CN105939342A - HTTP attack detection method and device - Google Patents
HTTP attack detection method and device
- Publication number: CN105939342A (application CN201610203948.6A)
- Authority: CN (China)
- Prior art keywords: period, stages, sample, http, threshold value
- Legal status: Pending
Classifications (CPC)
- H04L63/1416: Network security, detecting or protecting against malicious traffic by monitoring network traffic; event detection, e.g. attack signature detection (H04L63/00, H04L63/14, H04L63/1408)
- H04L43/16: Arrangements for monitoring or testing data switching networks; threshold monitoring (H04L43/00)
- H04L63/1441: Network security, detecting or protecting against malicious traffic; countermeasures against malicious traffic (H04L63/00, H04L63/14)
- H04L67/02: Network arrangements or protocols for supporting network services or applications; protocols based on web technology, e.g. hypertext transfer protocol [HTTP] (H04L67/00, H04L67/01)
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
- Computer And Data Communications (AREA)
Abstract
The invention provides an HTTP attack detection method. The method is applied to a network device and comprises the following steps: counting the number of HTTP request messages and the number of HTTP response messages received in the current detection period; calculating the ratio of the number of HTTP request messages to the number of HTTP response messages received in the current detection period; and determining that an HTTP attack is detected when the ratio is greater than or equal to the detection threshold of the time period to which the current detection period belongs. By applying the embodiments of the invention, HTTP attacks are detected by calculating the message number ratio; therefore, the identification rate of discrete HTTP attacks is effectively increased, and normal operation of the server is ensured.
Description
Technical field
The present application relates to the field of communication technology, and in particular to an HTTP attack detection method and device.
Background technology
HTTP (HyperText Transfer Protocol) attacks are a typical kind of network application-layer attack. When a server is under HTTP attack, it usually receives a large number of HTTP request messages; because it has to process too many HTTP request messages, the server may become abnormally busy or even paralyzed.
Summary of the invention
In view of this, the application provides an HTTP attack detection method and device, which are used to solve the problem in the prior art that the discrimination rate for discrete HTTP attacks is low.
Specifically, the application is achieved by the following technical solution:
The application provides an HTTP attack detection method, the method being applied to a network device and comprising:
counting the number of HTTP request messages and the number of HTTP response messages received in the current detection cycle;
calculating the ratio of the number of HTTP request messages to the number of HTTP response messages received in the current detection cycle; and
determining that an HTTP attack is detected when the ratio is greater than or equal to the detection threshold of the period to which the current detection cycle belongs.
Optionally, the process of determining the detection threshold of the period to which the detection cycle belongs comprises:
dividing a sampling period into multiple periods according to a preset period division rule;
for each period, calculating a first-level ratio sample of the HTTP request messages to the HTTP response messages received in each detection cycle of the period;
determining a first-level ratio sample that satisfies a preset condition as the second-level ratio sample of the period; and
determining the detection threshold of the period according to the second-level ratio samples of the same period in multiple sampling periods.
Optionally, determining a first-level ratio sample that satisfies a preset condition as the second-level ratio sample of the period comprises:
determining the maximum of the first-level ratio samples of the detection cycles of the period as the second-level ratio sample of the period.
Optionally, determining the detection threshold of the period according to the second-level ratio samples of the same period in multiple sampling periods comprises:
determining the maximum of the second-level ratio samples of the same period; and
calculating the detection threshold of the period according to the maximum of the second-level ratio samples and a preset weighting value.
Optionally, the detection threshold of the period is calculated from the maximum of the second-level ratio samples and the preset weighting value using the following formula:
T = Smax × W,
where T denotes the detection threshold, Smax denotes the maximum of the second-level ratio samples, and W denotes the preset weighting value.
The application also provides an HTTP attack detection device, the device being applied to a network device and comprising:
a quantity counting unit, for counting the number of HTTP request messages and the number of HTTP response messages received in the current detection cycle;
a ratio calculating unit, for calculating the ratio of the number of HTTP request messages to the number of HTTP response messages received in the current detection cycle; and
an attack determining unit, for determining that an HTTP attack is detected when the ratio is greater than or equal to the detection threshold of the period to which the current detection cycle belongs.
Optionally, the device further comprises:
a period dividing unit, for dividing a sampling period into multiple periods according to a preset period division rule;
a first-level ratio calculating unit, for calculating, for each period, a first-level ratio sample of the HTTP request messages to the HTTP response messages received in each detection cycle of the period;
a second-level ratio determining unit, for determining a first-level ratio sample that satisfies a preset condition as the second-level ratio sample of the period; and
a threshold determining unit, for determining the detection threshold of the period according to the second-level ratio samples of the same period in multiple sampling periods.
Optionally, the second-level ratio determining unit is specifically configured to determine the maximum of the first-level ratio samples of the detection cycles of the period as the second-level ratio sample of the period.
Optionally, the threshold determining unit comprises:
a maximum determining subunit, for determining the maximum of the second-level ratio samples of the same period; and
a threshold calculating subunit, for calculating the detection threshold of the period according to the maximum of the second-level ratio samples and a preset weighting value.
Optionally, the threshold calculating subunit calculates the detection threshold of the period using the following formula:
T = Smax × W,
where T denotes the detection threshold, Smax denotes the maximum of the second-level ratio samples, and W denotes the preset weighting value.
By applying the embodiments of the application, the network device can calculate the ratio of the number of HTTP request messages to the number of response messages received in the current detection cycle, and when the ratio is greater than or equal to the detection threshold of the period to which the current detection cycle belongs, it determines that the number of HTTP request messages received in the detection cycle has surged and thus that an HTTP attack is detected. Detecting HTTP attacks by calculating the message number ratio effectively improves the discrimination rate for discrete HTTP attacks and thereby ensures normal operation of the server.
Brief description of the drawings
Fig. 1 is a schematic diagram of an application scenario of an HTTP attack detection embodiment shown in an exemplary embodiment of the application;
Fig. 2 is a flow chart of an embodiment of setting the detection threshold of each period, shown in an exemplary embodiment of the application;
Fig. 3 is a flow chart of an embodiment of an HTTP attack detection method, shown in an exemplary embodiment of the application;
Fig. 4 is a hardware structure diagram of an HTTP attack detection device, shown in an exemplary embodiment of the application;
Fig. 5 is a block diagram of an HTTP attack detection device, shown in an exemplary embodiment of the application;
Fig. 6 is a block diagram of a threshold determining module, shown in an exemplary embodiment of the application;
Fig. 7 is a block diagram of another threshold determining module, shown in an exemplary embodiment of the application.
Detailed description of the invention
Exemplary embodiments will be described in detail here, examples of which are shown in the accompanying drawings. Where the following description refers to the drawings, the same numerals in different drawings denote the same or similar elements unless otherwise indicated. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the application; rather, they are merely examples of apparatus and methods consistent with some aspects of the application as detailed in the appended claims.
The terms used in the application are for the purpose of describing particular embodiments only and are not intended to limit the application. The singular forms "a", "the" and "said" used in the application and the appended claims are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any or all possible combinations of one or more of the associated listed items.
It should be understood that although the terms first, second, third, etc. may be used in the application to describe various information, this information should not be limited by these terms. These terms are only used to distinguish information of the same type from one another. For example, without departing from the scope of the application, first information may also be referred to as second information, and similarly second information may also be referred to as first information. Depending on the context, the word "if" as used herein may be interpreted as "when", "upon" or "in response to determining".
In the prior art, a network device can detect whether it is under HTTP attack according to the source IP address of HTTP request messages. Specifically, after receiving HTTP request messages, the network device can parse the source IP address of each HTTP request message and count the number of HTTP request messages with the same source IP address received in the current detection cycle; if the number of HTTP request messages with the same source IP address exceeds a protection threshold, it can determine that an HTTP attack is detected. Similarly, the network device can use the same method to detect whether it is under HTTP attack according to the source port number or the URL of the HTTP request messages.
However, in practice, with the progress of Internet technology, most HTTP attacks no longer use a fixed IP address, fixed port number or fixed URL, but instead construct large numbers of HTTP request messages composed of discrete IP addresses, discrete port numbers and/or discrete URLs. The degree of discretization of such HTTP request messages is very high, so with any of the above prior-art methods the counted numbers may never reach the corresponding protection threshold; the HTTP attack cannot be detected, and the server may still become abnormally busy or even paralyzed.
To solve the problems of the prior art, the application provides an HTTP attack detection method and a corresponding device. With reference to Fig. 1, the method can be applied to a network device; the network device may be a switch, a firewall or another network device having an HTTP attack detection function. In addition, besides the PC (Personal Computer) shown in Fig. 1 as an example of a client device, the client device may also include terminal equipment with network access functions such as a tablet computer. Specifically, the application can count the number of HTTP request messages and the number of HTTP response messages received in the current detection cycle, and calculate the ratio of the number of HTTP request messages to the number of HTTP response messages received in the current detection cycle. Because the processing capacity of a server is limited, the number of response messages the server returns within one detection cycle is limited whether or not it is under HTTP attack, so the network device of the application can determine that an HTTP attack is detected when the ratio is greater than or equal to the detection threshold of the period to which the current detection cycle belongs. Detecting HTTP attacks by calculating the message number ratio effectively improves the discrimination rate for discrete HTTP attacks and thereby ensures normal operation of the server.
In the embodiments of the application, before the network device starts HTTP attack detection, the detection threshold of each period needs to be set first. As shown in Fig. 2, the application can set the detection threshold of each period through the following steps:
Step 201: divide a sampling period into multiple periods according to a preset period division rule.
In the embodiments of the application, the duration and number of sampling periods can be configured by the administrator. For example, the administrator can set the first few days after the network device is started as the sampling time used to determine the detection thresholds; for instance, the administrator may set the duration of a sampling period to 1 day and the number of sampling periods to 3.
In this embodiment, a sampling period can be divided into multiple periods based on the preset period division rule. Taking a period division precision of 1 hour as an example, a sampling period of 1 day can be divided into 24 periods; for example, 8 o'clock to 9 o'clock of a day is one period. Similarly to the period division rule, each period can also be divided into multiple detection cycles; for example, each period can be divided into 60 detection cycles at a time precision of 1 minute. It should be noted that the administrator can adjust the preset period division rule based on factors such as the performance of the network device, for example dividing each sampling period into 12 periods at a time precision of 2 hours; the application does not particularly limit this.
Step 202: for each period, calculate a first-level ratio sample of the HTTP request messages to the HTTP response messages received in each detection cycle of the period.
In the embodiments of the application, for each period the network device can first count the number of HTTP request messages and the number of HTTP response messages received in each detection cycle of the period, and then calculate the ratio of the number of HTTP request messages to the number of HTTP response messages received in each detection cycle of the period. For ease of description, the ratio of each detection cycle is called a first-level ratio sample. For example, for the period from 8 o'clock to 9 o'clock on day 1, the network device can count, for each of the 60 detection cycles of this period, the number of HTTP request messages and the number of HTTP response messages received in the detection cycle, and calculate the first-level ratio sample of HTTP request messages to HTTP response messages in each detection cycle, thereby obtaining the first-level ratio sample of each of the 60 detection cycles of the period from 8 o'clock to 9 o'clock on day 1.
Step 203: determine a first-level ratio sample that satisfies a preset condition as the second-level ratio sample of the period.
In the embodiments of the application, the network device can determine the second-level ratio sample of each period according to the first-level ratio samples of the detection cycles; for example, the maximum of the first-level ratio samples of the detection cycles of the period can be chosen as the second-level ratio sample of the period. For instance, the network device can select the maximum T1 among the 60 first-level ratio samples from 8 o'clock to 9 o'clock on day 1 as the second-level ratio sample of this period. In the same way, the network device can select the maximum T2 among the 60 first-level ratio samples from 8 o'clock to 9 o'clock on day 2 as the second-level ratio sample of that period, and the maximum T3 among the 60 first-level ratio samples from 8 o'clock to 9 o'clock on day 3 as the second-level ratio sample of that period. By analogy, the network device can determine the second-level ratio sample of every period.
Step 204: determine the detection threshold of the period according to the second-level ratio samples of the same period in multiple sampling periods.
In the embodiments of the application, the network device can determine the detection threshold of the period according to the second-level ratio samples of the same period in multiple sampling periods. Specifically, the network device can first determine the maximum of the second-level ratio samples of the same period, and then calculate the detection threshold of the period from that maximum and a preset weighting value using the following formula:
T = Smax × W,
where T denotes the detection threshold, Smax denotes the maximum of the second-level ratio samples of the period, and W denotes the preset weighting value.
Continuing the example of step 203, for the period from 8 o'clock to 9 o'clock in the three sampling periods, the maximum of the three second-level ratio samples T1, T2 and T3 can be determined first; assuming the maximum is T2, then from T2 and the preset weighting value W = 2 the above formula gives the detection threshold of the period from 8 o'clock to 9 o'clock as T(8-9) = T2 × 2. Similarly, the network device can calculate the detection threshold of every period by the same method.
In another example, the administrator can also set the detection threshold of each period manually. Specifically, after calculating the second-level ratio samples of each period in each sampling period, the network device can display the second-level ratio samples of the periods of the sampling period in a preset form; for example, the second-level ratio samples of the periods of day 1 can be displayed as a line chart, and likewise the second-level ratio samples of the periods of the other sampling periods can be displayed as line charts. From the line chart of each sampling period, the administrator can intuitively see the trend of the ratio of HTTP request messages to HTTP response messages received by the network device in each period, and can set the detection threshold of each period manually according to this trend and experience. It should be noted that in this setting mode the administrator does not need to set a weighting value.
The HTTP attack detection method and device provided by the application are described below with reference to the drawings.
Referring to Fig. 3, which is a flow chart of an embodiment of the HTTP attack detection method of the application, this embodiment is described from the network device side and comprises the following steps:
Step 301: count the number of HTTP request messages and the number of HTTP response messages received in the current detection cycle.
In the embodiments of the application, after receiving HTTP request messages and HTTP response messages, the network device can count the number of HTTP request messages and the number of HTTP response messages received in the current detection cycle. For example, when counting the number of HTTP request messages received in the current detection cycle, the network device can start from zero and add one each time an HTTP request message is received; when the current detection cycle ends, the current value is the number of HTTP request messages received in the current detection cycle. Similarly, the network device can use the same method to count the number of HTTP response messages received in the current detection cycle.
Step 302: calculate the ratio of the number of HTTP request messages to the number of HTTP response messages received in the current detection cycle.
In the embodiments of the application, after performing step 301 the network device can calculate the ratio of the number of HTTP request messages to the number of HTTP response messages received in the current detection cycle using the following formula:
Q = M / N,
where Q denotes the ratio of the number of HTTP request messages to the number of HTTP response messages received in the current detection cycle, M is the number of HTTP request messages received in the current detection cycle, and N is the number of HTTP response messages received in the current detection cycle.
Step 303: when the ratio is greater than or equal to the detection threshold of the period to which the current detection cycle belongs, determine that an HTTP attack is detected.
Generally, because the processing capacity of a server is limited, the number of HTTP request messages the server can process per unit time is limited whether or not it is under HTTP attack. When the server is under HTTP attack, the number of HTTP request messages it receives surges in a short time, but the number of HTTP response messages it can return per unit time remains within the normal range; being under HTTP attack therefore causes the ratio of the number of HTTP request messages to the number of HTTP response messages received by the network device per unit time to become large. Based on this characteristic of HTTP attacks, the network device can detect HTTP attacks by calculating the message number ratio.
In the embodiments of the application, when judging whether the server is under HTTP attack, the network device can first determine the period to which the current detection cycle belongs and thereby obtain the detection threshold of that period, and finally compare the ratio calculated in the current detection cycle with the detection threshold. When the ratio is greater than or equal to the detection threshold of the period to which the current detection cycle belongs, it can be determined that the number of HTTP request messages received in the current detection cycle is too large and beyond the normal range, and thus that an HTTP attack is detected; when the ratio is less than the detection threshold of the period to which the current detection cycle belongs, the number of HTTP request messages received in the current detection cycle is within the normal range, and it can be determined that there is no HTTP attack in the current detection cycle.
In one example, when the network device detects an HTTP attack, it can protect against the HTTP attack, for example by filtering the received HTTP request messages; at the same time, the network device can also generate an alarm log to notify the administrator that an HTTP attack is taking place, so that the administrator can take targeted protective measures with reference to the actual network attack situation.
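The threshold set-up of steps 201 to 204 and the detection of steps 301 to 303, as an added Python example that is not part of the patent or of any product: the request/response counters are constructed sample data (five detection cycles per period instead of sixty), and the handling of a cycle with zero response messages, which the formula Q = M / N leaves undefined, is an assumption made here.

```python
"""Ratio-based HTTP attack detection following the steps of CN105939342A.

Constructed example, not the applicant's code. Terminology follows the text:
a sampling period (e.g. one day) is divided into periods (e.g. one hour), and
each period into detection cycles (e.g. one minute).
"""
from typing import Dict, List, Sequence, Tuple

# One detection cycle's counters: (HTTP requests received, HTTP responses received)
Cycle = Tuple[int, int]


def quantity_ratio(requests: int, responses: int) -> float:
    """Step 302: Q = M / N for one detection cycle.

    The patent does not define N == 0. Assumption made here: requests with no
    responses at all give an infinite ratio (worst case), an idle cycle gives 0.
    """
    if responses == 0:
        return float("inf") if requests > 0 else 0.0
    return requests / responses


def first_level_samples(cycles: Sequence[Cycle]) -> List[float]:
    """Step 202: one first-level ratio sample per detection cycle of a period."""
    return [quantity_ratio(m, n) for m, n in cycles]


def second_level_sample(cycles: Sequence[Cycle]) -> float:
    """Step 203: the period's second-level sample; the preset condition used in
    the text is 'the maximum first-level sample of the period'."""
    return max(first_level_samples(cycles))


def detection_threshold(second_level: Sequence[float], weight: float) -> float:
    """Step 204: T = Smax * W over the same period of several sampling periods."""
    return max(second_level) * weight


def build_thresholds(history: Dict[int, List[Sequence[Cycle]]],
                     weight: float) -> Dict[int, float]:
    """history[period] = [cycles of that period on sampling day 1, day 2, ...]."""
    return {
        period: detection_threshold([second_level_sample(day) for day in days], weight)
        for period, days in history.items()
    }


def is_http_attack(requests: int, responses: int, period: int,
                   thresholds: Dict[int, float]) -> bool:
    """Steps 301-303: compare the current cycle's ratio with the threshold of
    the period the cycle belongs to; >= means an attack is detected."""
    return quantity_ratio(requests, responses) >= thresholds[period]


# Constructed sample history: three sampling days, period 8 (08:00-09:00),
# five detection cycles per day shown instead of sixty.
HISTORY: Dict[int, List[Sequence[Cycle]]] = {
    8: [
        [(100, 98), (120, 115), (130, 120), (110, 108), (125, 120)],   # day 1, T1 ~ 1.083
        [(140, 120), (150, 130), (160, 125), (150, 140), (145, 140)],  # day 2, T2 = 1.28
        [(105, 100), (115, 110), (118, 110), (112, 108), (120, 115)],  # day 3, T3 ~ 1.073
    ],
}
WEIGHT = 2.0  # the W = 2 of the text's worked example


def demo() -> Tuple[float, bool, bool]:
    """Returns (threshold of period 8, verdict for a normal cycle, verdict for a flood)."""
    thresholds = build_thresholds(HISTORY, WEIGHT)
    t8 = thresholds[8]                                   # T2 * W = 1.28 * 2 = 2.56
    normal = is_http_attack(150, 130, 8, thresholds)     # Q ~ 1.15  -> no attack
    flood = is_http_attack(5000, 140, 8, thresholds)     # Q ~ 35.7 -> attack
    return t8, normal, flood


if __name__ == "__main__":
    print(demo())
```

Note that the flood verdict does not depend on the source addresses of the 5000 requests, which is the point of the ratio-based approach for discrete attacks.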
As can be seen from the above embodiment, the network device can calculate the ratio of the number of HTTP request messages to the number of response messages received in the current detection cycle, and when the ratio is greater than or equal to the detection threshold of the period to which the current detection cycle belongs, it determines that the number of HTTP request messages received in the detection cycle has surged and thus that an HTTP attack is detected. Detecting HTTP attacks by calculating the message number ratio therefore effectively improves the discrimination rate for discrete HTTP attacks and ensures normal operation of the server.
Corresponding to the foregoing embodiment of the HTTP attack detection method, the application also provides an embodiment of an HTTP attack detection device.
The embodiment of the HTTP attack detection device of the application can be applied to a network device. The device embodiment can be implemented by software, or by hardware or a combination of software and hardware. Taking software implementation as an example, as a device in the logical sense it is formed by the processor of the network device in which it resides reading the corresponding computer program instructions from the non-volatile memory into memory and running them. From the hardware perspective, Fig. 4 shows a hardware structure diagram of the network device in which the HTTP attack detection device of the application resides; besides the processor, memory, network interface and non-volatile memory shown in Fig. 4, the equipment in which the device resides may generally also include other hardware, such as a forwarding chip responsible for processing messages. In terms of hardware structure, this equipment may also be a distributed device that possibly includes multiple interface cards, so as to extend message processing at the hardware level.
Referring to Fig. 5, which is a block diagram of an embodiment of the HTTP attack detection device of the application, the HTTP attack detection device 500 can be applied to the network device shown in Fig. 4 and comprises: a quantity counting unit 510, a ratio calculating unit 520 and an attack determining unit 530.
Referring to Fig. 6, the HTTP attack detection device 500 can further comprise: a period dividing unit 540, a first-level ratio calculating unit 550, a second-level ratio determining unit 560 and a threshold determining unit 570.
Referring to Fig. 7, the threshold determining unit 570 can further comprise: a maximum determining subunit 571 and a threshold calculating subunit 572.
The quantity counting unit 510 is used for counting the number of HTTP request messages and the number of HTTP response messages received in the current detection cycle;
the ratio calculating unit 520 is used for calculating the ratio of the number of HTTP request messages to the number of HTTP response messages received in the current detection cycle;
the attack determining unit 530 is used for determining that an HTTP attack is detected when the ratio is greater than or equal to the detection threshold of the period to which the current detection cycle belongs;
the period dividing unit 540 is used for dividing a sampling period into multiple periods according to a preset period division rule;
the first-level ratio calculating unit 550 is used for calculating, for each period, a first-level ratio sample of the HTTP request messages to the HTTP response messages received in each detection cycle of the period;
the second-level ratio determining unit 560 is used for determining a first-level ratio sample that satisfies a preset condition as the second-level ratio sample of the period; and
the threshold determining unit 570 is used for determining the detection threshold of the period according to the second-level ratio samples of the same period in multiple sampling periods.
Optionally, the second-level ratio determining unit 560 is specifically configured to determine the maximum of the first-level ratio samples of the detection cycles of the period as the second-level ratio sample of the period.
The maximum determining subunit 571 is used for determining the maximum of the second-level ratio samples of the same period; and
the threshold calculating subunit 572 is used for calculating the detection threshold of the period according to the maximum of the second-level ratio samples and a preset weighting value.
Optionally, described threshold calculations subelement 572, utilize following formula to calculate the detection threshold of described period
Value:
T=Smax× W,
Wherein, T represents described detection threshold value, SmaxRepresent described two number of stages maximum than sample, W
Represent described default weighted value.
As can be seen from the above embodiment, the network device calculates the ratio of the number of HTTP request messages to the number of HTTP response messages received in the current detection cycle; when that ratio is greater than the detection threshold of the time segment to which the current detection cycle belongs, it can be determined that the number of HTTP request messages received in the detection cycle has surged relative to the responses the server is producing, and hence that an HTTP attack is detected. Detecting HTTP attacks by way of the message quantity ratio, rather than by the raw request count alone, can therefore effectively improve the recognition rate for discrete-type HTTP attacks and thus help ensure the normal operation of the server.
For the implementation of the functions and effects of the units in the above apparatus, refer to the implementation of the corresponding steps in the above method; it is not repeated here.
Since the apparatus embodiment substantially corresponds to the method embodiment, the relevant parts may refer to the description of the method embodiment. The apparatus embodiment described above is merely illustrative: the units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units, i.e. they may be located in one place or distributed over multiple network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this application. Those of ordinary skill in the art can understand and implement this without creative effort.
The foregoing is merely the preferred embodiment of this application and is not intended to limit it; any modification, equivalent substitution, improvement, etc. made within the spirit and principles of this application shall fall within the scope of protection of this application.
Claims (10)
1. An HTTP attack detection method, characterized in that the method is applied to a network device and includes:
counting the number of HTTP request messages and the number of HTTP response messages received in the current detection cycle;
calculating the ratio of the number of HTTP request messages to the number of HTTP response messages received in the current detection cycle;
determining that an HTTP attack is detected when the ratio is greater than the detection threshold of the time segment to which the current detection cycle belongs.
2. The method according to claim 1, characterized in that the process of determining the detection threshold of the time segment to which the detection cycle belongs includes:
dividing the sampling period into multiple time segments according to a preset time segment division rule;
for each time segment, calculating a first-level ratio sample of HTTP request messages to HTTP response messages received in each detection cycle within the time segment;
determining the first-level ratio samples that meet a preset condition as the second-level ratio samples of the time segment;
determining the detection threshold of the time segment from the second-level ratio samples of the same time segment in multiple sampling periods.
3. The method according to claim 2, characterized in that determining the first-level ratio samples that meet a preset condition as the second-level ratio samples of the time segment includes:
determining the maximum of the first-level ratio samples of the detection cycles within the time segment as the second-level ratio sample of the time segment.
4. The method according to claim 2, characterized in that determining the detection threshold of the time segment from the second-level ratio samples of the same time segment in multiple sampling periods includes:
determining the maximum of the second-level ratio samples of the same time segment;
calculating the detection threshold of the time segment from the maximum of the second-level ratio samples and a preset weight.
5. The method according to claim 4, characterized in that the detection threshold of the time segment is calculated from the maximum of the second-level ratio samples and the preset weight with the following formula:
T = S_max × W,
where T is the detection threshold, S_max is the maximum of the second-level ratio samples, and W is the preset weight.
6. An HTTP attack detection apparatus, characterized in that the apparatus is applied to a network device and includes:
a quantity statistics unit, for counting the number of HTTP request messages and the number of HTTP response messages received in the current detection cycle;
a quantity ratio calculation unit, for calculating the ratio of the number of HTTP request messages to the number of HTTP response messages received in the current detection cycle;
an attack determination unit, for determining that an HTTP attack is detected when the ratio is greater than the detection threshold of the time segment to which the current detection cycle belongs.
7. The apparatus according to claim 6, characterized in that the apparatus further includes:
a time segment division unit, for dividing the sampling period into multiple time segments according to a preset time segment division rule;
a first-level ratio calculation unit, for calculating, for each time segment, a first-level ratio sample of HTTP request messages to HTTP response messages received in each detection cycle within the time segment;
a second-level ratio determination unit, for determining the first-level ratio samples that meet a preset condition as the second-level ratio samples of the time segment;
a threshold determination unit, for determining the detection threshold of the time segment from the second-level ratio samples of the same time segment in multiple sampling periods.
8. The apparatus according to claim 7, characterized in that the second-level ratio determination unit is specifically configured to determine the maximum of the first-level ratio samples of the detection cycles within the time segment as the second-level ratio sample of the time segment.
9. The apparatus according to claim 7, characterized in that the threshold determination unit includes:
a maximum determination subunit, for determining the maximum of the second-level ratio samples of the same time segment;
a threshold calculation subunit, for calculating the detection threshold of the time segment from the maximum of the second-level ratio samples and a preset weight.
10. The apparatus according to claim 9, characterized in that the threshold calculation subunit calculates the detection threshold of the time segment with the following formula:
T = S_max × W,
where T is the detection threshold, S_max is the maximum of the second-level ratio samples, and W is the preset weight.
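The request-to-response ratio method described in the apparatus embodiment above (units 510 to 570) and restated in claims 1 to 10, worked through as an added example in Python. This is not code from the patent or its applicant. It assumes that every detection cycle carries a time segment index (here: hour of day), that the "preset condition" of claim 3 is "take the maximum", and that the threshold follows claim 5 (T = S_max × W); the baseline counts and the current cycles are constructed inline. How a cycle with zero responses, or a segment with no learned baseline, should be handled is not specified by the patent, so the choices made below are assumptions.

```python
"""Request/response ratio detector modelled on the method of CN105939342A.

Added example, not code from the patent. Assumptions: a time segment index is
attached to every detection cycle (e.g. hour of day), the "preset condition"
of claim 3 is "maximum", and the threshold follows claim 5 (T = S_max * W).
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class CycleCount:
    """HTTP request/response counts observed in one detection cycle."""
    segment: int    # time segment the cycle belongs to (assumed: hour of day)
    requests: int
    responses: int


def quantity_ratio(requests: int, responses: int) -> float:
    """First-level ratio of requests to responses for one detection cycle.

    The patent does not cover a cycle with zero responses; here requests that
    received no responses at all are treated as an unbounded ratio (assumption).
    """
    if responses == 0:
        return float("inf") if requests > 0 else 0.0
    return requests / responses


def learn_thresholds(sampling_periods, weight: float) -> dict:
    """Derive one detection threshold per time segment (claims 2 to 5).

    sampling_periods: one list of CycleCount per sampling period (e.g. per day).
    For each period and segment the second-level sample is the maximum
    first-level ratio (claim 3); the threshold is the maximum second-level
    sample over all periods times the preset weight W (claims 4 and 5).
    """
    second_level = defaultdict(list)     # segment -> second-level samples
    for period in sampling_periods:
        first_level = defaultdict(list)  # segment -> first-level samples
        for c in period:
            first_level[c.segment].append(quantity_ratio(c.requests, c.responses))
        for seg, samples in first_level.items():
            second_level[seg].append(max(samples))
    return {seg: max(samples) * weight for seg, samples in second_level.items()}


def is_http_attack(cycle: CycleCount, thresholds: dict) -> bool:
    """Claim 1: attack when the current cycle's ratio exceeds its segment threshold."""
    threshold = thresholds.get(cycle.segment)
    if threshold is None:
        return False  # no baseline for this segment; staying silent is an assumption
    return quantity_ratio(cycle.requests, cycle.responses) > threshold


# Constructed baseline: two sampling periods (days), three segments, two cycles each.
SAMPLING_PERIODS = [
    [CycleCount(0, 100, 98), CycleCount(0, 120, 119),
     CycleCount(1, 300, 290), CycleCount(1, 280, 275),
     CycleCount(2, 50, 50), CycleCount(2, 60, 59)],
    [CycleCount(0, 110, 110), CycleCount(0, 90, 88),
     CycleCount(1, 310, 300), CycleCount(1, 320, 318),
     CycleCount(2, 55, 54), CycleCount(2, 70, 70)],
]
WEIGHT = 1.5  # preset weight W; a value at or below 1 would flag ordinary traffic
THRESHOLDS = learn_thresholds(SAMPLING_PERIODS, WEIGHT)

# Constructed current cycles: a flood leaving most requests unanswered, a normal
# cycle, a cycle with no responses at all, and a segment without a baseline.
CURRENT_CYCLES = [
    CycleCount(1, 900, 400),
    CycleCount(1, 305, 300),
    CycleCount(0, 500, 0),
    CycleCount(5, 10, 10),
]


def verdicts(cycles=CURRENT_CYCLES, thresholds=THRESHOLDS):
    """Return (cycle, ratio, threshold, attack) for each current cycle."""
    return [(c, quantity_ratio(c.requests, c.responses), thresholds.get(c.segment),
             is_http_attack(c, thresholds)) for c in cycles]


if __name__ == "__main__":
    for seg, t in sorted(THRESHOLDS.items()):
        print(f"segment {seg}: T = {t:.4f}")
    for c, ratio, t, attack in verdicts():
        print(f"segment {c.segment}: ratio {ratio:.4f} vs T {t}: "
              f"{'ATTACK' if attack else 'normal'}")
```

Because the comparison is on the ratio rather than on the request count, a cycle in which the server still answers every request (ratio close to 1) is not flagged however many requests arrive; the method targets floods that outpace the server's responses. The learned thresholds only make sense if the request and response counts are taken on the same link in front of the same server, and W is what separates normal per-segment variation from an alert, so it should be set from the spread of the second-level samples rather than guessed.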
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610203948.6A CN105939342A (en) | 2016-03-31 | 2016-03-31 | HTTP attack detection method and device |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610203948.6A CN105939342A (en) | 2016-03-31 | 2016-03-31 | HTTP attack detection method and device |
Publications (1)
Publication Number | Publication Date |
---|---|
CN105939342A true CN105939342A (en) | 2016-09-14 |
Family
ID=57151314
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201610203948.6A Pending CN105939342A (en) | 2016-03-31 | 2016-03-31 | HTTP attack detection method and device |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN105939342A (en) |
Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101150586A (en) * | 2007-11-20 | 2008-03-26 | 杭州华三通信技术有限公司 | CC attack prevention method and device |
CN101383832A (en) * | 2008-10-07 | 2009-03-11 | 成都市华为赛门铁克科技有限公司 | Challenging black hole attack defense method and device |
CN101478540A (en) * | 2008-12-31 | 2009-07-08 | 成都市华为赛门铁克科技有限公司 | Method and apparatus for defending and challenge collapsar attack |
CN101505218A (en) * | 2009-03-18 | 2009-08-12 | 杭州华三通信技术有限公司 | Detection method and apparatus for attack packet |
CN102571547A (en) * | 2010-12-29 | 2012-07-11 | 北京启明星辰信息技术股份有限公司 | Method and device for controlling hyper text transport protocol (HTTP) traffic |
US20130042319A1 (en) * | 2011-08-10 | 2013-02-14 | Sangfor Networks Company Limited | Method and apparatus for detecting and defending against cc attack |
CN104348811A (en) * | 2013-08-05 | 2015-02-11 | 深圳市腾讯计算机系统有限公司 | Method and device for detecting attack of DDoS (distributed denial of service) |
Cited By (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN108243149A (en) * | 2016-12-23 | 2018-07-03 | 北京华为数字技术有限公司 | A kind of network attack detecting method and device |
CN106778260A (en) * | 2016-12-31 | 2017-05-31 | 网易无尾熊(杭州)科技有限公司 | Attack detection method and device |
CN106778260B (en) * | 2016-12-31 | 2020-03-17 | 阿里巴巴(中国)有限公司 | Attack detection method and device |
CN107395637A (en) * | 2017-08-29 | 2017-11-24 | 厦门安胜网络科技有限公司 | Http tunnels active detecting method, terminal device and storage medium |
CN109936543A (en) * | 2017-12-18 | 2019-06-25 | 中国移动通信集团辽宁有限公司 | Means of defence, device, equipment and the medium of ACK Flood attack |
WO2019148714A1 (en) * | 2018-01-31 | 2019-08-08 | 平安科技(深圳)有限公司 | Ddos attack detection method and apparatus, and computer device and storage medium |
CN112165445A (en) * | 2020-08-13 | 2021-01-01 | 杭州数梦工场科技有限公司 | Method, device, storage medium and computer equipment for detecting network attack |
Similar Documents
Publication | Title |
---|---|
CN105939342A (en) | HTTP attack detection method and device |
US9462009B1 (en) | Detecting risky domains |
CN107465651B (en) | Network attack detection method and device |
CN105577608B (en) | Network attack behavior detection method and device |
CN110417778B (en) | Access request processing method and device |
CN107968791B (en) | Attack message detection method and device |
CN111600865B (en) | Abnormal communication detection method and device, electronic equipment and storage medium |
CN107682345B (en) | IP address detection method and device and electronic equipment |
CN106899549B (en) | Network security detection method and device |
CN110198313A (en) | A kind of method and device of strategy generating |
CN104954188B (en) | Web log file safety analytical method based on cloud, device and system |
CN105959290A (en) | Detection method and device of attack message |
US20120173712A1 (en) | Method and device for identifying p2p application connections |
CN111083157B (en) | Method and device for processing message filtering rules |
CN109413071A (en) | A kind of anomalous traffic detection method and device |
US20170149814A1 (en) | Real-Time Detection of Abnormal Network Connections in Streaming Data |
US10057155B2 (en) | Method and apparatus for determining automatic scanning action |
CN106921671B (en) | network attack detection method and device |
CN109067794B (en) | Network behavior detection method and device |
CN105939321B (en) | A kind of DNS attack detection method and device |
CN107426136B (en) | Network attack identification method and device |
CN108234516B (en) | Method and device for detecting network flooding attack |
CN116235172A (en) | Prioritizing assets using security metrics |
CN107135199B (en) | Method and device for detecting webpage backdoor |
CN110061998A (en) | A kind of attack defense method and device |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| C06 | Publication | |
| PB01 | Publication | |
| C10 | Entry into substantive examination | |
| SE01 | Entry into force of request for substantive examination | |
| CB02 | Change of applicant information | Address after: Binjiang District and Hangzhou city in Zhejiang Province Road 310051 No. 68 in the 6 storey building; Applicant after: Hangzhou Dipu Polytron Technologies Inc; Address before: Binjiang District and Hangzhou city in Zhejiang Province Road 310051 No. 68 in the 6 storey building; Applicant before: Hangzhou Dipu Technology Co., Ltd. |
| RJ01 | Rejection of invention patent application after publication | Application publication date: 20160914 |