CN105871834A - Method and device for computing malice index - Google Patents

Publication number
CN105871834A
Authority
CN
China
Prior art keywords
malice index
aggressive behavior
index
malice
period
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201610187740.XA
Other languages
Chinese (zh)
Other versions
CN105871834B (en)
Inventor
沈明星
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Hangzhou Langhe Technology Co Ltd
Original Assignee
Hangzhou Langhe Technology Co Ltd
Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

Embodiments of the invention provide a method and a device for computing a malice index. The method comprises the steps of determining the Internet Protocol (IP) address corresponding to attack behavior when the attack behavior is detected; obtaining the recorded malice index corresponding to the IP address according to the IP address; and computing and updating the malice index corresponding to the IP address based on the recorded malice index. According to the method, the malice index is computed and updated iteratively from only the recorded malice index and the current attack situation, such as the attack situation in the current period or within a short time, so that a large number of logs need not be stored and the storage space occupied is reduced. At the same time, one or more attacks within a predetermined time are recorded as one attack behavior, so that the situation in which every malice index is close to 1 is avoided and the accuracy with which the malice index of each IP is distinguished is improved.

Description

A method and device for computing a malice index
Technical field
Embodiments of the present invention relate to the field of computer technology, and more specifically to a method and device for computing a malice index.
Background
This section is intended to provide background or context for the embodiments of the present invention set out in the claims. The description here is not admitted to be prior art merely because it is included in this section.
Existing DDoS (Distributed Denial of Service) defense systems maintain blacklist IPs (IP: Internet Protocol), whitelist IPs and graylist IPs. A blacklist IP is an IP that has been manually confirmed as malicious in the DDoS defense system; access from these IPs can be dropped directly. A whitelist IP is an IP that has been manually confirmed as benign in the DDoS defense system, such as a partner's IP; access from these IPs can be allowed directly. A graylist IP is an IP that has exhibited attack behavior in the DDoS defense system at some point.
Existing graylists have only one level, so the malice index of each IP in the graylist cannot be accurately distinguished. Here the malice index refers to the degree of maliciousness of an IP in the graylist: the larger the value, the more attacks this IP has made before. By analogy, if the names of people who have done bad things are the IPs in the graylist, the prior art treats everyone who has done something bad in the same way.
To distinguish the malice indexes of the different IPs in the graylist, the prior art has also proposed some methods for computing a malice index, generally based on access logs or on the ratio of abnormal accesses to total accesses.
Summary of the invention
But, use mode based on access log to need to store the data of access every time, take a large amount of Memory space, and owing to being often a large amount of attacks centralized in the short time when attacking, use abnormal The calculated result of mode of visit capacity/total visit capacity be one level off to 1 numeral, it is impossible to accurately The malice index of each IP is distinguished on ground, such as, in anti-rubbish mail, and every spam note one Secondary Deviant Behavior, an every normal email normal behaviour of note, the evil of the IP in anti-rubbish mail Mean that number is abnormal access amount/total visit capacity, even if the normal access time is far longer than the abnormal access time, But producing a large amount of access times in being often the short time due to abnormal access, therefore, each had this type of The malice index of the IP of abnormal access all tends to 1, it is impossible to distinguish the malice index of each IP exactly, this It it is the most bothersome process.
To this end, be highly desirable to the method and apparatus calculating malice index of a kind of improvement, reduce storage Taking of space, and accurately distinguish the malice index of different IP.
In the present context, embodiments of the present invention expectation provides a kind of method calculating malice index And device.
In a first aspect of the embodiments of the present invention, a method for computing a malice index is provided, comprising:
when an Nth attack behavior is detected, determining the Internet Protocol (IP) address corresponding to the Nth attack behavior, and calculating the first period to which a first time point, at which the Nth attack behavior occurs, currently belongs;
calculating the second period to which a second time point belongs, the second time point being the time at which the (N-1)th attack behavior related to the IP address occurred, and obtaining the first malice index obtained when the (N-1)th attack behavior completed, the second time point being earlier than the first time point;
calculating, according to the first malice index, the first period and the second period, the second malice index obtained when the Nth attack behavior completes.
In one embodiment, according to the method of the above embodiment of the present invention, one or more attacks within a predetermined time are recorded as one attack behavior.
In some embodiments, according to the method of any of the above embodiments of the present invention, calculating the first period to which the first time point at which the Nth attack behavior occurs currently belongs comprises:
the calculated first period satisfies the following rule:
m1 = (t1 - T0) / T + 1;
where m1 is the first period, t1 is the first time point, T0 is the time point at which detection of attack behavior was started, T is a preset value, and / denotes integer division;
calculating the second period to which the second time point at which the (N-1)th attack behavior occurred belongs comprises:
the calculated second period satisfies the following rule:
m2 = (t2 - T0) / T + 1;
where m2 is the second period and t2 is the second time point.
In some embodiments, according to the method of any of the above embodiments of the present invention, if the first period and the second period are different periods, calculating, according to the first malice index, the first period and the second period, the second malice index obtained when the Nth attack behavior completes comprises:
the calculated second malice index satisfies the following rule:
EI1 = EI2 * (1/2)^(m1 - m2) + 1
where EI1 is the second malice index, EI2 is the first malice index, m1 is the first period and m2 is the second period.
In some embodiments, according to the method of any of the above embodiments of the present invention, if the first period and the second period are the same period, the second malice index equals the first malice index plus 1.
In some embodiments, according to the method of any of the above embodiments of the present invention, after calculating the second malice index obtained when the Nth attack behavior completes, the method further comprises:
replacing the first malice index recorded in the system with the second malice index, and replacing the second period recorded in the system with the first period.
In a second aspect of the embodiments of the present invention, a device for computing a malice index is provided, comprising:
a detection unit, configured to detect attack behavior;
a determining unit, configured to determine the Internet Protocol (IP) address corresponding to an Nth attack behavior;
a computing unit, configured to calculate, when the detection unit detects the Nth attack behavior, the first period to which a first time point, at which the Nth attack behavior occurs, currently belongs;
the computing unit being further configured to calculate the second period to which a second time point belongs, the second time point being the time at which the (N-1)th attack behavior related to the IP address occurred, and to obtain the first malice index obtained when the (N-1)th attack behavior completed, the second time point being earlier than the first time point;
the computing unit being further configured to calculate, according to the first malice index, the first period and the second period, the second malice index obtained when the Nth attack behavior completes.
In one embodiment, according to the device of the above embodiment of the present invention, one or more attacks within a predetermined time are recorded as one attack behavior.
In some embodiments, according to the device of any of the above embodiments of the present invention, when the computing unit calculates the first period to which the first time point at which the Nth attack behavior occurs currently belongs, specifically:
the first period calculated by the computing unit satisfies the following rule:
m1 = (t1 - T0) / T + 1;
where m1 is the first period, t1 is the first time point, T0 is the time point at which detection of attack behavior was started, T is a preset value, and / denotes integer division;
when the computing unit calculates the second period to which the second time point at which the (N-1)th attack behavior occurred belongs, specifically:
the second period calculated by the computing unit satisfies the following rule:
m2 = (t2 - T0) / T + 1;
where m2 is the second period and t2 is the second time point.
In some embodiments, according to the device of any of the above embodiments of the present invention, if the first period and the second period are different periods, when the computing unit calculates, according to the first malice index, the first period and the second period, the second malice index obtained when the Nth attack behavior completes, specifically:
the second malice index calculated by the computing unit satisfies the following rule:
EI1 = EI2 * (1/2)^(m1 - m2) + 1
where EI1 is the second malice index, EI2 is the first malice index, m1 is the first period and m2 is the second period.
In some embodiments, according to the device of any of the above embodiments of the present invention, if the first period and the second period are the same period, the second malice index equals the first malice index plus 1.
In some embodiments, according to the device of any of the above embodiments of the present invention, the device further comprises a replacement unit, configured to replace the first malice index recorded in the system with the second malice index, and to replace the second period recorded in the system with the first period.
In a third aspect of the embodiments of the present invention, a method for computing a malice index is provided, comprising:
when attack behavior is detected, determining the Internet Protocol (IP) address corresponding to the attack behavior;
obtaining, according to the IP address, the recorded malice index corresponding to the IP address; and
calculating and updating the malice index corresponding to the IP address based on the recorded malice index.
In one embodiment, according to the method of the above embodiment of the present invention, calculating and updating the malice index corresponding to the IP address comprises:
decaying the recorded malice index over time and then adding a constant to generate a new malice index;
using the new malice index as the updated malice index.
In some embodiments, according to the method of any of the above embodiments of the present invention, the method further comprises:
calculating the current period m1 corresponding to the time at which the attack behavior is detected;
obtaining the recorded period m2 corresponding to the recorded malice index.
In some embodiments, according to the method of any of the above embodiments of the present invention, if the current period and the recorded period are the same period (m1 = m2), calculating and updating the malice index corresponding to the IP address comprises:
adding a constant a to the recorded malice index: EI1 = EI2 + a, where EI1 is the malice index corresponding to the IP address after the update and EI2 is the recorded malice index before the update;
if the current period and the recorded period are different periods (m1 ≠ m2), calculating and updating the malice index corresponding to the IP address comprises:
decaying the recorded malice index over time and then adding a constant a: EI1 = EI2 * b^(m1 - m2) + a, where b is a positive number less than 1.
In some embodiments, according to the method of any of the above embodiments of the present invention, one or more attacks within a predetermined time are recorded as one attack behavior.
In some embodiments, according to the method of any of the above embodiments of the present invention, the method further comprises:
when the system is initialized, setting the malice index corresponding to the IP address to 0.
In a fourth aspect of the embodiments of the present invention, a device for computing a malice index is provided, comprising:
a detection unit, configured to detect attack behavior;
a determining unit, configured to determine, when the detection unit detects attack behavior, the Internet Protocol (IP) address corresponding to the attack behavior;
an acquiring unit, configured to obtain, according to the IP address, the recorded malice index corresponding to the IP address; and
a computing unit, configured to calculate and update the malice index corresponding to the IP address based on the recorded malice index.
In one embodiment, according to the device of the above embodiment of the present invention, the computing unit is specifically configured to:
decay the recorded malice index over time and then add a constant to generate a new malice index;
use the new malice index as the updated malice index.
In some embodiments, according to the device of any of the above embodiments of the present invention, the computing unit is further configured to calculate the current period m1 corresponding to the time at which the attack behavior is detected;
the acquiring unit is further configured to obtain the recorded period m2 corresponding to the recorded malice index.
In some embodiments, according to the device of any of the above embodiments of the present invention, if the current period and the recorded period are the same period (m1 = m2), when the computing unit calculates and updates the malice index corresponding to the IP address, specifically:
a constant a is added to the recorded malice index: EI1 = EI2 + a, where EI1 is the malice index corresponding to the IP address after the update and EI2 is the recorded malice index before the update;
if the current period and the recorded period are different periods (m1 ≠ m2), when the computing unit calculates and updates the malice index corresponding to the IP address, specifically:
the recorded malice index is decayed over time and a constant a is then added: EI1 = EI2 * b^(m1 - m2) + a, where b is a positive number less than 1.
In some embodiments, according to the device of any of the above embodiments of the present invention, one or more attacks within a predetermined time are recorded as one attack behavior.
In some embodiments, according to the device of any of the above embodiments of the present invention, the device further comprises a malice index setting unit, configured to set the malice index corresponding to the IP address to 0 when the system is initialized.
In a fifth aspect of the embodiments of the present invention, a method for updating a malice index is provided, comprising:
making the malice index decay over time; and
when attack behavior is detected, increasing the malice index.
In one embodiment, according to the method of the above embodiment of the present invention, one or more attacks within a predetermined time are recorded as one attack behavior.
In a sixth aspect of the embodiments of the present invention, a device for updating a malice index is provided, comprising:
a malice index decay unit, configured to make the malice index decay over time;
a detection unit, configured to detect attack behavior;
a malice index increasing unit, configured to increase the malice index when attack behavior is detected.
In one embodiment, according to the device of the above embodiment of the present invention, one or more attacks within a predetermined time are recorded as one attack behavior.
The present invention proposes a method for computing a malice index: when attack behavior is detected, the Internet Protocol (IP) address corresponding to the attack behavior is determined; the recorded malice index corresponding to the IP address is obtained according to the IP address; and the malice index corresponding to the IP address is calculated and updated based on the recorded malice index. In this scheme the malice index is no longer computed from stored attack records. It is computed and updated iteratively from only the recorded malice index and the current attack situation, for example the attack situation in the current period or within a short time. A large number of logs therefore need not be stored, which reduces the storage space occupied. At the same time, recording one or more attacks within a predetermined time as one attack behavior prevents every malice index from approaching 1 and improves the accuracy with which the malice index of each IP is distinguished.
Brief description of the drawings
The above and other objects, features and advantages of exemplary embodiments of the present invention will become easy to understand by reading the following detailed description with reference to the accompanying drawings. In the drawings, several embodiments of the present invention are shown by way of example and not limitation, in which:
Fig. 1 schematically shows a flowchart of a method for computing a malice index according to an embodiment of the present invention;
Fig. 2 schematically shows another flowchart of a method for computing a malice index according to an embodiment of the present invention;
Fig. 3 schematically shows a flowchart of a method for updating a malice index according to an embodiment of the present invention;
Fig. 4 schematically shows a schematic diagram of a device for computing a malice index according to an embodiment of the present invention;
Fig. 5 schematically shows another schematic diagram of a device for computing a malice index according to an embodiment of the present invention;
Fig. 6 schematically shows a schematic diagram of a device for updating a malice index according to an embodiment of the present invention;
Fig. 7 schematically shows another schematic diagram of a device for computing or updating a malice index according to an embodiment of the present invention;
Fig. 8 schematically shows another schematic diagram of a device for computing or updating a malice index according to an embodiment of the present invention;
In the drawings, identical or corresponding reference numerals denote identical or corresponding parts.
Detailed description
The principle and spirit of the present invention are described below with reference to several exemplary embodiments. It should be understood that these embodiments are given only to enable those skilled in the art to better understand and then implement the present invention, and do not limit the scope of the present invention in any way. Rather, these embodiments are provided so that this disclosure will be thorough and complete and will fully convey the scope of the disclosure to those skilled in the art.
Those skilled in the art know that embodiments of the present invention may be implemented as a system, device, apparatus, method or computer program product. Accordingly, the present disclosure may be implemented in the following forms: entirely hardware, entirely software (including firmware, resident software, microcode, etc.), or a combination of hardware and software.
According to embodiments of the present invention, a method and device for computing a malice index are proposed.
In this document, any number of elements in the drawings is illustrative rather than limiting, and any naming is used only for distinction and has no limiting meaning.
The technical terms involved in the present invention are briefly described below.
DDoS: an attack in which an attacker uses a large number of distributed puppet machines as an attack platform to send a large number of requests to one or more targets simultaneously, so that the attacked target is paralyzed and cannot provide normal service.
HTTP (HyperText Transfer Protocol) Flood: one of the many types of DDoS attack. It is an attack launched against Web services at the layer-7 protocol, characterized by a simple attack method, difficulty of defensive filtering, and a large impact on hosts.
The principle and spirit of the present invention are explained in detail below with reference to several representative embodiments of the present invention.
Overview of the invention
The inventor found that the current way of computing a malice index from abnormal accesses/total accesses not only occupies a large amount of storage space but also yields malice indexes that all tend to 1, so the malice index of each IP cannot be accurately distinguished. A new scheme for computing a malice index is therefore proposed. In this scheme, when attack behavior is detected, the Internet Protocol (IP) address corresponding to the attack behavior is determined; the recorded malice index corresponding to the IP address is obtained according to the IP address; and the malice index corresponding to the IP address is calculated and updated based on the recorded malice index. With this method the malice index is no longer computed from stored attack records. It is computed and updated iteratively from only the recorded malice index and the current attack situation, for example the attack situation in the current period or within a short time. This avoids storing a large number of access records and improves storage utilization. At the same time, recording one or more attacks within a predetermined time as one attack behavior prevents every malice index from approaching 1 and improves the accuracy with which the malice index of each IP is distinguished.
Having described the basic principle of the present invention, various non-limiting embodiments of the present invention are introduced in detail below.
Application scenario overview
With reference to the description above, for example, when attack behavior is detected, the IP address corresponding to the attack behavior is determined to be a first IP address, and the recorded malice index corresponding to the first IP address is obtained as a first malice index; the first malice index is then calculated and updated based on the recorded first malice index. This avoids storing a large number of access records and improves storage utilization. In one embodiment, recording one or more attacks within a predetermined time as one attack behavior prevents every malice index from approaching 1 and improves the accuracy with which the malice index of each IP is distinguished.
It should be noted that in the embodiments of the present invention the device on which the attack behavior occurs may be a NetEase server or another server or device; this is not specifically limited here.
Exemplary method
Methods for computing a malice index according to exemplary embodiments of the present invention are described below with reference to Fig. 1 and Fig. 2 in combination with the application scenario described above. Further, a method for updating a malice index according to an exemplary embodiment of the present invention may be described with reference to Fig. 3.
It should be noted that the above application scenario is shown only to facilitate understanding of the spirit and principle of the present invention; embodiments of the present invention are not limited in this respect. Rather, embodiments of the present invention may be applied to any applicable scenario.
Fig. 1 schematically show according to embodiment of the present invention for calculate malice index method The schematic flow sheet of 10.As it is shown in figure 1, the method 10 can include step 100,110,120.
Method 10 starts from step 100: when aggressive behavior being detected, determines that described aggressive behavior is corresponding Internet protocol address.
In the embodiment of the present invention, alternatively, one or many in the given time is attacked and is designated as once Aggressive behavior.Such as, there occurs 1 attack in the given time, be then designated as within this scheduled time There occurs an aggressive behavior.The most such as, within a certain scheduled time, there occurs 10000 attacks, Such as extensive aggression, the most still it is designated as within this scheduled time, there occurs an aggressive behavior, by making a reservation for One or many aggressive behavior in time is designated as an aggressive behavior, can be prevented effectively from each malice Index all levels off to 1, and then improves the accuracy of the malice index distinguishing each IP, certainly, in reality Border application in, be not limited to aforesaid way, it is also possible to by the aggressive behavior in this scheduled time time Number scale is the number of times of the attack actually occurred.
After step 100, it is also possible to perform step 110: according to IP described in described IP address acquisition The malice index of the record that address is corresponding.
After step 110, it is also possible to perform step 120: malice index based on record, calculating is also Update the malice index that described IP address is corresponding.
The method makes the calculating of malice index be no longer based on the attack record of record, and according only to record Malice index and current attack situation such as this cycle in or the short time in attack situation iteration Formula ground calculates and updates malice index.In one embodiment, often increase an aggressive behavior, update Once malice index.So attack record will need not, by substantial amounts of record, improve memory space Utilization rate.
In an embodiment of the present invention, the malice index corresponding to the IP address may optionally be calculated and updated as follows:
The recorded malice index is decayed over time and a constant is then added to it, generating a new malice index;
The new malice index is taken as the updated malice index.
In this way, the malice of an attack behavior is greatest when it has just occurred and gradually decreases as it decays over time.
In an embodiment of the present invention, the method further includes the following operations:
Calculating the current period m1 corresponding to the time at which the attack behavior is detected;
Obtaining the record period m2 corresponding to the recorded malice index.
For example, the attacks from a given IP within 1 hour are recorded as 1 attack behavior and 1 day is taken as one period; in such a period there are at most 24 attack behaviors.
If the current period and the record period are the same period (m1 = m2), the malice index corresponding to the IP address may optionally be calculated and updated as follows:
A constant a is added to the recorded malice index: EI1 = EI2 + a, where EI1 is the malice index corresponding to the IP address after the update and EI2 is the previously recorded malice index;
If the current period and the record period are different periods (m1 ≠ m2), the malice index corresponding to the IP address may optionally be calculated and updated as follows:
The recorded malice index is decayed over time and a constant a is then added: EI1 = EI2 * b^(m1 - m2) + a, where b is a positive number less than 1.
That is, if m1 = m2, EI1 is simply EI2 plus a; if m1 ≠ m2, EI1 is the decayed value of EI2 plus the constant a.
In an embodiment of the present invention, the method further includes the following operation:
When the system is initialized, the malice index corresponding to the IP address is set to 0.
The present invention proposes a method for calculating a malice index: when an attack behavior is detected, the Internet Protocol (IP) address corresponding to the attack behavior is determined; the recorded malice index corresponding to the IP address is obtained according to the IP address; and, based on the recorded malice index, the malice index corresponding to the IP address is calculated and updated. In this scheme, the malice index of a given IP is no longer calculated from stored attack records; the malice index corresponding to the IP address is updated using only the already recorded malice index and the current attack situation. Thus a large number of records is not needed, which reduces the storage space occupied. At the same time, recording one or more attack behaviors within the predetermined time as one attack behavior prevents every malice index from converging to 1 and improves the accuracy with which the malice indexes of different IPs are distinguished.
The present invention also proposes another method for calculating a malice index. Fig. 2 schematically shows a flowchart of a method 20 for calculating a malice index according to an embodiment of the present invention. As shown in Fig. 2, the method 20 may include steps 200, 210 and 220.
Method 20 starts at step 200: when the N-th attack behavior is detected, the Internet Protocol (IP) address corresponding to the N-th attack behavior is determined, and the first period, to which the first time point at which the N-th attack behavior occurs belongs, is calculated.
In an embodiment of the present invention, optionally, one or more attacks within a predetermined time period are recorded as one attack behavior. For example, if 1 attack occurs between 7:00 and 8:00 on a certain day, one attack behavior is recorded for that time; if 10000 attacks occur between 7:00 and 8:00, one attack behavior is likewise recorded for that time; one or more attacks occurring between 9:00 and 10:00 are also recorded as one attack behavior.
In an embodiment of the present invention, optionally, one or more attacks within a predetermined time are recorded as one attack behavior. For example, if 1 attack occurs within a certain period, one attack behavior is recorded for that period. As another example, if 10000 attacks occur within a certain period, still only one attack behavior is recorded for that period.
Recording one or more attacks within a time interval or within a predetermined time as one attack behavior effectively prevents every malice index from converging to 1, and thus improves the accuracy with which the malice indexes of different IPs are distinguished.
Of course, practical applications are not limited to the above; the number of attack behaviors within the period may also be recorded as the number of attacks that actually occurred.
In an embodiment of the present invention, the first period to which the first time point at which the N-th attack behavior occurs belongs may optionally be calculated as follows:
The calculated first period satisfies the following rule, Formula 1:
m1 = (t1 - T0) / T + 1 (Formula 1)
where m1 is the first period, t1 is the first time point, T0 is the time point at which detection of attack behavior was started, T is a preset value, and / denotes integer division.
After step 200, step 210 may be performed: the second period, to which the second time point at which the (N-1)-th attack behavior related to the IP address occurred belongs, is calculated, together with the first malice index obtained when the (N-1)-th attack behavior was completed; the second time point is located before the first time point.
In an embodiment of the present invention, the second period to which the second time point at which the (N-1)-th attack behavior occurred belongs may optionally be calculated as follows:
The calculated second period satisfies the following rule, Formula 2:
m2 = (t2 - T0) / T + 1 (Formula 2)
where m2 is the second period and t2 is the second time point.
After step 210, step 220 may be performed: according to the first malice index, the first period and the second period, the second malice index obtained when the N-th attack behavior is completed is calculated.
In an embodiment of the present invention, if the first period and the second period are different periods, the second malice index obtained when the N-th attack behavior is completed may optionally be calculated from the first malice index, the first period and the second period as follows:
The calculated second malice index satisfies the following rule, Formula 3:
EI1 = EI2 * (1/2)^(m1 - m2) + 1 (Formula 3)
where EI1 is the second malice index, EI2 is the first malice index, m1 is the first period and m2 is the second period.
In an embodiment of the present invention, optionally, if the first period and the second period are the same period, the second malice index is equal to the first malice index plus 1.
That is, if the first period and the second period are the same period, the second malice index is simply the first malice index plus 1; if the first period and the second period are different periods, the second malice index is the decayed value of the first malice index plus 1.
In an embodiment of the present invention, further, in order to calculate the malice index for attack behaviors after the N-th attack behavior, the method also includes the following operation after the second malice index obtained when the N-th attack behavior is completed has been calculated:
The first malice index recorded in the system is replaced with the second malice index, and the second period recorded in the system is replaced with the first period.
Thus, when the third malice index is calculated for an attack behavior after the N-th attack behavior: if the first period, to which the first time point at which the N-th attack behavior occurred belongs, and the third period, to which the third time point at which the attack behavior after the N-th attack behavior occurs belongs, are the same period, the third malice index is simply the second malice index plus 1; if the first period and the third period are different periods, the third malice index is calculated using Formula 4, wherein the third time point is located before the first time point:
EI3 = EI1 * (1/2)^(m3 - m1) + 1 (Formula 4)
where EI1 is the second malice index, EI3 is the third malice index, m1 is the first period and m3 is the third period.
For example: T = 3600 seconds and the whole system was started at 02:10:10 on January 20, 2016, so T0 = 1453227010 is recorded. At 05:20:10 on January 20, 2016, i.e. t = 1453238410, the first attack behavior of a certain IP = 1.1.1.1 is detected. The period to which the current time point belongs is then calculated as m1 = (1453238410 - 1453227010)/3600 + 1 = 4, i.e. the period is 4, and EI1 is calculated using EI1 = EI2 * (1/2)^(m1 - m2) + 1 (Formula 3); since EI2 is 0, the calculated EI1 = 1. At 12:20:10 on January 20, 2016, i.e. t = 1453263610, a second attack behavior of IP = 1.1.1.1 is detected. The period to which the current time point belongs is then calculated as m2 = (1453263610 - 1453227010)/3600 + 1 = 11, i.e. the 11th period, and EI1 is calculated using EI1 = EI2 * (1/2)^(m1 - m2) + 1 (Formula 3); at this point, since EI2 is 1, m1 = 11 and m2 = 4, the calculated EI1 = 1 * (1/2)^7 + 1 ≈ 1. Further, the calculated EI1 and the period may be updated to 1 and 11 respectively, for use in subsequent malice index calculations.
The present invention proposes a method for calculating a malice index: when the N-th attack behavior is detected, the Internet Protocol (IP) address corresponding to the N-th attack behavior is determined, and the first period, to which the first time point at which the N-th attack behavior occurs belongs, is calculated; the second period, to which the second time point at which the (N-1)-th attack behavior related to the IP address occurred belongs, is calculated, together with the first malice index obtained when the (N-1)-th attack behavior was completed, the second time point being located before the first time point; and, according to the first malice index, the first period and the second period, the second malice index obtained when the N-th attack behavior is completed is calculated. In this scheme, for an IP that performs the N-th attack behavior, the malice index is no longer calculated from stored attack records. The second malice index obtained when the N-th attack behavior is completed is calculated using only the first period corresponding to the N-th attack behavior of that IP, the second period corresponding to the (N-1)-th attack behavior, and the first malice index obtained when the (N-1)-th attack behavior was completed. Thus a large number of records is not needed, which reduces the storage space occupied. At the same time, recording one or more attacks within a time period as one attack behavior prevents every malice index from converging to 1, and thus improves the accuracy with which the malice indexes of different IPs are distinguished.
Fig. 3 schematically shows a flowchart of a method 30 for updating a malice index according to an embodiment of the present invention. As shown in Fig. 3, the method 30 may include steps 300 and 310.
Method 30 starts at step 300: the malice index is made to decay over time;
After step 300, step 310 may be performed: when an attack behavior is detected, the malice index is increased.
In one embodiment, when no attack behavior is detected, the malice index decays over time in real time, so that the malice of a given attack behavior decays over time. When an attack behavior is detected, the malice index is increased by a constant and then decays in real time again.
In an embodiment of the present invention, optionally, one or more attacks within a predetermined time are recorded as one attack behavior. For example, if 1 attack occurs within a certain predetermined time, one attack behavior is recorded for that predetermined time. As another example, if 10000 attacks occur within a certain predetermined time, still only one attack behavior is recorded for that predetermined time. Recording one or more attack behaviors within the predetermined time as one attack behavior effectively prevents every malice index from converging to 1, and thus improves the accuracy with which the malice indexes of different IPs are distinguished. Of course, practical applications are not limited to the above; the number of attack behaviors within the predetermined time may also be recorded as the number of attacks that actually occurred.
The present invention proposes a method for updating a malice index: the malice index is made to decay over time, and when an attack behavior is detected, the malice index is increased. In this scheme, the update of the malice index no longer relies on stored attack records; instead, when an attack behavior is detected, the update is realized by increasing the decayed malice index. Thus a large number of records is not needed, which reduces the storage space occupied. At the same time, recording one or more attack behaviors within the predetermined time as one attack behavior prevents every malice index from converging to 1 and improves the accuracy with which the malice indexes of different IPs are distinguished.
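The update rule shared by the three methods above (Formulas 1 to 3, with the general constants a and b of the first method) can be sketched in Python as follows; this is an added example, not code from the patent. The class and method names, the `dedup_len` counting window, the read-only `current` view and the choice to drop late-arriving events are assumptions of this sketch, and the 192.0.2.7 events are constructed sample data.

```python
from dataclasses import dataclass


@dataclass
class IpState:
    ei: float = 0.0    # recorded malice index (EI2); 0 at system initialization
    period: int = 0    # period of the last counted attack behavior (m2); 0 = none yet
    window: int = -1   # last counting window in which an attack behavior was recorded


class MaliceIndex:
    """Keeps only (index, period) per IP; no attack log is stored."""

    def __init__(self, t0, period_len, a=1.0, b=0.5, dedup_len=None):
        if not 0 < b < 1:
            raise ValueError("b must be a positive number less than 1")
        self.t0, self.period_len, self.a, self.b = t0, period_len, a, b
        # Attacks inside one window of dedup_len seconds count as one attack
        # behavior. Assumption of this example: default window = one period.
        self.dedup_len = dedup_len if dedup_len is not None else period_len
        self.state = {}

    def period_of(self, t):
        """Formulas 1 and 2: m = (t - T0) / T + 1, with integer division."""
        if t < self.t0:
            raise ValueError("timestamp precedes the detection start time T0")
        return (t - self.t0) // self.period_len + 1

    def record_attack(self, ip, t):
        """Update and return the index of ip for an attack detected at time t."""
        m1 = self.period_of(t)
        window = (t - self.t0) // self.dedup_len
        st = self.state.setdefault(ip, IpState())
        if window <= st.window:
            # Same window: already counted. Earlier window: a late event, which
            # this example drops so that m1 - m2 can never be negative.
            return st.ei
        # m1 == m2 gives b**0 == 1, i.e. EI1 = EI2 + a; otherwise the recorded
        # value decays by b per elapsed period before a is added (Formula 3 is
        # the case a = 1, b = 1/2).
        st.ei = st.ei * self.b ** (m1 - st.period) + self.a
        st.period, st.window = m1, window
        return st.ei

    def current(self, ip, now):
        """Index as seen at time now: recorded value decayed, nothing added."""
        st = self.state.get(ip)
        if st is None:
            return 0.0
        return st.ei * self.b ** max(0, self.period_of(now) - st.period)


def patent_example():
    """The worked example from the text: T = 3600 s, IP 1.1.1.1."""
    idx = MaliceIndex(t0=1453227010, period_len=3600)
    first = idx.record_attack("1.1.1.1", 1453238410)
    second = idx.record_attack("1.1.1.1", 1453263610)
    return idx.period_of(1453238410), first, idx.period_of(1453263610), second


def burst_example():
    """Constructed data: 1-day periods, attacks counted once per hour."""
    idx = MaliceIndex(t0=0, period_len=86400, dedup_len=3600)
    for i in range(10000):                       # 10000 attacks in the first hour
        idx.record_attack("192.0.2.7", 10 + i // 4)
    after_burst = idx.current("192.0.2.7", 3599)
    next_hour = idx.record_attack("192.0.2.7", 3600)        # same day: EI + a
    three_days = idx.record_attack("192.0.2.7", 3 * 86400)  # m1 - m2 = 3
    return after_burst, next_hour, three_days


if __name__ == "__main__":
    print(patent_example())   # periods and indexes for 1.1.1.1
    print(burst_example())
```

The second value for 1.1.1.1 is 1 * (1/2)^7 + 1 = 1.0078125, which the text rounds to 1.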
Example devices
Having described the methods of the exemplary embodiments of the present invention, the devices for calculating a malice index according to exemplary embodiments of the present invention are described next with reference to Figs. 4 and 5, and the device for updating a malice index according to an exemplary embodiment of the present invention is described with reference to Fig. 6.
Fig. 4 schematically shows a device 40 for calculating a malice index according to an embodiment of the present invention. As shown in Fig. 4, the device 40 may include:
A detection unit 400, configured to detect attack behavior;
A determining unit 410, configured to determine, when the detection unit 400 detects an attack behavior, the Internet Protocol (IP) address corresponding to the attack behavior;
An acquiring unit 420, configured to obtain, according to the IP address, the recorded malice index corresponding to the IP address; and
A computing unit 430, configured to calculate and update, based on the recorded malice index, the malice index corresponding to the IP address.
With this method, the calculation of the malice index no longer relies on stored attack records. Instead, the malice index is calculated and updated iteratively using only the recorded malice index and the current attack situation, for example the attack situation within the current period or within a short time. In one embodiment, the malice index is updated once for each additional attack behavior. In this way, attack records need not be stored in large quantities, which improves the utilization of storage space.
In an embodiment of the present invention, optionally, one or more attacks within a predetermined time are recorded as one attack behavior. For example, if 1 attack occurs within the predetermined time, one attack behavior is recorded for that predetermined time. As another example, if 10000 attacks occur within a certain predetermined time, such as a large-scale attack, still only one attack behavior is recorded for that predetermined time. Recording one or more attack behaviors within the predetermined time as one attack behavior effectively prevents every malice index from converging to 1, and thus improves the accuracy with which the malice indexes of different IPs are distinguished. Of course, practical applications are not limited to the above; the number of attack behaviors within the predetermined time may also be recorded as the number of attacks that actually occurred.
In an embodiment of the present invention, optionally, the computing unit 430 is specifically configured to:
Decay the recorded malice index over time and then add a constant to it, generating a new malice index;
Take the new malice index as the updated malice index.
In this way, the malice of an attack behavior is greatest when it has just occurred and gradually decreases as it decays over time.
In an embodiment of the present invention, further, the computing unit 430 is also configured to calculate the current period m1 corresponding to the time at which the attack behavior is detected;
The acquiring unit 420 is also configured to obtain the record period m2 corresponding to the recorded malice index.
For example, the attacks from a given IP within 1 hour are recorded as 1 attack behavior and 1 day is taken as one period; in such a period there are at most 24 attack behaviors.
In an embodiment of the present invention, optionally, if the current period and the record period are the same period (m1 = m2), the computing unit 430 calculates and updates the malice index corresponding to the IP address specifically as follows:
A constant a is added to the recorded malice index: EI1 = EI2 + a, where EI1 is the malice index corresponding to the IP address after the update and EI2 is the previously recorded malice index;
If the current period and the record period are different periods (m1 ≠ m2), the computing unit 430 calculates and updates the malice index corresponding to the IP address specifically as follows:
The recorded malice index is decayed over time and a constant a is then added: EI1 = EI2 * b^(m1 - m2) + a, where b is a positive number less than 1.
That is, if m1 = m2, EI1 is simply EI2 plus a; if m1 ≠ m2, EI1 is the decayed value of EI2 plus the constant a.
In an embodiment of the present invention, further, the device also includes a malice index setting unit 440, configured to set the malice index corresponding to the IP address to 0 when the system is initialized.
The present invention proposes a device for calculating a malice index: a detection unit, configured to detect attack behavior; a determining unit, configured to determine, when the detection unit detects an attack behavior, the Internet Protocol (IP) address corresponding to the attack behavior; an acquiring unit, configured to obtain, according to the IP address, the recorded malice index corresponding to the IP address; and a computing unit, configured to calculate and update, based on the recorded malice index, the malice index corresponding to the IP address. In this scheme, the malice index of a given IP is no longer calculated from stored attack records; the malice index corresponding to the IP address is updated using only the already recorded malice index and the current attack situation. Thus a large number of records is not needed, which reduces the storage space occupied. At the same time, recording one or more attack behaviors within the predetermined time as one attack behavior prevents every malice index from converging to 1 and improves the accuracy with which the malice indexes of different IPs are distinguished.
The present invention also proposes another device for calculating a malice index. Fig. 5 schematically shows a device 50 for calculating a malice index according to an embodiment of the present invention. As shown in Fig. 5, the device 50 may include:
A detection unit 500, configured to detect attack behavior;
A determining unit 510, configured to determine the Internet Protocol (IP) address corresponding to the N-th attack behavior;
A computing unit 520, configured to calculate, when the detection unit 500 detects the N-th attack behavior, the first period to which the first time point at which the N-th attack behavior occurs belongs;
The computing unit 520 is also configured to calculate the second period, to which the second time point at which the (N-1)-th attack behavior related to the IP address occurred belongs, together with the first malice index obtained when the (N-1)-th attack behavior was completed, the second time point being located before the first time point;
The computing unit 520 is also configured to calculate, according to the first malice index, the first period and the second period, the second malice index obtained when the N-th attack behavior is completed.
In an embodiment of the present invention, optionally, one or more attacks within a predetermined time period are recorded as one attack behavior. For example, if 1 attack occurs between 7:00 and 8:00 on a certain day, one attack behavior is recorded for that time; if 10000 attacks occur between 7:00 and 8:00, one attack behavior is likewise recorded for that time; one or more attacks occurring between 9:00 and 10:00 are also recorded as one attack behavior.
In an embodiment of the present invention, optionally, one or more attacks within a predetermined time are recorded as one attack behavior. For example, if 1 attack occurs within a certain period, one attack behavior is recorded for that period. As another example, if 10000 attacks occur within a certain period, still only one attack behavior is recorded for that period.
Recording one or more attacks within a time interval or within a predetermined time as one attack behavior effectively prevents every malice index from converging to 1, and thus improves the accuracy with which the malice indexes of different IPs are distinguished.
Of course, practical applications are not limited to the above; the number of attack behaviors within the period may also be recorded as the number of attacks that actually occurred.
In an embodiment of the present invention, optionally, the computing unit 520 calculates the first period to which the first time point at which the N-th attack behavior occurs belongs specifically as follows:
The first period calculated by the computing unit 520 satisfies the following rule, Formula 1:
m1 = (t1 - T0) / T + 1 (Formula 1)
where m1 is the first period, t1 is the first time point, T0 is the time point at which detection of attack behavior was started, T is a preset value, and / denotes integer division;
The computing unit 520 calculates the second period to which the second time point at which the (N-1)-th attack behavior occurred belongs specifically as follows:
The second period calculated by the computing unit 520 satisfies the following rule, Formula 2:
m2 = (t2 - T0) / T + 1 (Formula 2)
where m2 is the second period and t2 is the second time point.
In an embodiment of the present invention, optionally, if the first period and the second period are different periods, the computing unit 520 calculates the second malice index obtained when the N-th attack behavior is completed, according to the first malice index, the first period and the second period, specifically as follows:
The second malice index calculated by the computing unit 520 satisfies the following rule, Formula 3:
EI1 = EI2 * (1/2)^(m1 - m2) + 1 (Formula 3)
where EI1 is the second malice index, EI2 is the first malice index, m1 is the first period and m2 is the second period.
In an embodiment of the present invention, optionally, if the first period and the second period are the same period, the second malice index is equal to the first malice index plus 1.
That is, if the first period and the second period are the same period, the second malice index is simply the first malice index plus 1; if the first period and the second period are different periods, the second malice index is the decayed value of the first malice index plus 1.
In an embodiment of the present invention, further, in order to calculate the malice index for attack behaviors after the N-th attack behavior, the device also includes a replacement unit 530, configured to replace the first malice index recorded in the system with the second malice index and to replace the second period recorded in the system with the first period.
Thus, when the computing unit 520 calculates the third malice index for an attack behavior after the N-th attack behavior: if the first period, to which the first time point at which the N-th attack behavior occurred belongs, and the third period, to which the third time point at which the attack behavior after the N-th attack behavior occurs belongs, are the same period, the third malice index is simply the second malice index plus 1; if the first period and the third period are different periods, the third malice index is calculated using Formula 4, wherein the third time point is located before the first time point:
EI3 = EI1 * (1/2)^(m3 - m1) + 1 (Formula 4)
where EI1 is the second malice index, EI3 is the third malice index, m1 is the first period and m3 is the third period.
For example: T = 3600 seconds and the whole system was started at 02:10:10 on January 20, 2016, so T0 = 1453227010 is recorded. At 05:20:10 on January 20, 2016, i.e. t = 1453238410, the first attack behavior of a certain IP = 1.1.1.1 is detected. The period to which the current time point belongs is then calculated as m1 = (1453238410 - 1453227010)/3600 + 1 = 4, i.e. the period is 4, and EI1 is calculated using EI1 = EI2 * (1/2)^(m1 - m2) + 1 (Formula 3); since EI2 is 0, the calculated EI1 = 1. At 12:20:10 on January 20, 2016, i.e. t = 1453263610, a second attack behavior of IP = 1.1.1.1 is detected. The period to which the current time point belongs is then calculated as m2 = (1453263610 - 1453227010)/3600 + 1 = 11, i.e. the 11th period, and EI1 is calculated using EI1 = EI2 * (1/2)^(m1 - m2) + 1 (Formula 3); at this point, since EI2 is 1, m1 = 11 and m2 = 4, the calculated EI1 = 1 * (1/2)^7 + 1 ≈ 1. Further, the calculated EI1 and the period may be updated to 1 and 11 respectively, for use in subsequent malice index calculations.
The present invention proposes a device for calculating a malice index: a detection unit, configured to detect attack behavior; a determining unit, configured to determine the Internet Protocol (IP) address corresponding to the N-th attack behavior; and a computing unit, configured to calculate, when the detection unit detects the N-th attack behavior, the first period to which the first time point at which the N-th attack behavior occurs belongs. The computing unit is also configured to calculate the second period, to which the second time point at which the (N-1)-th attack behavior related to the IP address occurred belongs, together with the first malice index obtained when the (N-1)-th attack behavior was completed, the second time point being located before the first time point. The computing unit is also configured to calculate, according to the first malice index, the first period and the second period, the second malice index obtained when the N-th attack behavior is completed. In this scheme, for an IP that performs the N-th attack behavior, the malice index is no longer calculated from stored attack records. The second malice index obtained when the N-th attack behavior is completed is calculated using only the first period corresponding to the N-th attack behavior of that IP, the second period corresponding to the (N-1)-th attack behavior, and the first malice index obtained when the (N-1)-th attack behavior was completed. Thus a large number of records is not needed, which reduces the storage space occupied. At the same time, recording one or more attacks within a time period as one attack behavior prevents every malice index from converging to 1, and thus improves the accuracy with which the malice indexes of different IPs are distinguished.
Fig. 6 schematically shows the device for updating malice index according to embodiment of the present invention The schematic diagram of 60.As shown in Figure 6, this device 60 may include that
Maliciously exponential damping unit 600, is used for making malice index decay in time;
Detector unit 610, is used for detecting aggressive behavior;
Maliciously index increases unit 620, for when aggressive behavior having been detected, makes malice index increase.
In one embodiment, when no attack behavior is detected, the malice index decays in real time, so that the maliciousness of a given attack behavior decays over time. When an attack behavior is detected, the malice index is increased by a constant and then continues to decay in real time.
In the embodiments of the present invention, optionally, one or more attacks within a predetermined time are recorded as one attack behavior. For example, if 1 attack occurs within a certain predetermined time, one attack behavior is recorded as having occurred within that predetermined time. As another example, if 10000 attacks occur within a certain predetermined time, still only one attack behavior is recorded as having occurred within that predetermined time. Recording one or more attacks within the predetermined time as one attack behavior effectively prevents every malice index from approaching 1, and thus improves the accuracy with which the malice indexes of different IPs are distinguished. Of course, practical applications are not limited to the above approach; the number of attack behaviors within the predetermined time may also be recorded as the number of attacks that actually occurred.
The present invention proposes a device for updating a malice index, comprising: a malice index decay unit, configured to make the malice index decay over time; a detection unit, configured to detect attack behavior; and a malice index increase unit, configured to increase the malice index when an attack behavior has been detected. With this approach, updating the malice index no longer relies on recorded attack records; instead, when an attack behavior has been detected, the update is achieved by increasing the decayed malice index. In this way, a large number of logs need not be recorded, which reduces the storage space occupied. Meanwhile, by recording one or more attacks within the predetermined time as one attack behavior, every malice index is prevented from approaching 1, which improves the accuracy with which the malice indexes of different IPs are distinguished.
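The update rule stated in claims 2 and 3, EI1 = EI2 * (1/2)^(m1 - m2) + 1, needs only the last period and last index stored per IP. The following Python code is an added example, not code from the patent; the period numbering (timestamp divided by a fixed period length), the starting index of 0 for an unseen IP, the per-period halving between attacks, the optional merge window and all names are assumptions.

```python
from dataclasses import dataclass
from typing import Dict


@dataclass
class IpState:
    period: int       # m2: period of the last counted attack behavior
    index: float      # EI2: malice index after that attack behavior
    last_ts: float    # timestamp of the last counted attack behavior


class MaliceIndexTracker:
    """Keeps one small record per IP instead of a full attack log."""

    def __init__(self, period_seconds: float, merge_window: float = 0.0):
        if period_seconds <= 0 or merge_window < 0:
            raise ValueError("period_seconds must be > 0 and merge_window >= 0")
        self.period_seconds = period_seconds
        # Assumption: attacks closer than merge_window seconds to the last
        # counted one are folded into it; 0 counts every attack.
        self.merge_window = merge_window
        self._state: Dict[str, IpState] = {}

    def period_of(self, ts: float) -> int:
        # Assumption: periods are consecutive fixed-length slots numbered from 0.
        return int(ts // self.period_seconds)

    def current(self, ip: str, now: float) -> float:
        """Decayed index at time `now` (assumed to halve once per elapsed period)."""
        st = self._state.get(ip)
        if st is None:
            return 0.0
        return st.index * 0.5 ** max(0, self.period_of(now) - st.period)

    def record_attack(self, ip: str, ts: float) -> float:
        """Apply EI1 = EI2 * (1/2)^(m1 - m2) + 1 for the Nth attack behavior."""
        st = self._state.get(ip)
        if st is not None and ts < st.last_ts:
            raise ValueError("attacks must be recorded in time order")
        if st is not None and self.merge_window and ts - st.last_ts < self.merge_window:
            return self.current(ip, ts)   # same attack behavior, no increment
        m1 = self.period_of(ts)
        # Unseen IP: assume EI2 = 0, so the first attack behavior yields 1.
        ei2, m2 = (st.index, st.period) if st is not None else (0.0, m1)
        ei1 = ei2 * 0.5 ** (m1 - m2) + 1.0   # m1 == m2 gives EI2 + 1 (claim 3)
        self._state[ip] = IpState(m1, ei1, ts)
        return ei1


def demo():
    hour = 3600.0
    ip = "203.0.113.7"                     # constructed sample (documentation range)
    tracker = MaliceIndexTracker(period_seconds=hour)
    # Two attacks in period 0, one in period 2, then a read in period 3.
    trace = [tracker.record_attack(ip, ts) for ts in (100.0, 200.0, 2 * hour + 5)]
    trace.append(tracker.current(ip, 3 * hour))
    burst = MaliceIndexTracker(period_seconds=hour, merge_window=60.0)
    merged = 0.0
    for i in range(10000):                 # 10000 attacks inside one 60 s window
        merged = burst.record_attack(ip, i * 0.005)
    return trace, merged


if __name__ == "__main__":
    print(demo())
```

Storage stays at one `IpState` per IP regardless of how many attacks are seen, which is the log-free property the description claims.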
Example devices
Having described the methods and devices of the exemplary embodiments of the present invention, a device for calculating a malice index or updating a malice index according to another exemplary embodiment of the present invention is introduced next.
Those of ordinary skill in the art will understand that various aspects of the present invention may be implemented as a system, method or program product. Therefore, various aspects of the present invention may take the following forms: an entirely hardware embodiment, an entirely software embodiment (including firmware, microcode, etc.), or an embodiment combining hardware and software aspects, which may be collectively referred to herein as a "circuit", "module" or "system".
In some possible embodiments, the device for calculating a malice index or updating a malice index according to the present invention may include at least one processing unit and at least one storage unit. The storage unit stores program code which, when executed by the processing unit, causes the processing unit to perform the steps of the methods for calculating a malice index or updating a malice index according to the various exemplary embodiments of the present invention described in the "illustrative methods" section above of this specification.
For example, the processing unit may perform step 100 as shown in Fig. 1: when an attack behavior is detected, determining the Internet Protocol (IP) address corresponding to the attack behavior; step 110: obtaining, according to the IP address, the recorded malice index corresponding to the IP address; and step 120: calculating and updating, based on the recorded malice index, the malice index corresponding to the IP address.
As another example, the processing unit may also perform step 200 as shown in Fig. 2: when the Nth attack behavior is detected, determining the Internet Protocol (IP) address corresponding to the Nth attack behavior, and calculating the first period to which the first time point, at which the Nth attack behavior occurs, currently belongs; step 210: calculating the second period to which the second time point, at which the (N-1)th attack behavior related to the IP address occurred, belongs, and obtaining the first malice index obtained when the (N-1)th attack behavior was completed, the second time point being earlier than the first time point; step 220: calculating, according to the first malice index, the first period and the second period, the second malice index obtained when the Nth attack behavior is completed.
As a further example, the processing unit may also perform step 300 as shown in Fig. 3: making the malice index decay over time; step 310: when an attack behavior has been detected, increasing the malice index.
A device 70 for calculating a malice index or updating a malice index according to this embodiment of the present invention is described below with reference to Fig. 7. The device 70 shown in Fig. 7 is only an example and should not impose any limitation on the function and scope of use of the embodiments of the present invention.
As shown in Fig. 7, the device 70 for calculating a malice index or updating a malice index takes the form of a general-purpose computing device. The components of the device 70 may include, but are not limited to: the at least one processing unit 716 mentioned above, the at least one storage unit 728 mentioned above, and a bus 718 connecting the different system components (including the storage unit 728 and the processing unit 716).
The bus 718 represents one or more of several types of bus structures, including a memory bus or memory controller, a peripheral bus, an accelerated graphics port (AGP), and a processor or local bus using any of a variety of bus structures.
The storage unit 728 may include readable media in the form of volatile memory, such as a random access memory (RAM) 730 and/or a cache memory 732, and may further include a read-only memory (ROM) 734.
The storage unit 728 may also include a program/utility 740 having a set of (at least one) program modules 742. Such program modules 742 include, but are not limited to: an operating system, one or more application programs, other program modules and program data; each of these examples, or some combination of them, may include an implementation of a network environment.
The device 70 for calculating a malice index or updating a malice index may also communicate with one or more external devices 714 (such as a keyboard, a pointing device, a Bluetooth device, etc.), with one or more devices that enable a user to interact with the device 70, and/or with any device (such as a router, a modem, etc.) that enables the device 70 to communicate with one or more other computing devices. Such communication may take place through an input/output (I/O) interface 722. Moreover, the device 70 may also communicate with one or more networks (such as a local area network (LAN), a wide area network (WAN) and/or a public network, such as the Internet) through a network adapter 720. As shown in the figure, the network adapter 720 communicates with the other modules of the device 70 through the bus 718. It should be understood that, although not shown in the figure, other hardware and/or software modules may be used in conjunction with the device 70, including but not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives, data backup storage systems, and the like.
Exemplary program product
In some possible embodiments, various aspects of the present invention may also be implemented in the form of a program product that includes program code; when the program product runs on a terminal device, the program code causes the terminal device to perform the steps of the methods for calculating a malice index or updating a malice index according to the various exemplary embodiments of the present invention described in the "illustrative methods" section above of this specification.
For example, the processing unit may perform step 100 as shown in Fig. 1: when an attack behavior is detected, determining the Internet Protocol (IP) address corresponding to the attack behavior; step 110: obtaining, according to the IP address, the recorded malice index corresponding to the IP address; and step 120: calculating and updating, based on the recorded malice index, the malice index corresponding to the IP address.
As another example, the terminal device may also perform step 200 as shown in Fig. 2: when the Nth attack behavior is detected, determining the Internet Protocol (IP) address corresponding to the Nth attack behavior, and calculating the first period to which the first time point, at which the Nth attack behavior occurs, currently belongs; step 210: calculating the second period to which the second time point, at which the (N-1)th attack behavior related to the IP address occurred, belongs, and obtaining the first malice index obtained when the (N-1)th attack behavior was completed, the second time point being earlier than the first time point; step 220: calculating, according to the first malice index, the first period and the second period, the second malice index obtained when the Nth attack behavior is completed.
As a further example, the processing unit may also perform step 300 as shown in Fig. 3: making the malice index decay over time; step 310: when an attack behavior has been detected, increasing the malice index.
The program product may employ any combination of one or more readable media. A readable medium may be a readable signal medium or a readable storage medium. A readable storage medium may be, for example but not limited to, an electrical, magnetic, optical, electromagnetic, infrared or semiconductor system, apparatus or device, or any combination of the above. More specific examples (a non-exhaustive list) of readable storage media include: an electrical connection having one or more wires, a portable disk, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the above.
As shown in Fig. 8, a program product 80 for calculating a malice index or updating a malice index according to an embodiment of the present invention is described. It may take the form of a portable compact disc read-only memory (CD-ROM), include program code, and run on a terminal device such as a PC. However, the program product of the present invention is not limited to this. In this document, a readable storage medium may be any tangible medium that contains or stores a program, which may be used by or in connection with an instruction execution system, apparatus or device.
A readable signal medium may include a data signal propagated in baseband or as part of a carrier wave, carrying readable program code. Such a propagated data signal may take many forms, including but not limited to an electromagnetic signal, an optical signal, or any suitable combination of the above. A readable signal medium may also be any readable medium other than a readable storage medium, which can send, propagate or transmit a program for use by or in connection with an instruction execution system, apparatus or device.
The program code contained on a readable medium may be transmitted over any suitable medium, including but not limited to wireless, wired, optical cable, RF, etc., or any suitable combination of the above.
Program code for carrying out the operations of the present invention may be written in any combination of one or more programming languages, including object-oriented programming languages such as Java and C++, as well as conventional procedural programming languages such as the "C" language or similar programming languages. The program code may execute entirely on the user computing device, partly on the user device, as a stand-alone software package, partly on the user computing device and partly on a remote computing device, or entirely on the remote computing device or server. Where a remote computing device is involved, the remote computing device may be connected to the user computing device through any kind of network, including a local area network (LAN) or a wide area network (WAN), or may be connected to an external computing device (for example, through the Internet using an Internet service provider).
It should be noted that, although several devices or sub-devices of the equipment for calculating a malice index or updating a malice index are mentioned in the detailed description above, this division is not mandatory. In fact, according to the embodiments of the present invention, the features and functions of two or more of the devices described above may be embodied in one device. Conversely, the features and functions of one device described above may be further divided so as to be embodied by multiple devices.
Furthermore, although the operations of the method of the present invention are depicted in the drawings in a particular order, this does not require or imply that these operations must be performed in that particular order, or that all of the operations shown must be performed, to achieve the desired result. Additionally or alternatively, some steps may be omitted, multiple steps may be combined into one step, and/or one step may be split into multiple steps.
Although the spirit and principles of the present invention have been described with reference to several specific embodiments, it should be understood that the present invention is not limited to the specific embodiments disclosed, and the division into aspects does not mean that features in these aspects cannot be combined to advantage; this division is merely for convenience of presentation. The present invention is intended to cover the various modifications and equivalent arrangements included within the spirit and scope of the appended claims.

Claims (10)

1. A method for calculating a malice index, comprising:
when the Nth attack behavior is detected, determining the Internet Protocol (IP) address corresponding to the Nth attack behavior, and calculating the first period to which the first time point, at which the Nth attack behavior occurs, currently belongs;
calculating the second period to which the second time point, at which the (N-1)th attack behavior related to the IP address occurred, belongs, and obtaining the first malice index obtained when the (N-1)th attack behavior was completed, the second time point being earlier than the first time point;
calculating, according to the first malice index, the first period and the second period, the second malice index obtained when the Nth attack behavior is completed.
2. The method of claim 1, wherein, if the first period and the second period are different periods, calculating, according to the first malice index, the first period and the second period, the second malice index obtained when the Nth attack behavior is completed comprises:
the calculated second malice index satisfies the following rule:
EI1 = EI2 * (1/2)^(m1 - m2) + 1
where EI1 is the second malice index, EI2 is the first malice index, m1 is the first period, and m2 is the second period.
3. The method of claim 1 or 2, wherein, if the first period and the second period are the same period, the second malice index is equal to the first malice index plus 1.
4. A device for calculating a malice index, comprising:
a detection unit, configured to detect attack behavior;
a determining unit, configured to determine the Internet Protocol (IP) address corresponding to the Nth attack behavior;
a calculation unit, configured to calculate, when the detection unit detects the Nth attack behavior, the first period to which the first time point, at which the Nth attack behavior occurs, currently belongs;
the calculation unit being further configured to calculate the second period to which the second time point, at which the (N-1)th attack behavior related to the IP address occurred, belongs, and to obtain the first malice index obtained when the (N-1)th attack behavior was completed, the second time point being earlier than the first time point;
the calculation unit being further configured to calculate, according to the first malice index, the first period and the second period, the second malice index obtained when the Nth attack behavior is completed.
5. The device of claim 4, wherein, if the first period and the second period are different periods, when the calculation unit calculates, according to the first malice index, the first period and the second period, the second malice index obtained when the Nth attack behavior is completed, specifically:
the second malice index calculated by the calculation unit satisfies the following rule:
EI1 = EI2 * (1/2)^(m1 - m2) + 1
where EI1 is the second malice index, EI2 is the first malice index, m1 is the first period, and m2 is the second period.
6. The device of claim 4 or 5, wherein, if the first period and the second period are the same period, the second malice index is equal to the first malice index plus 1.
7. A method for calculating a malice index, comprising:
when an attack behavior is detected, determining the Internet Protocol (IP) address corresponding to the attack behavior;
obtaining, according to the IP address, the recorded malice index corresponding to the IP address; and
calculating and updating, based on the recorded malice index, the malice index corresponding to the IP address.
8. A device for calculating a malice index, comprising:
a detection unit, configured to detect attack behavior;
a determining unit, configured to determine, when the detection unit detects an attack behavior, the Internet Protocol (IP) address corresponding to the attack behavior;
an obtaining unit, configured to obtain, according to the IP address, the recorded malice index corresponding to the IP address; and
a calculation unit, configured to calculate and update, based on the recorded malice index, the malice index corresponding to the IP address.
9. A method for updating a malice index, comprising:
making the malice index decay over time; and
when an attack behavior has been detected, increasing the malice index.
10. A device for updating a malice index, comprising:
a malice index decay unit, configured to make the malice index decay over time;
a detection unit, configured to detect attack behavior;
a malice index increase unit, configured to increase the malice index when an attack behavior has been detected.
CN201610187740.XA 2016-03-29 2016-03-29 Method and device for computing malice index Active CN105871834B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610187740.XA CN105871834B (en) 2016-03-29 2016-03-29 Method and device for computing malice index

Publications (2)

Publication Number Publication Date
CN105871834A true CN105871834A (en) 2016-08-17
CN105871834B CN105871834B (en) 2019-08-30

Family

ID=56625186

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610187740.XA Active CN105871834B (en) 2016-03-29 2016-03-29 Method and device for computing malice index

Country Status (1)

Country Link
CN (1) CN105871834B (en)

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20040044912A1 (en) * 2002-08-26 2004-03-04 Iven Connary Determining threat level associated with network activity
CN1692347A (en) * 2003-02-26 2005-11-02 智行科技有限公司 Security system and operating method thereof
CN1770700A (en) * 2004-11-01 2006-05-10 中兴通讯股份有限公司 Intimidation estimating method for computer attack
CN102137115A (en) * 2011-04-22 2011-07-27 南京邮电大学 Method for evaluating malicious code attack effect of communication network
CN102185858A (en) * 2011-05-06 2011-09-14 山东中创软件商用中间件股份有限公司 Web intrusion prevention method and system based on application layer
CN102739649A (en) * 2012-05-25 2012-10-17 北京神州绿盟信息安全科技股份有限公司 Method and device for determining network threat level
US9241007B1 (en) * 2013-07-18 2016-01-19 Blue Pillar, Inc. System, method, and computer program for providing a vulnerability assessment of a network of industrial automation devices

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106572083A (en) * 2016-10-18 2017-04-19 汉柏科技有限公司 Log processing method and system
CN110061998A (en) * 2019-04-25 2019-07-26 新华三信息安全技术有限公司 A kind of attack defense method and device
CN110061998B (en) * 2019-04-25 2022-03-22 新华三信息安全技术有限公司 Attack defense method and device

Also Published As

Publication number Publication date
CN105871834B (en) 2019-08-30

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant