present invention. As shown in Fig. 1, the method may comprise:
201. Calculate the variance between the number of application-layer packets carrying target IP address i and CGI identifier j (hereafter "(i, j) packets") in the traffic entering the server during the current period and the number of packets of a first reference period, where the number of packets of the first reference period is the number recorded in the current traffic baseline for the reference period that has a mapping relation with the current period.
If the variance is greater than a first threshold or less than a second threshold, perform step 202.
If the variance lies between the second threshold and the first threshold, perform step 203.
202. Using the numbers of (i, j) packets entering the server during the N history periods in the most recent N monitoring cycles that have a mapping relation with the current period, calculate a first expected number for the current period; then, using the first expected number together with the numbers of packets of N-1 of those N history periods, calculate a second expected number for the first reference period; and update the number of packets of the first reference period recorded in the current traffic baseline corresponding to CGI identifier j with the second expected number. The N history periods may be the periods with the same sequence number as the current period in the most recent N monitoring cycles (for example, if the current period is a Monday, the N history periods are the Mondays of the most recent N weeks; if the current period is a Wednesday, they are the Wednesdays of the most recent N weeks, and so on). The time difference between each of the N-1 history periods and the current period may be smaller than the time difference between the remaining history period (the one of the N not among the N-1) and the current period (for example, if the N history periods are the Mondays of the most recent 7 weeks, the N-1 history periods may be the Mondays of the most recent 6 weeks; if the N history periods are the Mondays of the most recent 10 weeks, the N-1 history periods may be the Mondays of the most recent 9 weeks, and so on).
203. Using the numbers of (i, j) packets entering the server during the N-1 history periods in the most recent N-1 monitoring cycles that have a mapping relation with the current period, together with the number of (i, j) packets entering the server during the current period, calculate a third expected number for the first reference period, and update the number of packets of the first reference period recorded in the current traffic baseline corresponding to CGI identifier j with the third expected number.
For example, suppose the monitoring cycle of the traffic baseline corresponding to CGI identifier j is 1 week and the unit period length is 1 day; the current traffic baseline corresponding to CGI identifier j may then record, for each day of the week, the number of (i, j) packets in the traffic entering the server. Concretely, if period x is a Monday, the number of packets of the reference period x′ that has a mapping relation with period x is the number recorded for Monday in the current traffic baseline corresponding to CGI identifier j; if the current period is a Wednesday, the number of packets of reference period x′ is the number recorded for Wednesday in that baseline.
N is a positive integer greater than 1; for example, N may equal 2, 3, 4, 7, 6, 10, 21 or another value.
It can be seen that the above traffic baseline update method is based on an unsupervised learning method: by comparing the traffic of the current period with the value recorded for the corresponding period in the traffic baseline, it helps eliminate, as far as possible, the influence of sudden surges and drops in traffic, and thus helps further improve the flexibility of traffic-anomaly judgement based on the traffic baseline.
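As an added example (not the patent's own code), the following Python carries steps 201 to 203 through on constructed numbers for a weekly baseline with 1-day periods and N = 4. Two points are assumptions because the page gives no formulas: the "variance" of step 201 is taken as the signed difference between the current count and the first reference count, bounded above by the first threshold and below by the second, and each "expected number" is the arithmetic mean of the numbers it is computed from.

```python
from statistics import mean
from typing import Dict, List, Tuple

# Baseline: (CGI identifier j, period slot) -> recorded packet count for that slot.
Baseline = Dict[Tuple[str, str], float]


def deviation(current: int, reference: float) -> float:
    """Step 201. Assumption: the page's 'variance' between the current period's count
    and the first reference period's count is taken as the signed difference."""
    return current - reference


def update_baseline(baseline: Baseline, cgi: str, slot: str, current: int,
                    history: List[int], first_threshold: float,
                    second_threshold: float) -> Tuple[str, float]:
    """Update the baseline entry for (cgi, slot) after observing `current`.

    history: counts of the N history periods mapped to `slot` in the most recent
    N monitoring cycles, oldest first, so history[1:] are the N-1 most recent ones
    (the ones closest in time to the current period).
    Returns (step taken, new baseline value).
    Assumption: each 'expected number' is the mean of the numbers it is computed from.
    """
    if len(history) < 2:
        raise ValueError("N must be greater than 1")
    reference = baseline[(cgi, slot)]           # number of packets of the first reference period
    d = deviation(current, reference)
    recent = history[1:]                        # the N-1 most recent history periods
    if d > first_threshold or d < second_threshold:
        # Step 202: a surge or plunge; do not trust the current count.
        first_expected = mean(history)          # expected number for the current period
        second_expected = mean(recent + [first_expected])
        baseline[(cgi, slot)] = second_expected
        return "202", second_expected
    # Step 203: the current period is plausible, so fold it into the estimate.
    third_expected = mean(recent + [current])
    baseline[(cgi, slot)] = third_expected
    return "203", third_expected


def run_demo() -> Dict[str, Tuple[str, float]]:
    """Constructed scenario (not from the patent): weekly cycle, 1-day periods, N = 4."""
    cgi, slot = "/cgi-bin/login.cgi", "Monday"
    history = [960, 1000, 1010, 1030]           # last four Mondays, oldest first (mean 1000)
    results: Dict[str, Tuple[str, float]] = {}
    # Surge: 5200 requests this Monday against a recorded 1000, outside the band -> step 202.
    surge_base: Baseline = {(cgi, slot): 1000}
    results["surge"] = update_baseline(surge_base, cgi, slot, 5200, history,
                                       first_threshold=300, second_threshold=-300)
    # Plausible Monday: 1040 requests, inside the band -> step 203.
    normal_base: Baseline = {(cgi, slot): 1000}
    results["normal"] = update_baseline(normal_base, cgi, slot, 1040, history,
                                        first_threshold=300, second_threshold=-300)
    return results


if __name__ == "__main__":
    for name, (step, value) in run_demo().items():
        print(f"{name}: step {step} -> new baseline {value}")
```

In the surge case the 5200-request Monday never reaches the baseline, which is refreshed only from history (1010); in the plausible case the current count is averaged in (1020), which is how the page's method keeps a single abnormal period from distorting the dynamic threshold.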
To make the technical solution of the embodiments easier to understand and implement, it is further described below with reference to some specific application scenarios.
Referring to Fig. 3-a, Fig. 3-b and Fig. 3-c: Fig. 3-a is a flow diagram of an application-layer fast-attack detection method provided by another embodiment of the invention. The method of Fig. 3-a may be implemented in the network architecture shown in Fig. 3-b or Fig. 3-c. As shown in Fig. 3-a, the method may comprise:
301. The detection device obtains, in bypass mode, the traffic that enters the server through the core switch.
The detection device may be connected directly to the core switch, or it may be connected to the core switch through an optical splitter.
302. The detection device counts, over K periods, the number of application-layer packets in the traffic entering the server that carry target IP address i and CGI identifier j; and, among the packets carrying target IP address i and CGI identifier j that entered the server in period x, it counts the number carrying source IP address k. Period x is any one of the K periods.
303. If the number of application-layer packets carrying target IP address i and CGI identifier j that entered the server in the K periods, as counted by the detection device, meets the preset threshold condition, and, among the packets carrying target IP address i and CGI identifier j that entered the server in period x, the counted number carrying source IP address k is greater than or equal to the second threshold, the detection device may raise an application-layer fast-attack alarm for target IP address i and CGI identifier j.
Target IP address i is one of the server's IP addresses. K is a positive integer greater than or equal to 1; for example, K may be 1, 2, 3, 4, 6, 21 or another value.
When K is greater than or equal to 2, the K periods may, for example, be K consecutive periods, or K periods in which the gap between adjacent periods is less than or equal to an interval threshold.
The K periods may all have the same length, partly the same length, or different lengths. Any one of the K periods may, for example, last 1 minute, 2 minutes, 3 minutes, 5 minutes, 10 minutes or another duration.
The second threshold may, for example, be 20, 51, 100, 125, 150, 500 or another value.
Optionally, in some possible embodiments of the invention, among the application-layer packets carrying target IP address i and CGI identifier j that entered the server in period x, the number carrying source IP address k is greater than or equal to the number carrying any other single source IP address. That is, among those packets, no other source IP address contributed more packets than source IP address k did.
Optionally, in some possible embodiments of the invention, source IP address k is one of, or any one of, the source IP addresses carried by the application-layer packets carrying target IP address i and CGI identifier j that entered the server in period x.
Optionally, in some possible embodiments of the invention, the preset threshold condition comprises: the number of application-layer packets carrying target IP address i and CGI identifier j that entered the server in period x is greater than or equal to a third threshold.
The third threshold may, for example, be 50, 90, 100, 125, 150, 300, 500, 800 or another value.
Optionally, in some possible embodiments of the invention, period x is any one of the K periods, and the preset threshold condition may comprise: the number of application-layer packets carrying target IP address i and CGI identifier j that entered the server in period x is greater than or equal to the packet count recorded, in the current traffic baseline corresponding to CGI identifier j, for the period that has a mapping relation with period x.
When the preset threshold condition refers to the counts recorded in the current baseline for CGI identifier j, this amounts to introducing a dynamic threshold: the dynamic thresholds of different periods among the K periods need not be identical, and using the count recorded in the current baseline for the corresponding period as the dynamic threshold helps to judge more accurately whether an application-layer fast attack may be occurring in that period.
For example, assume that the monitoring period of the baseline is 1 week and the unit period length is 1 day. The current baseline corresponding to CGI identifier j then records, for each day of the week, the number of application-layer packets carrying target IP address i and CGI identifier j that entered the server. Concretely, if period x is a Monday, the packet count of reference period x' is the Monday count recorded in the current baseline for CGI identifier j; if the current period is a Wednesday, the packet count of reference period x' is the Wednesday count recorded in that baseline.
As another example, assume that the monitoring period of the baseline is 1 day and the unit period length is 1 hour. The baseline corresponding to CGI identifier j then records, for each hour from 0:00 to 24:00 of the day, the number of application-layer packets carrying target IP address i and CGI identifier j that entered the server. Concretely, if period x is 9:00 to 10:00, the packet count of reference period x' is the 9:00-to-10:00 count recorded in the current baseline for CGI identifier j; if period x is 13:00 to 14:00, the packet count of reference period x' is the 13:00-to-14:00 count recorded in that baseline.
As another example, assume that the monitoring period of the baseline is 1 day and the unit period length is 1 minute. The baseline corresponding to CGI identifier j then records, for each minute from 0:00 to 24:00 of the day, the number of application-layer packets carrying target IP address i and CGI identifier j that entered the server. Concretely, if period x is the 1-minute period at 5:35, the packet count of reference period x' is the count recorded for 5:35 in the current baseline for CGI identifier j; if period x is the 1-minute period at 15:58, the packet count of reference period x' may be the count recorded for 15:58 in that baseline, and so on.
As yet another example, assume that the monitoring period of the baseline is 1 hour and the unit period length is 1 minute. The baseline corresponding to CGI identifier j then records, for each minute of the hour, the number of application-layer packets carrying target IP address i and CGI identifier j that entered the server. Concretely, if period x is minute 35 to minute 36, the packet count of reference period x' is the count recorded for minute 35 to 36 in the current baseline for CGI identifier j; if period x is minute 58 to minute 59, the packet count of reference period x' is the count recorded for minute 58 to 59 in that baseline, and so on.
It can be seen that, in this embodiment, the detection device raises an application-layer fast-attack alarm for target IP address i and CGI identifier j once the number of application-layer packets carrying target IP address i and CGI identifier j that entered the server in the K periods meets the preset threshold condition. Because the alarm decision refers to statistics such as the number of packets carrying IP address i and CGI identifier j, practice shows that alarms are raised more accurately, which improves the accuracy of application-layer fast-attack alarms.
It will be appreciated that, because the alarm decision also refers to the number of packets carrying source IP address k among the packets carrying target IP address i and CGI identifier j that entered the server, practice shows that this additional attention to the source-IP-address dimension further improves the accuracy of application-layer fast-attack alarms.
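The counting and alarm logic of steps 302 and 303, the static (third threshold) and dynamic (current baseline) forms of the preset threshold condition, and the period-to-reference-period mapping from the baseline examples above, as an added Python example that is not part of the patent and is not the applicant's implementation. The target address 198.51.100.10, the CGI identifier "login.cgi", the source addresses, the packet timestamps and the baseline counts are all constructed for this illustration; a 1-minute period length, K = 2 consecutive periods, a second threshold of 20 and third thresholds of 50 and 100 are chosen from the value ranges the description lists.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample traffic (not real captures): (timestamp, source IP, target IP, CGI id).
# 198.51.100.10 stands in for target IP address i (one of the server's addresses) and
# "login.cgi" for CGI identifier j; both are hypothetical labels chosen for this example.
TARGET_IP = "198.51.100.10"
CGI_ID = "login.cgi"
ONE_MINUTE = timedelta(minutes=1)
T0 = datetime(2024, 1, 1, 15, 58)          # start of the 1-minute period 15:58 (a Monday)
PERIODS = [T0, T0 + ONE_MINUTE]            # K = 2 consecutive periods: 15:58 and 15:59

def burst(start, src, n, spacing_s, cgi=CGI_ID):
    """Build n packets from one source, spacing_s seconds apart (sample-data helper)."""
    return [(start + timedelta(seconds=k * spacing_s), src, TARGET_IP, cgi) for k in range(n)]

SAMPLE_PACKETS = (
    burst(T0, "203.0.113.7", 60, 1)                       # one source floods login.cgi in 15:58
    + burst(T0, "203.0.113.8", 5, 10)                     # a lighter second source in 15:58
    + [p for s in range(10)                               # 15:59: ten sources, one packet each
       for p in burst(T0 + ONE_MINUTE + timedelta(seconds=5 * s), f"192.0.2.{s}", 1, 1)]
    + burst(T0, "203.0.113.9", 30, 2, cgi="search.cgi")   # other CGI id: must not be counted
)

# Constructed current baseline for CGI id "login.cgi": monitoring period 1 day, unit period
# 1 minute, so a slot is (hour, minute). Only the two slots this example needs are filled.
BASELINE = {CGI_ID: {(15, 58): 40, (15, 59): 40}}

def reference_period(x, monitoring, unit):
    """Map period x to the baseline slot of its reference period x' for the four
    (monitoring period, unit period) layouts the description gives as examples."""
    if (monitoring, unit) == ("week", "day"):
        return x.weekday()            # Monday maps to the Monday slot (0)
    if (monitoring, unit) == ("day", "hour"):
        return x.hour                 # 9:00-10:00 maps to slot 9
    if (monitoring, unit) == ("day", "minute"):
        return (x.hour, x.minute)     # 15:58 maps to slot (15, 58)
    if (monitoring, unit) == ("hour", "minute"):
        return x.minute               # minute 35-36 maps to slot 35
    raise ValueError(f"unsupported baseline layout {monitoring}/{unit}")

def period_key(ts, period_len):
    """Floor a timestamp to the start of its counting period (whole minutes dividing 60)."""
    mins = int(period_len.total_seconds() // 60)
    if mins <= 0 or 60 % mins:
        raise ValueError("period length must be 1, 2, 3, 5, 10, ... minutes")
    return ts.replace(minute=ts.minute - ts.minute % mins, second=0, microsecond=0)

def periods_well_formed(periods, period_len, gap_threshold):
    """K >= 2 periods must be consecutive or separated by gaps of at most gap_threshold."""
    for a, b in zip(periods, periods[1:]):
        gap = b - (a + period_len)
        if gap < timedelta(0) or gap > gap_threshold:
            return False
    return True

def count_in_periods(packets, target_ip, cgi_id, period_len):
    """Step 302: per period, the number of packets carrying (target_ip, cgi_id) and,
    among them, a per-source breakdown."""
    totals = Counter()
    per_source = defaultdict(Counter)
    for ts, src, dst, cgi in packets:
        if dst != target_ip or cgi != cgi_id:
            continue
        x = period_key(ts, period_len)
        totals[x] += 1
        per_source[x][src] += 1
    return totals, per_source

def threshold_condition(count, x, cgi_id, third_threshold=None, baseline=None,
                        monitoring="day", unit="minute"):
    """Preset threshold condition for period x: dynamic form (count >= the count the
    current baseline records for reference period x') when a baseline is given,
    otherwise the static form (count >= third threshold)."""
    if baseline is not None:
        return count >= baseline[cgi_id][reference_period(x, monitoring, unit)]
    if third_threshold is not None:
        return count >= third_threshold
    raise ValueError("need a third threshold or a baseline")

def detect(packets, target_ip, cgi_id, periods, second_threshold, **threshold_kwargs):
    """Step 303: alarm for (target_ip, cgi_id) on the first period x in which the threshold
    condition holds and the busiest source k sent at least second_threshold packets."""
    period_len = threshold_kwargs.pop("period_len", ONE_MINUTE)
    totals, per_source = count_in_periods(packets, target_ip, cgi_id, period_len)
    for x in periods:
        if not per_source[x] or not threshold_condition(totals[x], x, cgi_id, **threshold_kwargs):
            continue
        src_k, n_k = per_source[x].most_common(1)[0]   # source with the largest share in x
        if n_k >= second_threshold:
            return {"alarm": True, "target_ip": target_ip, "cgi_id": cgi_id, "period": x,
                    "count": totals[x], "source_ip": src_k, "source_count": n_k}
    return {"alarm": False, "target_ip": target_ip, "cgi_id": cgi_id}

if __name__ == "__main__":
    assert periods_well_formed(PERIODS, ONE_MINUTE, timedelta(0))
    print(detect(SAMPLE_PACKETS, TARGET_IP, CGI_ID, PERIODS, second_threshold=20, baseline=BASELINE))
    print(detect(SAMPLE_PACKETS, TARGET_IP, CGI_ID, PERIODS, second_threshold=20, third_threshold=100))
```

With the constructed data, the 15:58 period holds 65 packets for the pair (target, "login.cgi"), 60 of them from one source, so the dynamic condition (65 ≥ 40) and the source condition (60 ≥ 20) both hold and an alarm is raised, while a static third threshold of 100 suppresses it. Two practical points the description implies: the dynamic form needs a baseline slot for every reference period x' (the example raises KeyError rather than silently defaulting), and a baseline slot recorded as 0 for a quiet period makes the dynamic condition true for a single packet, leaving the second threshold on source k as the only guard, so baselines fed into this check should be bounded below in deployment.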
Further, referring to Fig. 3-d, the detection device may have the module architecture shown in Fig. 3-d: a number of Layer-7 modules count the application-layer packets carrying the target IP address together with different CGI identifiers, and also count, among the packets carrying the different CGI identifiers, the number carrying each different source IP address; a summarizing module aggregates the statistics of each Layer-4 module and Layer-7 module; and an alarm module performs the application-layer fast-attack alarm processing on the aggregated result.
Referring to Fig. 4-a and Fig. 4-b: Fig. 4-a is a flow diagram of an application-layer fast-attack detection method provided by another embodiment of the invention. The method of Fig. 4-a may be implemented in the network architecture shown in Fig. 4-b. As shown in Fig. 4-a, the method may comprise:
401. The server obtains the traffic that enters the server through the core switch.
That is, the application-layer fast-attack detection device is deployed within the server.
402. The server counts, over K periods, the number of application-layer packets in the traffic entering the server that carry target IP address i and CGI identifier j; and, among the packets carrying target IP address i and CGI identifier j that entered the server in period x, it counts the number carrying source IP address k. Period x is any one of the K periods.
403. If the number of application-layer packets carrying target IP address i and CGI identifier j that entered the server in the K periods, as counted by the server, meets the preset threshold condition, and, among the packets carrying target IP address i and CGI identifier j that entered the server in period x, the counted number carrying source IP address k is greater than or equal to the second threshold, the server may raise an application-layer fast-attack alarm for target IP address i and CGI identifier j.
Target IP address i is one of the server's IP addresses. K is a positive integer greater than or equal to 1; for example, K may be 1, 2, 3, 4, 6, 21 or another value.
When K is greater than or equal to 2, the K periods may, for example, be K consecutive periods, or K periods in which the gap between adjacent periods is less than or equal to an interval threshold.
The K periods may all have the same length, partly the same length, or different lengths. Any one of the K periods may, for example, last 1 minute, 2 minutes, 3 minutes, 5 minutes, 10 minutes or another duration.
The second threshold may, for example, be 20, 51, 100, 125, 150, 500 or another value.
Optionally, in some possible embodiments of the invention, among the application-layer packets carrying target IP address i and CGI identifier j that entered the server in period x, the number carrying source IP address k is greater than or equal to the number carrying any other single source IP address. That is, among those packets, no other source IP address contributed more packets than source IP address k did.
Optionally, in some possible embodiments of the invention, source IP address k is one of, or any one of, the source IP addresses carried by the application-layer packets carrying target IP address i and CGI identifier j that entered the server in period x.
Optionally, in some possible embodiments of the invention, the preset threshold condition comprises: the number of application-layer packets carrying target IP address i and CGI identifier j that entered the server in period x is greater than or equal to a third threshold.
The third threshold may, for example, be 50, 90, 100, 125, 150, 300, 500, 800 or another value.
Optionally, in some possible embodiments of the invention, period x is any one of the K periods, and the preset threshold condition may comprise: the number of application-layer packets carrying target IP address i and CGI identifier j that entered the server in period x is greater than or equal to the packet count recorded, in the current traffic baseline corresponding to CGI identifier j, for the period that has a mapping relation with period x.
When the preset threshold condition refers to the counts recorded in the current baseline for CGI identifier j, this amounts to introducing a dynamic threshold: the dynamic thresholds of different periods among the K periods need not be identical, and using the count recorded in the current baseline for the corresponding period as the dynamic threshold helps to judge more accurately whether an application-layer fast attack may be occurring in that period.
For example, assume that the monitoring period of the baseline is 1 week and the unit period length is 1 day. The current baseline corresponding to CGI identifier j then records, for each day of the week, the number of application-layer packets carrying target IP address i and CGI identifier j that entered the server. Concretely, if period x is a Monday, the packet count of reference period x' is the Monday count recorded in the current baseline for CGI identifier j; if the current period is a Wednesday, the packet count of reference period x' is the Wednesday count recorded in that baseline.
As another example, assume that the monitoring period of the baseline is 1 day and the unit period length is 1 hour. The baseline corresponding to CGI identifier j then records, for each hour from 0:00 to 24:00 of the day, the number of application-layer packets carrying target IP address i and CGI identifier j that entered the server. Concretely, if period x is 9:00 to 10:00, the packet count of reference period x' is the 9:00-to-10:00 count recorded in the current baseline for CGI identifier j; if period x is 13:00 to 14:00, the packet count of reference period x' is the 13:00-to-14:00 count recorded in that baseline.
As another example, assume that the monitoring period of the baseline is 1 day and the unit period length is 1 minute. The baseline corresponding to CGI identifier j then records, for each minute from 0:00 to 24:00 of the day, the number of application-layer packets carrying target IP address i and CGI identifier j that entered the server. Concretely, if period x is the 1-minute period at 5:35, the packet count of reference period x' is the count recorded for 5:35 in the current baseline for CGI identifier j; if period x is the 1-minute period at 15:58, the packet count of reference period x' may be the count recorded for 15:58 in that baseline, and so on.
As yet another example, assume that the monitoring period of the baseline is 1 hour and the unit period length is 1 minute. The baseline corresponding to CGI identifier j then records, for each minute of the hour, the number of application-layer packets carrying target IP address i and CGI identifier j that entered the server. Concretely, if period x is minute 35 to minute 36, the packet count of reference period x' is the count recorded for minute 35 to 36 in the current baseline for CGI identifier j; if period x is minute 58 to minute 59, the packet count of reference period x' is the count recorded for minute 58 to 59 in that baseline, and so on.
It can be seen that, in this embodiment, the server raises an application-layer fast-attack alarm for target IP address i and CGI identifier j once the number of application-layer packets carrying target IP address i and CGI identifier j that entered the server in the K periods meets the preset threshold condition. Because the alarm decision refers to statistics such as the number of packets carrying IP address i and CGI identifier j, practice shows that alarms are raised more accurately, which improves the accuracy of application-layer fast-attack alarms.
It will be appreciated that, because the alarm decision also refers to the number of packets carrying source IP address k among the packets carrying target IP address i and CGI identifier j that entered the server, practice shows that this additional attention to the source-IP-address dimension further improves the accuracy of application-layer fast-attack alarms.
An embodiment of the invention also provides an application-layer fast-attack detection device 500, comprising:
an acquiring unit 510, for obtaining the traffic entering the server;
a statistics unit 520, for counting the number of application-layer packets carrying target IP address i and CGI identifier j in the traffic entering the server in K periods; and
an attack alarm unit 530, for raising an application-layer fast-attack alarm for target IP address i and CGI identifier j if the counted number of application-layer packets carrying target IP address i and CGI identifier j in the traffic entering the server in the K periods meets the preset threshold condition, where K is a positive integer greater than or equal to 1 and target IP address i is one of the server's IP addresses.
Optionally, in some possible embodiments of the invention, when raising the application-layer fast-attack alarm for target IP address i and CGI identifier j, the attack alarm unit is specifically configured to raise the alarm when, among the application-layer packets carrying target IP address i and CGI identifier j that entered the server in period x, the counted number carrying source IP address k is greater than or equal to the second threshold, period x being any one of the K periods.
Optionally, in some possible embodiments of the invention, among the application-layer packets carrying target IP address i and CGI identifier j that entered the server in period x, the number carrying source IP address k is greater than or equal to the number carrying any other source IP address;
or,
source IP address k is one of the source IP addresses carried by the application-layer packets carrying target IP address i and CGI identifier j that entered the server in period x.
Optionally, in some possible embodiments of the invention, period x is any one of the K periods, and:
the preset threshold condition comprises: the number of application-layer packets carrying target IP address i and CGI identifier j that entered the server in period x is greater than or equal to the packet count recorded, in the current traffic baseline corresponding to CGI identifier j, for the period that has a mapping relation with period x;
or,
the preset threshold condition comprises: the number of application-layer packets carrying target IP address i and CGI identifier j that entered the server in period x is greater than or equal to the third threshold.
Optionally, in some possible embodiments of the invention, K is greater than or equal to 2, and the K periods are K consecutive periods, or K periods in which the gap between adjacent periods is less than or equal to an interval threshold.
It should be understood that the functions of the functional modules of the detection device 500 of this embodiment may be implemented according to the methods in the foregoing method embodiments; for their specific implementation, reference may be made to the related description of those embodiments, which is not repeated here.
It can be seen that, in this embodiment, the detection device 500 raises an application-layer fast-attack alarm for target IP address i and CGI identifier j once the number of application-layer packets carrying target IP address i and CGI identifier j that entered the server in the K periods meets the preset threshold condition. Because the alarm decision refers to statistics such as the number of packets carrying IP address i and CGI identifier j, practice shows that alarms are raised more accurately, which improves the accuracy of application-layer fast-attack alarms.
Referring to Fig. 6, Fig. 6 is a structural block diagram of a detection device 600 provided by another embodiment of the invention.
Detection device 600 may comprise at least one processor 601, a memory 605 and at least one communication bus 602. Communication bus 602 implements the connection and communication between these components. Detection device 600 optionally comprises a user interface 603, which may comprise a display (for example a touch screen, a liquid-crystal display, holographic imaging or a projector), a pointing device (for example a mouse, a trackball, a touch-sensitive pad or a touch screen), a camera and/or a sound pickup device.
Detection device 600 may also comprise at least one network interface 604.
Memory 605 may comprise read-only memory and random-access memory, and provides instructions and data to processor 601. Part of memory 605 may also comprise non-volatile random-access memory.
In some embodiments, memory 605 stores the following elements, executable modules or data structures, or a subset or an extended set of them:
an operating system 6051, comprising various system programs for implementing basic services and handling hardware-based tasks;
an application program module 6052, comprising various application programs for implementing various application services.
In embodiments of the invention, by calling the programs or instructions stored in memory 605, processor 601 obtains the traffic entering the server; counts the number of application-layer packets carrying target IP address i and CGI identifier j in the traffic entering the server in K periods; and, if the counted number of application-layer packets carrying target IP address i and CGI identifier j that entered the server in the K periods meets the preset threshold condition, raises an application-layer fast-attack alarm for target IP address i and CGI identifier j, where K is a positive integer greater than or equal to 1 and target IP address i is one of the server's IP addresses.
Optionally, in some possible embodiments of the invention, when raising the application-layer fast-attack alarm for target IP address i and CGI identifier j, processor 601 is specifically configured to raise the alarm when, among the application-layer packets carrying target IP address i and CGI identifier j that entered the server in period x, the counted number carrying source IP address k is greater than or equal to the second threshold, period x being any one of the K periods.
Optionally, in some possible embodiments of the invention, among the application-layer packets carrying target IP address i and CGI identifier j that entered the server in period x, the number carrying source IP address k is greater than or equal to the number carrying any other source IP address;
or,
source IP address k is one of the source IP addresses carried by the application-layer packets carrying target IP address i and CGI identifier j that entered the server in period x.
Optionally, in some possible enforcement modes of the present invention, period x is any one period among described K the period; Wherein,
Described preset threshold condition comprises: the quantity entering the application layer data bag carrying object internetwork-ing agreement address i and CGI (Common Gateway Interface) mark j in the flow of described server in described period x, is greater than or equal to the quantity identifying the application layer data bag of the period with described period x with mapping relation of record in present flow rate baseline corresponding to j with described CGI (Common Gateway Interface);
Or,
Described preset threshold condition comprises: the quantity entering the application layer data bag carrying object internetwork-ing agreement address i and CGI (Common Gateway Interface) mark j in the flow of described server in described period x is greater than or equal to the 3rd threshold value.
Optionally, in some possible enforcement modes of the present invention, described K is greater than or equal to 2, and described K the period is K period of continuous print or described K period when being the interval between adjacent time interval, and length is less than or equals K the period of interval threshold.
It should be appreciated that the function of each function module of the detection device 600 of the present embodiment can according to the method specific implementation in aforesaid method embodiment, its specific implementation process with reference to the associated description of aforesaid method embodiment, can repeat no more herein.
Can find out, the quantity that the present embodiment detection device 600 enters the application layer data bag carrying object internetwork-ing agreement address i and CGI (Common Gateway Interface) mark j in the flow of described server within K the period counted meets preset threshold condition, applied layer fast-attack alarm is carried out for described object internetwork-ing agreement address i and described CGI (Common Gateway Interface) mark j, wherein, the statistic data of the aspects such as the quantity of the application layer data bag carrying internetwork-ing agreement address i and CGI (Common Gateway Interface) mark j is with reference to due to alarm, practice finds to be conducive to like this carrying out applied layer fast-attack alarm more accurately, visible this is conducive to improving applied layer fast-attack alarm accuracy.
Refer to Fig. 7, which is a block diagram of a communication system provided by another embodiment of the present invention.
The communication system comprises server 710 and detection device 720.
Detection device 720 is configured to obtain the traffic entering server 710; count, in K periods, the number of application layer packets in the traffic entering the server that carry destination Internet Protocol (IP) address i and CGI (Common Gateway Interface) identifier j; and, if the counted number of application layer packets carrying destination IP address i and CGI identifier j in the traffic entering the server in the K periods meets a preset threshold condition, raise an application layer fast attack alarm for destination IP address i and CGI identifier j, where K is a positive integer greater than or equal to 1 and destination IP address i is one of the IP addresses of the server.
Optionally, in some possible implementations of the present invention, in raising the application layer fast attack alarm for destination IP address i and CGI identifier j, detection device 720 is specifically configured to: among the application layer packets carrying destination IP address i and CGI identifier j counted in the traffic entering the server within period x, when the number of application layer packets carrying source IP address k is greater than or equal to a second threshold, raise an application layer fast attack alarm for destination IP address i and CGI identifier j, where period x is any one of the K periods.
Optionally, in some possible implementations of the present invention, among the application layer packets carrying destination IP address i and CGI identifier j in the traffic entering the server within period x, the number of application layer packets carrying source IP address k is greater than or equal to the number of application layer packets carrying any other source IP address;
Or,
source IP address k is any one of the source IP addresses carried by the application layer packets carrying destination IP address i and CGI identifier j in the traffic entering the server within period x.
Optionally, in some possible implementations of the present invention, period x is any one of the K periods; wherein
the preset threshold condition comprises: the number of application layer packets carrying destination IP address i and CGI identifier j in the traffic entering the server within period x is greater than or equal to the number of application layer packets recorded, in the current traffic baseline corresponding to CGI identifier j, for the reference period that has a mapping relation with period x;
Or,
the preset threshold condition comprises: the number of application layer packets carrying destination IP address i and CGI identifier j in the traffic entering the server within period x is greater than or equal to a third threshold.
Optionally, in some possible implementations of the present invention, K is greater than or equal to 2, and the K periods are K consecutive periods, or K periods in which the interval between adjacent periods has a length less than or equal to an interval threshold.
It can be seen that, when the counted number of application layer packets carrying destination IP address i and CGI identifier j in the traffic entering the server within the K periods meets the preset threshold condition, detection device 720 of this embodiment raises an application layer fast attack alarm for destination IP address i and CGI identifier j. Because statistics such as the number of application layer packets carrying IP address i and CGI identifier j serve as the basis for the alarm, practice has shown that application layer fast attack alarms can be raised more accurately in this way, which helps improve the accuracy of application layer fast attack alarms.
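As an added illustration (not code from the patent or its assignee), the following Python implements the two-stage check described in the embodiments above: the preset threshold condition on the (i, j) count in each of K periods, tested against a per-CGI baseline for the mapped reference period x' or against an absolute third threshold, followed by the second-threshold check on the source IP k with the most packets in period x. The period length, the mapping x -> x' (same slot one day earlier), the threshold values, the requirement that all K periods meet the condition, and the sample traffic are assumptions made for the example.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Parameters below are assumed values for illustration, not figures from the patent.
PERIOD_SECONDS = 10       # length of one counting period
K = 3                     # number of periods that must all meet the threshold condition
INTERVAL_THRESHOLD = 1    # max number of missing periods allowed between adjacent periods of the K
SECOND_THRESHOLD = 40     # packets from one source IP k in period x that trigger the alarm
THIRD_THRESHOLD = 120     # absolute (i, j) count per period that meets the threshold condition
DAY_PERIODS = 86400 // PERIOD_SECONDS


@dataclass(frozen=True)
class Packet:
    ts: int       # unix seconds
    src_ip: str   # source IP address k
    dst_ip: str   # destination IP address i (one of the server's addresses)
    cgi: str      # CGI identifier j, here the requested script path


Baseline = Dict[str, Dict[int, int]]  # cgi j -> reference period x' -> packets seen then


def period_of(ts: int) -> int:
    return ts // PERIOD_SECONDS


def reference_period(x: int) -> int:
    """Mapping relation x -> x': the same period slot one day earlier (assumed)."""
    return x - DAY_PERIODS


def count_packets(packets: List[Packet]):
    """period -> (i, j) -> Counter of source IPs, i.e. the statistics of the counting step."""
    counts = defaultdict(lambda: defaultdict(Counter))
    for p in packets:
        counts[period_of(p.ts)][(p.dst_ip, p.cgi)][p.src_ip] += 1
    return counts


def threshold_condition(total: int, cgi: str, x: int, baseline: Baseline) -> bool:
    """Preset threshold condition for period x: the (i, j) count is at least the
    baseline recorded for CGI j at reference period x', or at least the third threshold."""
    ref = baseline.get(cgi, {}).get(reference_period(x))
    if ref is not None and total >= ref:
        return True
    return total >= THIRD_THRESHOLD


def detect(packets: List[Packet], baseline: Baseline) -> List[Tuple[str, str, str, int]]:
    """Return alarms as (dst_ip i, cgi j, source_ip k, period x) tuples."""
    counts = count_packets(packets)
    periods_by_key: Dict[Tuple[str, str], List[int]] = defaultdict(list)
    for period in sorted(counts):
        for key in counts[period]:
            periods_by_key[key].append(period)
    alarms = []
    for (dst_ip, cgi), periods in periods_by_key.items():
        for start in range(len(periods) - K + 1):
            window = periods[start:start + K]
            # the K periods must be consecutive, or separated by at most INTERVAL_THRESHOLD
            if any(b - a - 1 > INTERVAL_THRESHOLD for a, b in zip(window, window[1:])):
                continue
            if not all(threshold_condition(sum(counts[x][(dst_ip, cgi)].values()),
                                           cgi, x, baseline) for x in window):
                continue
            # second stage: k is the source with the most packets in the last period x
            x = window[-1]
            src_k, n_k = counts[x][(dst_ip, cgi)].most_common(1)[0]
            if n_k >= SECOND_THRESHOLD:
                alarms.append((dst_ip, cgi, src_k, x))
    return alarms


def constructed_traffic(attacker_ips=("203.0.113.9",)):
    """Constructed sample: 10 background packets per period from five clients, plus
    60 extra packets per period in periods 1..3 spread over attacker_ips."""
    base = 1_700_000_000  # already a multiple of PERIOD_SECONDS
    packets = []
    for p in range(5):
        t = base + p * PERIOD_SECONDS
        for n in range(10):
            packets.append(Packet(t + n % PERIOD_SECONDS, f"192.0.2.{n % 5}",
                                  "10.0.0.5", "/cgi-bin/login.cgi"))
        if 1 <= p <= 3:
            for n in range(60):
                packets.append(Packet(t + n % PERIOD_SECONDS,
                                      attacker_ips[n % len(attacker_ips)],
                                      "10.0.0.5", "/cgi-bin/login.cgi"))
    # baseline: the same slots one day earlier carried about 12 packets each (constructed)
    baseline = {"/cgi-bin/login.cgi":
                {reference_period(period_of(base) + p): 12 for p in range(5)}}
    return packets, baseline
```

With the single-source sample, `detect` returns one alarm naming 203.0.113.9 for period x; with the same volume spread over three sources it returns nothing, because no source reaches the second threshold even though the (i, j) count exceeds the baseline.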
An embodiment of the present invention further provides a computer storage medium, wherein the computer storage medium may store a program which, when executed, performs some or all of the steps of any application layer fast attack detection method recorded in the foregoing method embodiments.
It should be noted that, for brevity, each of the foregoing method embodiments is described as a series of combined actions; however, those skilled in the art should understand that the present invention is not limited by the described order of actions, because according to the present invention some steps may be performed in another order or simultaneously. Secondly, those skilled in the art should also understand that the embodiments described in the specification are all preferred embodiments, and that the actions and modules involved are not necessarily required by the present invention.
In the above embodiments, the description of each embodiment has its own emphasis; for a part not described in detail in one embodiment, reference may be made to the related description of the other embodiments.
In the several embodiments provided in this application, it should be understood that the disclosed device may be implemented in other ways. For example, the device embodiments described above are merely illustrative; the division into units is only a logical functional division, and other divisions are possible in actual implementation: multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. In addition, the mutual couplings, direct couplings or communication connections shown or discussed may be indirect couplings or communication connections through some interfaces, devices or units, and may be electrical or take other forms.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed over multiple network elements. Some or all of the units may be selected according to actual needs to achieve the object of the solution of this embodiment.
In addition, the functional units in each embodiment of the present invention may be integrated into one processing unit, each unit may exist physically on its own, or two or more units may be integrated into one unit. The integrated unit may be implemented in the form of hardware or in the form of a software functional unit.
If the integrated unit is implemented in the form of a software functional unit and sold or used as an independent product, it may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present invention, in essence or in the part that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product. The computer software product is stored in a storage medium and comprises instructions for causing a computer device (which may be a personal computer, a server, a network device or the like) to perform all or part of the steps of the method described in each embodiment of the present invention. The foregoing storage medium includes: a USB flash disk, a read-only memory (ROM, Read-Only Memory), a random access memory (RAM, Random Access Memory), a portable hard disk, a magnetic disk, an optical disc, or any other medium that can store program code.
The above embodiments are only intended to illustrate the technical solution of the present invention, not to limit it. Although the present invention has been described in detail with reference to the foregoing embodiments, those skilled in the art will understand that the technical solutions recorded in the foregoing embodiments may still be modified, or some of their technical features replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solution to depart from the scope of the technical solutions of the embodiments of the present invention.

Claims (12)

1. An application layer fast attack detection method, characterized by comprising:
obtaining the traffic entering a server;
counting, in K periods, the number of application layer packets carrying destination Internet Protocol address i and CGI (Common Gateway Interface) identifier j in the traffic entering the server;
if the counted number of application layer packets carrying destination Internet Protocol address i and CGI identifier j in the traffic entering the server in the K periods meets a preset threshold condition, raising an application layer fast attack alarm for destination Internet Protocol address i and CGI identifier j, where destination Internet Protocol address i is one of the Internet Protocol addresses of the server and K is a positive integer greater than or equal to 1.
2. The method according to claim 1, characterized in that raising the application layer fast attack alarm for destination Internet Protocol address i and CGI identifier j comprises: among the application layer packets carrying destination Internet Protocol address i and CGI identifier j counted in the traffic entering the server within period x, when the number of application layer packets carrying source Internet Protocol address k is greater than or equal to a second threshold, raising an application layer fast attack alarm for destination Internet Protocol address i and CGI identifier j, where period x is any one of the K periods.
3. The method according to claim 2, characterized in that, among the application layer packets carrying destination Internet Protocol address i and CGI identifier j in the traffic entering the server within period x, the number of application layer packets carrying source Internet Protocol address k is greater than or equal to the number of application layer packets carrying any other source Internet Protocol address.
4. The method according to claim 2, characterized in that
source Internet Protocol address k is any one of the source Internet Protocol addresses carried by the application layer packets carrying destination Internet Protocol address i and CGI identifier j in the traffic entering the server within period x.
5. The method according to any one of claims 1 to 4, characterized in that period x is any one of the K periods; wherein
the preset threshold condition comprises: the number of application layer packets carrying destination Internet Protocol address i and CGI identifier j in the traffic entering the server within period x is greater than or equal to the number of application layer packets recorded for reference period x' in the current traffic baseline corresponding to CGI identifier j, where reference period x' has a mapping relation with period x;
Or,
the preset threshold condition comprises: the number of application layer packets carrying destination Internet Protocol address i and CGI identifier j in the traffic entering the server within period x is greater than or equal to a third threshold.
6. The method according to any one of claims 1 to 5, characterized in that K is greater than or equal to 2, and the K periods are K consecutive periods, or K periods in which the interval between adjacent periods has a length less than or equal to an interval threshold.
7. An application layer fast attack detection device, characterized by comprising:
an acquiring unit, configured to obtain the traffic entering a server;
a statistics unit, configured to count, in K periods, the number of application layer packets carrying destination Internet Protocol address i and CGI (Common Gateway Interface) identifier j in the traffic entering the server;
an attack alarm unit, configured to, if the number of application layer packets carrying destination Internet Protocol address i and CGI identifier j in the traffic entering the server in the K periods counted by the statistics unit meets a preset threshold condition, raise an application layer fast attack alarm for destination Internet Protocol address i and CGI identifier j, where K is a positive integer greater than or equal to 1 and destination Internet Protocol address i is one of the Internet Protocol addresses of the server.
8. The device according to claim 7, characterized in that
in raising the application layer fast attack alarm for destination Internet Protocol address i and CGI identifier j, the attack alarm unit is specifically configured to: among the application layer packets carrying destination Internet Protocol address i and CGI identifier j counted in the traffic entering the server within period x, when the number of application layer packets carrying source Internet Protocol address k is greater than or equal to a second threshold, raise an application layer fast attack alarm for destination Internet Protocol address i and CGI identifier j, where period x is any one of the K periods.
9. The device according to claim 8, characterized in that
among the application layer packets carrying destination Internet Protocol address i and CGI identifier j in the traffic entering the server within period x, the number of application layer packets carrying source Internet Protocol address k is greater than or equal to the number of application layer packets carrying any other source Internet Protocol address;
Or,
source Internet Protocol address k is any one of the source Internet Protocol addresses carried by the application layer packets carrying destination Internet Protocol address i and CGI identifier j in the traffic entering the server within period x.
10. The device according to any one of claims 7 to 9, characterized in that period x is any one of the K periods; wherein
the preset threshold condition comprises: the number of application layer packets carrying destination Internet Protocol address i and CGI identifier j in the traffic entering the server within period x is greater than or equal to the number of application layer packets recorded for reference period x' in the current traffic baseline corresponding to CGI identifier j, where reference period x' has a mapping relation with period x;
Or,
the preset threshold condition comprises: the number of application layer packets carrying destination Internet Protocol address i and CGI identifier j in the traffic entering the server within period x is greater than or equal to a third threshold.
11. The device according to any one of claims 7 to 10, characterized in that K is greater than or equal to 2, and the K periods are K consecutive periods, or K periods in which the interval between adjacent periods has a length less than or equal to an interval threshold.
12. A communication system, characterized by comprising: a server and a detection device;
wherein the detection device is configured to obtain the traffic entering the server; count, in K periods, the number of application layer packets carrying destination Internet Protocol address i and CGI (Common Gateway Interface) identifier j in the traffic entering the server; and, if the counted number of application layer packets carrying destination Internet Protocol address i and CGI identifier j in the traffic entering the server in the K periods meets a preset threshold condition, raise an application layer fast attack alarm for destination Internet Protocol address i and CGI identifier j, where destination Internet Protocol address i is one of the Internet Protocol addresses of the server and K is a positive integer greater than or equal to 1.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410640241.2A CN105656848B (en) 2014-11-13 2014-11-13 Application layer rapid attack detection method and related device

Publications (2)

Publication Number Publication Date
CN105656848A true CN105656848A (en) 2016-06-08
CN105656848B CN105656848B (en) 2020-05-05

Family

ID=56479435

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201410640241.2A Active CN105656848B (en) 2014-11-13 2014-11-13 Application layer rapid attack detection method and related device

Country Status (1)

Country Link
CN (1) CN105656848B (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107623685A (en) * 2017-09-08 2018-01-23 杭州安恒信息技术有限公司 The method and device of quick detection SYN Flood attacks
CN110198294A (en) * 2018-04-11 2019-09-03 腾讯科技(深圳)有限公司 Security attack detection method and device
CN110569282A (en) * 2019-09-04 2019-12-13 中国工商银行股份有限公司 Data processing method, data processing device, computing equipment and computer readable storage medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101123492A (en) * 2007-09-06 2008-02-13 杭州华三通信技术有限公司 Method and device for detecting scanning attack
CN101741847A (en) * 2009-12-22 2010-06-16 北京锐安科技有限公司 Detecting method of DDOS (distributed denial of service) attacks
US20140143850A1 (en) * 2012-11-21 2014-05-22 Check Point Software Technologies Ltd. Penalty box for mitigation of denial-of-service attacks
CN103856470A (en) * 2012-12-06 2014-06-11 腾讯科技(深圳)有限公司 Distributed denial of service attack detection method and device

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107623685A (en) * 2017-09-08 2018-01-23 杭州安恒信息技术有限公司 The method and device of quick detection SYN Flood attacks
CN107623685B (en) * 2017-09-08 2020-04-07 杭州安恒信息技术股份有限公司 Method and device for rapidly detecting SYN Flood attack
CN110198294A (en) * 2018-04-11 2019-09-03 腾讯科技(深圳)有限公司 Security attack detection method and device
CN110198294B (en) * 2018-04-11 2022-04-12 腾讯科技(深圳)有限公司 Security attack detection method and device
CN110569282A (en) * 2019-09-04 2019-12-13 中国工商银行股份有限公司 Data processing method, data processing device, computing equipment and computer readable storage medium

Also Published As

Publication number Publication date
CN105656848B (en) 2020-05-05

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant