CN106302450A - Method and device for detecting malicious addresses in a DDoS attack - Google Patents


Info

Publication number: CN106302450A
Application number: CN201610671479.0A
Other versions: CN106302450B (granted patent)
Authority: CN (China)
Original language: Chinese (zh)
Legal status: granted, active
Inventors: 梁小毅, 黄斌, 韩方
Assignee (current and original): Guangzhou Huaduo Network Technology Co Ltd
Prior art keywords: address, record, subset, item collection, packet

Classifications (CPC)

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/1458 Denial of Service
    • H04L 2463/00 Additional details relating to network architectures or network communication protocols for network security covered by H04L 63/00
    • H04L 2463/146 Tracing the source of attacks


Abstract

The invention discloses a method and device for detecting malicious addresses in a DDoS attack. The method includes: obtaining the header of a packet within a preset time window and forming an N-item set from N preset field items in that header; searching, in a candidate set formed from the same N field items of the headers of a preset number of packets, for records that contain subsets of the N-item set; setting a minimum support for the number of times or the frequency with which such records occur; when the count or frequency of the records of any subset of the N-item set is below the minimum support, moving on to the next packet; and when the count or frequency of the records of the N-item set and of all of its subsets is not below the minimum support, determining that the source address of the current packet is a malicious address. With the invention, IP addresses suspected of a malicious attack can be screened out rapidly, helping the host system react quickly when under attack and avoiding network paralysis.

Description

Method and device for detecting malicious addresses in a DDoS attack
Technical field
The present invention relates to the technical field of network security, and more particularly to a method and device for detecting malicious addresses in a DDoS attack.
Background technology
A DDoS (Distributed Denial of Service) attack joins multiple computers together as an attack platform by means of client/server technology and launches a denial-of-service attack against one or more targets, thereby multiplying the power of the attack. Typically the attacker uses a stolen account to install a DDoS master program on one computer; at a set moment the master program communicates with a large number of agent programs that have already been installed on many computers on the network, and the agents launch the attack as soon as they receive the instruction. Using client/server technology, the master program can activate hundreds or thousands of agents within seconds.
Current defense techniques against DDoS attacks mainly use: (1) reverse detection; (2) protocol stack analysis; and (3) fingerprint identification. First, reverse detection verifies and analyzes the source address of a packet, judging its authenticity, geographical location, open-port situation and so on in order to determine whether the IP address is legitimate. In practice, however, limited resources do not allow reverse detection of the source of every access; reverse detection is suited to further examination once a small number of suspicious addresses have been filtered out, and reverse detection itself does not solve the problem of how to filter suspected attack addresses out of a massive number of addresses. Second, protocol stack analysis is based on the RFC (Request For Comments, a numbered series of documents) specifications: every packet type must at minimum conform to its RFC specification, and packets constructed by an attacker's tools may fail to conform, in which case protocol stack analysis can detect the attack behaviour. But as attacks evolve, advanced attackers can still construct packets that conform to the protocol stack specification as closely as possible, increasing the difficulty of protocol stack analysis; this analysis tool can only deal with first-stage attackers and cannot accurately screen the IP addresses of a malicious attack. Finally, fingerprint identification has the highest accuracy for identifying DDoS attacks, but it consumes more resources and cannot identify novel attacks that are not yet included in the fingerprint database, so the host system finds it hard to react quickly when under attack.
Therefore, although locating the attacker's IP address has practical application value, how to determine malicious IP addresses from massive packet traffic while guaranteeing a sufficient accuracy rate, and in particular guarding against blacklisting normally accessing IP addresses and affecting normal users, remains a problem to be solved in the industry.
Summary of the invention
In view of the above problems, the present invention proposes a method and device for detecting malicious addresses in a DDoS attack.
An embodiment of the present invention provides a method for detecting malicious addresses in a DDoS attack, including:
obtaining the header of a packet within a preset time window, and forming an N-item set from the N preset field items in that header;
searching, in a candidate set formed from the N field items of the headers of a preset number of packets, for records that contain subsets of the N-item set;
setting a minimum support for the count or frequency of the records;
when the count or frequency of the records of any subset of the N-item set is below the minimum support, detecting the next packet;
when the count or frequency of the records of the N-item set and of all of its subsets is not below the minimum support, determining that the source address of the current packet is a malicious address.
Preferably, the N preset field items include at least three of source address, destination address, packet length, destination port and protocol type, where N ≥ 3; or the N preset field items include source address, destination address, packet length, destination port and protocol type, where N ≥ 5; or the N preset field items include at least five of source address, destination address, packet length, destination port, protocol type, source port and network path, where N ≥ 5.
Preferably, before the step of obtaining the header of a packet within the preset time window, the method includes:
monitoring the packet traffic of the network and, when the packet traffic exceeds a first alarm threshold, obtaining a preset number of packets or the packets within a preset duration.
Preferably, the step of searching, in the candidate set formed from the N field items of the headers of the preset number of packets, for records that contain subsets of the N-item set includes:
starting from the 1-element subsets of the N-item set and proceeding to its (N-1)-element subsets, searching the candidate set in turn for records that contain a k-element subset of the N-item set, where 1 ≤ k ≤ N-1;
and after the step of setting the minimum support for the count or frequency of the records, the method further includes:
when the count or frequency of the records of a k-element subset of the N-item set is not below the minimum support, searching the candidate set for records that contain a (k+1)-element subset of the N-item set.
Preferably, after the step of determining, when the count or frequency of the records of the N-item set and of all its subsets is not below the minimum support, that the source address of the current packet is a malicious address, the method further includes:
setting the count or frequency of the records of the N-item set as the risk value of that malicious address;
setting a minimum confidence for the risk value of a malicious address;
when the monitored packet traffic of the network exceeds a second alarm threshold, restricting access from those malicious addresses not on a whitelist whose risk value exceeds the minimum confidence;
when the monitored packet traffic of the network is below a third alarm threshold, analyzing the address sources of malicious addresses whose risk value exceeds the minimum confidence and, according to the result of the analysis, adding such malicious addresses to the whitelist.
Correspondingly, an embodiment of the present invention provides a device for detecting malicious addresses in a DDoS attack, including:
a pointer acquiring unit, for obtaining the header of a packet within a preset time window and forming an N-item set from the N preset field items in that header;
a record search unit, for searching, in a candidate set formed from the N field items of the headers of a preset number of packets, for records that contain subsets of the N-item set;
a threshold setting unit, for setting the minimum support for the count or frequency of the records;
a pointer jump unit, for detecting the next packet when the count or frequency of the records of any subset of the N-item set is below the minimum support;
a result determining unit, for determining that the source address of the current packet is a malicious address when the count or frequency of the records of the N-item set and of all its subsets is not below the minimum support.
Preferably, the pointer acquiring unit includes:
an item specifying unit, for specifying the N preset field items;
the N preset field items including at least three of source address, destination address, packet length, destination port and protocol type, where N ≥ 3; or,
the N preset field items including source address, destination address, packet length, destination port and protocol type, where N ≥ 5; or,
the N preset field items including at least five of source address, destination address, packet length, destination port, protocol type, source port and network path, where N ≥ 5.
Preferably, the device includes:
a first alarm unit, for monitoring the packet traffic of the network and, when the packet traffic exceeds a first alarm threshold, obtaining a preset number of packets or the packets within a preset duration.
Preferably, the record search unit includes:
a recursive lookup unit, for searching the candidate set in turn, starting from the 1-element subsets of the N-item set and proceeding to its (N-1)-element subsets, for records that contain a k-element subset of the N-item set, where 1 ≤ k ≤ N-1, and, when the count or frequency of the records of a k-element subset of the N-item set is not below the minimum support, searching the candidate set for records that contain a (k+1)-element subset of the N-item set.
Preferably, the device further includes:
a risk value unit, for setting the count or frequency of the records of the N-item set as the risk value of the malicious address;
a confidence setting unit, for setting the minimum confidence for the risk value of a malicious address;
a second alarm unit, for restricting, when the monitored packet traffic of the network exceeds a second alarm threshold, access from those malicious addresses not on the whitelist whose risk value exceeds the minimum confidence;
a third alarm unit, for analyzing, when the monitored packet traffic of the network is below a third alarm threshold, the address sources of malicious addresses whose risk value exceeds the minimum confidence, and adding such malicious addresses to the whitelist according to the result of the analysis.
Compared with the prior art, the scheme provided by the present invention obtains the header of a packet within a detection time window and forms an N-item set from the N preset field items in that header. Although packet formats differ slightly between networks, the packet header format of a given network type is consistent, so the invention needs only the specified item information from the header of one packet to analyze rapidly whether that packet was sent by a malicious IP address; it is simple to operate and highly general. Before analysis begins, a candidate set is first formed from the N field items of the headers of a preset number of packets, and the candidate set is then searched for records containing subsets of the N-item set. The candidate set is the set of the specified N field items extracted from the headers of the batch of packets received during a high-volume traffic impact. The packets behind the candidate set therefore conceal the malicious packets that the DDoS attacker sends while switching virtual IPs; by tracking and mining the association between the N-item set of the current packet and the candidate set, a small amount of N-item data can be matched quickly and the malicious IP address locked on accurately. Accuracy is guaranteed by setting the minimum support for the count or frequency of the records: the more times the subsets of a packet's N-item set occur in the candidate set, and/or the higher their frequency, the greater the probability that the packet was sent by a malicious address. When the count or frequency of the records of any subset of the N-item set is below the minimum support, the next packet is detected; when the count or frequency of the records of the N-item set and of all its subsets is not below the minimum support, the source address of the current packet is determined to be a malicious address. The first advantage of the scheme is that, for the N-item set of a packet sent by a malicious address, every non-empty subset of that N-item set necessarily has a count or frequency of records in the candidate set that exceeds the minimum support. For if some non-empty subset I of the N-item set is below the minimum support threshold, then when an element A is added to I, the new subset (I ∪ {A}) cannot occur more times, or more frequently, than the original subset I, so the new subset (I ∪ {A}) is also not above the minimum support threshold. It follows that screening by the subsets of the N-item set ensures the accuracy of screening out non-malicious addresses and avoids affecting the access of normal users. The second advantage of the scheme is that comparing and screening low-order sets such as the 1-element or 2-element subsets first is very fast, because they have few elements; with this scheme the host system can therefore react quickly when under attack and network paralysis is avoided. The third advantage of the scheme is that its accuracy is clearly related to the number N of elements in the N-item set: the larger N, the more items are analyzed and the higher the accuracy. At the same time the number of subsets of the N-item set grows sharply with N, but since the 1-element and 2-element subsets are still subsets of the N-item set, these low-order subsets can still quickly rule out large numbers of non-malicious addresses; hence increasing N improves analytical accuracy without bringing a large amount of computation or significantly reducing analysis speed, so the real-time requirements of Internet access can be fully met.
Additional aspects and advantages of the present invention will be given in part in the following description, and will in part become apparent from the description or be learned through practice of the invention.
Brief description of the drawings
In order to describe the technical scheme in the embodiments of the present invention more clearly, the drawings needed for describing the embodiments are briefly introduced below. Obviously, the drawings described below show only some embodiments of the present invention, and those skilled in the art can obtain other drawings from them without creative work.
Fig. 1 is a schematic diagram of the IP packet format of the present invention;
Fig. 2 is a flow chart of the first embodiment of the method for detecting malicious addresses in a DDoS attack according to the present invention;
Fig. 3 is a schematic diagram of the header field item information of the packets in the nth time window of the first embodiment;
Fig. 4 is a flow chart of the second embodiment of the method for detecting malicious addresses in a DDoS attack according to the present invention;
Fig. 5 is a schematic diagram of network monitoring in the second embodiment of the method for detecting malicious addresses in a DDoS attack according to the present invention;
Fig. 6 is a schematic diagram of the recursive lookup in the second embodiment of the method for detecting malicious addresses in a DDoS attack according to the present invention;
Fig. 7 is a schematic diagram of the first embodiment of the device for detecting malicious addresses in a DDoS attack according to the present invention;
Fig. 8 is a schematic diagram of the second embodiment of the device for detecting malicious addresses in a DDoS attack according to the present invention.
Detailed description of the invention
To help those skilled in the art better understand the scheme of the present invention, the technical scheme in the embodiments of the present invention is described clearly and completely below in conjunction with the drawings of the embodiments.
In some of the flows described in the specification, the claims and the drawings above, multiple operations appear in a particular order, but it should be clearly understood that these operations may be executed in an order other than the one in which they appear herein, or in parallel; operation sequence numbers such as 101 and 102 serve only to distinguish different operations and do not themselves represent any execution order. Moreover, these flows may include more or fewer operations, and these operations may be executed sequentially or in parallel. It should be noted that terms such as "first" and "second" herein serve to distinguish different messages, devices, modules and so on; they do not represent an order, and do not limit "first" and "second" to different types.
The technical scheme in the embodiments of the present invention is described clearly and completely below in conjunction with the drawings. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by those skilled in the art on the basis of the embodiments of the present invention without creative work fall within the protection scope of the present invention.
From the attacker's point of view, DDoS attack traffic simulates the pattern of normal access as far as possible in order to bypass detection. The biggest difference between attack access and normal access is that, within the same period of time, the volume of access made for DDoS purposes is tens of times that of normal business access or even more, exceeding the upper performance limit of the server and thereby achieving denial of service. This method exploits exactly this difference: it finds the packets of identical content that are sent repeatedly to the same destination host by different means (such as different source ports or different network transmission paths) in numbers beyond normal access. For example, the scheme can be applied to IP packets.
Fig. 1 is a schematic diagram of the IP packet format of the present invention. For the IP packet format specifically, the field items that can be extracted from a packet header (such as the header in Fig. 1) and analyzed include:
1. Source address: fix the source address, the aim being to locate the suspected attack source;
2. Destination address: the fixed destination address is the server to be protected, the aim being to analyze all packets destined for that server;
3. Source port: allow the source port to vary, because an attacker may open several services or processes at the same time when attacking and send packets to the destination address from several ports;
4. Destination port: the fixed destination port is the service port (service) to be protected, the aim being to analyze all packets for that port (service);
5. Protocol / protocol type: protocol types are mainly divided into UDP and TCP; because the protocol type is highly correlated with the attack pattern, the protocol type is fixed (for the TCP protocol, the TCP flag bit information may also be included);
6. Total length / packet length: fix the packet length, because once an attacker starts an attack tool, the tool tends to generate large numbers of packets of fixed length and identical content sent to the destination host;
7. TTL (Time to live): the TTL reflects the network path by which a packet travelled from the source address to the destination address, and different TTLs imply that packets reached the destination host by different paths. Attack packets may reach the destination host along different paths within a short time, so the TTL is allowed to vary.
In addition, as shown in Fig. 1, the field items of a packet header (such as the header in Fig. 1) that can be extracted and analyzed also include version, header length, differentiated services, identification, flags, fragment offset, header checksum and so on, which are not explained one by one here.
Moreover, the scheme can also be applied to other packet formats. For example, for the TCP packet format the extractable field items include source port, destination port, sequence number, acknowledgement number, TCP header length, window size, checksum, urgent pointer and so on; for the UDP packet format they include source port, destination port, length, checksum, pseudo header and so on; for the ARP packet format they include hardware type, protocol type, hardware address length, protocol address length, operation code, sender hardware address, sender protocol address, target hardware address, target protocol address and so on. Besides the packet formats above, the scheme can also be applied to the analysis of ICMP packets, IPsec packets, OSPF packets, Ethernet frames and so on; the formats of these packets and their corresponding field items are too numerous to list here. It can be seen that the scheme can extract the corresponding field items for different packet formats for analysis; it is simple to operate and widely applicable. Taking the IP packet format of Fig. 1 as an example, the first embodiment of the present invention is described further below in conjunction with Fig. 2 and Fig. 3.
Fig. 2 is a flow chart of the first embodiment of the method for detecting malicious addresses in a DDoS attack according to the present invention, including:
S101: obtain the header of a packet within a preset time window, and form an N-item set from the N preset field items in that header;
S102: search, in a candidate set formed from the N field items of the headers of a preset number of packets, for records that contain subsets of the N-item set;
S103: set the minimum support for the count or frequency of the records;
S104: when the count or frequency of the records of any subset of the N-item set is below the minimum support, detect the next packet;
S105: when the count or frequency of the records of the N-item set and of all its subsets is not below the minimum support, determine that the source address of the current packet is a malicious address.
Fig. 3 is a schematic diagram of the header field item information of the packets in the nth time window of the first embodiment.
Assume that the host system has stored the header field item information of packets from malicious accesses over a past period. As shown in Fig. 3, the eight packet records of the time window "g=189" are now extracted for analysis.
First, the pointer moves to the first record of the "g=189" time window.
Obtain the header of the first packet (the first record) in the "g=189" time window, and form the N-item set from the N preset field items in that header. Although packet formats differ slightly between networks, the packet header format of a given network type is consistent.
Preferably, the N preset field items include at least three of source address, destination address, packet length, destination port and protocol type, where N ≥ 3; or,
preferably, the N preset field items include source address, destination address, packet length, destination port and protocol type, where N ≥ 5; or,
preferably, the N preset field items include at least five of source address, destination address, packet length, destination port, protocol type, source port and network path, where N ≥ 5.
In this first embodiment, assume N=3 and that the preset N field items are source address, destination address and packet length. The N-item set of the first packet is therefore {78.210.156.40, 119.84.68.11, 40}. The invention needs only these three field items from the first packet to analyze rapidly whether the packet was sent by a malicious IP address; it is simple to operate and highly general.
Before analysis begins, the candidate set is first formed from the N field items of the headers of a preset number of packets. For example, if within the "g=001" to "g=90" time windows there were only about 1,000 packets of normal service access, but this surged to 10,000 packets within the "g=091" to "g=180" time windows, a malicious attack is likely; a candidate set can then be formed from the three field items (source address, destination address, packet length) of the headers of those packets, and the first packet of the next time window, "g=189", analyzed against it. Alternatively, the candidate set can be extracted from historical records, such as the packet-surge attack records of the previous round, the previous week or the previous month. The candidate set is then searched for records containing subsets of the N-item set {78.210.156.40, 119.84.68.11, 40}. The candidate set is the set formed from the specified N field items extracted from the headers of the batch of packets received during a high-volume traffic attack; the packets behind it therefore conceal the malicious packets that the DDoS attacker sends while switching virtual IPs, and by tracking and mining the association between the N-item set of the current first packet and the candidate set, a small amount of N-item data can be matched quickly and the malicious IP address locked on accurately.
Accuracy is guaranteed by setting the minimum support for the count or frequency of the records. For example, set the minimum support for the count of records to 300 times, and/or set the minimum support for the frequency of records to 20%. The more times the subsets of a packet's N-item set occur in the candidate set, and/or the higher their frequency, the greater the probability that the packet was sent by a malicious address.
When the count or frequency of the records of any subset of the N-item set is below the minimum support, the next packet is detected. For example, if the subset {78.210.156.40} of the N-item set {78.210.156.40, 119.84.68.11, 40} has records occurring 180 times in the candidate set, which is below the set minimum support of 300 times, then there is no need to compute the count or frequency of the other subsets or of the N-item set, and the pointer can jump to the second record of the current "g=189" time window. Or, if the subset {78.210.156.40, 40} of the N-item set {78.210.156.40, 119.84.68.11, 40} has records occurring in the candidate set with a frequency of 11%, which is below the set minimum support of 20%, then likewise there is no need to continue computing the count or frequency of the other subsets or of the N-item set, and the pointer jumps to the second record.
When the count or frequency of the records of the N-item set and of all its subsets is not below the minimum support, the source address of the current packet is determined to be a malicious address. That is, the N-item set {78.210.156.40, 119.84.68.11, 40} has the 1-element subsets {78.210.156.40}, {119.84.68.11}, {40}; the 2-element subsets {78.210.156.40, 40}, {119.84.68.11, 40}, {78.210.156.40, 119.84.68.11}; and the 3-element subset {78.210.156.40, 119.84.68.11, 40}. When the N-item set {78.210.156.40, 119.84.68.11, 40} itself and every one of the subsets above, that is each of the 1-element, 2-element and 3-element subsets, has records occurring in the candidate set with a frequency not below the set minimum support of 20%, or with a count not below the set minimum support of 300 times, then the source address IP=78.210.156.40 of the packet of the first record of the current "g=189" time window is a malicious address.
Then the pointer moves to the second record of the "g=189" time window. Analyzing in the same way as before, when the count or frequency of the records of any subset of the N-item set of the second record is below the minimum support, the next packet is detected, and so on packet by packet.
Finally, the detection analyses of eight records of time window to " g=189 " are completed.
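The first embodiment, as an added example in Python (not code from the patent): each nonempty subset of a packet's N-itemset is tested against the candidate set, smallest subsets first, and the search stops at the first subset that misses the minimum support. The candidate set, the window records, the addresses and the thresholds (300 records and 20%) are constructed for illustration from the figures in the text; the choice to require both thresholds where both are set is an assumption, since the text says "and/or". Items are kept as (field, value) pairs so that the value 40 matches only as a packet length.

```python
from collections import Counter, namedtuple
from itertools import combinations

# The N = 3 header fields of embodiment one, in the page's order.
FIELDS = ("src", "dst", "length")

Verdict = namedtuple("Verdict", "malicious pruned_at support frequency")


def build_candidate_set():
    """Constructed candidate set (not captured traffic): the header fields of
    the 1,000 packets of a surge window.  One flooding source dominates, a
    second address sends 180 similar packets, the rest is ordinary traffic."""
    records = [("78.210.156.40", "119.84.68.11", 40)] * 350
    records += [("203.0.113.7", "119.84.68.11", 40)] * 180
    records += [(f"198.51.100.{i % 50}", "119.84.68.7", 200 + (i % 7) * 100)
                for i in range(470)]
    return records


def index_candidate_set(records):
    """Collapse identical headers into (record -> count) so that support is
    summed over distinct headers instead of rescanning every packet."""
    return Counter(records), len(records)


def subset_support(subset, record_counts, total):
    """Count the candidate records that contain every item of `subset`.
    Items are (field index, value) pairs: the literal 40 must match as a
    packet length, not as a port that happens to carry the same number."""
    count = sum(c for rec, c in record_counts.items()
                if all(rec[i] == v for i, v in subset))
    return count, count / total


def describe(subset):
    return "{" + ", ".join(f"{FIELDS[i]}={v}" for i, v in subset) + "}"


def classify_packet(packet, record_counts, total, min_count=300, min_freq=0.20):
    """Embodiment one: test every nonempty subset of the packet's N-itemset,
    smallest first, and stop at the first one below the minimum support
    (Apriori pruning: no superset of an infrequent subset can be frequent).
    Assumption: both thresholds must be met; the page says 'and/or'."""
    items = tuple(enumerate(packet))
    count, freq = 0, 0.0
    for k in range(1, len(items) + 1):
        for subset in combinations(items, k):
            count, freq = subset_support(subset, record_counts, total)
            if count < min_count or freq < min_freq:
                return Verdict(False, describe(subset), count, freq)
    # Every subset, including the full N-itemset, reached the minimum support.
    return Verdict(True, None, count, freq)


def detect_window(window, record_counts, total, **thresholds):
    """Walk the records of one time window in order (the page's 'pointer')
    and return the distinct source addresses judged malicious."""
    found = []
    for packet in window:
        verdict = classify_packet(packet, record_counts, total, **thresholds)
        if verdict.malicious and packet[0] not in found:
            found.append(packet[0])
    return found


def build_window():
    """Constructed eight records of the window being analyzed (g=189)."""
    return [
        ("78.210.156.40", "119.84.68.11", 40),
        ("221.228.253.156", "119.84.68.7", 1344),
        ("203.0.113.7", "119.84.68.11", 40),
        ("198.51.100.3", "119.84.68.7", 500),
        ("78.210.156.40", "119.84.68.11", 40),
        ("198.51.100.9", "119.84.68.7", 300),
        ("192.0.2.1", "119.84.68.11", 40),
        ("221.228.253.156", "119.84.68.7", 1344),
    ]


if __name__ == "__main__":
    counts, total = index_candidate_set(build_candidate_set())
    for pkt in build_window():
        print(pkt, classify_packet(pkt, counts, total))
    print("malicious:", detect_window(build_window(), counts, total))
```

With the constructed data the second address is pruned at its one-element subset {src=203.0.113.7} (180 records, 18%), so none of its larger subsets are ever counted; lowering the frequency threshold to 15% and dropping the count threshold flips that verdict, which is the sensitivity the text's "minimum support" parameter controls.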
The first advantage of this scheme is that, for the N-itemset of a packet sent by a malicious address, every nonempty subset of that N-itemset necessarily reaches the minimum support in terms of the count or frequency of its records in the candidate set. Conversely, if some nonempty subset I of the N-itemset is below the minimum support threshold, then adding an element A to I gives the superset I ∪ {A}, whose records cannot occur more often, or more frequently, than those of I, so I ∪ {A} is also below the minimum support threshold. Screening the subsets of the N-itemset therefore guarantees the accuracy of the screening for non-malicious addresses and avoids affecting the access of normal users. The second advantage is that screening starts with low-order sets (the one- and two-element subsets), which have few elements and are compared very quickly, so the system can react fast when the host is under attack and avoid network paralysis. The third advantage concerns the number N of elements in the N-itemset: the larger N is, the more items are analyzed and the higher the accuracy, although the number of subsets grows rapidly with N. Because the one- and two-element subsets remain subsets of the N-itemset, these low-order subsets still eliminate large numbers of non-malicious addresses quickly, so increasing N raises the accuracy of the analysis without bringing a large amount of extra computation or significantly lowering analysis speed, which meets the real-time requirements of internet access.

It should be added that, as the foregoing makes clear, the present invention is based on the principle of the Apriori algorithm and is an improved Apriori algorithm applied to the field of network security. Unlike traditional Apriori, the scheme does not need to find all frequent itemsets of the N-itemset, nor to derive strong association rules among the fields of the N-itemset. For the N-itemset {78.210.156.40, 119.84.68.11, 40} of the example above, even if the subset {78.210.156.40, 119.84.68.11} occurs very often in the candidate set and would count as a frequent itemset in the traditional Apriori sense, as soon as one subset such as {40} is infrequent the computation stops: there is no need to continue until the final frequent itemset {78.210.156.40, 119.84.68.11} is found, and no need to compute strong rules for it. The improved Apriori algorithm of the present invention therefore runs faster than the traditional algorithm.
Fig. 4 is a flow chart of a second embodiment of the method for detecting malicious addresses in a DDOS attack according to the present invention. Compared with the first embodiment of Fig. 2, the second embodiment specifies N=5 field items for the N-itemset, which makes the analysis more accurate, and performs the lookup recursively, one level at a time from the one-element subsets to the (N-1)-element subsets, which makes the screening faster.

S201: Monitor the packet flow of the network; when the packet flow exceeds a first alarm threshold, obtain a preset number of packets, or the packets within a preset duration;

S202: Obtain the header of one packet within a preset time window and form an N-itemset from the preset N field items of that header; the preset N field items include source address, destination address, packet length, destination port and protocol type, where N >= 5;

S203: Starting from the one-element subsets of the N-itemset and proceeding to its (N-1)-element subsets, search the candidate set in turn for records containing each k-element subset of the N-itemset, where 1 <= k <= N-1;

S204: Set a minimum support for the count or frequency of the records;

S205: When the count or frequency of the records for a k-element subset of the N-itemset is not less than the minimum support, search the candidate set for records containing the (k+1)-element subsets of the N-itemset;

S206: When the count or frequency of the records for any subset of the N-itemset is less than the minimum support, examine the next packet;

S207: When the count or frequency of the records for the N-itemset and every subset of it is not less than the minimum support, judge the source address of the current packet to be a malicious address.
The first embodiment can be applied both to real-time monitoring and to post-mortem analysis; the second embodiment is aimed specifically at real-time monitoring. Fig. 5 is a diagram of the monitored network in the second embodiment. As shown in Fig. 5, this embodiment uses packet-capture software to monitor the network in real time and measure its packet flow; when the flow exceeds the first alarm threshold, it obtains a preset number of packets, or the packets within a preset duration. The first alarm threshold is set according to the traffic-handling capacity of the local system host; when it is reached the host must enter a guard state to avoid network paralysis. Preferably, the packets within a period of time looking back from the moment the flow exceeded the first alarm threshold are used to build the candidate set; alternatively a preset number of packets, say 10,000, looking back from that moment can be used.

Because monitoring is in real time, this embodiment starts at the time window in which the flow exceeds the first alarm threshold, obtains the header of one packet within the preset window, and forms an N-itemset from the preset N field items of that header. Preferably the preset field items are five: source address, destination address, packet length, destination port and protocol type. Taking the second record of Fig. 3 as an example, the N-itemset of the packet examined in embodiment two is {221.228.253.156, 119.84.68.7, 1344, 555, UDP}.

Next, the lookup is performed recursively.

Fig. 6 is a schematic diagram of the recursive lookup in the second embodiment. As shown in Fig. 6, starting from the one-element subsets of the N-itemset and proceeding to its (N-1)-element subsets, the candidate set is searched in turn for records containing each k-element subset of the N-itemset, where 1 <= k <= N-1. A minimum support for the count or frequency of the records is set; when the count or frequency of the records for a k-element subset of the N-itemset is not less than the minimum support, the candidate set is searched for records containing the (k+1)-element subsets of the N-itemset.

Because low-order subsets have few elements they are searched quickly, and a high-order subset need only be re-screened among the records that its low-order subsets already matched; the more elements a subset has, the fewer records of the candidate set it has to screen. For example, in embodiment two with k=4, before the four-element subset {221.228.253.156, 119.84.68.7, 1344, 555} is screened, all of its three-element subsets have already been screened and each has produced its three-element screening set. Those screening sets make up only a small part of the original candidate set, so {221.228.253.156, 119.84.68.7, 1344, 555} only has to be re-screened within them. The recursive approach therefore further improves the speed of the invention and avoids repeated lookups.

Besides the recursive lookup, a depth lookup can be performed according to the characteristics of the field items of the particular packets. For example, the addresses of the system hosts to be protected are a few known destination addresses, so the destination-address field is the most important one and should be given priority: simply put, if a packet's destination address is not one of the protected hosts, the packet need not be considered at all. For the N-itemset {221.228.253.156, 119.84.68.7, 1344, 555, UDP} of embodiment two, depth screening therefore starts from the subsets containing the destination address, in the order {119.84.68.7}, {119.84.68.7, 555}, {119.84.68.7, 1344}, ... up to the full N-itemset {221.228.253.156, 119.84.68.7, 1344, 555, UDP}. As before, a high-order subset is re-screened only among the results of its low-order subsets, so repeated lookups are avoided, and the search still proceeds from the one-element subsets towards the (N-1)-element subsets. Thanks to the knowledge of the destination address, however, not every one-element subset of the N-itemset needs to be looked up (a subset such as {555}, for instance), so combining recursion with the depth lookup speeds the algorithm up further.

When the count or frequency of the records for any subset of the N-itemset is less than the minimum support, the next packet is examined; when the count or frequency of the records for the N-itemset and every subset of it is not less than the minimum support, the source address of the current packet is judged to be a malicious address. Preferably, embodiment two uses frequency as the support and sets the minimum support as a parameter x (0 <= x <= 1), meaning that the algorithm finds, in the candidate set, the source addresses of sets containing the N-itemset whose repetition rate exceeds x. With x chosen sensibly, a source address extracted in this way has a very high probability of being a malicious IP address attacking the destination address. In embodiment two, for example, x = 30% and the frequency of the full N-itemset {221.228.253.156, 119.84.68.7, 1344, 555, UDP} is 85%, so 221.228.253.156 is identified as a malicious IP, and the system host can rate-limit this malicious IP address to avoid network paralysis and service interruption.
Further, embodiment two may also include the following steps:

S208: Set the count or frequency of the records of the N-itemset as the risk value of that malicious address;

S209: Set a minimum credibility for the risk value of malicious addresses;

S210: When the packet flow of the monitored network exceeds a second alarm threshold, restrict access from malicious addresses that are not in a white list and whose risk value exceeds the minimum credibility;

S211: When the packet flow of the monitored network falls below a third alarm threshold, analyze the origin of the malicious addresses whose risk value exceeds the minimum credibility and, according to the result of the analysis, add such an address to the white list.

As described above, during real-time monitoring, when the packet flow exceeds the first alarm threshold the system host enters the guard state and collects suspicious packets; when the flow exceeds the second alarm threshold the host has finished its analysis and begins restricting access from malicious addresses, bringing the flow back to a normal volume; when the flow falls below the third alarm threshold, the restrictions may unavoidably have affected the access of some normal users, and since the CPU and memory resources of the system host are now sufficient, reverse detection can be used to analyze the origin of the malicious addresses whose risk value exceeds the minimum credibility and, according to the result, add such an address to the white list, avoiding impact on normal users.

The advantage of this preferred embodiment is as follows. In the basic scheme, the source address of an N-itemset that exceeds the minimum support is put on a malicious-address blacklist and access from it is restricted. Here the count or frequency of the records of the N-itemset is set as the risk value of the malicious address, a minimum credibility for the risk value is set, the risk value is compared with the preset minimum credibility, and malicious addresses that are in the white list are excluded. This keeps virtual addresses that occur in normal traffic (a proxy IP, for example) from being counted among the malicious addresses. The reasoning is that a malicious attack tends to use virtual addresses in a completely random way, whereas in normal traffic a single fixed virtual address (such as a proxy IP) sends repeatedly but, in theory, not at a frequency that exceeds the minimum support. Should it nevertheless exceed the minimum support, this preferred embodiment sets a minimum credibility and ranks addresses by risk value from high to low. The risk value of normal traffic is lower than that of malicious traffic, so restricting only the non-whitelisted addresses whose risk value exceeds the minimum credibility leaves the virtual addresses of normal traffic unrestricted.
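The second embodiment, as an added example in Python (not code from the patent), covering both the recursive lookup of Fig. 6 with the destination-first depth ordering and the risk-value ranking of steps S208 to S210: each k-element subset is counted only inside the pool of candidate records that already matched its (k-1)-element prefix, a packet not addressed to a protected host is rejected before any subset is counted, and the frequency of the full N-itemset becomes the address's risk value, from which whitelisted addresses and those below the minimum credibility are removed. The candidate set, the window records, the protected host, the whitelist entry and the thresholds (x = 30%, credibility 30% and 40%) are constructed for illustration; the alarm thresholds that decide when this ranking is invoked are outside the example.

```python
from collections import Counter, namedtuple
from itertools import combinations

# The N = 5 header fields of embodiment two, in the page's order.
FIELDS = ("src", "dst", "length", "dport", "proto")
SRC, DST = 0, 1

Verdict = namedtuple("Verdict", "malicious pruned_at frequency")


def build_candidate_set():
    """Constructed candidate set (not captured traffic): 1,000 headers from
    the window that crossed the first alarm threshold.  Two sources flood the
    protected host 119.84.68.7 with identical UDP/555, 1344-byte packets; the
    remaining 230 records are ordinary HTTPS traffic from 23 client addresses."""
    records = [("221.228.253.156", "119.84.68.7", 1344, 555, "UDP")] * 450
    records += [("203.0.113.7", "119.84.68.7", 1344, 555, "UDP")] * 320
    records += [(f"198.51.100.{i % 23}", "119.84.68.7", 120, 443, "TCP")
                for i in range(230)]
    return records


def index_candidate_set(records):
    """Collapse identical headers into (record -> count); a screening pool
    below is such a dict restricted to the records matching a subset."""
    return Counter(records), len(records)


def ordered_items(packet):
    """Depth ordering from the page: the destination field comes first, so
    the subsets containing it ({dst}, {dst, x}, ...) are screened before any
    subset that does not contain it."""
    order = (DST,) + tuple(i for i in range(len(packet)) if i != DST)
    return tuple((i, packet[i]) for i in order)


def describe(subset):
    return "{" + ", ".join(f"{FIELDS[i]}={v}" for i, v in subset) + "}"


def screen_packet(packet, record_counts, total, x, protected_dst):
    """Recursive (level-wise) screening of Fig. 6 with frequency support x.
    A k-subset is counted only inside the pool of records that matched its
    (k-1)-prefix, so each higher order scans a shrinking slice of the
    candidate set, and the first subset below x ends the search."""
    if packet[DST] not in protected_dst:        # depth lookup: not our host
        return Verdict(False, "dst not protected", 0.0)
    items = ordered_items(packet)
    pools = {(): dict(record_counts)}            # prefix -> matching records
    freq = 0.0
    for k in range(1, len(items) + 1):
        for subset in combinations(items, k):
            field, value = subset[-1]
            pool = {rec: c for rec, c in pools[subset[:-1]].items()
                    if rec[field] == value}
            freq = sum(pool.values()) / total
            if freq < x:
                return Verdict(False, describe(subset), freq)
            pools[subset] = pool
    # The frequency of the full N-itemset doubles as the risk value (S208).
    return Verdict(True, None, freq)


def rank_for_limiting(window, record_counts, total, x, protected_dst,
                      whitelist, min_credibility):
    """S208-S210: risk value = frequency of the full N-itemset; drop
    whitelisted addresses (e.g. a known proxy) and those below the minimum
    credibility; return the rest sorted from highest risk to lowest."""
    risk = {}
    for packet in window:
        verdict = screen_packet(packet, record_counts, total, x, protected_dst)
        if verdict.malicious:
            src = packet[SRC]
            risk[src] = max(risk.get(src, 0.0), verdict.frequency)
    limited = [(src, r) for src, r in risk.items()
               if src not in whitelist and r >= min_credibility]
    return sorted(limited, key=lambda item: item[1], reverse=True)


def build_window():
    """Constructed records of the window being screened."""
    return [
        ("221.228.253.156", "119.84.68.7", 1344, 555, "UDP"),
        ("198.51.100.1", "119.84.68.7", 120, 443, "TCP"),
        ("203.0.113.7", "119.84.68.7", 1344, 555, "UDP"),
        ("221.228.253.156", "10.0.0.5", 1344, 555, "UDP"),
        ("221.228.253.156", "119.84.68.7", 1344, 555, "UDP"),
    ]


if __name__ == "__main__":
    counts, total = index_candidate_set(build_candidate_set())
    for pkt in build_window():
        print(pkt, screen_packet(pkt, counts, total, 0.30, {"119.84.68.7"}))
    print(rank_for_limiting(build_window(), counts, total, 0.30,
                            {"119.84.68.7"}, {"203.0.113.7"}, 0.30))
```

The pool for a k-subset is derived from the pool of its (k-1)-prefix, which was stored when that prefix passed, so no record is matched twice against the same item; the `dst not protected` verdict is the depth lookup's shortcut. With the constructed data both flooding sources pass every level, but 203.0.113.7 is removed from the rate-limit list by the whitelist (as the text's proxy-IP case), or by a minimum credibility of 40% if it is not whitelisted.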
In summary, the present invention is based on the principle of the Apriori algorithm, improved so that it fits the packet format well. It mines frequent association rules starting from the smallest dimension (single items): it finds the single items that meet the given frequency or count level, then extends the single items that meet the frequency of occurrence into two-item sets, and so on, which avoids the full combinatorial problem of multi-item sets and improves screening efficiency.
Fig. 7 is a schematic diagram of a first embodiment of a device for detecting malicious addresses in a DDOS attack according to the present invention, comprising:

A pointer acquiring unit, for obtaining the header of one packet within a preset time window and forming an N-itemset from the preset N field items of that header;

A record search unit, for searching the candidate set formed from the N field items of the headers of a preset number of packets for records containing a subset of the N-itemset;

A threshold setting unit, for setting the minimum support of the count or frequency of the records;

A pointer jump unit, for examining the next packet when the count or frequency of the records for any subset of the N-itemset is less than the minimum support;

A result judging unit, for judging the source address of the current packet to be a malicious address when the count or frequency of the records for the N-itemset and every subset of it is not less than the minimum support.

The first embodiment of Fig. 7 corresponds to Fig. 2, and the units in Fig. 7 operate in the same way as the method.
Fig. 8 is a schematic diagram of a second embodiment of the device for detecting malicious addresses in a DDOS attack according to the present invention.

As shown in Fig. 8, the pointer acquiring unit includes:

A project designating unit, for specifying the preset N field items;

the N field items comprising at least three of source address, destination address, packet length, destination port and protocol type, where N >= 3; or,

the preset N field items comprising source address, destination address, packet length, destination port and protocol type, where N >= 5; or,

the preset N field items comprising at least five of source address, destination address, packet length, destination port, protocol type, source port and network path, where N >= 5.

As shown in Fig. 8, the device further includes:

A first alarm unit, for monitoring the packet flow of the network and, when the packet flow exceeds the first alarm threshold, obtaining the preset number of packets, or the packets within a preset duration.

As shown in Fig. 8, the record search unit includes:

A recursive lookup unit, for searching the candidate set in turn, starting from the one-element subsets of the N-itemset and proceeding to its (N-1)-element subsets, for records containing each k-element subset of the N-itemset, where 1 <= k <= N-1; and, when the count or frequency of the records for a k-element subset of the N-itemset is not less than the minimum support, searching the candidate set for records containing the (k+1)-element subsets of the N-itemset.

The second embodiment of Fig. 8 corresponds to Fig. 4, and the units in Fig. 8 operate in the same way as the method.

In a preferred embodiment, the device further includes:

A risk value unit, for setting the count or frequency of the records of the N-itemset as the risk value of the malicious address;

A credibility setting unit, for setting the minimum credibility of the risk value of malicious addresses;

A second alarm unit, for restricting, when the packet flow of the monitored network exceeds the second alarm threshold, access from malicious addresses that are not in the white list and whose risk value exceeds the minimum credibility;

A third alarm unit, for analyzing, when the packet flow of the monitored network falls below the third alarm threshold, the origin of the malicious addresses whose risk value exceeds the minimum credibility and, according to the result of the analysis, adding such an address to the white list.
In one embodiment, the workflow of the device is summarized as follows:

(1) The packet flow of the target system host reaches the first alarm threshold, which triggers packet capture on the network;

(2) The header portion of each captured packet is extracted, the specified field items are taken from it, and N-itemsets are formed;

(3) For the given minimum support, the N-itemsets that meet the condition are found and their source addresses are collected;

(4) Source addresses that are in the white list are removed;

(5) The remaining addresses are sorted from high to low by the risk value of their N-itemset, a minimum credibility is set, and access from the source addresses above the minimum credibility is restricted one by one until the network and the system host return to a normal volume of traffic;

(6) Once traffic has fallen back, and if the CPU and memory resources of the system host permit, reverse detection is applied to some of the restricted source addresses to verify their true identity, either further confirming the malicious address or removing a virtual address from the restriction.
The beneficial effects of the technical solution of the present invention are:

(1) Detection is accurate: the malicious addresses found are guaranteed to be significant in the statistical sense, avoiding the subjectivity and one-sidedness of manual judgment.

(2) By adjusting the minimum support flexibly, both the number of malicious addresses found and the risk value characterizing their degree of malice can be controlled.

(3) Analysis interference caused by false IP addresses in normal traffic is avoided.

(4) By restricting according to the risk-value ranking, the few IPs with the highest degree of malice can be restricted, recovering network and host resources to an acceptable level.

Those skilled in the art will clearly understand that, for convenience and brevity of description, the specific working processes of the systems, devices and units described above may be found in the corresponding processes of the method embodiments above and are not repeated here.

The embodiments described above express only several embodiments of the present invention, and their description is relatively specific and detailed, but they are not to be construed as limiting the scope of the claims of the present invention. It should be pointed out that those of ordinary skill in the art can make several variations and improvements without departing from the inventive concept, and these all fall within the scope of protection of the present invention. The scope of protection of the present patent is therefore defined by the appended claims.

Claims (10)

1. one kind based in DDOS attack malice address detection method, it is characterised in that including:
Obtain the header file of a packet in the middle of Preset Time window, by the default N number of field item design N item in this header file Collection;
Search in the middle of the Candidate Set of described N number of field item design of the header file by present count packet and comprise described N The record of the subset of item collection;
Set the minimum support of the times or frequency of described record;
When the times or frequency of the record of any subset of described N item collection is less than described minimum support, detect next number According to bag;
When the times or frequency of described N item collection and the record of any subset thereof is not less than described minimum support, it is determined that current The source address of one packet is malice address.
It is the most according to claim 1 based on the detection method of malice address in DDOS attack, it is characterised in that:
Described preset N number of field project, including in the middle of source address, destination address, packet length, destination interface, protocol type extremely Few three projects, wherein, N >=3;Or,
Described default N number of field project, including source address, destination address, packet length, destination interface, protocol type, wherein, N >= 5;Or,
Described preset N number of field project, including source address, destination address, packet length, destination interface, protocol type, source port, At least five project in the middle of network path, wherein, N >=5.
The most according to claim 1 based on the detection method of malice address in DDOS attack, it is characterised in that to obtain and preset In the middle of time window before the step of the header file of a packet, including:
The data packet flow of monitoring network, when described data packet flow is more than the first alarm threshold, obtains predetermined number or pre- If the described several packets in duration.
It is the most according to claim 1 based on the detection method of malice address in DDOS attack, it is characterised in that:
Search in the middle of the Candidate Set of described N number of field item design of the header file by present count packet and comprise described N The step of the record of the subset of item collection, including,
From the beginning of the unitary subset of described N item collection, to the N-1 unit subset of described N item collection, search in the middle of described Candidate Set successively Comprise the record of the k unit subset of described N item collection, wherein, 1≤k≤N-1;
After the step of the minimum support of the times or frequency of the described record of described setting, also include,
When the times or frequency of the record of the k unit subset of described N item collection is not less than described minimum support, at described Candidate Set The central record searching the k+1 unit subset comprising described N item collection.
The most according to claim 1 based on the detection method of malice address in DDOS attack, it is characterised in that as described N When the times or frequency of the record of item collection and any subset thereof is not less than described minimum support, it is determined that presently described data After the source address of bag is the step of malice address, also include:
The times or frequency of the record of described N item collection is set to the value at risk of this malice address;
Set the Minimum support4 of the value at risk of described malice address;
When the data packet flow of monitoring network is more than the second alarm threshold, limit the value at risk in non-white list more than described The access of the malice address of Minimum support4;
When the data packet flow monitoring network is less than three alarm threshold, analyze value at risk more than described Minimum support4 The maliciously address sources of address, and according to the result analyzed, this malice address is added described white list.
6. one kind based in DDOS attack malice address detection device, it is characterised in that including:
Pointer acquiring unit, for obtaining the header file of a packet in the middle of Preset Time window, by the default N in this header file Individual field item design N item collection;
Record search unit, for the Candidate Set of the described N number of field item design at the header file by present count packet The central record searching the subset comprising described N item collection;
Threshold sets unit, for setting the minimum support of the times or frequency of described record;
Pointer jump-transfer unit, the times or frequency for the record of any subset when described N item collection is supported less than described minimum When spending, the next packet of detection;
Result identifying unit, for determining that the source address of the current packet is a malicious address when the number or frequency of records of the N-itemset and of every subset thereof is not less than the minimum support.
The device for detecting malicious addresses in a DDOS attack according to claim 1, characterised in that the pointer acquiring unit includes:
Project designating unit, for specifying the preset N field items;
The N field items include at least three of source address, destination address, packet length, destination interface and protocol type, wherein N ≥ 3; or,
The preset N field items include source address, destination address, packet length, destination interface and protocol type, wherein N ≥ 5; or,
The preset N field items include at least five of source address, destination address, packet length, destination interface, protocol type, source port and network path, wherein N ≥ 5.
The device for detecting malicious addresses in a DDOS attack according to claim 1, characterised in that it includes:
First alarm unit, for monitoring the data packet flow of the network and, when the data packet flow exceeds a first alarm threshold, obtaining the several packets within a predetermined number or a preset duration.
The device for detecting malicious addresses in a DDOS attack according to claim 1, characterised in that the record search unit includes:
Recursive lookup unit, for searching the candidate set in turn, from the 1-item subsets of the N-itemset to the (N-1)-item subsets of the N-itemset, for records that contain a k-item subset of the N-itemset, wherein 1 ≤ k ≤ N-1; and, when the number or frequency of records of the k-item subset of the N-itemset is not less than the minimum support, searching the candidate set for records that contain the (k+1)-item subset of the N-itemset.
The device for detecting malicious addresses in a DDOS attack according to claim 1, characterised in that it also includes:
Value at risk unit, for setting the number or frequency of records of the N-itemset as the value at risk of the malicious address;
Credibility setup unit, for setting the minimum credibility of the value at risk of the malicious address;
Second alarm unit, for limiting, when the data packet flow of the monitored network exceeds a second alarm threshold, access by malicious addresses not in the white list whose value at risk exceeds the minimum credibility;
Third alarm unit, for analysing, when the data packet flow of the monitored network is below a third alarm threshold, the address sources of malicious addresses whose value at risk exceeds the minimum credibility, and adding those malicious addresses to the white list according to the result of the analysis.
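As an added example (not code from the patent or its assignee), the subset-then-itemset check performed by the recursive lookup and result identifying units, and the value-at-risk filter of the second alarm unit, written in Python over a constructed candidate set; the field names, sample records and thresholds are assumptions.

```python
from itertools import combinations

# Constructed sample candidate set: recent packet records, one tuple per packet.
# Field order (assumed): source address, destination address, length, destination port, protocol.
FIELDS = ("src", "dst", "length", "dport", "proto")
CANDIDATES = [
    ("10.0.0.5", "192.0.2.10", 60, 80, "TCP"),
    ("10.0.0.5", "192.0.2.10", 60, 80, "TCP"),
    ("10.0.0.5", "192.0.2.10", 60, 80, "TCP"),
    ("10.0.0.5", "192.0.2.10", 60, 80, "TCP"),
    ("10.0.0.7", "192.0.2.10", 1500, 443, "TCP"),
    ("10.0.0.8", "192.0.2.11", 512, 53, "UDP"),
]


def support(itemset, candidates):
    """Count candidate records that contain every (field index, value) pair of itemset."""
    return sum(all(rec[i] == v for i, v in itemset) for rec in candidates)


def frequent_itemset(packet, candidates, min_support):
    """Recursive lookup: check the k-item subsets of the packet's N-itemset for
    k = 1..N-1, stopping as soon as one falls below min_support (its supersets
    cannot be frequent either), then check the full N-itemset.
    Returns the N-itemset's record count if every check passed, else None."""
    items = tuple(enumerate(packet))          # N-itemset as (field index, value) pairs
    n = len(items)
    for k in range(1, n):
        for subset in combinations(items, k):
            if support(subset, candidates) < min_support:
                return None                   # an infrequent subset: not malicious
    full = support(items, candidates)
    return full if full >= min_support else None


def detect(packet, candidates, min_support):
    """Result identifying + value at risk units: (is_malicious, value_at_risk)."""
    count = frequent_itemset(packet, candidates, min_support)
    return (count is not None, count if count is not None else 0)


def limit_access(sources, risk_values, min_credibility, whitelist):
    """Second alarm unit: non-whitelisted addresses whose value at risk exceeds
    the minimum credibility are the ones whose access gets limited."""
    return {a for a in sources
            if a not in whitelist and risk_values.get(a, 0) > min_credibility}
```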

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610671479.0A CN106302450B (en) 2016-08-15 2016-08-15 A kind of detection method and device based on malice address in DDOS attack

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201610671479.0A CN106302450B (en) 2016-08-15 2016-08-15 A kind of detection method and device based on malice address in DDOS attack

Publications (2)

Publication Number Publication Date
CN106302450A true CN106302450A (en) 2017-01-04
CN106302450B CN106302450B (en) 2019-08-30

Family

ID=57671581

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610671479.0A Active CN106302450B (en) 2016-08-15 2016-08-15 A kind of detection method and device based on malice address in DDOS attack

Country Status (1)

Country Link
CN (1) CN106302450B (en)

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106685636A (en) * 2017-03-22 2017-05-17 电子科技大学 Frequency analysis method combined with data locality features
CN107332856A (en) * 2017-07-28 2017-11-07 腾讯科技(深圳)有限公司 Detection method, device, storage medium and the electronic installation of address information
CN108965207A (en) * 2017-05-19 2018-12-07 北京京东尚科信息技术有限公司 Machine Activity recognition method and apparatus
CN111581328A (en) * 2020-04-21 2020-08-25 浙江华途信息安全技术股份有限公司 Data comparison detection method and system
CN111801925A (en) * 2018-02-13 2020-10-20 区块链控股有限公司 Block chain based system and method for propagating data in a network
CN113645176A (en) * 2020-05-11 2021-11-12 北京观成科技有限公司 Method and device for detecting counterfeit flow and electronic equipment
US11563772B2 (en) 2019-09-26 2023-01-24 Radware, Ltd. Detection and mitigation DDoS attacks performed over QUIC communication protocol
CN116866055A (en) * 2023-07-26 2023-10-10 中科驭数(北京)科技有限公司 Method, device, equipment and medium for defending data flooding attack

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101640666A (en) * 2008-08-01 2010-02-03 北京启明星辰信息技术股份有限公司 Device and method for controlling flow quantity facing to target network
CN102882881A (en) * 2012-10-10 2013-01-16 常州大学 Special data filtering method for eliminating denial-of-service attacks to DNS (domain name system) service
CN104348811A (en) * 2013-08-05 2015-02-11 深圳市腾讯计算机系统有限公司 Method and device for detecting attack of DDoS (distributed denial of service)
CN105282169A (en) * 2015-11-04 2016-01-27 中国电子科技集团公司第四十一研究所 DDoS attack warning method and system based on SDN controller threshold
CN105306475A (en) * 2015-11-05 2016-02-03 天津理工大学 Network intrusion detection method based on association rule classification
CN105719155A (en) * 2015-09-14 2016-06-29 南京理工大学 Association rule algorithm based on Apriori improved algorithm
CN105847283A (en) * 2016-05-13 2016-08-10 深圳市傲天科技股份有限公司 Information entropy variance analysis-based abnormal traffic detection method

Patent Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101640666A (en) * 2008-08-01 2010-02-03 北京启明星辰信息技术股份有限公司 Device and method for controlling flow quantity facing to target network
CN102882881A (en) * 2012-10-10 2013-01-16 常州大学 Special data filtering method for eliminating denial-of-service attacks to DNS (domain name system) service
CN104348811A (en) * 2013-08-05 2015-02-11 深圳市腾讯计算机系统有限公司 Method and device for detecting attack of DDoS (distributed denial of service)
CN105719155A (en) * 2015-09-14 2016-06-29 南京理工大学 Association rule algorithm based on Apriori improved algorithm
CN105282169A (en) * 2015-11-04 2016-01-27 中国电子科技集团公司第四十一研究所 DDoS attack warning method and system based on SDN controller threshold
CN105306475A (en) * 2015-11-05 2016-02-03 天津理工大学 Network intrusion detection method based on association rule classification
CN105847283A (en) * 2016-05-13 2016-08-10 深圳市傲天科技股份有限公司 Information entropy variance analysis-based abnormal traffic detection method

Cited By (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106685636A (en) * 2017-03-22 2017-05-17 电子科技大学 Frequency analysis method combined with data locality features
CN108965207A (en) * 2017-05-19 2018-12-07 北京京东尚科信息技术有限公司 Machine Activity recognition method and apparatus
CN108965207B (en) * 2017-05-19 2021-02-26 北京京东尚科信息技术有限公司 Machine behavior identification method and device
CN107332856A (en) * 2017-07-28 2017-11-07 腾讯科技(深圳)有限公司 Detection method, device, storage medium and the electronic installation of address information
CN111801925A (en) * 2018-02-13 2020-10-20 区块链控股有限公司 Block chain based system and method for propagating data in a network
CN111801925B (en) * 2018-02-13 2023-04-18 区块链控股有限公司 Block chain based system and method for propagating data in a network
US11563772B2 (en) 2019-09-26 2023-01-24 Radware, Ltd. Detection and mitigation DDoS attacks performed over QUIC communication protocol
CN111581328A (en) * 2020-04-21 2020-08-25 浙江华途信息安全技术股份有限公司 Data comparison detection method and system
CN113645176A (en) * 2020-05-11 2021-11-12 北京观成科技有限公司 Method and device for detecting counterfeit flow and electronic equipment
CN113645176B (en) * 2020-05-11 2023-08-08 北京观成科技有限公司 Method and device for detecting fake flow and electronic equipment
CN116866055A (en) * 2023-07-26 2023-10-10 中科驭数(北京)科技有限公司 Method, device, equipment and medium for defending data flooding attack
CN116866055B (en) * 2023-07-26 2024-02-27 中科驭数(北京)科技有限公司 Method, device, equipment and medium for defending data flooding attack

Also Published As

Publication number Publication date
CN106302450B (en) 2019-08-30

Similar Documents

Publication Publication Date Title
CN106302450B (en) A kind of detection method and device based on malice address in DDOS attack
CN109951500B (en) Network attack detection method and device
Protić Review of KDD Cup ‘99, NSL-KDD and Kyoto 2006+ datasets
CN109600363B (en) Internet of things terminal network portrait and abnormal network access behavior detection method
Hoque et al. An implementation of intrusion detection system using genetic algorithm
CN106027559B (en) Large scale network scanning detection method based on network session statistical nature
KR100800370B1 (en) Network attack signature generation
US8307441B2 (en) Log-based traceback system and method using centroid decomposition technique
CN108289088A (en) Abnormal traffic detection system and method based on business model
Seufert et al. Machine learning for automatic defence against distributed denial of service attacks
CN104135474B (en) Intrusion Detection based on host goes out the Network anomalous behaviors detection method of in-degree
Sabri et al. Identifying false alarm rates for intrusion detection system with data mining
CN109951419A (en) A kind of APT intrusion detection method based on attack chain attack rule digging
CN112769833B (en) Method and device for detecting command injection attack, computer equipment and storage medium
CN112769827B (en) Network attack agent end detection and tracing method and device
Riadi et al. Internet forensics framework based-on clustering
Frye et al. An ontology-based system to identify complex network attacks
u Nisa et al. Detection of slow port scanning attacks
Chakir et al. An efficient method for evaluating alerts of Intrusion Detection Systems
Zali et al. Real-time intrusion detection alert correlation and attack scenario extraction based on the prerequisite-consequence approach
CN109309679A (en) A kind of Network scan detection method and detection system based on TCP flow state
Raheja et al. Rule‐Based Approach for Botnet Behavior Analysis
Leghris et al. Improved security intrusion detection using intelligent techniques
KR100977827B1 (en) Apparatus and method detecting connection mailcious web server system
CN106993005A (en) The method for early warning and system of a kind of webserver

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant