CN106302450B - Method and device for detecting malicious addresses in a DDOS attack - Google Patents

Info

Publication number: CN106302450B
Authority: CN (China)
Prior art keywords: address, record, data packet, subset, item collection
Legal status: Active
Application number: CN201610671479.0A
Other languages: Chinese (zh)
Other versions: CN106302450A (en)
Inventors: 梁小毅, 黄斌, 韩方
Current assignee: Guangzhou Huaduo Network Technology Co Ltd
Original assignee: Guangzhou Huaduo Network Technology Co Ltd

Legal events: application filed by Guangzhou Huaduo Network Technology Co Ltd; priority to CN201610671479.0A; publication of CN106302450A; application granted; publication of CN106302450B; current legal status active.
Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1458 Denial of Service
    • H04L2463/00 Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
    • H04L2463/146 Tracing the source of attacks

Abstract

The invention discloses a method and device for detecting malicious addresses in a DDOS attack. The method comprises: obtaining the header of a data packet within a preset time window and forming an N-itemset from N preset field items of the header; searching, in a Candidate Set formed from the N field items of the headers of a preset number of data packets, for records that contain subsets of the N-itemset; setting a minimum support for the count or frequency of such records; when the count or frequency of the records for any subset of the N-itemset is less than the minimum support, moving on to detect the next data packet; and when the count or frequency of the records for the N-itemset and each of its subsets is not less than the minimum support, determining that the source address of the current data packet is a malicious address. With the invention, IP addresses suspected of malicious attack can be screened rapidly, helping the system host react quickly when under attack and avoiding network paralysis.

Description

Method and device for detecting malicious addresses in a DDOS attack
Technical field
The present invention relates to the technical field of network security, and more particularly to a method and device for detecting malicious addresses in a DDOS attack.
Background technique
A DDOS (Distributed Denial of Service) attack uses client/server technology to join multiple computers together as an attack platform and launch an attack on one or more targets, multiplying the power of a denial-of-service attack. Typically the attacker installs a DDOS master program on one computer using a stolen account; at a set time the master program communicates with a large number of agent programs that have been installed on many computers across the network, and the agents launch the attack when they receive the instruction. Using client/server technology, the master program can activate hundreds or thousands of agent programs within seconds.
The main defence techniques against DDOS attacks today are: (1) reverse detection; (2) protocol stack analysis; and (3) fingerprint recognition. Reverse detection verifies the source address of a data packet, judging for example its authenticity, geographic location and open-port situation to decide whether the IP address is legitimate; in practice, however, limited resources do not allow reverse detection of every accessing address source. Reverse detection is suited to further verification of a small number of suspicious addresses that have already been filtered out, and does not itself solve the problem of how to filter suspected attack addresses out of a mass of addresses. Protocol stack analysis is based on the RFC (Request For Comments, numbered documents) specifications: since every packet type must at a minimum conform to an RFC specification, and packets built with an attacker's tools may not, an attack can be detected through protocol stack analysis; but as attacks evolve, an advanced attacker can still construct packets that conform to the protocol stack specifications as far as possible, which increases the difficulty of protocol stack analysis. This technique can only cope with first-stage attackers and cannot accurately screen the IP addresses of a malicious attack. Finally, fingerprint recognition has the highest precision for identifying a DDOS attack, but it consumes more resources, cannot identify novel attacks not yet present in the fingerprint base, and makes it difficult to react quickly when the system host is under attack.
Therefore, although locating the attacker's IP address has practical value, how to determine malicious IP addresses within a mass of packet traffic with adequate accuracy, and in particular how to avoid blacklisting normally accessing IP addresses and affecting normal users, remains a problem the industry has to solve.
Summary of the invention
In view of the above problems, the invention proposes a method and device for detecting malicious addresses in a DDOS attack.
An embodiment of the invention provides a method for detecting malicious addresses in a DDOS attack, comprising:
obtaining the header of a data packet within a preset time window and forming an N-itemset from N preset field items of the header;
searching, in a Candidate Set formed from the N field items of the headers of a preset number of data packets, for records that contain subsets of the N-itemset;
setting a minimum support for the count or frequency of the records;
when the count or frequency of the records for any subset of the N-itemset is less than the minimum support, detecting the next data packet;
when the count or frequency of the records for the N-itemset and each of its subsets is not less than the minimum support, determining that the source address of the current data packet is a malicious address.
Preferably, the N preset field items comprise at least three of: source address, destination address, packet length, destination port and protocol type, where N ≥ 3; or the N preset field items comprise source address, destination address, packet length, destination port and protocol type, where N ≥ 5; or the N preset field items comprise at least five of: source address, destination address, packet length, destination port, protocol type, source port and network path, where N ≥ 5.
Preferably, before the step of obtaining the header of a data packet within the preset time window, the method comprises:
monitoring the packet flow of the network and, when the packet flow exceeds a first alarm threshold, obtaining a preset number of data packets or the data packets within a preset duration.
Preferably, the step of searching the Candidate Set formed from the N field items of the headers of a preset number of data packets for records that contain subsets of the N-itemset comprises:
starting from the 1-element subsets of the N-itemset and proceeding to its (N-1)-element subsets, successively searching the Candidate Set for records that contain a k-element subset of the N-itemset, where 1 ≤ k ≤ N-1;
and after the step of setting the minimum support for the count or frequency of the records, the method further comprises:
when the count or frequency of the records for a k-element subset of the N-itemset is not less than the minimum support, searching the Candidate Set for records that contain a (k+1)-element subset of the N-itemset.
Preferably, after the step of determining that the source address of the current data packet is a malicious address when the count or frequency of the records for the N-itemset and each of its subsets is not less than the minimum support, the method further comprises:
setting the count or frequency of the records for the N-itemset as the risk value of the malicious address;
setting a minimum confidence for the risk value of the malicious address;
when the monitored packet flow of the network exceeds a second alarm threshold, restricting access from malicious addresses not on a white list whose risk value is greater than the minimum confidence;
when the monitored packet flow of the network falls below a third alarm threshold, analysing the address sources of malicious addresses whose risk value is greater than the minimum confidence, and adding the malicious address to the white list according to the result of the analysis.
Correspondingly, an embodiment of the invention provides a device for detecting malicious addresses in a DDOS attack, comprising:
a pointer acquisition unit for obtaining the header of a data packet within a preset time window and forming an N-itemset from N preset field items of the header;
a record search unit for searching, in a Candidate Set formed from the N field items of the headers of a preset number of data packets, for records that contain subsets of the N-itemset;
a threshold setting unit for setting a minimum support for the count or frequency of the records;
a pointer jump unit for detecting the next data packet when the count or frequency of the records for any subset of the N-itemset is less than the minimum support;
a result judgement unit for determining that the source address of the current data packet is a malicious address when the count or frequency of the records for the N-itemset and each of its subsets is not less than the minimum support.
Preferably, the pointer acquisition unit comprises:
an item designation unit for designating the N preset field items;
the N preset field items comprising at least three of: source address, destination address, packet length, destination port and protocol type, where N ≥ 3; or
the N preset field items comprising source address, destination address, packet length, destination port and protocol type, where N ≥ 5; or
the N preset field items comprising at least five of: source address, destination address, packet length, destination port, protocol type, source port and network path, where N ≥ 5.
Preferably, the device comprises:
a first alarm unit for monitoring the packet flow of the network and, when the packet flow exceeds a first alarm threshold, obtaining a preset number of data packets or the data packets within a preset duration.
Preferably, the record search unit comprises:
a recursive lookup unit for successively searching the Candidate Set for records that contain a k-element subset of the N-itemset, starting from the 1-element subsets of the N-itemset and proceeding to its (N-1)-element subsets, where 1 ≤ k ≤ N-1; and, when the count or frequency of the records for a k-element subset of the N-itemset is not less than the minimum support, searching the Candidate Set for records that contain a (k+1)-element subset of the N-itemset.
Preferably, the device further comprises:
a risk value unit for setting the count or frequency of the records for the N-itemset as the risk value of the malicious address;
a confidence setting unit for setting a minimum confidence for the risk value of the malicious address;
a second alarm unit for restricting, when the monitored packet flow of the network exceeds a second alarm threshold, access from malicious addresses not on a white list whose risk value is greater than the minimum confidence;
a third alarm unit for analysing, when the monitored packet flow of the network falls below a third alarm threshold, the address sources of malicious addresses whose risk value is greater than the minimum confidence, and adding the malicious address to the white list according to the result of the analysis.
Compared with the prior art, the scheme provided by the invention obtains the header of a data packet within a detection time window and forms an N-itemset from N preset field items of the header. Although the packet formats of different networks may differ slightly, the packet header format of the same network type is consistent, so the invention needs only the specified item information from one packet's header to analyse rapidly whether the packet was issued by a malicious IP address; it is easy to operate and widely applicable. Before the analysis begins, a Candidate Set is first formed from the N field items of the headers of a preset number of data packets, and the Candidate Set is then searched for records that contain subsets of the N-itemset. The Candidate Set is the set of the N specified field items extracted from the headers of a batch of data packets when a traffic flood of such packets is encountered. The packets of the Candidate Set therefore conceal the prior data of a DDOS attacker who issues packets while switching virtual IP addresses; by tracking and mining the association between the current packet's N-itemset and the Candidate Set, the association can be matched rapidly using only a small number of N item values, and the malicious IP address accurately locked on. Accuracy can be guaranteed by setting a minimum support for the count or frequency of the records: the more often the subsets of a packet's N-itemset appear in the Candidate Set, and/or the higher their frequency of appearance, the more likely the packet was issued by a malicious address. When the count or frequency of the records for any subset of the N-itemset is less than the minimum support, the next data packet is detected; when the count or frequency of the records for the N-itemset and each of its subsets is not less than the minimum support, the source address of the current packet is determined to be a malicious address.
The first advantage of this scheme is that, for the N-itemset of a packet issued by a malicious address, the count or frequency of the records for every non-empty subset of that N-itemset relative to the Candidate Set is necessarily not less than the minimum support. For if some non-empty subset I of the N-itemset is below the minimum support threshold, then when an element A is added to I, the new subset I ∪ {A} so formed cannot occur more times, or more frequently, than the original subset I; hence I ∪ {A} also cannot exceed the minimum support threshold. It follows that screening by the subsets of the N-itemset ensures accurate screening of non-malicious addresses and avoids affecting the access of normal users. The second advantage is that screening is compared first on low-order sets such as the 1-element or 2-element subsets, which have few elements, so screening is fast; the scheme can therefore react quickly when the system host is under attack and avoid network paralysis. The third advantage is that the accuracy of the scheme clearly also depends on the number N of elements in the N-itemset: the larger N, the more items are analysed and the higher the accuracy. The number of subsets of the N-itemset does grow sharply with N; but since the 1-element and 2-element subsets mentioned above remain subsets of the N-itemset, these low-order subsets can still rapidly exclude large numbers of non-malicious addresses, so increasing N improves the accuracy of the analysis without bringing a large amount of computation or significantly reducing analysis speed, and the scheme can meet the real-time requirement of actual internet access.
Additional aspects and advantages of the invention will be set forth in part in the description that follows, and will become apparent from that description or be learned through practice of the invention.
Detailed description of the invention
To describe the technical solutions in the embodiments of the invention more clearly, the drawings needed for describing the embodiments are briefly introduced below. It should be apparent that the drawings described below are only some embodiments of the invention; those skilled in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic diagram of the IP data packet format used in the present invention;
Fig. 2 is a flow chart of a first embodiment of the method for detecting malicious addresses in a DDOS attack according to the present invention;
Fig. 3 is a schematic diagram of the header field item information of the data packets in the n-th time window of the first embodiment;
Fig. 4 is a flow chart of a second embodiment of the method for detecting malicious addresses in a DDOS attack according to the present invention;
Fig. 5 is a schematic diagram of network monitoring in the second embodiment of the method for detecting malicious addresses in a DDOS attack according to the present invention;
Fig. 6 is a schematic diagram of recursive lookup in the second embodiment of the method for detecting malicious addresses in a DDOS attack according to the present invention;
Fig. 7 is a schematic diagram of a first embodiment of the device for detecting malicious addresses in a DDOS attack according to the present invention;
Fig. 8 is a schematic diagram of a second embodiment of the device for detecting malicious addresses in a DDOS attack according to the present invention.
Specific embodiment
In order for those skilled in the art to better understand the solution of the invention, the technical solutions in the embodiments of the invention are described clearly and completely below in conjunction with the drawings in the embodiments.
Some of the processes described in the specification, the claims and the above drawings contain multiple operations that occur in a particular order, but it should be clearly understood that these operations need not be executed in the order in which they appear here and may be executed in parallel; operation serial numbers such as 101 and 102 serve only to distinguish different operations and do not themselves represent any execution order. These processes may also include more or fewer operations, and those operations may be executed sequentially or in parallel. It should be noted that descriptions such as "first" and "second" herein are used to distinguish different messages, devices, modules and so on; they do not represent an order of precedence, nor do they restrict "first" and "second" to being of different types.
The technical solutions in the embodiments of the invention are described clearly and completely below in conjunction with the drawings in the embodiments; clearly the described embodiments are only some of the embodiments of the invention, not all of them. All other embodiments obtained by those skilled in the art on the basis of the embodiments of the invention without creative work shall fall within the scope of protection of the invention.
From the attacker's point of view, DDOS attack traffic actually imitates normal access as far as possible in order to evade detection. The biggest difference between attack access and normal access is that the volume of access for DDOS attack purposes will be tens of times or more that of normal business access, exceeding the server's performance ceiling and thereby achieving denial of service. This method exploits exactly that difference: it finds data packets of identical content that are repeatedly sent to the same destination host, by different means (such as different source ports or different network transmission paths), in numbers that exceed normal access. For example, the scheme can be applied to IP data packets.
Fig. 1 is a schematic diagram of the IP data packet format used in the present invention. Specifically, for the IP packet format, the field items that can be extracted and analysed from a packet's header (the header of Fig. 1) include:
1. Source address: fixed source address, the purpose being to locate the suspected attack source;
2. Destination address: fixed destination address, which is the server to be protected, the purpose being to analyse all data packets directed at that server;
3. Source port: the source port is allowed to vary, because a hacker may open several services or processes at once when attacking and send data packets to the destination address from several ports;
4. Destination port: fixed destination port, which is the service port (service) to be protected, the purpose being to analyse all data packets directed at that port (service);
5. Protocol / protocol type: the protocol type is mainly one of UDP or TCP; since protocol type and attack pattern are highly correlated, the protocol type is fixed (and may include the TCP flag-bit information when the packet belongs to the TCP protocol);
6. Total length / packet length: fixed packet length, because once an attacker launches an attack, the attacker tends to generate a large number of packets of fixed length and identical content and send them to the destination host;
7. TTL (Time to live): the TTL reflects the network path the packet takes from the source address to the destination; different TTL values imply that the packet reached the destination host by different paths. Attack packets may follow different paths to the destination host within a short time, so the TTL is allowed to vary.
In addition, as shown in Fig. 1, the field items that can be extracted and analysed from a packet's header (the header of Fig. 1) also include: version, header length, differentiated services, identification, flags, fragment offset, header checksum, etc., which are not explained one by one here.
The scheme can also be applied to other packet formats. For example, for the TCP packet format the extractable field items include source port, destination port, sequence number, acknowledgement number, TCP header size, window size, checksum, urgent pointer, etc.; for the UDP packet format they include source port, destination port, length, checksum, pseudo header, etc.; for the ARP packet format they include hardware type, protocol type, hardware address length, protocol address length, operation code, sender hardware address, sender protocol address, target hardware address, target protocol address, etc. Besides the above packet formats, the scheme can also be applied to the analysis of ICMP, IPSEC, OSPF and Ethernet packets; their formats and corresponding field items are too numerous to list here. It can be seen that the scheme can extract the corresponding field items from different packet formats for analysis; it is easy to operate and has a wide range of application. Taking the IP packet format of Fig. 1 as an example, the first embodiment of the invention is further described below in conjunction with Fig. 2 and Fig. 3.
Fig. 2 is a flow chart of a first embodiment of the method for detecting malicious addresses in a DDOS attack according to the present invention, comprising:
S101: obtain the header of a data packet within a preset time window and form an N-itemset from N preset field items of the header;
S102: search, in a Candidate Set formed from the N field items of the headers of a preset number of data packets, for records that contain subsets of the N-itemset;
S103: set a minimum support for the count or frequency of the records;
S104: when the count or frequency of the records for any subset of the N-itemset is less than the minimum support, detect the next data packet;
S105: when the count or frequency of the records for the N-itemset and each of its subsets is not less than the minimum support, determine that the source address of the current data packet is a malicious address.
Fig. 3 is a schematic diagram of the header field item information of the data packets in the n-th time window of the first embodiment.
Assume that the system host has stored the header field item information of the packets of malicious accesses over a past period. As shown in Fig. 3, the eight packet records of the time window "g=189" are now extracted for analysis.
First, the pointer moves to the first record of the time window "g=189".
The header of the first data packet, i.e. the first record in the "g=189" time window, is obtained, and an N-itemset is formed from N preset field items of the header. Although the packet formats of different networks may differ slightly, the packet header format is consistent for the same network type.
Preferably, the N preset field items comprise at least three of: source address, destination address, packet length, destination port and protocol type, where N ≥ 3; or
preferably, the N preset field items comprise source address, destination address, packet length, destination port and protocol type, where N ≥ 5; or
preferably, the N preset field items comprise at least five of: source address, destination address, packet length, destination port, protocol type, source port and network path, where N ≥ 5.
In this first embodiment, assume N=3 and that the N preset field items are source address, destination address and packet length. That is, the N-itemset of the first data packet is {78.210.156.40, 119.84.68.11, 40}. The invention needs only these three field items from the first data packet to analyse rapidly whether the packet was issued by a malicious IP address; it is easy to operate and widely applicable.
Before the analysis begins, a Candidate Set is formed from the N field items of the headers of a preset number of data packets. For example, if there was only normal access traffic of about 1,000 data packets from time window "g=001" to time window "g=90", but the traffic surged to 10,000 data packets from time window "g=091" to time window "g=180", a malicious attack is likely, and the first data packet of the following "g=189" time window can be analysed against a Candidate Set formed from the three field items (source address, destination address, packet length) of the headers of those 10,000 packets. As another example, the surge-packet malicious attack records from the previous round, the previous week or the previous month can be extracted from historical records to serve as the Candidate Set for this analysis. Records containing subsets of the N-itemset {78.210.156.40, 119.84.68.11, 40} are then searched for in the Candidate Set. The Candidate Set is the set of the N specified field items extracted from the headers of a batch of data packets when a traffic flood of such packets is encountered. The packets of the Candidate Set therefore conceal the prior data of a DDOS attacker who issues packets while switching virtual IP addresses; by tracking and mining the association between the N-itemset of the current first packet and the Candidate Set, the association can be matched rapidly using only a small number of N item values, and the malicious IP address accurately locked on.
Accuracy can be guaranteed by setting a minimum support for the count or frequency of the records. For example, set the minimum support for the record count to 300, and/or set the minimum support for the record frequency to 20%. The more often the subsets of a packet's N-itemset appear in the Candidate Set, and/or the higher their frequency of appearance, the more likely the packet was issued by a malicious address.
When the count or frequency of the records for any subset of the N-itemset is less than the minimum support, the next data packet is detected. For example, if the records containing the subset {78.210.156.40} of the N-itemset {78.210.156.40, 119.84.68.11, 40} appear 180 times in the Candidate Set, which is less than the minimum support of 300, there is no need to compute the count or frequency of the other subsets or of the N-itemset, and the pointer can jump to the second record of the current "g=189" time window. Alternatively, if the records containing the subset {78.210.156.40, 40} of the N-itemset {78.210.156.40, 119.84.68.11, 40} appear in the Candidate Set with a frequency of 11%, which is less than the minimum support of 20%, there is likewise no need to continue computing the count or frequency of the other subsets or of the N-itemset, and the pointer can jump to the second record.
When the count or frequency of the records for the N-itemset and each of its subsets is not less than the minimum support, the source address of the current data packet is determined to be a malicious address. That is, consider the 1-element subsets {78.210.156.40}, {119.84.68.11}, {40}, the 2-element subsets {78.210.156.40, 40}, {119.84.68.11, 40}, {78.210.156.40, 119.84.68.11} and the 3-element subset {78.210.156.40, 119.84.68.11, 40} of the N-itemset {78.210.156.40, 119.84.68.11, 40}: when the N-itemset itself and each of the above subsets (every 1-element, 2-element and 3-element subset) has records whose frequency of appearance in the Candidate Set is not less than the minimum support of 20%, or whose count of appearance is not less than the minimum support of 300, the source address IP=78.210.156.40 of the packet of the first record in the current "g=189" time window is a malicious address.
Then the pointer moves to the second record of the time window "g=189". The analysis proceeds as before: as soon as the count or frequency of the records for any subset of the second record's N-itemset is less than the minimum support, the next data packet is detected. Detection proceeds one record at a time.
Finally, the detection and analysis of the eight records of the time window "g=189" is complete.
The first advantage of this scheme is that, for the N item collection of a data packet sent by a malicious address, the number of times or the frequency of the records of any nonempty subset of the N item collection relative to the Candidate Set must exceed the minimum support. For if any nonempty subset I of the N item collection is below the minimum support threshold, then when an element A is added to I, the new subset (A ∪ I) so formed cannot occur more times or more frequently than the original subset I, and therefore the new subset (A ∪ I) will not exceed the minimum support threshold either. It follows that screening by the subsets of the N item collection ensures the accuracy with which non-malicious addresses are screened out, and avoids affecting the access of normal users. The second advantage of this scheme is that the screening is compared through low-order sets such as the unary and binary subsets; since these have fewer elements, the screening can be very fast, so that with this scheme a quick reaction can be made when the system host is under attack and network paralysis is avoided. The third advantage of this scheme is that, obviously, its accuracy is related to the number N of elements in the N item collection: the larger N is, the more projects are analyzed and the higher the accuracy. At the same time, the number of subsets of the N item collection grows sharply as N increases. But since the aforementioned unary and binary subsets are still subsets of the N item collection, these low-order subsets can still promptly exclude large numbers of non-malicious addresses; so, while increasing N raises the accuracy of the analysis, it does not bring a large amount of computation and does not significantly reduce the analysis speed, and the real-time requirements of actual Internet access can therefore be met.
It should be added that, as is readily seen from the foregoing description, the present invention is based on the principle of the Apriori algorithm and is a specific implementation of an improved Apriori algorithm in the network security field. Compared with traditional Apriori, the scheme of the present invention does not need to find the frequent item sets of the N item collection, nor does it need to analyze the strong rules of each field in the N item collection. For example, for the aforementioned N item collection {78.210.156.40, 119.84.68.11, 40}, even if its subset {78.210.156.40, 119.84.68.11} occurs in the Candidate Set a very large number of times or with a very high frequency, and is a frequent item set in the sense of the traditional Apriori algorithm, as long as one subset, such as {40}, is infrequent, there is no need to continue calculating until the final frequent item set {78.210.156.40, 119.84.68.11} is found, let alone to calculate the strong rules of that frequent item set. The improved Apriori algorithm of the present invention is therefore faster in operation than the traditional algorithm.
Fig. 4 is a flow chart of a second embodiment of the detection method based on malicious addresses in DDOS attacks of the present invention. Compared with the first embodiment of Fig. 2, the second embodiment of Fig. 4 specifies an N item collection of N=5 field projects for analysis, which makes the analysis more accurate. At the same time, by means of a recursive lookup, a one-dimensional, single-layer recursive lookup from the unary subsets to the N-1 member subsets, the screening is faster.
S201: monitoring the data packet flow of the network, and, when the data packet flow exceeds a first alarm threshold, obtaining a preset number of data packets or the data packets within a preset duration;
S202: obtaining the header file of a data packet in a preset time window, and forming an N item collection from the preset N field projects in the header file; the preset N field projects include source address, destination address, packet length, destination port and protocol type, where N ≥ 5;
S203: starting from the unary subsets of the N item collection and proceeding to the N-1 member subsets of the N item collection, successively searching in the Candidate Set for the records containing the k member subsets of the N item collection, where 1 ≤ k ≤ N-1;
S204: setting the minimum support of the number of times or the frequency of the records;
S205: when the number of times or the frequency of the records of a k member subset of the N item collection is not less than the minimum support, searching in the Candidate Set for the records containing the k+1 member subsets of the N item collection;
S206: when the number of times or the frequency of the records of any subset of the N item collection is less than the minimum support, detecting the next data packet;
S207: when the number of times or the frequency of the records of the N item collection and of any of its subsets is not less than the minimum support, determining that the source address of the current data packet is a malicious address.
The aforementioned first embodiment can be applied to real-time monitoring and can also be used for ex-post analysis; this second embodiment is applied in particular to real-time monitoring. Fig. 5 is a monitoring network diagram of the second embodiment of the detection method based on malicious addresses in DDOS attacks of the present invention. As shown in Fig. 5, the present embodiment monitors the network in real time using packet capturing software: it monitors the data packet flow of the network and, when the data packet flow exceeds the first alarm threshold, obtains a preset number of data packets or the data packets within a preset duration. The first alarm threshold is set according to the traffic handling capacity of the local system host; when the threshold is reached, the system host needs to enter a guard state in order to avoid network paralysis. Preferably, the data packets within a period of time before the moment at which the flow exceeded the first alarm threshold can be traced back in order to set up the Candidate Set; alternatively, a preset number of data packets, say 10,000, can be traced back from the moment at which the flow exceeded the first alarm threshold in order to set up the Candidate Set.
Since this is real-time monitoring, the present embodiment starts in the time window in which the flow exceeds the first alarm threshold, obtains the header file of a data packet in the preset time window, and forms the N item collection from the preset N field projects in the header file. Preferably, the preset N field projects are the five projects source address, destination address, packet length, destination port and protocol type. Taking the second record of Fig. 3 as an example, the N item collection of the data packet detected in embodiment two is {221.228.253.156, 119.84.68.7, 1344, 555, UDP}.
Next, the search is performed recursively.
Fig. 6 is a schematic diagram of the recursive lookup of the second embodiment of the detection method based on malicious addresses in DDOS attacks of the present invention. As shown in Fig. 6, starting from the unary subsets of the N item collection and proceeding to the N-1 member subsets of the N item collection, the records containing the k member subsets of the N item collection are successively searched for in the Candidate Set, where 1 ≤ k ≤ N-1. The minimum support of the number of times or the frequency of the records is set; when the number of times or the frequency of the records of a k member subset of the N item collection is not less than the minimum support, the records containing the k+1 member subsets of the N item collection are searched for in the Candidate Set.
Since the low-order subsets have few elements, they are quick to search, and a higher-order subset only needs a secondary screening among the screening results of the lower-order subsets; so the more elements a subset has, the fewer records of the Candidate Set need to be screened. For example, in the present embodiment two, when k=4, for the screening of the quaternary subset {221.228.253.156, 119.84.68.7, 1344, 555}, all ternary subsets of this quaternary subset have already been screened before it, yielding the ternary screening sets of all the ternary subsets. Obviously, a ternary screening set accounts for only a small part of the original Candidate Set, so the secondary screening for {221.228.253.156, 119.84.68.7, 1344, 555} only needs to be carried out within the ternary screening sets. It can be seen that the recursive approach can further improve the operation speed of the present invention and avoid repeated lookups.
It should be added that, besides searching recursively, a depth search can also be carried out according to the characteristics of the field projects of particular data packets. For example, the addresses of the system hosts we want to protect are exactly a few known destination addresses; in that case the destination address field project is very important and should be prioritized. Briefly, if the destination address of a data packet is not the address of one of the system hosts we want to protect, it need not be considered. So, for the N item collection {221.228.253.156, 119.84.68.7, 1344, 555, UDP} of the present embodiment two, depth screening can be used, starting preferentially from the subsets containing the destination address field; the specific lookup order is: first {119.84.68.7}, then {119.84.68.7, 555}, {119.84.68.7, 1344}, ... and so on until the screening of the complete N item collection {221.228.253.156, 119.84.68.7, 1344, 555, UDP}. Obviously, the higher-order subsets still only need a secondary screening among the screening results of the lower-order subsets, which avoids repeated lookups. The search still proceeds successively from the unary subsets of the N item collection to the N-1 member subsets of the N item collection. But thanks to our knowledge of the destination address, we need not search all unary subsets of the N item collection, for example subsets of the kind {555}; so the lookup algorithm combining recursion with depth lets us speed up further.
When the number of times or the frequency of the records of any subset of the N item collection is less than the minimum support, the next data packet is detected; when the number of times or the frequency of the records of the N item collection and of any of its subsets is not less than the minimum support, the source address of the current data packet is determined to be a malicious address. Preferably, embodiment two uses frequency as the support and sets the minimum support parameter to x (0 ≤ x ≤ 1), meaning that this algorithm finds all source addresses in the Candidate Set whose sets containing the N item collection have a repetition rate exceeding x; by setting x reasonably, the source addresses extracted in this way have a very high probability of being the malicious IP addresses attacking the destination address. For example, in the present embodiment two, x=30%, and the frequency of the complete set of the above N item collection {221.228.253.156, 119.84.68.7, 1344, 555, UDP} is 85%; at this point 221.228.253.156 is identified as a malicious IP, and we can have the system host apply current limiting and rate limiting to these malicious IP addresses, so as to avoid network paralysis and service interruption.
Further, the present embodiment two can also include the following steps:
S208: setting the number of times or the frequency of the records of the N item collection as the risk value of the malicious address;
S209: setting a minimum confidence for the risk value of the malicious address;
S210: when the monitored data packet flow of the network exceeds a second alarm threshold, limiting the access of the malicious addresses not in a white list whose risk value is greater than the minimum confidence;
S211: when the monitored data packet flow of the network falls below a third alarm threshold, analyzing the address sources of the malicious addresses whose risk value is greater than the minimum confidence, and adding the malicious addresses to the white list according to the result of the analysis.
As mentioned above, during real-time monitoring, when the monitored data packet flow of the network exceeds the first alarm threshold, the system host first enters the guard state and collects suspicious data packets; when the monitored data packet flow of the network exceeds the second alarm threshold, the system host has completed the analysis and starts limiting the access of the malicious addresses, so that the data packet flow returns to a normal access volume; when the monitored data packet flow of the network falls below the third alarm threshold, the aforementioned limitation may unavoidably have affected the access of some normal users, and at this point, since the CPU and memory resources of the system host are sufficient, reverse detection technology can be used to analyze the address sources of the malicious addresses whose risk value is greater than the minimum confidence and to add the malicious addresses to the white list according to the result of the analysis, so as to avoid affecting normal users.
The advantage of the above preferred embodiment is the following. In the original scheme, the source addresses corresponding to N item collections exceeding the minimum support are included in a malicious address blacklist and their access is limited. On that basis, the number of times or the frequency of the records of the N item collection is set as the risk value of the malicious address, and a minimum confidence is set for that risk value. Rejecting the malicious addresses that are in the white list according to the comparison of the risk value with the preset minimum confidence prevents virtual addresses in normal access business (for example, proxy IPs) from being classed as malicious addresses. This is because the virtual addresses used in a malicious attack tend to be completely random, whereas in normal access business the frequency with which a single virtual address (for example, a proxy IP) repeatedly sends packets is fixed and in theory does not exceed the minimum support; in case it does exceed the minimum support, this preferred embodiment can additionally set a minimum confidence and sort from high to low according to the aforementioned risk value. The risk value of normal access business will be lower than that of malicious access business, so limiting the access of the malicious addresses not in the white list whose risk value is greater than the minimum confidence leaves the virtual addresses in normal access business unrestricted.
In summary, the present invention is based on the principle of the Apriori algorithm and improves upon it so that it adapts well to the data packet format: starting from the smallest dimension (i.e. single elements), the present invention mines frequent association rules, first finding the single elements that meet the given frequency or count level, then constructing two-element sets from the single elements that meet the occurrence frequency and spreading outward from there, which avoids the problem of forming all combinations of multiple elements and improves screening efficiency.
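The following is an added, runnable illustration of the screening described in the first and second embodiments (level-wise checking of every subset of the N item collection against a minimum support, with secondary screening inside the lower-order screening sets and an early jump to the next packet) followed by the preferred embodiment's risk value, white list and minimum confidence; it is example code written for this page, not the patent's own implementation. The candidate set, the proxy source 10.0.0.9, the 192.0.2.x users and the binding of each item to its field name are assumptions made here; the two addresses 221.228.253.156 and 119.84.68.7 are those of the patent's own example.

```python
import math
from itertools import combinations
from typing import Dict, FrozenSet, Iterable, List, Optional, Sequence, Set, Tuple

# Header field projects in the order used by the second embodiment (N = 5).
FIELDS = ("src", "dst", "length", "dport", "proto")
Record = Tuple[str, str, int, int, str]
ItemSet = FrozenSet[Tuple[str, object]]      # items are (field, value) pairs

# The two addresses are those of the patent's own example; the proxy and the
# ordinary-user sources are constructed for this example.
ATTACK_SRC = "221.228.253.156"
TARGET = "119.84.68.7"
PROXY_SRC = "10.0.0.9"

def build_candidate_set() -> List[Record]:
    """Constructed candidate set: 100 header records captured once the data
    packet flow crossed the first alarm threshold (values are illustrative)."""
    flood = [(ATTACK_SRC, TARGET, 1344, 555, "UDP")] * 60
    proxy = [(PROXY_SRC, TARGET, 512, 443, "TCP")] * 30   # busy legitimate proxy
    normal = [("192.0.2.%d" % i, TARGET, 600, 80, "TCP") for i in range(1, 11)]
    return flood + proxy + normal

def item_set(record: Record) -> ItemSet:
    """Form the N item collection of one packet from its preset field projects.
    Each item keeps its field name, so a value such as 40 only matches in the
    field it came from (a modelling choice made in this example)."""
    return frozenset(zip(FIELDS, record))

def contains(record: Record, subset: ItemSet) -> bool:
    """True when the record carries every (field, value) item of the subset."""
    fields = dict(zip(FIELDS, record))
    return all(fields[field] == value for field, value in subset)

def support_threshold(min_support, total: int) -> int:
    """Minimum support given as a record count (int, e.g. 300 times) or as a
    frequency (float, e.g. 0.20): the number of records a subset must reach."""
    if isinstance(min_support, int):
        return min_support
    return math.ceil(round(min_support * total, 9))   # 0.3 * 100 is not exactly 30

def detect_packet(packet: Record, candidates: Sequence[Record],
                  min_support) -> Tuple[bool, Optional[float]]:
    """Level-wise screening from the unary subsets up to the N item collection.
    Returns (is_malicious, risk_value): the risk value is the frequency of the
    full N item collection in the candidate set, or None when some subset fell
    below the minimum support and the packet was skipped (pointer jumps on)."""
    full = item_set(packet)
    items = tuple(full)
    need = support_threshold(min_support, len(candidates))
    # Indices of the records containing each subset screened so far; the empty
    # subset is contained in every record and seeds the unary level.
    hits: Dict[ItemSet, Set[int]] = {frozenset(): set(range(len(candidates)))}
    for k in range(1, len(items) + 1):
        for combo in combinations(items, k):
            subset = frozenset(combo)
            # Secondary screening: a record can only contain this k-member
            # subset if it contained all of its (k-1)-member subsets, so search
            # the smallest of those screening sets, not the whole candidate set.
            parents = (frozenset(combo[:i] + combo[i + 1:]) for i in range(k))
            base = min((hits[p] for p in parents), key=len)
            matched = {i for i in base if contains(candidates[i], subset)}
            if len(matched) < need:
                return False, None      # a subset below support: next packet
            hits[subset] = matched
    return True, len(hits[full]) / len(candidates)

def addresses_to_limit(verdicts: Iterable[Tuple[str, Tuple[bool, Optional[float]]]],
                       whitelist: Set[str], min_confidence: float) -> List[Tuple[str, float]]:
    """Preferred embodiment: the risk value is the support of the N item
    collection; drop white-listed addresses, keep those above the minimum
    confidence and sort from highest risk to lowest (the limiting order)."""
    ranked: Dict[str, float] = {}
    for src, (malicious, risk) in verdicts:
        if malicious and src not in whitelist and risk > min_confidence:
            ranked[src] = max(risk, ranked.get(src, 0.0))
    return sorted(ranked.items(), key=lambda kv: kv[1], reverse=True)

def run_demo(min_support=0.30, min_confidence=0.50, whitelist=()):
    """Screen four constructed packets of the current time window."""
    candidates = build_candidate_set()
    packets: List[Record] = [
        (ATTACK_SRC, TARGET, 1344, 555, "UDP"),   # flood packet
        (PROXY_SRC, TARGET, 512, 443, "TCP"),     # proxy, exactly at the support
        (ATTACK_SRC, TARGET, 1344, 555, "TCP"),   # frequent items, unseen pair
        ("192.0.2.1", TARGET, 600, 80, "TCP"),    # ordinary user
    ]
    verdicts = [(p[0], detect_packet(p, candidates, min_support)) for p in packets]
    return verdicts, addresses_to_limit(verdicts, set(whitelist), min_confidence)

if __name__ == "__main__":
    results, limited = run_demo()
    for src, (malicious, risk) in results:
        print(src, "malicious" if malicious else "skipped", risk)
    print("limit access of:", limited)
```

The third packet shows the anti-monotone argument of the first embodiment: each of its single items is frequent, but the pair {555, TCP} never occurs in the candidate set, so screening stops at k=2 without examining the higher-order subsets. The proxy sits exactly at the 30% support and is flagged, but the minimum confidence of 50% (or the white list) keeps it out of the list of addresses to limit.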
Fig. 7 is a schematic diagram of a first embodiment of the detection device based on malicious addresses in DDOS attacks of the present invention, comprising:
a pointer acquiring unit, for obtaining the header file of a data packet in a preset time window and forming an N item collection from the preset N field projects in the header file;
a record search unit, for searching, in the Candidate Set formed from the N field projects of the header files of a preset number of data packets, for the records containing subsets of the N item collection;
a threshold setting unit, for setting the minimum support of the number of times or the frequency of the records;
a pointer jump unit, for detecting the next data packet when the number of times or the frequency of the records of any subset of the N item collection is less than the minimum support;
a result judgement unit, for determining that the source address of the current data packet is a malicious address when the number of times or the frequency of the records of the N item collection and of any of its subsets is not less than the minimum support.
Fig. 7 corresponds to the first embodiment of Fig. 2; the units in Fig. 7 operate in the same way as the method.
Fig. 8 is a schematic diagram of a second embodiment of the detection device based on malicious addresses in DDOS attacks of the present invention.
As shown in Fig. 8, the pointer acquiring unit comprises:
a project designating unit, for specifying the preset N field projects;
the preset N field projects include at least three of source address, destination address, packet length, destination port and protocol type, where N ≥ 3; or,
the preset N field projects include source address, destination address, packet length, destination port and protocol type, where N ≥ 5; or,
the preset N field projects include at least five of source address, destination address, packet length, destination port, protocol type, source port and network path, where N ≥ 5.
As shown in Fig. 8, the device further comprises:
a first alarm unit, for monitoring the data packet flow of the network and, when the data packet flow exceeds the first alarm threshold, obtaining a preset number of data packets or the data packets within a preset duration.
As shown in Fig. 8, the record search unit comprises:
a recursive lookup unit, for starting from the unary subsets of the N item collection and proceeding to the N-1 member subsets of the N item collection, successively searching in the Candidate Set for the records containing the k member subsets of the N item collection, where 1 ≤ k ≤ N-1; and, when the number of times or the frequency of the records of a k member subset of the N item collection is not less than the minimum support, searching in the Candidate Set for the records containing the k+1 member subsets of the N item collection.
Fig. 8 corresponds to the second embodiment of Fig. 4; the units in Fig. 8 operate in the same way as the method.
In a preferred embodiment, the device further comprises:
a risk value unit, for setting the number of times or the frequency of the records of the N item collection as the risk value of the malicious address;
a confidence setting unit, for setting the minimum confidence of the risk value of the malicious address;
a second alarm unit, for limiting, when the monitored data packet flow of the network exceeds the second alarm threshold, the access of the malicious addresses not in the white list whose risk value is greater than the minimum confidence;
a third alarm unit, for analyzing, when the monitored data packet flow of the network falls below the third alarm threshold, the address sources of the malicious addresses whose risk value is greater than the minimum confidence, and adding the malicious addresses to the white list according to the result of the analysis.
In one embodiment, the workflow of the above device is summarized as follows:
(1) the data packet flow of the target system host reaches the first alarm threshold, which triggers network packet capture;
(2) the part of the header files in the packet capture file comprising the specified field projects is extracted to form N item collections;
(3) for a given minimum support, the N item collections meeting the condition are found and the source addresses in them are collected;
(4) the source addresses in the white list are rejected;
(5) the N item collections are sorted from high to low by risk value, a minimum confidence is set, and the access of the source addresses whose risk value is greater than the minimum confidence is limited in turn, until the network and the system host return to a normal access volume;
(6) once the access volume has fallen back, and provided the CPU and memory resources of the system host permit, the true identity of the restricted source addresses is verified by reverse detection, either to further confirm a malicious address or to reject a virtual address.
The technical solution of the present invention brings the following beneficial effects:
(1) Detection is accurate: the malicious addresses found are guaranteed to be statistically significant, which avoids the subjectivity and one-sidedness of human judgement.
(2) By adjusting the minimum support flexibly, both the number of malicious addresses found and the risk value characterizing their degree of malice can be controlled.
(3) Analysis interference caused by false IP addresses in normal access business is avoided.
(4) Striking in order of risk value means that network and host resources can be restored to an acceptable level by limiting only the small number of IPs with the highest degree of malice.
It is apparent to those skilled in the art that, for convenience and simplicity of description, the specific working processes of the systems, devices and units described above may refer to the corresponding processes in the foregoing method embodiments, and are not repeated here.
The embodiments described above only express several embodiments of the present invention; their description is specific and detailed, but cannot therefore be interpreted as limiting the scope of the patent of the present invention. It should be pointed out that those of ordinary skill in the art can make various modifications and improvements without departing from the inventive concept, and these all belong to the scope of protection of the present invention. Therefore, the scope of protection of the patent of the present invention shall be subject to the appended claims.

Claims (10)

1. A detection method based on malicious addresses in DDOS attacks, characterized by comprising:
obtaining the header file of a data packet in a preset time window, and forming an N item collection from preset N field projects in the header file;
searching, in a Candidate Set formed from the N field projects of the header files of a preset number of data packets, for the records containing subsets of the N item collection;
setting a minimum support of the number of times of the records or a minimum support of the frequency of the records;
when the number of times or the frequency of the records of any subset of the N item collection is less than the minimum support, detecting the next data packet;
when the number of times or the frequency of the records of the N item collection and of any of its subsets is not less than the minimum support, determining that the source address of the current data packet is a malicious address.
2. The detection method based on malicious addresses in DDOS attacks according to claim 1, characterized in that:
the preset N field projects include at least three of source address, destination address, packet length, destination port and protocol type, where N ≥ 3; or,
the preset N field projects include source address, destination address, packet length, destination port and protocol type, where N ≥ 5; or,
the preset N field projects include at least five of source address, destination address, packet length, destination port, protocol type, source port and network path, where N ≥ 5.
3. The detection method based on malicious addresses in DDOS attacks according to claim 1, characterized in that, before the step of obtaining the header file of a data packet in the preset time window, the method comprises:
monitoring the data packet flow of the network, and, when the data packet flow exceeds a first alarm threshold, obtaining a preset number of data packets or the data packets within a preset duration.
4. The detection method based on malicious addresses in DDOS attacks according to claim 1, characterized in that:
the step of searching, in the Candidate Set formed from the N field projects of the header files of a preset number of data packets, for the records containing subsets of the N item collection comprises:
starting from the unary subsets of the N item collection and proceeding to the N-1 member subsets of the N item collection, successively searching in the Candidate Set for the records containing the k member subsets of the N item collection, where 1 ≤ k ≤ N-1;
and after the step of setting the minimum support of the number of times or the frequency of the records, the method further comprises:
when the number of times or the frequency of the records of a k member subset of the N item collection is not less than the minimum support, searching in the Candidate Set for the records containing the k+1 member subsets of the N item collection.
5. The detection method based on malicious addresses in DDOS attacks according to claim 1, characterized in that, after the step of determining that the source address of the current data packet is a malicious address when the number of times or the frequency of the records of the N item collection and of any of its subsets is not less than the minimum support, the method further comprises:
setting the number of times or the frequency of the records of the N item collection as the risk value of the malicious address;
setting a minimum confidence for the risk value of the malicious address;
when the monitored data packet flow of the network exceeds a second alarm threshold, limiting the access of the malicious addresses not in a white list whose risk value is greater than the minimum confidence;
when the monitored data packet flow of the network falls below a third alarm threshold, analyzing the address sources of the malicious addresses whose risk value is greater than the minimum confidence, and adding the malicious addresses to the white list according to the result of the analysis.
6. A detection device based on malicious addresses in DDOS attacks, characterized by comprising:
a pointer acquiring unit, for obtaining the header file of a data packet in a preset time window and forming an N item collection from the preset N field projects in the header file;
a record search unit, for searching, in a Candidate Set formed from the N field projects of the header files of a preset number of data packets, for the records containing subsets of the N item collection;
a threshold setting unit, for setting a minimum support of the number of times of the records or a minimum support of the frequency of the records;
a pointer jump unit, for detecting the next data packet when the number of times or the frequency of the records of any subset of the N item collection is less than the minimum support;
a result judgement unit, for determining that the source address of the current data packet is a malicious address when the number of times or the frequency of the records of the N item collection and of any of its subsets is not less than the minimum support.
7. The detection device based on malicious addresses in DDOS attacks according to claim 6, characterized in that the pointer acquiring unit comprises:
a project designating unit, for specifying the preset N field projects;
the preset N field projects include at least three of source address, destination address, packet length, destination port and protocol type, where N ≥ 3; or,
the preset N field projects include source address, destination address, packet length, destination port and protocol type, where N ≥ 5; or,
the preset N field projects include at least five of source address, destination address, packet length, destination port, protocol type, source port and network path, where N ≥ 5.
8. The detection device based on malicious addresses in DDOS attacks according to claim 6, characterized by comprising:
a first alarm unit, for monitoring the data packet flow of the network and, when the data packet flow exceeds a first alarm threshold, obtaining a preset number of data packets or the data packets within a preset duration.
9. The detection device based on malicious addresses in DDOS attacks according to claim 6, characterized in that the record search unit comprises:
a recursive lookup unit, for starting from the unary subsets of the N item collection and proceeding to the N-1 member subsets of the N item collection, successively searching in the Candidate Set for the records containing the k member subsets of the N item collection, where 1 ≤ k ≤ N-1; and, when the number of times or the frequency of the records of a k member subset of the N item collection is not less than the minimum support, searching in the Candidate Set for the records containing the k+1 member subsets of the N item collection.
10. The detection device based on malicious addresses in DDOS attacks according to claim 6, characterized by further comprising:
a risk value unit, for setting the number of times or the frequency of the records of the N item collection as the risk value of the malicious address;
a confidence setting unit, for setting a minimum confidence of the risk value of the malicious address;
a second alarm unit, for limiting, when the monitored data packet flow of the network exceeds a second alarm threshold, the access of the malicious addresses not in a white list whose risk value is greater than the minimum confidence;
a third alarm unit, for analyzing, when the monitored data packet flow of the network falls below a third alarm threshold, the address sources of the malicious addresses whose risk value is greater than the minimum confidence, and adding the malicious addresses to the white list according to the result of the analysis.
CN201610671479.0A 2016-08-15 2016-08-15 A kind of detection method and device based on malice address in DDOS attack Active CN106302450B (en)

Publications (2)

Publication Number Publication Date
CN106302450A CN106302450A (en) 2017-01-04
CN106302450B true CN106302450B (en) 2019-08-30

Families Citing this family (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106685636B (en) * 2017-03-22 2019-11-08 电子科技大学 A kind of frequency analysis method of combined data locality characteristic
CN108965207B (en) * 2017-05-19 2021-02-26 北京京东尚科信息技术有限公司 Machine behavior identification method and device
CN107332856B (en) * 2017-07-28 2021-01-29 腾讯科技(深圳)有限公司 Address information detection method and device, storage medium and electronic device
GB201802347D0 (en) * 2018-02-13 2018-03-28 Nchain Holdings Ltd Computer-implemented system and method
US11563772B2 (en) 2019-09-26 2023-01-24 Radware, Ltd. Detection and mitigation DDoS attacks performed over QUIC communication protocol
CN111581328A (en) * 2020-04-21 2020-08-25 浙江华途信息安全技术股份有限公司 Data comparison detection method and system
CN113645176B (en) * 2020-05-11 2023-08-08 北京观成科技有限公司 Method and device for detecting fake flow and electronic equipment
CN116866055B (en) * 2023-07-26 2024-02-27 中科驭数(北京)科技有限公司 Method, device, equipment and medium for defending data flooding attack

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101640666A (en) * 2008-08-01 2010-02-03 北京启明星辰信息技术股份有限公司 Device and method for controlling flow quantity facing to target network
CN102882881A (en) * 2012-10-10 2013-01-16 常州大学 Special data filtering method for eliminating denial-of-service attacks to DNS (domain name system) service
CN104348811A (en) * 2013-08-05 2015-02-11 深圳市腾讯计算机系统有限公司 Method and device for detecting attack of DDoS (distributed denial of service)
CN105282169A (en) * 2015-11-04 2016-01-27 中国电子科技集团公司第四十一研究所 DDoS attack warning method and system based on SDN controller threshold
CN105306475A (en) * 2015-11-05 2016-02-03 天津理工大学 Network intrusion detection method based on association rule classification
CN105719155A (en) * 2015-09-14 2016-06-29 南京理工大学 Association rule algorithm based on Apriori improved algorithm
CN105847283A (en) * 2016-05-13 2016-08-10 深圳市傲天科技股份有限公司 Information entropy variance analysis-based abnormal traffic detection method

Patent Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101640666A (en) * 2008-08-01 2010-02-03 北京启明星辰信息技术股份有限公司 Device and method for controlling flow quantity facing to target network
CN102882881A (en) * 2012-10-10 2013-01-16 常州大学 Special data filtering method for eliminating denial-of-service attacks to DNS (domain name system) service
CN104348811A (en) * 2013-08-05 2015-02-11 深圳市腾讯计算机系统有限公司 Method and device for detecting attack of DDoS (distributed denial of service)
CN105719155A (en) * 2015-09-14 2016-06-29 南京理工大学 Association rule algorithm based on Apriori improved algorithm
CN105282169A (en) * 2015-11-04 2016-01-27 中国电子科技集团公司第四十一研究所 DDoS attack warning method and system based on SDN controller threshold
CN105306475A (en) * 2015-11-05 2016-02-03 天津理工大学 Network intrusion detection method based on association rule classification
CN105847283A (en) * 2016-05-13 2016-08-10 深圳市傲天科技股份有限公司 Information entropy variance analysis-based abnormal traffic detection method

Also Published As

Publication number Publication date
CN106302450A (en) 2017-01-04

Similar Documents

Publication Publication Date Title
CN106302450B (en) A kind of detection method and device based on malice address in DDOS attack
Protić Review of KDD Cup ‘99, NSL-KDD and Kyoto 2006+ datasets
CN109600363B (en) Internet of things terminal network portrait and abnormal network access behavior detection method
US8307441B2 (en) Log-based traceback system and method using centroid decomposition technique
CN111756759B (en) Network attack tracing method, device and equipment
CN108289088A (en) Abnormal traffic detection system and method based on business model
CN106027559A (en) Network session statistical characteristic based large-scale network scanning detection method
CN105763561B (en) A kind of attack defense method and device
CN104135474B (en) Intrusion Detection based on host goes out the Network anomalous behaviors detection method of in-degree
KR20120068612A (en) Dns query traffic monitoring and processing method and apparatus
JP2001217834A (en) System for tracking access chain, network system, method and recording medium
CN110224970B (en) Safety monitoring method and device for industrial control system
Sabri et al. Identifying false alarm rates for intrusion detection system with data mining
CN108270722A (en) A kind of attack detection method and device
Lee et al. Abnormal behavior-based detection of Shodan and Censys-like scanning
CN106357660A (en) Method and device for detecting IP (internet protocol) of spoofing source in DDOS (distributed denial of service) defense system
Riadi et al. Internet forensics framework based-on clustering
CN112769833A (en) Method and device for detecting command injection attack, computer equipment and storage medium
KR20190028076A (en) Visualization method and visualization apparatus
CN112217777A (en) Attack backtracking method and equipment
KR20200109875A (en) Harmful ip determining method
Abushwereb et al. Attack based DoS attack detection using multiple classifier
Pack et al. Detecting HTTP tunneling activities
AlZoubi et al. The effect of using honeypot network on system security
KR101991736B1 (en) Correlation visualization method and correlation visualization apparatus

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant