CN106302450B - Detection method and device for malicious addresses in a DDoS attack - Google Patents
Detection method and device for malicious addresses in a DDoS attack
- Publication number
- CN106302450B (application CN201610671479.0A)
- Authority
- CN
- China
- Prior art keywords
- address
- record
- data packet
- subset
- item collection
- Prior art date
- Legal status
- Active
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/1458—Denial of Service
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L2463/00—Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
- H04L2463/146—Tracing the source of attacks
Abstract
The invention discloses a method and device for detecting malicious addresses in a DDoS attack. The method comprises: obtaining the header of one data packet within a preset time window and forming an N-itemset from N preset fields of the header; searching a candidate set, formed from the same N fields of the headers of a preset number of data packets, for records containing subsets of the N-itemset; setting a minimum support for the count or frequency of those records; when the count or frequency of the records of any subset of the N-itemset is less than the minimum support, moving on to detect the next data packet; and when the count or frequency of the records of the N-itemset and of all its subsets is not less than the minimum support, determining that the source address of the current data packet is a malicious address. With the invention, suspected malicious IP addresses can be screened rapidly, helping the host system react quickly when under attack and avoiding network paralysis.
Description
Technical field
The present invention relates to the technical field of network security, and in particular to a method and device for detecting malicious addresses in a DDoS attack.
Background technique
A DDoS (Distributed Denial of Service) attack uses client/server technology to join multiple computers together into an attack platform and launch an attack against one or more targets, thereby multiplying the power of a denial-of-service attack. Typically the attacker installs the DDoS master program on one computer using a stolen account; at a preset time the master program communicates with a large number of agent programs that have already been installed on many computers across the network. When the agent programs receive the instruction they launch the attack. Using client/server technology, the master program can activate hundreds or thousands of agent programs within seconds.
The main defense techniques against DDoS attacks at present are (1) reverse detection, (2) protocol stack analysis and (3) fingerprint identification. First, reverse detection verifies and analyzes the source address of a data packet, for example by judging its authenticity, geographical location and open-port situation, to decide whether the IP address is legitimate. In practice, however, limited resources do not allow every accessing source address to be checked in reverse; reverse detection is suited to further verification of a small number of suspicious addresses that have already been filtered out, and the technique itself does not solve the problem of how to filter suspected attack addresses out of a huge number of addresses. Second, protocol stack analysis is based on the series of RFC (Request For Comments, the numbered document series) specifications. Since every packet type must at least satisfy the RFC specifications, and packets constructed by attackers with tools often do not, an attack can be detected by protocol stack analysis; but as attacks have evolved, advanced attackers can construct packets that satisfy the protocol stack specifications as far as possible, which increases the difficulty of protocol stack analysis. This technique can only cope with first-stage attackers and cannot accurately screen the IP addresses of a malicious attack. Finally, fingerprint identification has the highest precision for identifying DDoS attacks, but it consumes more resources and cannot identify new attacks that are not yet in the fingerprint base, so it is difficult for it to react quickly when the host system is under attack.
Therefore, although locating the attacker's IP address has practical value, how to determine malicious IP addresses from massive packet traffic while guaranteeing sufficient accuracy, and in particular avoiding blacklisting normally accessing IP addresses and affecting normal users, remains an unsolved problem in the industry.
Summary of the invention
In view of the above problems, the invention proposes a method and device for detecting malicious addresses in a DDoS attack.
An embodiment of the invention provides a method for detecting malicious addresses in a DDoS attack, comprising:
obtaining the header of one data packet within a preset time window and forming an N-itemset from N preset fields of the header;
searching a candidate set, formed from the N fields of the headers of a preset number of data packets, for records containing subsets of the N-itemset;
setting a minimum support for the count or frequency of the records;
when the count or frequency of the records of any subset of the N-itemset is less than the minimum support, detecting the next data packet;
when the count or frequency of the records of the N-itemset and of all its subsets is not less than the minimum support, determining that the source address of the current data packet is a malicious address.
Preferably, the N preset fields are at least three of source address, destination address, packet length, destination port and protocol type, with N ≥ 3; alternatively, the N preset fields are source address, destination address, packet length, destination port and protocol type, with N ≥ 5; alternatively, the N preset fields are at least five of source address, destination address, packet length, destination port, protocol type, source port and network path, with N ≥ 5.
Preferably, before the step of obtaining the header of one data packet within the preset time window, the method comprises: monitoring the packet traffic of the network and, when the traffic exceeds a first alarm threshold, obtaining a preset number of data packets or the data packets of a preset duration.
Preferably, the step of searching the candidate set, formed from the N fields of the headers of a preset number of data packets, for records containing subsets of the N-itemset comprises: starting from the 1-item subsets of the N-itemset and proceeding to its (N-1)-item subsets, successively searching the candidate set for records containing a k-item subset of the N-itemset, where 1 ≤ k ≤ N-1; and, after the step of setting the minimum support for the count or frequency of the records, further comprises: when the count or frequency of the records of a k-item subset of the N-itemset is not less than the minimum support, searching the candidate set for records containing a (k+1)-item subset of the N-itemset.
Preferably, after the step of determining that the source address of the current data packet is a malicious address (when the count or frequency of the records of the N-itemset and of all its subsets is not less than the minimum support), the method further comprises:
setting the count or frequency of the records of the N-itemset as the risk estimate of the malicious address;
setting a minimum confidence for the risk estimate of the malicious address;
when the monitored packet traffic of the network exceeds a second alarm threshold, limiting access by malicious addresses that are not in a whitelist and whose risk estimate exceeds the minimum confidence;
when the monitored packet traffic of the network is below a third alarm threshold, analyzing the origin of the malicious addresses whose risk estimate exceeds the minimum confidence, and adding those malicious addresses to the whitelist according to the result of the analysis.
Correspondingly, an embodiment of the invention provides a device for detecting malicious addresses in a DDoS attack, comprising:
a pointer acquisition unit, for obtaining the header of one data packet within a preset time window and forming an N-itemset from N preset fields of the header;
a record search unit, for searching a candidate set, formed from the N fields of the headers of a preset number of data packets, for records containing subsets of the N-itemset;
a threshold setting unit, for setting a minimum support for the count or frequency of the records;
a pointer jump unit, for detecting the next data packet when the count or frequency of the records of any subset of the N-itemset is less than the minimum support;
a result judgement unit, for determining that the source address of the current data packet is a malicious address when the count or frequency of the records of the N-itemset and of all its subsets is not less than the minimum support.
Preferably, the pointer acquisition unit comprises:
a field specification unit, for specifying the N preset fields;
the N preset fields being at least three of source address, destination address, packet length, destination port and protocol type, with N ≥ 3; alternatively,
the N preset fields being source address, destination address, packet length, destination port and protocol type, with N ≥ 5; alternatively,
the N preset fields being at least five of source address, destination address, packet length, destination port, protocol type, source port and network path, with N ≥ 5.
Preferably, the device comprises:
a first alarm unit, for monitoring the packet traffic of the network and, when the traffic exceeds a first alarm threshold, obtaining a preset number of data packets or the data packets of a preset duration.
Preferably, the record search unit comprises:
a recursive lookup unit, for successively searching the candidate set for records containing a k-item subset of the N-itemset, from the 1-item subsets of the N-itemset up to its (N-1)-item subsets, where 1 ≤ k ≤ N-1, and, when the count or frequency of the records of a k-item subset of the N-itemset is not less than the minimum support, searching the candidate set for records containing a (k+1)-item subset of the N-itemset.
Preferably, the device further comprises:
a risk estimate unit, for setting the count or frequency of the records of the N-itemset as the risk estimate of the malicious address;
a confidence setting unit, for setting a minimum confidence for the risk estimate of the malicious address;
a second alarm unit, for limiting, when the monitored packet traffic of the network exceeds a second alarm threshold, access by malicious addresses that are not in a whitelist and whose risk estimate exceeds the minimum confidence;
a third alarm unit, for analyzing, when the monitored packet traffic of the network is below a third alarm threshold, the origin of the malicious addresses whose risk estimate exceeds the minimum confidence, and adding those malicious addresses to the whitelist according to the result of the analysis.
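As an added illustration of the risk estimate, the three alarm thresholds and the whitelist handling described above for both the method and the device (example code written for this page, not code from the patent), the following Python keeps a risk table per source address. The threshold values, the minimum confidence, the sample addresses and the `analyze()` callback that stands in for the origin analysis are constructed assumptions; the patent does not specify how that analysis is performed.

```python
class RiskTable:
    """Risk estimates per source address plus the three alarm thresholds of the
    preferred embodiment. All numeric settings here are demo assumptions."""

    def __init__(self, first_alarm, second_alarm, third_alarm, min_confidence):
        self.first_alarm = first_alarm        # traffic above this: start sampling packets for detection
        self.second_alarm = second_alarm      # traffic above this: limit high-risk, non-whitelisted addresses
        self.third_alarm = third_alarm        # traffic below this: review high-risk addresses for the whitelist
        self.min_confidence = min_confidence  # risk estimates above this value are acted upon
        self.risk = {}                        # address -> risk estimate (count of its N-itemset)
        self.whitelist = set()

    def record(self, address, n_itemset_count):
        """Risk estimate = count of the address's N-itemset in the candidate set; keep the largest seen."""
        self.risk[address] = max(n_itemset_count, self.risk.get(address, 0))

    def high_risk(self):
        """Addresses above the minimum confidence that have not been whitelisted."""
        return {a for a, r in self.risk.items()
                if r > self.min_confidence and a not in self.whitelist}

    def should_sample(self, rate):
        """First alarm: collect a preset number of packets for detection."""
        return rate > self.first_alarm

    def restrict(self, rate):
        """Second alarm: addresses whose access is limited while traffic stays high."""
        return self.high_risk() if rate > self.second_alarm else set()

    def review(self, rate, analyze):
        """Third alarm: once traffic has dropped, analyze the origin of each high-risk
        address. analyze(address) -> bool is supplied by the caller (an assumption here);
        addresses it clears are whitelisted and no longer restricted."""
        if rate >= self.third_alarm:
            return set()
        cleared = {a for a in self.high_risk() if analyze(a)}
        self.whitelist |= cleared
        return cleared


if __name__ == "__main__":
    # Constructed sample: rates are packets per window, risk values are N-itemset counts.
    table = RiskTable(first_alarm=1000, second_alarm=5000, third_alarm=800, min_confidence=300)
    table.record("78.210.156.40", 450)
    table.record("203.0.113.7", 310)
    table.record("10.0.0.1", 120)
    print("restrict during surge:", table.restrict(6000))
    print("cleared after surge:", table.review(500, lambda a: a == "203.0.113.7"))
    print("restrict on next surge:", table.restrict(6000))
```

The review step deliberately runs only below the third threshold, so whitelist decisions are never taken while the attack traffic that produced the risk estimates is still flowing.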
Compared with the prior art, the scheme provided by the invention obtains the header of one data packet within the detection time window and forms an N-itemset from N preset fields of that header. Although packet formats differ slightly between networks, the packet header format of a given network type is uniform, so the invention needs only the specified fields of one packet header to analyze quickly whether the packet was sent by a malicious IP address; it is simple to operate and widely applicable. Before the analysis starts, a candidate set is first formed from the N fields of the headers of a preset number of data packets, and the candidate set is then searched for records containing subsets of the N-itemset. The candidate set is the set of the N specified fields extracted from the headers of a batch of packets when a traffic surge of bulk packets is encountered. The packets corresponding to the candidate set therefore conceal the prior data that the DDoS attacker sends while switching virtual IP addresses, and by tracing and mining the association between the N-itemset of the current packet and the candidate set, malicious IP addresses can be located accurately by matching the association among only a small number of N field values. Accuracy is guaranteed by setting a minimum support for the count or frequency of the records. The more often a subset of the N-itemset of a packet appears in the candidate set, and/or the higher its frequency of occurrence, the more likely it is that the packet was sent by a malicious address. When the count or frequency of the records of any subset of the N-itemset is less than the minimum support, the next data packet is examined; when the count or frequency of the records of the N-itemset and of all its subsets is not less than the minimum support, the source address of the current data packet is determined to be a malicious address.
The first advantage of this scheme is that, for the N-itemset of a data packet sent by a malicious address, the count or frequency of the records of any non-empty subset of that N-itemset relative to the candidate set necessarily exceeds the minimum support. Conversely, if any non-empty subset I of the N-itemset is below the minimum support threshold, then the new subset formed by adding an element A to I, I ∪ {A}, cannot occur more often or more frequently than the original subset I, so I ∪ {A} cannot exceed the minimum support threshold either. It follows that screening by the subsets of the N-itemset ensures the accuracy of screening non-malicious addresses and avoids affecting the access of normal users. The second advantage is that comparison is made on low-order sets such as the 1-item and 2-item subsets first; since these have few elements, screening is very fast, so the scheme lets the host system react quickly when under attack and avoids network paralysis. The third advantage is that the accuracy of the scheme is clearly related to the number N of elements in the N-itemset: the larger N, the more fields are analyzed and the higher the accuracy. The number of subsets of the N-itemset also grows sharply with N, but since the 1-item and 2-item subsets are still subsets of the N-itemset, these low-order subsets still quickly exclude large numbers of non-malicious addresses, so increasing N improves the accuracy of the analysis without adding a large amount of computation or significantly reducing the analysis speed, and the real-time requirement of full internet access can be met.
Additional aspects and advantages of the invention will be set forth in part in the description that follows, and will become apparent from that description or be learned through practice of the invention.
Detailed description of the invention
To describe the technical solutions of the embodiments of the invention more clearly, the drawings needed for the description of the embodiments are briefly introduced below. The drawings described below show only some embodiments of the invention; those skilled in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic diagram of the IP packet format used in the invention;
Fig. 2 is a flow chart of a first embodiment of the method for detecting malicious addresses in a DDoS attack;
Fig. 3 is a schematic diagram of the header field information of the data packets in the n-th time window of the first embodiment;
Fig. 4 is a flow chart of a second embodiment of the method for detecting malicious addresses in a DDoS attack;
Fig. 5 is a schematic diagram of the network monitoring in the second embodiment of the method;
Fig. 6 is a schematic diagram of the recursive lookup in the second embodiment of the method;
Fig. 7 is a schematic diagram of a first embodiment of the device for detecting malicious addresses in a DDoS attack;
Fig. 8 is a schematic diagram of a second embodiment of the device for detecting malicious addresses in a DDoS attack.
Specific embodiment
In order to enable those skilled in the art to better understand the solution of the invention, the technical solution in the embodiments of the invention is described clearly and completely below with reference to the accompanying drawings.
Some of the processes described in the specification, the claims and the above drawings contain multiple operations that occur in a particular order, but it should be clearly understood that these operations need not be executed in the order in which they appear herein and may be executed in parallel; operation serial numbers such as 101 and 102 are only used to distinguish the different operations and do not by themselves represent any order of execution. In addition, these processes may include more or fewer operations, and the operations may be executed sequentially or in parallel. It should be noted that descriptions such as "first" and "second" herein are used to distinguish different messages, devices, modules and the like; they do not represent a sequence, nor do they require "first" and "second" to be of different types.
The technical solution in the embodiments of the invention is described clearly and completely below with reference to the drawings in the embodiments. Evidently, the described embodiments are only some of the embodiments of the invention, not all of them. All other embodiments obtained by those skilled in the art on the basis of the embodiments of the invention without creative work fall within the protection scope of the invention.
From the attacker's perspective, DDoS attack traffic simulates the pattern of normal access as closely as possible in order to evade detection. The greatest difference between attack access and normal access is that, within the same period, the volume of access made for the purpose of a DDoS attack is tens of times that of normal business access or more, exceeding the server's performance limit so as to achieve denial of service. The method exploits exactly this difference: it finds the packets of identical content that, far in excess of normal access counts, are sent repeatedly to the same destination host by different means (such as different source ports or different network transmission paths). For example, the scheme can be applied to IP data packets.
Fig. 1 is a schematic diagram of the IP packet format used in the invention. Specifically, for the IP packet format, the fields that can be extracted from the header of one data packet (the header in Fig. 1) and analyzed include:
1. Source address: the source address is fixed, in order to locate the suspected attack source;
2. Destination address: the destination address is fixed and is the server to be protected, in order to analyze all packets addressed to that server;
3. Source port: the source port is allowed to vary, because an attacker may open multiple services or processes at the same time and send packets to the destination address from multiple ports;
4. Destination port: the destination port is fixed and is the service port (service) to be protected, in order to analyze all packets addressed to that port (service);
5. Protocol/protocol type: the protocol type is mainly either UDP or TCP; since the protocol type is highly correlated with the attack pattern, the protocol type is fixed (when the protocol is TCP, the TCP flag information may be included as well);
6. Total length/packet length: the packet length is fixed, because once an attacker launches the attack tool, it tends to generate large numbers of fixed-length packets of identical content and send them to the destination host;
7. TTL (Time to live): the TTL reflects the network path from the source address to the destination; different TTL values imply that packets reached the destination host by different paths. Attack packets may reach the destination host by different paths within a short time, so the TTL is allowed to vary.
In addition, as shown in Fig. 1, other fields of the header of a data packet (the header in Fig. 1) can be extracted and analyzed, including version, header length, differentiated services, identification, flags, fragment offset and header checksum; they are not explained individually here.
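To make the field list above concrete, here is an added Python example (written for this page, not code from the patent) that parses an IPv4 header, verifies its header checksum and projects the parsed fields onto the N preset fields to give the N-itemset of one packet. The header bytes are constructed for the demonstration, and function names such as `parse_ipv4_header` and `header_items` are this example's own.

```python
import socket
import struct


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's complement of the one's-complement sum of the
    16-bit words. Run over a header whose checksum field is already filled in, it
    returns 0 for an intact header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                      # fold the carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4_header(raw: bytes) -> dict:
    """Extract the header fields listed for Fig. 1 from the start of an IP packet."""
    if len(raw) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, tos, total_len, ident, flags_frag, ttl, proto, _csum = struct.unpack(
        "!BBHHHBBH", raw[:12])
    version = ver_ihl >> 4
    ihl = (ver_ihl & 0x0F) * 4              # header length in bytes
    if version != 4 or ihl < 20 or len(raw) < ihl:
        raise ValueError("not a complete IPv4 header")
    return {
        "version": version,
        "header_length": ihl,
        "dscp_ecn": tos,                    # "differentiated services" in the field list
        "total_length": total_len,          # "total length / packet length"
        "identification": ident,
        "flags": flags_frag >> 13,
        "fragment_offset": flags_frag & 0x1FFF,
        "ttl": ttl,                         # varies with the network path taken
        "protocol": proto,                  # 6 = TCP, 17 = UDP
        "checksum_ok": ipv4_checksum(raw[:ihl]) == 0,
        "src": socket.inet_ntoa(raw[12:16]),
        "dst": socket.inet_ntoa(raw[16:20]),
    }


def header_items(parsed: dict, fields=("src", "dst", "total_length")) -> tuple:
    """Project the parsed header onto the N preset fields: the packet's N-itemset."""
    return tuple(parsed[f] for f in fields)


def build_sample_header() -> bytes:
    """Constructed 20-byte IPv4 header for the demo (not a capture from the patent):
    total length 40, DF flag set, TTL 64, protocol TCP, 78.210.156.40 -> 119.84.68.11."""
    head = struct.pack("!BBHHHBBH", 0x45, 0, 40, 0x1C46, 0x4000, 64, 6, 0)
    addrs = socket.inet_aton("78.210.156.40") + socket.inet_aton("119.84.68.11")
    csum = ipv4_checksum(head + addrs)
    return head[:10] + struct.pack("!H", csum) + addrs


if __name__ == "__main__":
    hdr = parse_ipv4_header(build_sample_header())
    print(hdr)
    print("N-itemset (N=3):", header_items(hdr))
```

Only the first `header_length` bytes enter the checksum, so the parser works on a header with options (IHL > 5) as well, and `checksum_ok` lets a caller drop corrupted headers before they can pollute the candidate set.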
The scheme can also be applied to other packet formats. For the TCP segment format, for example, the extractable fields include source port, destination port, sequence number, acknowledgement number, TCP header size, window size, checksum and urgent pointer; for the UDP datagram format, source port, destination port, length, checksum and pseudo header; for the ARP packet format, hardware type, protocol type, hardware address length, protocol address length, operation code, sender hardware address, sender protocol address, target hardware address and target protocol address. Beyond these, the scheme can also be applied to the analysis of ICMP packets, IPsec packets, OSPF packets, Ethernet frames and so on; their formats and corresponding fields are too numerous to list here. It can be seen that the scheme can extract the corresponding fields of different packet formats for analysis, is simple to operate and has a wide range of application. The first embodiment of the invention is further described below, taking the IP packet format of Fig. 1 as an example and referring to Fig. 2 and Fig. 3.
Fig. 2 is a flow chart of the first embodiment of the method for detecting malicious addresses in a DDoS attack, comprising:
S101: obtaining the header of one data packet within a preset time window and forming an N-itemset from N preset fields of the header;
S102: searching a candidate set, formed from the N fields of the headers of a preset number of data packets, for records containing subsets of the N-itemset;
S103: setting a minimum support for the count or frequency of the records;
S104: when the count or frequency of the records of any subset of the N-itemset is less than the minimum support, detecting the next data packet;
S105: when the count or frequency of the records of the N-itemset and of all its subsets is not less than the minimum support, determining that the source address of the current data packet is a malicious address.
Fig. 3 is a schematic diagram of the header field information of the data packets in the n-th time window of the first embodiment.
Assume that the host system has stored the header field information of the malicious-access packets of a past period. As shown in Fig. 3, the eight packet records of the time window "g=189" are now extracted for analysis.
First, the pointer moves to the first record of the "g=189" time window.
The header of the first data packet, the first record in the "g=189" time window, is obtained, and the N preset fields of the header form the N-itemset. Although packet formats may differ slightly between networks, the packet header format of a given network type is uniform.
Preferably, the N preset fields are at least three of source address, destination address, packet length, destination port and protocol type, with N ≥ 3; alternatively,
preferably, the N preset fields are source address, destination address, packet length, destination port and protocol type, with N ≥ 5; alternatively,
preferably, the N preset fields are at least five of source address, destination address, packet length, destination port, protocol type, source port and network path, with N ≥ 5.
In this first embodiment, assume N=3 and that the N preset fields are source address, destination address and packet length. The N-itemset of the first data packet is therefore {78.210.156.40, 119.84.68.11, 40}. The invention needs only these three fields of the first data packet to analyze quickly whether the packet was sent by a malicious IP address; it is simple to operate and widely applicable.
Before the analysis starts, the candidate set is formed from the N fields of the headers of a preset number of data packets. For example, suppose that from time window "g=001" to time window "g=90" there is only the normal access traffic of roughly 1,000 data packets, but from time window "g=091" to time window "g=180" this surges to 10,000 data packets; a malicious attack is then likely under way, and the candidate set formed from the three fields source address, destination address and packet length of the headers of those 10,000 packets can be used to analyze the first data packet of the following time window "g=189". Alternatively, the records of a surge of malicious attack packets that occurred in a previous round, the previous week or the previous month can be extracted from the history to serve as the candidate set for this analysis. The candidate set is then searched for records containing subsets of the N-itemset {78.210.156.40, 119.84.68.11, 40}. The candidate set is the set of the N specified fields extracted from the headers of the batch of packets when a traffic attack of bulk packets is encountered. The packets corresponding to the candidate set therefore conceal the prior data that the DDoS attacker sends while switching virtual IP addresses, and by tracing and mining the association between the N-itemset of the current first data packet and the candidate set, malicious IP addresses can be located accurately by matching the association among only a small number of N field values.
Accuracy is guaranteed by setting a minimum support for the count or frequency of the records. For example, the minimum support for the record count is set to 300 and/or the minimum support for the record frequency is set to 20%. The more often a subset of the N-itemset of a packet appears in the candidate set, and/or the higher its frequency of occurrence, the more likely it is that the packet was sent by a malicious address.
When the count or frequency of the records of any subset of the N-itemset is less than the minimum support, the next data packet is examined. For example, if the subset {78.210.156.40} of the N-itemset {78.210.156.40, 119.84.68.11, 40} is recorded 180 times in the candidate set, less than the minimum support of 300, there is no need to compute the count or frequency of the other subsets or of the N-itemset itself, and the pointer can jump to the second record of the current "g=189" time window. Alternatively, if the subset {78.210.156.40, 40} of the N-itemset {78.210.156.40, 119.84.68.11, 40} is recorded in the candidate set with a frequency of 11%, less than the minimum support of 20%, there is likewise no need to compute the count or frequency of the other subsets or of the N-itemset, and the pointer can jump to the second record.
When the count or frequency of the records of the N-itemset and of all its subsets is not less than the minimum support, the source address of the current data packet is determined to be a malicious address. That is, considering the 1-item subsets {78.210.156.40}, {119.84.68.11} and {40}, the 2-item subsets {78.210.156.40, 40}, {119.84.68.11, 40} and {78.210.156.40, 119.84.68.11}, and the 3-item set {78.210.156.40, 119.84.68.11, 40} itself: when the N-itemset {78.210.156.40, 119.84.68.11, 40} and each of the subsets listed above has records whose frequency in the candidate set is not less than the minimum support of 20%, or whose count is not less than the minimum support of 300, then the source address IP=78.210.156.40 of the first record of the current "g=189" time window is a malicious address.
Then the pointer moves to the second record of the "g=189" time window. The analysis proceeds as before: when the count or frequency of the records of any subset of the N-itemset of the second record is less than the minimum support, the next data packet is examined, and so on record by record.
Finally, the detection and analysis of the eight records of the "g=189" time window is complete.
A first advantage of this scheme is that, for the N-itemset of a packet sent from a malicious address, the count or frequency of candidate-set records containing any non-empty subset of that N-itemset is necessarily at least the minimum support. The reason is the anti-monotone property of support: if some non-empty subset I of the N-itemset is below the minimum support threshold, then adding an element A to I gives a new subset I ∪ {A} whose count or frequency of occurrence cannot exceed that of I, so I ∪ {A} cannot reach the minimum support either. Screening by the subsets of the N-itemset therefore never rejects an address that the full N-itemset would have accepted; the screening of non-malicious addresses stays accurate and the access of normal users is not affected. The same property also means that the verdict itself depends only on the support of the full N-itemset: if the N-itemset reaches the minimum support, every one of its subsets does too, so the subset checks serve to reject benign packets early rather than to change the outcome.
A second advantage is that comparing low-order sets such as the unary and binary subsets first is fast, because they have few elements, so the system host can react quickly when under attack and avoid network paralysis.
A third advantage concerns the number N of elements. The accuracy of the scheme grows with N, since more fields are analysed, while the number of subsets of the N-itemset grows sharply with N. But the unary and binary subsets remain subsets of the N-itemset, and these low-order subsets already exclude large batches of non-malicious addresses early, so increasing N improves accuracy without adding a large amount of computation or noticeably reducing analysis speed; the real-time requirements of Internet access can therefore be met.
It should be added, as is clear from the description above, that the present invention takes the principle of the Apriori algorithm as its basis and is a concrete application of an improved Apriori algorithm in the field of network security. Compared with classic Apriori, the scheme does not need to find the frequent itemsets of the N-itemset, nor to analyse the strong association rules among the fields of the N-itemset. For example, for the N-itemset {78.210.156.40, 119.84.68.11, 40} above, even if the subset {78.210.156.40, 119.84.68.11} appears in the candidate set with a very high count or frequency, and is therefore a frequent itemset in the classic Apriori sense, as soon as any single subset, say {40}, is infrequent, no further computation is needed: there is no need to continue until the final frequent itemset {78.210.156.40, 119.84.68.11} is found, and no need to compute the strong rules of that frequent itemset. The improved Apriori algorithm of the present invention is therefore faster than the classic algorithm.
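The first-embodiment check described above, written out as an added example; this is not code from the patent. It builds the N-itemset of each packet from N=3 header fields, screens the subsets from unary upwards against a candidate set, stops at the first subset below the minimum support, and otherwise flags the source address. The field names `src`, `dst`, `len`, the tagging of each value with its field (so that an equal value in another field does not match) and the 20-record candidate set are assumptions made for the example; the minimum support may be given as a count (300 in the text) or a frequency (20%).

```python
from itertools import combinations

# The N=3 header fields of the patent's worked example (assumed here to be
# source address, destination address and packet length).
FIELDS = ("src", "dst", "len")


def itemset(record):
    """Tag each header value with its field name, so that an equal value in a
    different field is a different item; the N-itemset of a record is then a
    frozenset of (field, value) pairs."""
    return frozenset(zip(FIELDS, record))


def support(items, candidates):
    """Count of candidate-set records whose itemset contains every item of `items`."""
    return sum(1 for c in candidates if items <= c)


def subsets_low_order_first(items):
    """All non-empty subsets of `items`: unary first, then binary, ... up to the
    full set, which is the order in which the patent screens them."""
    ordered = sorted(items)
    for k in range(1, len(ordered) + 1):
        for combo in combinations(ordered, k):
            yield frozenset(combo)


def classify(record, candidates, min_support):
    """First-embodiment check for one packet.

    `min_support` is a count when given as an int (e.g. 300) and a frequency
    when given as a float in [0, 1] (e.g. 0.2).  Returns (verdict, checked):
    verdict is 'malicious' when the N-itemset and all of its subsets reach the
    minimum support and 'benign' as soon as one subset falls below it;
    `checked` lists the (subset, count) pairs actually evaluated, which makes
    the early exit visible.
    """
    n = len(candidates)
    threshold = min_support if isinstance(min_support, int) else min_support * n
    checked = []
    for sub in subsets_low_order_first(itemset(record)):
        cnt = support(sub, candidates)
        checked.append((dict(sub), cnt))
        if cnt < threshold:          # one infrequent subset is enough to stop
            return "benign", checked
    return "malicious", checked


def scan_window(window, candidates, min_support):
    """Walk the records of a time window one by one (the 'pointer' of the
    description) and return the set of source addresses judged malicious."""
    return {rec[0] for rec in window
            if classify(rec, candidates, min_support)[0] == "malicious"}


def anti_monotone_holds(candidates):
    """Sanity check of the property the early exit relies on: for every subset I
    of a record and every extra item A of that record, support(I ∪ {A}) <= support(I)."""
    for c in candidates:
        for sub in subsets_low_order_first(c):
            for extra in c - sub:
                if support(sub | {extra}, candidates) > support(sub, candidates):
                    return False
    return True


# Constructed candidate set of 20 records (not from the patent): a flood of 14
# identical packets from 78.210.156.40 to 119.84.68.11 with length 40, plus six
# ordinary packets.
ATTACK = ("78.210.156.40", "119.84.68.11", 40)
NORMAL = [
    ("203.0.113.5", "119.84.68.11", 1344),
    ("203.0.113.7", "119.84.68.11", 1344),
    ("198.51.100.2", "119.84.68.11", 52),
    ("198.51.100.9", "119.84.68.11", 60),
    ("203.0.113.5", "119.84.68.12", 1344),
    ("192.0.2.10", "119.84.68.11", 40),
]
CANDIDATES = [itemset(r) for r in [ATTACK] * 14 + NORMAL]
WINDOW = [ATTACK, NORMAL[0], ATTACK, NORMAL[3]]   # the records of one time window

if __name__ == "__main__":
    for rec in WINDOW:
        verdict, checked = classify(rec, CANDIDATES, 0.2)
        print(rec[0], verdict, "after", len(checked), "subset checks")
    print("malicious sources:", scan_window(WINDOW, CANDIDATES, 0.2))
```

With a 20% minimum support the flood record passes all seven subset checks and is flagged, while each ordinary record is dropped at its second check (its packet length is rare in the candidate set); with a count threshold of 15 the flood record itself is rejected at the {src} check, since its source appears only 14 times.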
Fig. 4 is a flow chart of a second embodiment of the detection method based on malicious addresses in a DDoS attack according to the present invention. Compared with the first embodiment of Fig. 2, the second embodiment of Fig. 4 specifies an N-itemset of N=5 field items for analysis, which makes the analysis more accurate, and searches recursively, one dimension and one layer at a time, from the unary subsets up to the (N-1)-element subsets, which makes the screening faster.
S201: monitor the packet traffic of the network and, when the packet traffic exceeds a first alarm threshold, obtain a preset number of packets, or the packets of a preset duration;
S202: obtain the header of a packet in a preset time window and form an N-itemset from N preset field items of the header; the N preset field items comprise source address, destination address, packet length, destination port and protocol type, where N ≥ 5;
S203: starting from the unary subsets of the N-itemset and proceeding up to its (N-1)-element subsets, search the candidate set in turn for records containing each k-element subset of the N-itemset, where 1 ≤ k ≤ N-1;
S204: set the minimum support for the count or frequency of the records;
S205: when the count or frequency of records for a k-element subset of the N-itemset is not below the minimum support, search the candidate set for records containing the (k+1)-element subsets of the N-itemset;
S206: when the count or frequency of records for any subset of the N-itemset is below the minimum support, proceed to the next packet;
S207: when the count or frequency of records for the N-itemset and for each of its subsets is not below the minimum support, determine that the source address of the current packet is a malicious address.
The first embodiment above can be applied to real-time monitoring and also to after-the-fact analysis; the second embodiment is intended specifically for real-time monitoring. Fig. 5 is a monitoring network diagram of the second embodiment of the detection method based on malicious addresses in a DDoS attack according to the present invention. As shown in Fig. 5, this embodiment uses packet-capture software to monitor the network in real time: it watches the packet traffic of the network and, when the traffic exceeds the first alarm threshold, obtains a preset number of packets or the packets of a preset duration. The first alarm threshold is set according to the traffic-handling capacity of the local system host; when it is reached, the host must enter a protective state to avoid network paralysis. Preferably, the packets of a certain duration before the moment at which the traffic exceeded the first alarm threshold are traced back to build the candidate set; alternatively, a preset number of packets, say 10,000, before that moment are traced back to build the candidate set.
Since the monitoring is real-time, this embodiment starts in the time window in which the traffic exceeded the first alarm threshold, obtains the header of a packet in the preset time window, and forms an N-itemset from the N preset field items of the header. Preferably, the N preset field items are the five items source address, destination address, packet length, destination port and protocol type. Taking the second record of Fig. 3 as an example, the N-itemset of the packet examined in embodiment two is {221.228.253.156, 119.84.68.7, 1344, 555, UDP}.
Next, the search is carried out recursively.
Fig. 6 is a schematic diagram of the recursive search of the second embodiment of the detection method based on malicious addresses in a DDoS attack according to the present invention. As shown in Fig. 6, starting from the unary subsets of the N-itemset and proceeding up to its (N-1)-element subsets, the candidate set is searched in turn for records containing each k-element subset of the N-itemset, where 1 ≤ k ≤ N-1. A minimum support for the count or frequency of the records is set; when the count or frequency of records for a k-element subset of the N-itemset is not below the minimum support, the candidate set is searched for records containing the (k+1)-element subsets of the N-itemset.
Because low-order subsets have few elements, they are fast to look up, and a higher-order subset needs only a secondary screening among the records already selected by its lower-order subsets; so the more elements a subset has, the fewer candidate-set records need to be screened for it. For example, in embodiment two at k=4, before the quaternary subset {221.228.253.156, 119.84.68.7, 1344, 555} is screened, all of its ternary subsets have already been screened and the ternary screening sets, that is, the records matching each ternary subset, have been obtained. These ternary screening sets are only a small part of the original candidate set, so the secondary screening for {221.228.253.156, 119.84.68.7, 1344, 555} is carried out only within them. The recursive approach thus further raises the computation speed of the invention and avoids repeated lookups.
It should be added that, besides the recursive search, a depth-first search can be performed according to the characteristics of the field items of the particular packets. For example, the addresses of the system hosts to be protected are a known handful of destination addresses, so the destination-address field is the most important one and should be given priority. Put simply, if a packet's destination address is not one of the hosts to be protected, there is no need to consider the packet at all. For the N-itemset {221.228.253.156, 119.84.68.7, 1344, 555, UDP} of embodiment two, depth screening therefore starts from the subsets that contain the destination-address field, in the order {119.84.68.7}, {119.84.68.7, 555}, {119.84.68.7, 1344}, ... up to the screening of the full N-itemset {221.228.253.156, 119.84.68.7, 1344, 555, UDP}. As before, a higher-order subset needs only a secondary screening within the screening results of its lower-order subsets, so repeated lookups are avoided, and the search still proceeds from the unary subsets of the N-itemset up to its (N-1)-element subsets. But thanks to the knowledge of the destination address, not all unary subsets of the N-itemset need be searched, for instance subsets such as {555}; the combination of recursive and depth-first lookup therefore speeds the algorithm up further.
When the count or frequency of records for any subset of the N-itemset is below the minimum support, the next packet is examined; when the count or frequency of records for the N-itemset and for each of its subsets is not below the minimum support, the source address of the current packet is determined to be a malicious address. Preferably, embodiment two uses frequency as the support and sets the minimum support parameter to x (0 ≤ x ≤ 1), meaning that the algorithm finds in the candidate set all source addresses whose N-itemset and subsets repeat at a rate exceeding x; with a reasonable choice of x, the source addresses extracted in this way are with high probability the malicious IP addresses attacking the destination address. For example, in embodiment two x=30%, and the frequency of the full N-itemset {221.228.253.156, 119.84.68.7, 1344, 555, UDP} is 85%, so 221.228.253.156 is identified as a malicious IP; the system host can then rate-limit these malicious IP addresses to avoid network paralysis and service interruption.
Further, embodiment two may also comprise the following steps:
S208: set the count or frequency of records for the N-itemset as the risk value of the malicious address;
S209: set a minimum confidence for the risk value of malicious addresses;
S210: when the monitored packet traffic of the network exceeds a second alarm threshold, restrict access from malicious addresses not on the white list whose risk value exceeds the minimum confidence;
S211: when the monitored packet traffic of the network falls below a third alarm threshold, analyse the origin of the malicious addresses whose risk value exceeds the minimum confidence and, according to the result of the analysis, add such addresses to the white list.
As described above, during real-time monitoring the system host enters the protective state and collects suspicious packets when the monitored packet traffic exceeds the first alarm threshold; when the traffic exceeds the second alarm threshold, the host has completed its analysis and begins restricting access from the malicious addresses so that the traffic returns to a normal level; and when the traffic falls below the third alarm threshold, the restrictions may unavoidably have affected the access of some normal users, so, since the host now has ample CPU and memory, reverse probing can be used to analyse the origin of the malicious addresses whose risk value exceeds the minimum confidence and, according to the result, add them to the white list so that normal users are not affected.
The advantage of this preferred embodiment is as follows. The base scheme places the source addresses of N-itemsets that exceed the minimum support on a malicious-address blacklist and restricts their access. On top of that, the count or frequency of records for the N-itemset is set as the risk value of the malicious address and a minimum confidence is set for that risk value; by comparing risk values against the preset minimum confidence and removing the addresses on the white list, the scheme avoids classifying the virtual addresses of normal access traffic (for example, proxy IPs) as malicious. The reason is that the virtual addresses used in a malicious attack tend to be completely random, whereas in normal traffic the rate at which a single virtual address (for example a proxy IP) repeatedly sends packets should in theory not exceed the minimum support; and if it does, this preferred embodiment additionally sets a minimum confidence and sorts addresses by risk value from high to low. Normal access traffic has a lower risk value than malicious traffic, so restricting only the non-white-listed addresses whose risk value exceeds the minimum confidence leaves the virtual addresses of normal traffic unrestricted.
In conclusion the present invention is based on Apriori algorithm principles, and improve to it, it is allowed to good to data packet format
It is good to adapt to, the present invention can Mining Frequent correlation rule find to meet given frequency since minimum dimension (i.e. single element) ing
Or the single element of number level, double element collection then are constructed from meeting the single element of the frequency of occurrences and spread apart, and are avoided more
The complete combination problem of element, improves screening efficiency.
Fig. 7 is a schematic diagram of a first embodiment of the detection device based on malicious addresses in a DDoS attack according to the present invention. It comprises:
a pointer acquisition unit, for obtaining the header of a packet in a preset time window and forming an N-itemset from N preset field items of the header;
a record search unit, for searching, in a candidate set formed from the N field items of the headers of a preset number of packets, for records containing subsets of the N-itemset;
a threshold setting unit, for setting the minimum support for the count or frequency of the records;
a pointer jump unit, for proceeding to the next packet when the count or frequency of records for any subset of the N-itemset is below the minimum support;
a result determination unit, for determining that the source address of the current packet is a malicious address when the count or frequency of records for the N-itemset and for each of its subsets is not below the minimum support.
Fig. 7 corresponds to the first method embodiment of Fig. 2, and the units of Fig. 7 operate in the same way as the corresponding method steps.
Fig. 8 is a schematic diagram of a second embodiment of the detection device based on malicious addresses in a DDoS attack according to the present invention.
As shown in Fig. 8, the pointer acquisition unit comprises:
an item specification unit, for specifying the N preset field items;
the N preset field items comprising at least three of source address, destination address, packet length, destination port and protocol type, where N ≥ 3; or
source address, destination address, packet length, destination port and protocol type, where N ≥ 5; or
at least five of source address, destination address, packet length, destination port, protocol type, source port and network path, where N ≥ 5.
As shown in Fig. 8, the device further comprises:
a first alarm unit, for monitoring the packet traffic of the network and, when the packet traffic exceeds a first alarm threshold, obtaining a preset number of packets or the packets of a preset duration.
As shown in Fig. 8, the record search unit comprises:
a recursive search unit, for searching the candidate set in turn, starting from the unary subsets of the N-itemset and proceeding up to its (N-1)-element subsets, for records containing each k-element subset of the N-itemset, where 1 ≤ k ≤ N-1, and, when the count or frequency of records for a k-element subset of the N-itemset is not below the minimum support, searching the candidate set for records containing the (k+1)-element subsets of the N-itemset.
Fig. 8 corresponds to the second method embodiment of Fig. 4, and the units of Fig. 8 operate in the same way as the corresponding method steps.
In a preferred embodiment, the device further comprises:
a risk value unit, for setting the count or frequency of records for the N-itemset as the risk value of the malicious address;
a confidence setting unit, for setting a minimum confidence for the risk value of malicious addresses;
a second alarm unit, for restricting, when the monitored packet traffic of the network exceeds a second alarm threshold, access from malicious addresses not on the white list whose risk value exceeds the minimum confidence;
a third alarm unit, for analysing, when the monitored packet traffic of the network falls below a third alarm threshold, the origin of the malicious addresses whose risk value exceeds the minimum confidence and, according to the result of the analysis, adding such addresses to the white list.
In one embodiment, the workflow of the device is summarised as follows:
(1) the packet traffic of the target system host reaches the first alarm threshold, which triggers network packet capture;
(2) the part of each packet header in the capture file that comprises the specified field items is extracted to form N-itemsets;
(3) for a given minimum support, the N-itemsets that meet the condition are found and their source addresses collected;
(4) source addresses on the white list are removed;
(5) the remaining addresses are sorted by the risk value of their N-itemset from high to low, a minimum confidence is set, and access from the source addresses above the minimum confidence is restricted in turn until the network and the system host return to a normal level of traffic;
(6) once the traffic has fallen back, and provided the CPU and memory resources of the system host permit, the true identity of each restricted source address is verified by reverse probing, either confirming it as a malicious address or removing it as a virtual address.
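The risk-value ranking of steps S208 to S211 and of workflow steps (3) to (6) above, as one added example that is not code from the patent. Because support is anti-monotone, a source whose full N-itemset reaches the minimum support has every subset above it as well, so the risk value can be computed from the full N-itemset alone; the example then removes white-listed sources, keeps those above the minimum confidence, orders them for rate-limiting, and finally folds in the result of the out-of-band origin check. The 40-record candidate set (an attacker at 60%, a busy but legitimate proxy at 20%, eight one-off clients) and the set of sources the origin check finds legitimate are constructed for the example; the patent does not specify the reverse-probing technique, so it is represented only by its result.

```python
FIELDS = ("src", "dst", "len", "dport", "proto")


def itemset(record):
    """(field, value) pairs of a header, so equal values in different fields stay distinct."""
    return frozenset(zip(FIELDS, record))


def frequency(items, candidates):
    """Fraction of candidate-set records containing every item of `items`."""
    return sum(1 for c in candidates if items <= c) / len(candidates)


def risk_values(window, candidates, min_support):
    """Steps (3) and S208: every packet of the window whose full N-itemset reaches
    `min_support` contributes its source address with that frequency as risk
    value; a source seen with several itemsets keeps the highest."""
    risks = {}
    for rec in window:
        f = frequency(itemset(rec), candidates)
        if f >= min_support:
            risks[rec[0]] = max(f, risks.get(rec[0], 0.0))
    return risks


def limit_order(risks, whitelist, min_confidence):
    """Steps (4), (5) and S210: drop white-listed sources, keep those whose risk
    value exceeds the minimum confidence, and return them highest risk first,
    which is the order in which the host rate-limits them."""
    return sorted(((src, r) for src, r in risks.items()
                   if src not in whitelist and r > min_confidence),
                  key=lambda sr: (-sr[1], sr[0]))


def reconcile(limited, verified_legitimate, whitelist):
    """Step (6) and S211: once traffic has fallen back, the origin of each limited
    source has been checked out of band; the sources found legitimate (given here
    as a set) are added to the white list, the rest are confirmed malicious."""
    updated = set(whitelist) | {src for src, _ in limited if src in verified_legitimate}
    confirmed = [src for src, _ in limited if src not in verified_legitimate]
    return updated, confirmed


# Constructed 40-record candidate set (not from the patent).
ATTACKER = ("221.228.253.156", "119.84.68.7", 1344, 555, "UDP")
PROXY = ("198.51.100.77", "119.84.68.7", 1500, 443, "TCP")   # legitimate, but repeats
SINGLES = [("203.0.113.%d" % i, "119.84.68.7", 60 + i, 443, "TCP") for i in range(8)]
CANDIDATES = [itemset(r) for r in [ATTACKER] * 24 + [PROXY] * 8 + SINGLES]
WINDOW = [ATTACKER, PROXY, SINGLES[0]]

if __name__ == "__main__":
    risks = risk_values(WINDOW, CANDIDATES, min_support=0.15)
    print("risk values:", risks)
    print("limit, proxy white-listed:", limit_order(risks, {"198.51.100.77"}, 0.5))
    print("limit, empty white list:", limit_order(risks, set(), 0.15))
    limited = limit_order(risks, set(), 0.15)
    print("after origin check:", reconcile(limited, {"198.51.100.77"}, set()))
```

With a minimum support of 15% both the attacker (risk 0.60) and the proxy (risk 0.20) exceed the support, which is exactly the case the preferred embodiment is about; the white list, or alternatively a minimum confidence of 50%, keeps the proxy out of the rate-limit list, and if it is limited anyway the origin check moves it onto the white list while the attacker stays confirmed.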
The technical solution of the present invention brings the following benefits:
(1) Detection is accurate: every malicious address found is statistically significant, which avoids the subjectivity and one-sidedness of manual judgement.
(2) By adjusting the minimum support flexibly, the number of malicious addresses found can be controlled, and the risk value characterises their degree of maliciousness.
(3) Analysis interference from virtual IP addresses in normal access traffic is avoided.
(4) Countermeasures are applied in order of risk value, so that restricting a small number of the most malicious IPs restores network and host resources to an acceptable level.
It is apparent to those skilled in the art that, for convenience and brevity of description, the specific working processes of the systems, devices and units described above may refer to the corresponding processes in the foregoing method embodiments and are not repeated here.
The embodiments described above express only several embodiments of the present invention, and their description is specific and detailed, but they cannot therefore be interpreted as limiting the scope of the patent. It should be pointed out that those of ordinary skill in the art can make various modifications and improvements without departing from the inventive concept, and these all fall within the scope of protection of the present invention. The scope of protection of the patent is therefore subject to the appended claims.
Claims (10)
1. A detection method based on malicious addresses in a DDoS attack, characterised in that it comprises:
obtaining the header of a packet in a preset time window and forming an N-itemset from N preset field items of the header;
searching, in a candidate set formed from the N field items of the headers of a preset number of packets, for records containing subsets of the N-itemset;
setting a minimum support for the count of the records, or a minimum support for the frequency of the records;
when the count or frequency of records for any subset of the N-itemset is below the minimum support, proceeding to the next packet;
when the count or frequency of records for the N-itemset and for each of its subsets is not below the minimum support, determining that the source address of the current packet is a malicious address.
2. The detection method based on malicious addresses in a DDoS attack according to claim 1, characterised in that:
the N preset field items comprise at least three of source address, destination address, packet length, destination port and protocol type, where N ≥ 3; or
the N preset field items comprise source address, destination address, packet length, destination port and protocol type, where N ≥ 5; or
the N preset field items comprise at least five of source address, destination address, packet length, destination port, protocol type, source port and network path, where N ≥ 5.
3. The detection method based on malicious addresses in a DDoS attack according to claim 1, characterised in that, before the step of obtaining the header of a packet in the preset time window, it comprises:
monitoring the packet traffic of the network and, when the packet traffic exceeds a first alarm threshold, obtaining a preset number of packets or the packets of a preset duration.
4. The detection method based on malicious addresses in a DDoS attack according to claim 1, characterised in that:
the step of searching, in the candidate set formed from the N field items of the headers of a preset number of packets, for records containing subsets of the N-itemset comprises: starting from the unary subsets of the N-itemset and proceeding up to its (N-1)-element subsets, searching the candidate set in turn for records containing each k-element subset of the N-itemset, where 1 ≤ k ≤ N-1;
and after the step of setting the minimum support for the count or frequency of the records, it further comprises: when the count or frequency of records for a k-element subset of the N-itemset is not below the minimum support, searching the candidate set for records containing the (k+1)-element subsets of the N-itemset.
5. The detection method based on malicious addresses in a DDoS attack according to claim 1, characterised in that, after the step of determining that the source address of the current packet is a malicious address when the count or frequency of records for the N-itemset and for each of its subsets is not below the minimum support, it further comprises:
setting the count or frequency of records for the N-itemset as the risk value of the malicious address;
setting a minimum confidence for the risk value of the malicious address;
when the monitored packet traffic of the network exceeds a second alarm threshold, restricting access from malicious addresses not on a white list whose risk value exceeds the minimum confidence;
when the monitored packet traffic of the network falls below a third alarm threshold, analysing the origin of the malicious addresses whose risk value exceeds the minimum confidence and, according to the result of the analysis, adding the malicious address to the white list.
6. A detection device based on malicious addresses in a DDoS attack, characterised in that it comprises:
a pointer acquisition unit, for obtaining the header of a packet in a preset time window and forming an N-itemset from N preset field items of the header;
a record search unit, for searching, in a candidate set formed from the N field items of the headers of a preset number of packets, for records containing subsets of the N-itemset;
a threshold setting unit, for setting a minimum support for the count of the records, or a minimum support for the frequency of the records;
a pointer jump unit, for proceeding to the next packet when the count or frequency of records for any subset of the N-itemset is below the minimum support;
a result determination unit, for determining that the source address of the current packet is a malicious address when the count or frequency of records for the N-itemset and for each of its subsets is not below the minimum support.
7. The detection device based on malicious addresses in a DDoS attack according to claim 6, characterised in that the pointer acquisition unit comprises:
an item specification unit, for specifying the N preset field items;
the N preset field items comprising at least three of source address, destination address, packet length, destination port and protocol type, where N ≥ 3; or
the N preset field items comprising source address, destination address, packet length, destination port and protocol type, where N ≥ 5; or
the N preset field items comprising at least five of source address, destination address, packet length, destination port, protocol type, source port and network path, where N ≥ 5.
8. The detection device based on malicious addresses in a DDoS attack according to claim 6, characterised in that it comprises:
a first alarm unit, for monitoring the packet traffic of the network and, when the packet traffic exceeds a first alarm threshold, obtaining a preset number of packets or the packets of a preset duration.
9. The detection device based on malicious addresses in a DDoS attack according to claim 6, characterised in that the record search unit comprises:
a recursive search unit, for searching the candidate set in turn, starting from the unary subsets of the N-itemset and proceeding up to its (N-1)-element subsets, for records containing each k-element subset of the N-itemset, where 1 ≤ k ≤ N-1, and, when the count or frequency of records for a k-element subset of the N-itemset is not below the minimum support, searching the candidate set for records containing the (k+1)-element subsets of the N-itemset.
10. The detection device based on malicious addresses in a DDoS attack according to claim 6, characterised in that it further comprises:
a risk value unit, for setting the count or frequency of records for the N-itemset as the risk value of the malicious address;
a confidence setting unit, for setting a minimum confidence for the risk value of the malicious address;
a second alarm unit, for restricting, when the monitored packet traffic of the network exceeds a second alarm threshold, access from malicious addresses not on a white list whose risk value exceeds the minimum confidence;
a third alarm unit, for analysing, when the monitored packet traffic of the network falls below a third alarm threshold, the origin of the malicious addresses whose risk value exceeds the minimum confidence and, according to the result of the analysis, adding the malicious address to the white list.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610671479.0A CN106302450B (en) | 2016-08-15 | 2016-08-15 | A kind of detection method and device based on malice address in DDOS attack |
Publications (2)
Publication Number | Publication Date |
---|---|
CN106302450A CN106302450A (en) | 2017-01-04 |
CN106302450B true CN106302450B (en) | 2019-08-30 |
Family
ID=57671581
Families Citing this family (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106685636B (en) * | 2017-03-22 | 2019-11-08 | 电子科技大学 | A kind of frequency analysis method of combined data locality characteristic |
CN108965207B (en) * | 2017-05-19 | 2021-02-26 | 北京京东尚科信息技术有限公司 | Machine behavior identification method and device |
CN107332856B (en) * | 2017-07-28 | 2021-01-29 | 腾讯科技(深圳)有限公司 | Address information detection method and device, storage medium and electronic device |
GB201802347D0 (en) * | 2018-02-13 | 2018-03-28 | Nchain Holdings Ltd | Computer-implemented system and method |
US11563772B2 (en) | 2019-09-26 | 2023-01-24 | Radware, Ltd. | Detection and mitigation DDoS attacks performed over QUIC communication protocol |
CN111581328A (en) * | 2020-04-21 | 2020-08-25 | 浙江华途信息安全技术股份有限公司 | Data comparison detection method and system |
CN113645176B (en) * | 2020-05-11 | 2023-08-08 | 北京观成科技有限公司 | Method and device for detecting fake flow and electronic equipment |
CN116866055B (en) * | 2023-07-26 | 2024-02-27 | 中科驭数(北京)科技有限公司 | Method, device, equipment and medium for defending data flooding attack |
Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101640666A (en) * | 2008-08-01 | 2010-02-03 | 北京启明星辰信息技术股份有限公司 | Device and method for controlling flow quantity facing to target network |
CN102882881A (en) * | 2012-10-10 | 2013-01-16 | 常州大学 | Special data filtering method for eliminating denial-of-service attacks to DNS (domain name system) service |
CN104348811A (en) * | 2013-08-05 | 2015-02-11 | 深圳市腾讯计算机系统有限公司 | Method and device for detecting attack of DDoS (distributed denial of service) |
CN105282169A (en) * | 2015-11-04 | 2016-01-27 | 中国电子科技集团公司第四十一研究所 | DDoS attack warning method and system based on SDN controller threshold |
CN105306475A (en) * | 2015-11-05 | 2016-02-03 | 天津理工大学 | Network intrusion detection method based on association rule classification |
CN105719155A (en) * | 2015-09-14 | 2016-06-29 | 南京理工大学 | Association rule algorithm based on Apriori improved algorithm |
CN105847283A (en) * | 2016-05-13 | 2016-08-10 | 深圳市傲天科技股份有限公司 | Information entropy variance analysis-based abnormal traffic detection method |
Events
- 2016-08-15: CN application CN201610671479.0A (patent CN106302450B), status Active
Similar Documents
Publication | Title |
---|---|
CN106302450B (en) | A kind of detection method and device based on malice address in DDOS attack |
Protić | Review of KDD Cup ‘99, NSL-KDD and Kyoto 2006+ datasets |
CN109600363B (en) | Internet of things terminal network portrait and abnormal network access behavior detection method |
US8307441B2 (en) | Log-based traceback system and method using centroid decomposition technique |
CN111756759B (en) | Network attack tracing method, device and equipment |
CN108289088A (en) | Abnormal traffic detection system and method based on business model |
CN106027559A (en) | Network session statistical characteristic based large-scale network scanning detection method |
CN105763561B (en) | A kind of attack defense method and device |
CN104135474B (en) | Intrusion Detection based on host goes out the Network anomalous behaviors detection method of in-degree |
KR20120068612A (en) | Dns query traffic monitoring and processing method and apparatus |
JP2001217834A (en) | System for tracking access chain, network system, method and recording medium |
CN110224970B (en) | Safety monitoring method and device for industrial control system |
Sabri et al. | Identifying false alarm rates for intrusion detection system with data mining |
CN108270722A (en) | A kind of attack detection method and device |
Lee et al. | Abnormal behavior-based detection of Shodan and Censys-like scanning |
CN106357660A (en) | Method and device for detecting IP (internet protocol) of spoofing source in DDOS (distributed denial of service) defense system |
Riadi et al. | Internet forensics framework based-on clustering |
CN112769833A (en) | Method and device for detecting command injection attack, computer equipment and storage medium |
KR20190028076A (en) | Visualization method and visualization apparatus |
CN112217777A (en) | Attack backtracking method and equipment |
KR20200109875A (en) | Harmful ip determining method |
Abushwereb et al. | Attack based DoS attack detection using multiple classifier |
Pack et al. | Detecting HTTP tunneling activities |
AlZoubi et al. | The effect of using honeypot network on system security |
KR101991736B1 (en) | Correlation visualization method and correlation visualization apparatus |
Legal Events
Code | Title |
---|---|
C06 | Publication |
PB01 | Publication |
C10 | Entry into substantive examination |
SE01 | Entry into force of request for substantive examination |
GR01 | Patent grant |