CN105939342A - HTTP attack detection method and device - Google Patents


Info

Publication number
CN105939342A
Authority
CN
China
Legal status
Pending
Application number
CN201610203948.6A
Other languages
Chinese (zh)
Inventor
田佳星
Current Assignee
Hangzhou DPTech Technologies Co Ltd
Original Assignee
Hangzhou DPTech Technologies Co Ltd
Application filed by Hangzhou DPTech Technologies Co Ltd
Priority to CN201610203948.6A
Publication of CN105939342A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/16 Threshold monitoring
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]

Abstract

The invention provides an HTTP attack detection method applied to network equipment. The method comprises the following steps: counting the number of HTTP request messages and the number of HTTP response messages received in the current detection cycle; calculating the number ratio of the HTTP request messages to the HTTP response messages received in the current detection cycle; and determining that an HTTP attack is detected when the number ratio is greater than or equal to the detection threshold of the time period to which the current detection cycle belongs. By applying the embodiment of the invention, HTTP attacks are detected by calculating the message number ratio, so the identification rate of discrete HTTP attacks is effectively increased and normal operation of the server is ensured.

Description

HTTP attack detection method and device
Technical field
This application relates to the field of communication technology, and in particular to an HTTP attack detection method and device.
Background
An HTTP (HyperText Transfer Protocol) attack is a typical network application-layer attack. When a server is under HTTP attack, it usually receives a large number of HTTP request messages. Because it has to process too many HTTP request messages, the server may become abnormally busy or even be paralyzed.
Summary of the invention
In view of this, the application provides an HTTP attack detection method and device to solve the problem in the prior art that the recognition rate for discrete HTTP attacks is low.
Specifically, the application is implemented through the following technical solution:
The application provides an HTTP attack detection method, applied on a network device, comprising:
counting the number of HTTP request messages and the number of HTTP response messages received in the current detection cycle;
calculating the number ratio of the HTTP request messages to the HTTP response messages received in the current detection cycle;
when the number ratio is greater than or equal to the detection threshold of the time period to which the current detection cycle belongs, determining that an HTTP attack is detected.
Optionally, the process of determining the detection threshold of the time period to which the detection cycle belongs comprises:
dividing a sampling period into multiple time periods according to a preset time period division rule;
for each time period, calculating a first-level ratio sample of the HTTP request messages to the HTTP response messages received in each detection cycle within the time period;
determining the first-level ratio sample that satisfies a preset condition as the second-level ratio sample of the time period;
determining the detection threshold of the time period according to the second-level ratio samples of the same time period in multiple sampling periods.
Optionally, determining the first-level ratio sample that satisfies the preset condition as the second-level ratio sample of the time period comprises:
determining the maximum of the first-level ratio samples of the detection cycles in the time period as the second-level ratio sample of the time period.
Optionally, determining the detection threshold of the time period according to the second-level ratio samples of the same time period in multiple sampling periods comprises:
determining the maximum of the second-level ratio samples of the same time period;
calculating the detection threshold of the time period according to the maximum of the second-level ratio samples and a preset weight.
Optionally, the detection threshold of the time period is calculated from the maximum of the second-level ratio samples and the preset weight using the following formula:
$T = S_{\max} \times W$,
where $T$ represents the detection threshold, $S_{\max}$ represents the maximum of the second-level ratio samples, and $W$ represents the preset weight.
The application also provides an HTTP attack detection device, applied on a network device, comprising:
a quantity statistics unit, configured to count the number of HTTP request messages and the number of HTTP response messages received in the current detection cycle;
a number ratio calculation unit, configured to calculate the number ratio of the HTTP request messages to the HTTP response messages received in the current detection cycle;
an attack determination unit, configured to determine that an HTTP attack is detected when the number ratio is greater than or equal to the detection threshold of the time period to which the current detection cycle belongs.
Optionally, the device further comprises:
a time period division unit, configured to divide a sampling period into multiple time periods according to a preset time period division rule;
a first-level ratio calculation unit, configured to calculate, for each time period, a first-level ratio sample of the HTTP request messages to the HTTP response messages received in each detection cycle within the time period;
a second-level ratio determination unit, configured to determine the first-level ratio sample that satisfies a preset condition as the second-level ratio sample of the time period;
a threshold determination unit, configured to determine the detection threshold of the time period according to the second-level ratio samples of the same time period in multiple sampling periods.
Optionally, the second-level ratio determination unit is specifically configured to determine the maximum of the first-level ratio samples of the detection cycles in the time period as the second-level ratio sample of the time period.
Optionally, the threshold determination unit comprises:
a maximum determination subunit, configured to determine the maximum of the second-level ratio samples of the same time period;
a threshold calculation subunit, configured to calculate the detection threshold of the time period according to the maximum of the second-level ratio samples and a preset weight.
Optionally, the threshold calculation subunit calculates the detection threshold of the time period using the following formula:
$T = S_{\max} \times W$,
where $T$ represents the detection threshold, $S_{\max}$ represents the maximum of the second-level ratio samples, and $W$ represents the preset weight.
By applying the embodiment of the application, the network device can calculate the number ratio of the HTTP request messages to the response messages received in the current detection cycle. When the number ratio is greater than or equal to the detection threshold of the time period to which the current detection cycle belongs, it determines that the number of HTTP request messages received in the detection cycle has surged, and therefore that an HTTP attack is detected. Detecting HTTP attacks by calculating the message number ratio can effectively improve the recognition rate for discrete HTTP attacks and thus ensure normal operation of the server.
Brief description of the drawings
Fig. 1 is a schematic diagram of an application scenario of an HTTP attack detection embodiment according to an exemplary embodiment of the application;
Fig. 2 is a flow chart of an embodiment of setting the detection threshold of each time period according to an exemplary embodiment of the application;
Fig. 3 is a flow chart of an embodiment of an HTTP attack detection method according to an exemplary embodiment of the application;
Fig. 4 is a hardware structure diagram for an HTTP attack detection device according to an exemplary embodiment of the application;
Fig. 5 is a block diagram of an HTTP attack detection device according to an exemplary embodiment of the application;
Fig. 6 is a block diagram of a threshold determination module according to an exemplary embodiment of the application;
Fig. 7 is a block diagram of another threshold determination module according to an exemplary embodiment of the application.
Detailed description
Exemplary embodiments are described in detail here, and examples of them are shown in the accompanying drawings. Where the following description refers to the drawings, the same numbers in different drawings denote the same or similar elements unless otherwise indicated. The implementations described in the following exemplary embodiments do not represent all implementations consistent with the application. Rather, they are merely examples of devices and methods consistent with some aspects of the application as detailed in the appended claims.
The terms used in this application are only for the purpose of describing particular embodiments and are not intended to limit the application. The singular forms "a", "said" and "the" used in this application and the appended claims are also intended to include the plural forms, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and includes any and all possible combinations of one or more of the associated listed items.
It should be understood that although the terms first, second, third and so on may be used in this application to describe various information, the information should not be limited by these terms. These terms are only used to distinguish information of the same type from one another. For example, without departing from the scope of the application, first information may also be called second information, and similarly second information may also be called first information. Depending on the context, the word "if" as used here may be interpreted as "when", "at the time of" or "in response to determining".
In the prior art, a network device can detect whether it is under HTTP attack according to the source IP address of HTTP request messages. Specifically, after receiving HTTP request messages, the network device parses the source IP address of each HTTP request message and counts the number of HTTP request messages with the same source IP address received in the current detection cycle. If the number of HTTP request messages with the same source IP address exceeds a protection threshold, it can determine that an HTTP attack is detected. Likewise, the network device can use the same method to detect whether it is under HTTP attack according to the source port number or the URL address of HTTP request messages.
In practice, however, as Internet technology has advanced, most HTTP attacks no longer use a fixed IP address, a fixed port number or a fixed URL address. Instead, they construct a large number of HTTP request messages made up of discrete IP addresses, discrete port numbers and/or discrete URL addresses, so the HTTP request messages are highly discrete. In this case, with any of the prior-art methods above, the counted number may never reach the corresponding protection threshold, so the HTTP attack cannot be detected and the server may still become abnormally busy or even be paralyzed.
To solve this prior-art problem, the application provides an HTTP attack detection method and a corresponding device. With reference to Fig. 1, the method can be applied on a network device, which may be a switch, a firewall or another network device with an HTTP attack detection function. In addition to the PC (Personal Computer) shown as an example client device, the client devices shown in Fig. 1 may also include tablet computers and other terminal devices with network access functions. Specifically, the application counts the number of HTTP request messages and the number of HTTP response messages received in the current detection cycle, and calculates the number ratio of the HTTP request messages to the HTTP response messages received in the current detection cycle. Because the processing performance of a server is limited, the number of response messages the server returns in one detection cycle is limited whether or not it is under HTTP attack. The network device can therefore determine that an HTTP attack is detected when the number ratio is greater than or equal to the detection threshold of the time period to which the current detection cycle belongs. Detecting HTTP attacks by calculating the message number ratio in this way effectively improves the recognition rate for discrete HTTP attacks and thus ensures normal operation of the server.
In the embodiment of the application, before the network device starts HTTP attack detection, the detection threshold of each time period must first be set. As shown in Fig. 2, setting the detection threshold of a time period may comprise the following steps:
Step 201: divide a sampling period into multiple time periods according to a preset time period division rule.
In the embodiment of the application, the duration and number of sampling periods can be configured by the administrator. For example, the administrator can set the first few days after the network device starts up as the time in which the network device samples and determines the detection thresholds; for instance, the administrator can set the duration of the sampling period to 1 day and the number of sampling periods to 3.
In this embodiment, a sampling period can be divided into multiple time periods based on the preset time period division rule. Taking a division precision of 1 hour as an example, a sampling period with a duration of 1 day can be divided into 24 time periods; for example, 8 o'clock to 9 o'clock of a day is one time period. Similarly to the time period division rule, each time period can also be divided into multiple detection cycles; for example, each time period can be divided into 60 detection cycles with a time precision of 1 minute. It should be noted that the administrator can adjust the preset time period division rule based on factors such as the performance of the network device, for example dividing each sampling period into 12 time periods with a time precision of 2 hours. The application places no particular limit on this.
Step 202: for each time period, calculate a first-level ratio sample of the HTTP request messages to the HTTP response messages received in each detection cycle within the time period.
In the embodiment of the application, for each time period, the network device first counts the number of HTTP request messages and the number of HTTP response messages received in each detection cycle within the time period, and calculates the number ratio of the HTTP request messages to the HTTP response messages received in each detection cycle. For ease of description, the number ratio of each detection cycle is called a first-level ratio sample. For example, for the 8 o'clock to 9 o'clock time period of day 1, the network device counts, for each of the 60 detection cycles of this time period, the number of HTTP request messages and the number of HTTP response messages received, and calculates the first-level ratio sample of HTTP request messages to HTTP response messages in each detection cycle, obtaining the first-level ratio sample of each of the 60 detection cycles in the 8 o'clock to 9 o'clock time period of day 1.
Step 203: determine the first-level ratio sample that satisfies a preset condition as the second-level ratio sample of the time period.
In the embodiment of the application, the network device can determine the second-level ratio sample of each time period from the first-level ratio samples of the detection cycles. For example, it can take the maximum of the first-level ratio samples of the detection cycles in the time period as the second-level ratio sample of the time period. For instance, the network device can select the maximum $T_1$ among the 60 first-level ratio samples of 8 o'clock to 9 o'clock on day 1 as the second-level ratio sample of this time period. Using the same method, the network device can select the maximum $T_2$ among the 60 first-level ratio samples of 8 o'clock to 9 o'clock on day 2 as the second-level ratio sample of this time period, and the maximum $T_3$ among the 60 first-level ratio samples of 8 o'clock to 9 o'clock on day 3 as the second-level ratio sample of this time period. In the same way, the network device can determine the second-level ratio sample of every time period.
Step 204: determine the detection threshold of the time period according to the second-level ratio samples of the same time period in multiple sampling periods.
In the embodiment of the application, the network device can determine the detection threshold of a time period according to the second-level ratio samples of the same time period in multiple sampling periods. Specifically, the network device first determines the maximum of the second-level ratio samples of the same time period and then, from that maximum and a preset weight, calculates the detection threshold of the time period using the following formula:
$T = S_{\max} \times W$,
where $T$ represents the detection threshold, $S_{\max}$ represents the maximum of the second-level ratio samples of the time period, and $W$ represents the preset weight.
Continuing the example in step 203, for the 8 o'clock to 9 o'clock time period of the three sampling periods, the maximum of the three second-level ratio samples $T_1$, $T_2$ and $T_3$ is determined first. Assuming the maximum is $T_2$, then with $T_2$ and the preset weight $W = 2$, the formula above gives the detection threshold of the 8 o'clock to 9 o'clock time period as $T_{(8-9)} = T_2 \times 2$. Likewise, the network device can use the same method to calculate the detection threshold of every time period.
In another example, the administrator can also set the detection threshold of each time period manually. Specifically, after calculating the second-level ratio sample of each time period in each sampling period, the network device can display the second-level ratio samples of the time periods of a sampling period in a preset form. For example, the second-level ratio samples of the time periods of day 1 are displayed as a line chart, and the second-level ratio samples of the time periods of the other sampling periods are likewise displayed as line charts. From the line chart of each sampling period, the administrator can see directly the trend of the ratio of HTTP request messages to HTTP response messages received by the network device in each time period, and can set the detection threshold of each time period manually according to the trend and experience. It should be noted that with this way of setting thresholds, the administrator does not need to set a weight.
The HTTP attack detection method and device provided by the application are described below with reference to the drawings.
Fig. 3 is a flow chart of an embodiment of the HTTP attack detection method of the application. This embodiment is described from the network device side and comprises the following steps:
Step 301: count the number of HTTP request messages and the number of HTTP response messages received in the current detection cycle.
In the embodiment of the application, after receiving HTTP request messages and HTTP response messages, the network device can count the number of HTTP request messages and the number of HTTP response messages received in the current detection cycle. For example, when counting the HTTP request messages received in the current detection cycle, the network device can start from zero and add one each time an HTTP request message is received; when the current detection cycle ends, the current value is the number of HTTP request messages received in that detection cycle. Likewise, the network device can use this method to count the number of HTTP response messages received in the current detection cycle.
Step 302: calculate the number ratio of the HTTP request messages to the HTTP response messages received in the current detection cycle.
In the embodiment of the application, after step 301, the network device can use the following formula to calculate the number ratio of the HTTP request messages to the HTTP response messages received in the current detection cycle:
$Q = M / N$,
where $Q$ represents the number ratio of HTTP request messages to HTTP response messages received in the current detection cycle, $M$ is the number of HTTP request messages received in the current detection cycle, and $N$ is the number of HTTP response messages received in the current detection cycle.
Step 303: when the number ratio is greater than or equal to the detection threshold of the time period to which the current detection cycle belongs, determine that an HTTP attack is detected.
In general, because the processing performance of a server is limited, the number of HTTP request messages the server can process per unit time is limited whether or not it is under HTTP attack. When the server is under HTTP attack, the number of HTTP request messages it receives surges in a short time, but the number of HTTP response messages it can return per unit time stays within the normal range. An HTTP attack therefore causes the ratio of the number of HTTP request messages to the number of HTTP response messages received by the network device per unit time to increase. Based on this characteristic of HTTP attacks, the network device can detect them by calculating the message number ratio.
In the embodiment of the application, to judge whether the server is under HTTP attack, the network device first determines the time period to which the current detection cycle belongs and obtains the detection threshold of that time period, and then compares the number ratio calculated for the current detection cycle with the detection threshold. When the number ratio is greater than or equal to the detection threshold of the time period to which the current detection cycle belongs, it can determine that the number of HTTP request messages received in the current detection cycle is excessive and beyond the normal range, and therefore that an HTTP attack is detected. When the number ratio is less than the detection threshold of the time period to which the current detection cycle belongs, the number of HTTP request messages received in the current detection cycle is within the normal range, and it can determine that no HTTP attack occurred in the current detection cycle.
In one example, when the network device detects an HTTP attack, it can protect against the attack, for example by filtering the received HTTP request messages. At the same time, the network device can generate an alarm log to remind the administrator of the HTTP attack, and the administrator can apply targeted protection with reference to the current attack situation on the network.
As the above embodiment shows, the network device can calculate the number ratio of the HTTP request messages to the response messages received in the current detection cycle. When the number ratio is greater than or equal to the detection threshold of the time period to which the current detection cycle belongs, it determines that the number of HTTP request messages received in the detection cycle has surged, and therefore that an HTTP attack is detected. Detecting HTTP attacks by calculating the message number ratio can thus effectively improve the recognition rate for discrete HTTP attacks and ensure normal operation of the server.
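The threshold-setting steps 201 to 204 and the detection steps 301 to 303 described above, as an added Python example; it is not code from the patent or its assignee. The function names, per-cycle counts and 10.0.x.x addresses are constructed for illustration, clamping N to 1 when a cycle has no responses is an assumption (the page does not cover N = 0), and the per-source count is returned only to contrast with the prior-art per-source threshold.

```python
from collections import Counter, defaultdict

DAY = 86400
PERIOD_SECONDS = 3600   # step 201: 1-hour time periods, 24 per 1-day sampling period
CYCLE_SECONDS = 60      # 60 detection cycles per time period
WEIGHT = 2              # preset weight W (the page's worked example uses W = 2)


def number_ratio(m, n):
    """Q = M / N (step 302). Assumption: N is clamped to 1 so a cycle
    with no responses does not divide by zero."""
    return m / max(n, 1)


def period_of(ts):
    """Index of the time period (hour of day) containing timestamp ts."""
    return (ts % DAY) // PERIOD_SECONDS


def learn_thresholds(sampling_cycles, weight=WEIGHT):
    """sampling_cycles: (cycle_start_ts, M, N) for every detection cycle of
    every sampling period. Returns {time period: detection threshold T}."""
    second_level = defaultdict(float)
    for ts, m, n in sampling_cycles:
        key = (ts // DAY, period_of(ts))
        # Steps 202-203: the second-level sample of a time period is the
        # maximum of the first-level samples of its detection cycles.
        second_level[key] = max(second_level[key], number_ratio(m, n))
    s_max = defaultdict(float)
    for (_day, period), sample in second_level.items():
        # Step 204: maximum over the same time period of all sampling periods.
        s_max[period] = max(s_max[period], sample)
    return {period: s * weight for period, s in s_max.items()}  # T = S_max * W


def count_cycle(messages):
    """Step 301. messages: list of (kind, src) with kind 'req' or 'resp'.
    Returns (M, N, highest request count from any single source)."""
    per_source = Counter(src for kind, src in messages if kind == "req")
    m = sum(per_source.values())
    n = sum(1 for kind, _src in messages if kind == "resp")
    return m, n, max(per_source.values(), default=0)


def is_attack(ts, m, n, thresholds):
    """Step 303: attack when Q >= T for the time period containing ts.
    Assumption: no alert when no threshold was learned for that period."""
    threshold = thresholds.get(period_of(ts))
    return threshold is not None and number_ratio(m, n) >= threshold


def constructed_sampling_data():
    """Constructed counts: three sampling days, 08:00-09:00 time period,
    60 cycles each, with peak ratios 1.2, 1.5 and 1.3."""
    peaks = {0: (120, 100), 1: (150, 100), 2: (130, 100)}
    cycles = []
    for day, peak in peaks.items():
        base = day * DAY + 8 * PERIOD_SECONDS
        for i in range(60):
            m, n = peak if i == 30 else (100, 100)
            cycles.append((base + i * CYCLE_SECONDS, m, n))
    return cycles


def constructed_cycle(requests, responses, sources):
    """Constructed messages: requests spread round-robin over `sources`
    distinct private addresses, plus `responses` server responses."""
    msgs = []
    for i in range(requests):
        s = i % sources
        msgs.append(("req", f"10.0.{s // 250}.{s % 250 + 1}"))
    msgs += [("resp", "server")] * responses
    return msgs


if __name__ == "__main__":
    thresholds = learn_thresholds(constructed_sampling_data())
    ts = 3 * DAY + 8 * PERIOD_SECONDS + 15 * CYCLE_SECONDS  # day 4, 08:15
    for label, cycle in (("normal", constructed_cycle(105, 100, 20)),
                         ("discrete", constructed_cycle(900, 110, 900))):
        m, n, top = count_cycle(cycle)
        print(label, "Q=%.2f" % number_ratio(m, n), "T=%.1f" % thresholds[8],
              "max per source=%d" % top, "attack=%s" % is_attack(ts, m, n, thresholds))
```

In the constructed discrete cycle every source sends a single request, so a per-source count never rises above 1, while the request-to-response ratio for the cycle is well above the learned threshold.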
Corresponding with the embodiment of aforementioned a kind of HTTP attack detection method, present invention also provides one The embodiment of HTTP attack detecting device.
The embodiment of the application a kind of HTTP attack detecting device can be applied on network devices.Device is real Execute example to be realized by software, it is also possible to realize by the way of hardware or software and hardware combining.With software As a example by realization, as the device on a logical meaning, it is that the processor by its place network equipment is by non- Computer program instructions corresponding in volatile memory reads and runs formation in internal memory.From hardware view For, as shown in Figure 4, the one for the application a kind of HTTP attack detecting device place network equipment is hard Part structure chart, except the processor shown in Fig. 4, internal memory, network interface and nonvolatile memory it Outward, in embodiment, the equipment at device place generally can also include other hardware, such as turning of responsible process message Send out chip etc.;This equipment from the point of view of from hardware configuration, it is also possible that distributed equipment, potentially includes multiple Interface card, in order to carry out the extension of Message processing at hardware view.
With reference to Fig. 5, it is an embodiment block diagram of the application a kind of HTTP attack detecting device, described HTTP Attack detecting device 500 can be applied on the network equipment shown in earlier figures 4, includes: quantity statistics Unit 510, quantity determine unit 530 than computing unit 520 and attack.
With reference to Fig. 6, described HTTP attack detecting device 500 can also include: Time segments division unit 540, One number of stages determines unit 560 and threshold value determination unit 570 than computing unit 550, two number of stages ratio.
With reference to Fig. 7, described threshold value determination unit 570 can also include: maximum determines subelement 571 and threshold Value computation subunit 572.
The quantity statistics unit 510 is configured to count the number of HTTP request messages and the number of HTTP response messages received in the current detection cycle;
The quantity ratio calculation unit 520 is configured to calculate the quantity ratio of the HTTP request messages to the HTTP response messages received in the current detection cycle;
The attack determination unit 530 is configured to determine that an HTTP attack is detected when the quantity ratio is greater than the detection threshold of the period to which the current detection cycle belongs.
The period division unit 540 is configured to divide a sampling period into multiple periods according to a preset period division rule;
The first-level quantity ratio calculation unit 550 is configured to calculate, for each period, first-level quantity ratio samples of the HTTP request messages to the HTTP response messages received in each detection cycle within the period;
The second-level quantity ratio determination unit 560 is configured to determine a first-level quantity ratio sample that meets a preset condition as the second-level quantity ratio sample of the period;
The threshold determination unit 570 is configured to determine the detection threshold of the period according to the second-level quantity ratio samples of the same period in multiple sampling periods.
Optionally, the second-level quantity ratio determination unit 560 is specifically configured to determine the maximum of the first-level quantity ratio samples of the detection cycles in the period as the second-level quantity ratio sample of the period.
The maximum determination subunit 571 is configured to determine the maximum of the second-level quantity ratio samples of the same period;
The threshold calculation subunit 572 is configured to calculate the detection threshold of the period according to the maximum of the second-level quantity ratio samples and a preset weight value.
Optionally, the threshold calculation subunit 572 calculates the detection threshold of the period using the following formula:
T = S_max × W,
where T denotes the detection threshold, S_max denotes the maximum of the second-level quantity ratio samples, and W denotes the preset weight value.
As can be seen from the above embodiment, the network device can calculate the quantity ratio of HTTP request messages to response messages received in the current detection cycle. When the quantity ratio is greater than the detection threshold of the period to which the current detection cycle belongs, it can be determined that the number of HTTP request messages received in the detection cycle has increased sharply, and therefore that an HTTP attack is detected. Detecting HTTP attacks by calculating the message quantity ratio can thus effectively improve the recognition rate for discrete-type HTTP attacks, and thereby ensure the normal operation of the server.
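The threshold derivation and the per-cycle check described above, written out as an added Python example that is not part of the patent text. The division rule (a 24-hour sampling period split into 6-hour periods), the weight W = 1.5, the handling of a cycle with zero responses and of a period with no learned threshold, and the sample history are all assumptions constructed for illustration.

```python
from collections import defaultdict

PERIOD_HOURS = 6   # assumed division rule: a 24 h sampling period split into 6 h periods
WEIGHT = 1.5       # assumed preset weight value W

# Constructed history: (sampling period (day), hour of detection cycle, requests, responses)
HISTORY = [
    (0, 2, 100, 100), (0, 3, 125, 100), (0, 14, 900, 600), (0, 15, 800, 400),
    (1, 2, 110, 100), (1, 3, 90, 100), (1, 14, 1000, 800), (1, 15, 1000, 400),
]

def period_of(hour):
    """Map the hour of a detection cycle to the index of its period."""
    return hour // PERIOD_HOURS

def quantity_ratio(requests, responses):
    """Request/response quantity ratio for one detection cycle."""
    # Assumption: a cycle with no responses divides by 1 so the ratio stays finite.
    return requests / max(responses, 1)

def learn_thresholds(history, weight=WEIGHT):
    """Return {period: T} with T = S_max * W."""
    # First-level samples: one ratio per detection cycle, grouped by
    # (sampling period, period).
    first_level = defaultdict(list)
    for day, hour, req, resp in history:
        first_level[(day, period_of(hour))].append(quantity_ratio(req, resp))
    # Second-level sample: the maximum first-level sample of a period
    # within one sampling period.
    second_level = defaultdict(list)
    for (_day, period), samples in first_level.items():
        second_level[period].append(max(samples))
    # S_max is the largest second-level sample of the same period across
    # all sampling periods.
    return {period: max(samples) * weight for period, samples in second_level.items()}

def is_attack(thresholds, hour, requests, responses):
    """True when the current cycle's ratio is greater than its period's threshold."""
    threshold = thresholds.get(period_of(hour))
    if threshold is None:
        return False   # assumed behaviour: no baseline learned for this period
    return quantity_ratio(requests, responses) > threshold

THRESHOLDS = learn_thresholds(HISTORY)

if __name__ == "__main__":
    print(THRESHOLDS)
    print(is_attack(THRESHOLDS, 3, 300, 100), is_attack(THRESHOLDS, 14, 300, 100))
```

With this history the same ratio of 3.0 is flagged in the 00:00-06:00 period but not in the 12:00-18:00 period, whose baseline ratio is higher; that difference is the reason the threshold is kept per period.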
For the implementation of the functions and roles of each unit in the above device, refer to the implementation of the corresponding steps in the above method; details are not repeated here.
Since the device embodiment basically corresponds to the method embodiment, refer to the description of the method embodiment for the relevant parts. The device embodiment described above is merely illustrative: the units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units, that is, they may be located in one place or distributed over multiple network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this application. A person of ordinary skill in the art can understand and implement it without creative effort.
The above are only preferred embodiments of this application and are not intended to limit it. Any modification, equivalent replacement, improvement and the like made within the spirit and principles of this application shall fall within the scope of protection of this application.

Claims (10)

1. An HTTP attack detection method, characterized in that the method is applied on a network device and comprises:
counting the number of HTTP request messages and the number of HTTP response messages received in the current detection cycle;
calculating the quantity ratio of the HTTP request messages to the HTTP response messages received in the current detection cycle;
when the quantity ratio is greater than the detection threshold of the period to which the current detection cycle belongs, determining that an HTTP attack is detected.
2. The method according to claim 1, characterized in that the process of determining the detection threshold of the period to which the detection cycle belongs comprises:
dividing a sampling period into multiple periods according to a preset period division rule;
for each period, calculating first-level quantity ratio samples of the HTTP request messages to the HTTP response messages received in each detection cycle within the period;
determining a first-level quantity ratio sample that meets a preset condition as the second-level quantity ratio sample of the period;
determining the detection threshold of the period according to the second-level quantity ratio samples of the same period in multiple sampling periods.
3. The method according to claim 2, characterized in that determining the first-level quantity ratio sample that meets the preset condition as the second-level quantity ratio sample of the period comprises:
determining the maximum of the first-level quantity ratio samples of the detection cycles in the period as the second-level quantity ratio sample of the period.
4. The method according to claim 2, characterized in that determining the detection threshold of the period according to the second-level quantity ratio samples of the same period in multiple sampling periods comprises:
determining the maximum of the second-level quantity ratio samples of the same period;
calculating the detection threshold of the period according to the maximum of the second-level quantity ratio samples and a preset weight value.
5. The method according to claim 4, characterized in that the detection threshold of the period is calculated from the maximum of the second-level quantity ratio samples and the preset weight value using the following formula:
T = S_max × W,
where T denotes the detection threshold, S_max denotes the maximum of the second-level quantity ratio samples, and W denotes the preset weight value.
6. An HTTP attack detection device, characterized in that the device is applied on a network device and comprises:
a quantity statistics unit, configured to count the number of HTTP request messages and the number of HTTP response messages received in the current detection cycle;
a quantity ratio calculation unit, configured to calculate the quantity ratio of the HTTP request messages to the HTTP response messages received in the current detection cycle;
an attack determination unit, configured to determine that an HTTP attack is detected when the quantity ratio is greater than the detection threshold of the period to which the current detection cycle belongs.
7. The device according to claim 6, characterized in that the device further comprises:
a period division unit, configured to divide a sampling period into multiple periods according to a preset period division rule;
a first-level quantity ratio calculation unit, configured to calculate, for each period, first-level quantity ratio samples of the HTTP request messages to the HTTP response messages received in each detection cycle within the period;
a second-level quantity ratio determination unit, configured to determine a first-level quantity ratio sample that meets a preset condition as the second-level quantity ratio sample of the period;
a threshold determination unit, configured to determine the detection threshold of the period according to the second-level quantity ratio samples of the same period in multiple sampling periods.
8. The device according to claim 7, characterized in that the second-level quantity ratio determination unit is specifically configured to determine the maximum of the first-level quantity ratio samples of the detection cycles in the period as the second-level quantity ratio sample of the period.
9. The device according to claim 7, characterized in that the threshold determination unit comprises:
a maximum determination subunit, configured to determine the maximum of the second-level quantity ratio samples of the same period;
a threshold calculation subunit, configured to calculate the detection threshold of the period according to the maximum of the second-level quantity ratio samples and a preset weight value.
10. The device according to claim 9, characterized in that the threshold calculation subunit calculates the detection threshold of the period using the following formula:
T = S_max × W,
where T denotes the detection threshold, S_max denotes the maximum of the second-level quantity ratio samples, and W denotes the preset weight value.
CN201610203948.6A 2016-03-31 2016-03-31 HTTP attack detection method and device Pending CN105939342A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610203948.6A CN105939342A (en) 2016-03-31 2016-03-31 HTTP attack detection method and device

Publications (1)

Publication Number Publication Date
CN105939342A true CN105939342A (en) 2016-09-14

Family

ID=57151314

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610203948.6A Pending CN105939342A (en) 2016-03-31 2016-03-31 HTTP attack detection method and device

Country Status (1)

Country Link
CN (1) CN105939342A (en)

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information
CB02 Change of applicant information

Address after: Binjiang District and Hangzhou city in Zhejiang Province Road 310051 No. 68 in the 6 storey building

Applicant after: Hangzhou Dipu Polytron Technologies Inc

Address before: Binjiang District and Hangzhou city in Zhejiang Province Road 310051 No. 68 in the 6 storey building

Applicant before: Hangzhou Dipu Technology Co., Ltd.

RJ01 Rejection of invention patent application after publication
RJ01 Rejection of invention patent application after publication

Application publication date: 20160914