CN106656922A - Flow analysis based protective method and device against network attack - Google Patents
- Publication number: CN106656922A (application CN201510729059.9A)
- Authority: CN (China)
- Prior art keywords: network, access, webserver, attack source, traffics
- Legal status: Pending
Classifications
- H04L63/1416—Event detection, e.g. attack signature detection (under H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic)
- H04L63/1441—Countermeasures against malicious traffic
- H04L67/02—Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
Abstract
The invention discloses a flow-analysis-based method for protecting against network attacks. The method comprises: collecting the network traffic between a web server and a network routing device; parsing the network access parameters in that traffic; matching them against a preset rule to find the target network access parameters that correspond to the traffic generated when a network attack source accesses the web server; and, according to the target network access parameters, forbidding the network attack source from establishing a connection to the web server. Under the schemes of the invention no operation is required on the client or external server, which reduces the user's learning cost; and, compared with the traditional manner in which a WAF server must be connected, the method and device apply to every client or external server that accesses the web server, security detection is performed without connecting a WAF server, 100% security protection is provided for the web server, and the overall security of the cloud computing network is improved.
Description
Technical field
The present application relates to the field of network technology, and in particular to a flow-analysis-based method for protecting against network attacks and a flow-analysis-based device for protecting against network attacks.
Background technology
As web applications become ever richer, web servers have increasingly become the main target of attack, and security incidents such as SQL injection, web page tampering and web page trojan implanting occur frequently. To strengthen the security of web servers, a WAF (Web Application Firewall) is generally used as an access control device: it parses the requests initiated by web clients, inspects their content, ensures that each request is legitimate, blocks illegitimate requests, and thereby protects the web server effectively.
Early WAFs were typically hardware devices, connected into the network in series (inline) or in bypass mode, and generally suited to IDC (Internet Data Center) machine rooms or enterprise users. In today's prevailing cloud computing systems the WAF offered to users is usually a cloud WAF, i.e. all WAF functions are provided from the cloud and no product needs to be deployed locally. It is implemented by changing the user's NS (Name Server) records or CNAME (canonical name) records so that network traffic is directed to the WAF servers.
Existing WAFs have the following drawbacks:
1. Because the protection rules of a hardware WAF are predefined, it is difficult to update the protection policy after a new vulnerability appears; moreover, the complexity of its deployment and its high maintenance cost make it unsuitable for cloud computing environments.
2. Users must change their NS records or CNAME records themselves to obtain security protection, which increases the user's learning cost; and for users who have not connected to the WAF servers no security protection can be provided for the web server, so 100% protection cannot be reached in a cloud computing system and the overall security of the cloud computing network is reduced.
3. Existing WAFs usually finish matching a network request against all rules before deciding whether to intercept or pass the request, which increases the delay of a user's access to the web server.
4. Existing WAFs protect a single website or a single web service; they perceive large-scale vulnerability scanning of the whole network poorly, and do not provide coordinated (linked) protection against large-scale scanning of the cloud computing system by the same attacker.
Summary of the invention
The technical problem to be solved by the embodiments of the present application is to provide a flow-analysis-based network attack protection method that partly or wholly solves the above problems.
Correspondingly, the embodiments of the present application also provide a flow-analysis-based network attack protection device, to ensure the implementation and application of the above method.
To solve the above problems, the present application discloses a flow-analysis-based network attack protection method, comprising:
collecting the network traffic between the web server and the network routing device;
parsing the network access parameters in the network traffic;
by matching against a preset rule, finding the target network access parameters corresponding to the network traffic generated when a network attack source accesses the web server;
forbidding, according to the target network access parameters, the network attack source from establishing a connection with the web server.
Preferably, collecting the network traffic between the web server and the network routing device comprises: using a network optical splitter, network switch or hub connected between the web server and the network routing device to replicate the network traffic the web server sends to the network routing device.
Preferably, collecting the network traffic between the web server and the network routing device further comprises: dividing, by a network shunt device, the network traffic that belongs to the same network access.
Preferably, the network traffic consists of TCP packets, and before parsing the network access parameters in the network traffic the method further comprises: determining that the TCP packet records one complete network access procedure as HTTP data.
Preferably, before parsing the network access parameters in the network traffic, the method further comprises: if the TCP packet does not record the HTTP data of one complete network access procedure, reassembling, according to the numbering carried by the TCP packets, the multiple TCP packets that belong to the same network access into HTTP data that records that one network access according to the seven-layer network transmission structure.
Preferably, the network access parameters include at least one of a Uniform Resource Identifier, the access source IP, the access destination IP, the Host field, the access link source (Referer), the user agent, a cookie, and the access request parameters.
Preferably, finding, by matching against a preset rule, the target network access parameters corresponding to the network traffic generated when a network attack source accesses the web server comprises:
for the network traffic corresponding to the same network access, matching the network access parameters against the preset rule, where the preset rule indicates at least one item of characteristic data carried when the network attack source accesses the web server and comprises a plurality of sub-rules;
if the network access parameters match at least one of the sub-rules, determining that the corresponding network traffic is traffic generated by the network attack source accessing the web server, and taking the corresponding network access parameters as the target network access parameters.
Preferably, forbidding the network attack source from establishing a connection with the web server according to the target network access parameters comprises: forbidding the network attack source from establishing a connection with the web server according to at least one other network access parameter that belongs to the same network access as the target network access parameters.
Preferably, the target network access parameters include the Uniform Resource Identifier of the network attack source, and before forbidding the network attack source from establishing a connection with the web server according to the target network access parameters, the method further comprises: extracting the access source IP of the network attack source from the network traffic of the same network access that corresponds to that Uniform Resource Identifier.
Preferably, forbidding the network attack source from establishing a connection with the web server according to at least one other network access parameter belonging to the same network access as the target network access parameters comprises:
collecting in real time the network traffic the web server sends to the network routing device;
if an access source IP recorded in that traffic matches the access source IP of the network attack source, interrupting the connection between the network attack source and the web server by sending a connection reset message to the network attack source or to the web server.
Preferably, forbidding the network attack source from establishing a connection with the web server according to at least one other network access parameter belonging to the same network access as the target network access parameters comprises: notifying the access source IP of the network attack source to the multiple web servers included in the network cluster where the web server resides, so that each web server, upon receiving a network access request from the access source IP of the network attack source, interrupts the connection with the network attack source.
The present application also provides a flow-analysis-based network attack protection device, comprising:
a traffic collection module for collecting the network traffic between the web server and the network routing device;
a parameter parsing module for parsing the network access parameters in the network traffic;
a parameter lookup module for finding, by matching against a preset rule, the target network access parameters corresponding to the network traffic generated when a network attack source accesses the web server;
a connection forbidding module for forbidding, according to the target network access parameters, the network attack source from establishing a connection with the web server.
Preferably, the traffic collection module comprises: a traffic replication sub-module for replicating, using a network optical splitter, network switch or hub connected between the web server and the network routing device, the network traffic the web server sends to the network routing device.
Preferably, the traffic collection module further comprises: a traffic division sub-module for dividing, by a network shunt device, the network traffic that belongs to the same network access.
Preferably, the network traffic consists of TCP packets, and the device further comprises: a traffic judgement module for determining, before the network access parameters in the network traffic are parsed, that the TCP packet records one complete network access procedure as HTTP data.
Preferably, the device further comprises: a traffic reassembly module for reassembling, before the network access parameters in the network traffic are parsed and if the TCP packet does not record the HTTP data of one complete network access procedure, the multiple TCP packets that belong to the same network access, according to the numbering they carry, into HTTP data that records that one network access according to the seven-layer network transmission structure.
Preferably, the network access parameters include at least one of a Uniform Resource Identifier, the access source IP, the access destination IP, the Host field, the access link source (Referer), the user agent, a cookie, and the access request parameters.
Preferably, the parameter lookup module comprises:
a rule matching sub-module for matching, for the network traffic corresponding to the same network access, the network access parameters against the preset rule, where the preset rule indicates at least one item of characteristic data carried when the network attack source accesses the web server and comprises a plurality of sub-rules;
an attack traffic determination sub-module for determining, if the network access parameters match at least one of the sub-rules, that the corresponding network traffic is traffic generated by the network attack source accessing the web server, and taking the corresponding network access parameters as the target network access parameters.
Preferably, the connection forbidding module is specifically configured to forbid the network attack source from establishing a connection with the web server according to at least one other network access parameter that belongs to the same network access as the target network access parameters.
Preferably, the target network access parameters include the Uniform Resource Identifier of the network attack source, and the device further comprises: an IP extraction module for extracting, before the network attack source is forbidden from establishing a connection with the web server according to the target network access parameters, the access source IP of the network attack source from the network traffic of the same network access that corresponds to that Uniform Resource Identifier.
Preferably, the connection forbidding module comprises:
a real-time traffic collection sub-module for collecting in real time the network traffic the web server sends to the network routing device;
a first connection interruption sub-module for interrupting, if an access source IP recorded in that traffic matches the access source IP of the network attack source, the connection between the network attack source and the web server by sending a connection reset message to the network attack source or to the web server.
Preferably, the connection forbidding module comprises: a second connection interruption sub-module for notifying the access source IP of the network attack source to the multiple web servers included in the network cluster where the web server resides, so that each web server, upon receiving a network access request from the access source IP of the network attack source, interrupts the connection with the network attack source.
Compared with the prior art, the embodiments of the present application have the following advantages:
According to the embodiments of the present application, the network traffic between the web server and the network routing device is collected and the relevant network access parameters are parsed from it; then, by matching against a preset rule, the target network access parameters corresponding to the traffic generated when a network attack source accesses the web server are found; on that basis the attacks of the attack source are monitored and the attack source is forbidden from establishing a connection with the web server. With the scheme of the embodiments no setup operation is required on the client or external server, which reduces the user's learning cost; and, compared with the traditional manner that requires connecting to WAF servers, the embodiments apply to every client or external server that accesses the web server, security detection is performed without connecting to WAF servers, 100% security protection is provided for the web server, and the overall security of the cloud computing system is improved.
Moreover, the embodiments mine the target network access parameters of the attack source by rule matching and monitor real-time network traffic on that basis; compared with the traditional manner of intercepting each network request and detecting it by rule matching, this reduces the delay of the user's access to the web server and shortens the time the user waits for the network service.
The system corresponding to the embodiments can be deployed in software on any suitable server or hardware device. Compared with a hardware WAF that protects with predefined rules, a new vulnerability only requires the protection rules to be updated after it appears; deployment is simple and convenient, maintenance cost is greatly reduced, and the system is better suited to cloud computing environments.
According to the embodiments of the present application, the mined target network access parameters of the attack source can also be notified to all web servers in the network cluster, so that linked protection can be applied against large-scale scanning of the cloud computing network by the same attack source.
Furthermore, the application can identify the target network access parameters, associate them with at least one other network access parameter of the same network access, and protect against the attack on the basis of the associated parameter; the attack source is thus protected against more fully, avoiding the incomplete protection that imperfect rule matching would cause.
Further, traditional firewalls operate at layers three and four of the OSI (Open System Interconnection) seven-layer model and cannot meet the layer-seven protection requirements of today's web applications. The embodiments of the present application can reassemble HTTP data that records one network access according to the seven-layer network transmission structure and identify the network attack source from multiple network access parameters of that HTTP data, so as to forbid it from accessing the web server; compared with traditional firewalls that work only at layers three and four, the network protection of the embodiments is more complete and better maintains the security of the web server.
The above is only an overview of the technical solution of the present application. In order that the technical means of the present application may be better understood and practised according to the content of the specification, and so that the above and other objects, features and advantages of the present application become more apparent, specific embodiments of the present application are set out below.
Description of the drawings
Fig. 1 shows a flow chart of the steps of embodiment 1 of a flow-analysis-based network attack protection method of the present application;
Fig. 2 shows a flow chart of the steps of embodiment 2 of a flow-analysis-based network attack protection method of the present application;
Fig. 3 shows a schematic diagram of the hardware connections in an example of an embodiment of the present application;
Fig. 4 shows a schematic diagram of TCP packet reassembly in an example of an embodiment of the present application;
Fig. 5 shows a schematic diagram of attack blocking in an example of an embodiment of the present application;
Fig. 6 shows a structural block diagram of embodiment 1 of a flow-analysis-based network attack protection device of the present application;
Fig. 7 shows a structural block diagram of embodiment 2 of a flow-analysis-based network attack protection device of the present application.
Specific embodiments
In order that the above objects, features and advantages of the present application may be more readily understood, the application is described in further detail below with reference to the drawings and specific embodiments.
Referring to Fig. 1, which shows a flow chart of the steps of embodiment 1 of a flow-analysis-based network attack protection method of the present application, the method may specifically comprise the following steps:
Step 101: collect the network traffic between the web server and the network routing device.
When a client or external server accesses the internet service offered by a network provider, its network access request is sent via the network routing device to the web server provided by the network provider; the information the web server returns in response to the request is sent from the web server to the network routing device and then on to the client or external server.
In the embodiments of the present application, the network traffic collected between the web server and the network routing device includes both the traffic sent from the web server to the network routing device and the traffic sent from the network routing device to the web server. The collected traffic records the multiple access procedures of multiple clients or external servers to the web server, together with all the packets the web server receives or sends during those accesses.
Step 102: parse the network access parameters in the network traffic.
The network traffic records the parameters related to this internet access, which are called the network access parameters; the parsed parameters can be used further to analyse the network attack source that attacks the web server. The network attack source may be any party that accesses the web server, such as a client or another external server, and the network access parameters may be any data included in the network traffic; the application is not restricted in this respect.
In a preferred embodiment of the present application, the network access parameters parsed from the network traffic may include at least one of the Uniform Resource Identifier (URI), the access source IP, the access destination IP, the Host field, the access link source (Referer), the user agent (User-Agent), a cookie, and the access request parameters.
Here the URI is the web page address accessed by the network access request; the access source IP is the IP address of the client that sent the network access request; the access destination IP is the IP address of the server that holds the web page; the Host field identifies the domain name of the page being requested; the access link source (Referer) indicates the source of the current page, i.e. the previous page from which the current page was linked (for a picture, the Referer is the page on which the picture is located); the user agent (User-Agent) is a special string header that lets the server identify the client's operating system and version, CPU type, browser and version, browser rendering engine, browser language, browser plug-ins and so on; and the access request parameters include the structured data corresponding to GET, POST and the like.
Specifically, when a client accesses a web page it sends a network access request to the web server. Taking an access request in HTTP (Hyper Text Transfer Protocol) format as an example, the request consists of an initial line, one or more header fields, an empty line that terminates the header fields, and an optional message body. The header fields fall into four parts: general headers, request headers, response headers and entity headers; the request headers carry the additional information that the client or external server sends to the web server about the access request, or about the terminal on which the client resides or the external server.
An example HTTP network access request is shown below:
GET http://download.microtool.de:80/somedata.exe
Host:download.microtool.de
Accept:*/*
Pragma:no-cache
Cache-Control:no-cache
Referer:http://download.microtool.de/
User-Agent:Mozilla/4.04[en](Win95;I;Nav)
Range:Bytes=554554-
Here the URI is http://download.microtool.de:80/somedata.exe, the Host is download.microtool.de, the Referer is http://download.microtool.de/, and the User-Agent is Mozilla/4.04 [en] (Win95; I; Nav).
Step 103: by matching against a preset rule, find the target network access parameters corresponding to the network traffic generated when a network attack source accesses the web server.
The network attack source is analysed in advance: the various items of characteristic data carried in the network access parameters when a network attack source accesses the internet are collected statistically, and rules for screening out the target network access parameters corresponding to the attack source are then established from that characteristic data.
For example, a preset rule may cover cases such as the network access parameters containing or not containing certain default characteristic data (such as ...), or the number of occurrences of certain characteristic data exceeding or falling below a threshold. A preset rule may be a single rule or may be composed of many rules, and it may be set that the network access parameters are determined to be target network access parameters when all the rules, or a certain number of them, are satisfied. In practice any other suitable rule may be adopted; the application is not limited in this respect.
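Steps 101 to 103 end to end, as an added example that is not the patent's own code: the segments of one access are grouped (the shunt device's job), reassembled by sequence number, parsed into the parameters listed under step 102, and matched against a preset rule of sub-rules of the two kinds just described (contains a feature; occurrence count over a threshold). The Segment type, the IPs, the rule features and all function names are assumptions.

```python
"""Steps 101-103 of the method, as an added example (not the patent's own code):
divide captured TCP segments into one bucket per network access, reassemble each
bucket by sequence number into one HTTP request, parse the network access
parameters the patent lists, and match them against a preset rule made of
sub-rules. Segments, IPs, rule features and all names are constructed."""
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

@dataclass
class Segment:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    seq: int        # the numbering carried by the TCP segment
    payload: bytes

def divide_by_access(segments):
    """Shunt-device step: every segment of one client->server access lands in
    one bucket keyed by (src IP, src port, dst IP, dst port)."""
    buckets = {}
    for s in segments:
        buckets.setdefault((s.src_ip, s.src_port, s.dst_ip, s.dst_port), []).append(s)
    return buckets

def reassemble(segments):
    """Recombine the out-of-order, possibly retransmitted segments of one access
    into the complete HTTP data, ordered by sequence number (duplicates dropped)."""
    by_seq = {}
    for s in segments:
        by_seq.setdefault(s.seq, s.payload)
    return b"".join(by_seq[seq] for seq in sorted(by_seq))

def parse_access_parameters(key, http_data):
    """Extract URI, access source/destination IP, Host, Referer, User-Agent,
    cookie and request parameters from one reassembled HTTP request."""
    head = http_data.decode("latin-1").split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, uri = lines[0].split(" ")[:2]
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {"method": method, "uri": uri, "src_ip": key[0], "dst_ip": key[2],
            "host": headers.get("host", ""), "referer": headers.get("referer", ""),
            "user_agent": headers.get("user-agent", ""),
            "cookie": headers.get("cookie", ""),
            "params": parse_qs(urlsplit(uri).query)}

# A preset rule is a list of sub-rules; each sees one access's parameters plus
# statistics over the whole capture. Matching any one sub-rule marks the
# access as traffic of an attack source.
def contains(field, needle):
    return lambda p, stats: needle in p[field]

def distinct_uris_from_source_over(threshold):
    return lambda p, stats: stats["uris_per_src"][p["src_ip"]] > threshold

PRESET_RULE = [
    contains("uri", "../"),                    # traversal probe in the URI
    contains("user_agent", "ExampleScanner"),  # constructed scanner marker
    distinct_uris_from_source_over(3),         # one source hitting many URIs
]

def find_target_parameters(segments, rule=PRESET_RULE):
    """Step 103: the network access parameters of every access that matches at
    least one sub-rule, i.e. the target network access parameters."""
    accesses = [parse_access_parameters(k, reassemble(v))
                for k, v in divide_by_access(segments).items()]
    uris = {}
    for p in accesses:
        uris.setdefault(p["src_ip"], set()).add(p["uri"])
    stats = {"uris_per_src": {ip: len(u) for ip, u in uris.items()}}
    return [p for p in accesses if any(sub(p, stats) for sub in rule)]

def sample_segments():
    """Constructed capture: one benign access, one traversal probe split over
    two out-of-order segments plus a retransmission, and a four-URI scan."""
    server = "203.0.113.5"
    benign = (b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
              b"User-Agent: Mozilla/5.0\r\nCookie: sid=abc\r\n\r\n")
    probe_a = b"GET /static/../../notes.txt HTTP/1.1\r\n"
    probe_b = b"Host: www.example.com\r\nUser-Agent: curl/7.0\r\n\r\n"
    segs = [
        Segment("192.0.2.10", server, 40001, 80, 1, benign),
        Segment("198.51.100.7", server, 40002, 80, 1 + len(probe_a), probe_b),
        Segment("198.51.100.7", server, 40002, 80, 1, probe_a),
        Segment("198.51.100.7", server, 40002, 80, 1, probe_a),  # retransmit
    ]
    for i, path in enumerate(["/admin", "/login", "/backup", "/config?x=1"]):
        req = (f"GET {path} HTTP/1.1\r\nHost: www.example.com\r\n"
               f"User-Agent: ExampleScanner/1.0\r\n\r\n").encode()
        segs.append(Segment("198.51.100.8", server, 50000 + i, 80, 1, req))
    return segs
```

Only the accesses of the two constructed attack sources come back as target parameters; the benign access from 192.0.2.10 matches no sub-rule.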
Step 104: forbid the network attack source from establishing a connection with the web server according to the target network access parameters.
Once the target network access parameters corresponding to the network attack source have been parsed and analysed from the network traffic, the access behaviour between clients or external servers and the web server can be monitored against those target parameters, and whenever the network attack source is found accessing the web server it is forbidden from establishing a connection with the web server.
Specifically, the network attack can be prevented, for example, by monitoring the network traffic and finding that it carries the target network access parameters; or by monitoring the TCP three-way handshake or four-way close in the network traffic and checking particular network access parameters in them. Any other suitable manner may also be chosen; the application is not limited in this respect.
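The blocking side of step 104, as an added example that is not part of the patent; it also covers the IP extraction, connection reset and cluster notification clauses from the summary above. The attacker's access source IP is taken from the access that carried a target URI and is then applied to every later access from that IP, including bare SYNs and requests to other servers in the cluster. FlowRecord, the IPs and the class and function names are assumptions, and a reset is returned as a decision tuple rather than sent.

```python
"""Step 104 and the IP-extraction, connection-reset and cluster-notification
clauses, as an added example (not the patent's own code): from the traffic of
the same network access that carried a target URI, extract the attack source's
access-source IP; then forbid that source, locally by answering its traffic
with a reset decision and across the cluster by notifying every web server.
Records, IPs and names are constructed; resets are returned as action tuples,
no packet is injected."""
from dataclasses import dataclass

@dataclass(frozen=True)
class FlowRecord:
    src_ip: str          # access source IP
    dst_ip: str          # access destination IP (a web server)
    uri: str = ""        # URI carried by this access; empty for a bare SYN
    syn: bool = False    # first packet of the TCP three-way handshake

def extract_attack_source_ips(flows, target_uris):
    """IP extraction: the access-source IP of every access whose URI is one of
    the target network access parameters found by rule matching."""
    return {f.src_ip for f in flows if f.uri in target_uris}

class ConnectionBlocker:
    """Connection-forbidding module, placed on the collecting device or in the
    web server's IP/TCP layer; judges each real-time record by source IP."""

    def __init__(self, attack_source_ips):
        self.blocked = set(attack_source_ips)
        self.actions = []

    def inspect(self, record):
        """Traffic from a known attack source is interrupted: a bare SYN is
        refused during the handshake, an established access gets a connection
        reset message toward the attack source or the web server."""
        if record.src_ip in self.blocked:
            kind = "refuse-handshake" if record.syn else "reset"
            action = (kind, record.src_ip, record.dst_ip)
            self.actions.append(action)
            return action
        return ("pass", record.src_ip, record.dst_ip)

class ClusterMember:
    """One web server of the cluster: once notified it interrupts the attack
    source itself, whichever URI that source asks for."""

    def __init__(self, name):
        self.name = name
        self.denied = set()

    def notify(self, ips):
        self.denied |= set(ips)

    def on_request(self, src_ip):
        return "interrupt" if src_ip in self.denied else "accept"

def notify_cluster(members, attack_source_ips):
    """Linked protection: every server in the cluster learns the attacker IPs."""
    for m in members:
        m.notify(attack_source_ips)
    return len(members)

def sample_flows():
    """Constructed capture; the second record carried the URI that step 103
    flagged, the third is the same source asking for an innocuous page."""
    return [
        FlowRecord("192.0.2.10", "203.0.113.5", "/index.html"),
        FlowRecord("198.51.100.7", "203.0.113.5", "/static/../../notes.txt"),
        FlowRecord("198.51.100.7", "203.0.113.5", "/login"),
    ]

def run_step_104(flows, target_uris, live_records, cluster):
    """Whole step: extract the attacker IPs, notify the cluster, then judge
    live traffic. Returns the IPs and one action per live record."""
    ips = extract_attack_source_ips(flows, target_uris)
    notify_cluster(cluster, ips)
    blocker = ConnectionBlocker(ips)
    return ips, [blocker.inspect(r) for r in live_records]
```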
In summary, according to the embodiments of the present application, the network traffic between the web server and the network routing device is collected and the relevant network access parameters are parsed from it; then, by matching against a preset rule, the target network access parameters corresponding to the traffic generated when a network attack source accesses the web server are found; on that basis the attacks of the attack source are monitored and the attack source is forbidden from establishing a connection with the web server. With the scheme of the embodiments no setup operation is required on the client or external server, which reduces the user's learning cost; and, compared with the traditional manner that requires connecting to WAF servers, the embodiments apply to every client or external server that accesses the web server, security detection is performed without connecting to WAF servers, 100% security protection is provided for the web server, and the overall security of the cloud computing system is improved.
Moreover, the embodiments mine the target network access parameters of the attack source by rule matching and monitor real-time network traffic on that basis; compared with the traditional manner of intercepting each network request and detecting it by rule matching, this reduces the delay of the user's access to the web server and shortens the time the user waits for the network service.
The system corresponding to the embodiments can be deployed in software on any suitable server or hardware device: for example, on a collection device connected between the web server and the network routing device that collects the network traffic, or on the web server itself; or steps 101 to 103 can be deployed on the collection device and step 104 at one of the protocol layers of the web server. For a web server using the OSI seven-layer model, for instance, step 104 can be implemented at the IP layer (layer three, the network layer) or at the TCP/UDP layer (layer four, the transport layer) to protect that layer. Compared with a hardware WAF that uses predefined protection rules, a new vulnerability simply requires the rules to be updated; deployment is simple and convenient, maintenance cost is greatly reduced, and the system is better suited to cloud computing environments.
In the embodiments of the present application, step 101 may preferably comprise:
Sub-step S1: using a network optical splitter, network switch or hub connected between the web server and the network routing device, replicate the network traffic the web server sends to the network routing device.
A mirror copy of the network traffic can be collected by placing a network optical splitter between the web server and the network routing device. The optical splitter is inserted into the optical fibre transmission path and replicates the data transmitted over the fibre: the original traffic passes through normally while a copy of the monitored traffic is supplied for analysis. A network switch, hub or any other suitable device can likewise be placed between the web server and the network routing device to collect the mirrored traffic; the application is not limited in this respect. A network switch is hardware that expands the network, providing more connection ports for a sub-network and thereby increasing the number of terminal devices that can be attached; a hub regenerates, reshapes and amplifies the signals it receives so as to extend the transmission distance of the network. Compared with a network switch or hub, obtaining the mirrored traffic through an optical splitter avoids any impact on the CPU performance of the switch or hub.
In an embodiment of the present application, preferably, the optical splitter, network switch, collector or similar device connected between the network server and the network routing device may also be connected to a traffic distributor, and step 101 may further include: dividing, by the traffic distributor, the network traffic belonging to the same network access.
The traffic distributor further separates the collected link data onto collection interfaces, providing data for an Internet information security monitoring system. The data input to the traffic distributor is replicated, aggregated, filtered and protocol-converted, ensuring that all network traffic of the same network access is output from the same interface. Specifically, network traffic of different accesses may be divided according to the IP address, access time, access source IP, access destination IP and so on carried in the network traffic packets, or according to other preset identifiers.
In an embodiment of the present application, preferably, step 103 may include:
Sub-step S2, for network traffic corresponding to the same network access, matching the network access parameters against the preset rule, where the preset rule indicates at least one characteristic carried when the network attack source accesses the network server, and the preset rule includes a plurality of sub-rules;
Sub-step S3, if the network access parameters match at least one of the sub-rules, determining that the corresponding network traffic is network traffic generated by the network attack source accessing the network server, and taking the corresponding network access parameters as the target network access parameters.
A preset rule that fits the network attack source is set in advance; network traffic matching the preset rule is then the network traffic generated when the network attack source accesses the network server. The preset rule may be set according to actual needs; for example, it may be set according to characteristics in the network traffic corresponding to the network attack source. Rule matching may be performed in different ways; for example, the preset rule may be that the network access parameters contain a certain characteristic, or that the number of times this characteristic occurs in the network access parameters exceeds a certain threshold. The present application is not limited in this respect.
In an embodiment of the present application, forbidding the network attack source from establishing a connection with the network server according to the target network access parameter is: forbidding the network attack source from establishing a connection with the network server according to at least one other network access parameter that belongs to the same network access as the target network access parameter.
In a specific implementation, the found target network access parameter may be added to a block list and used as the identifier for monitoring the network attack source. For example, after a URI containing " and " is identified and it is determined that the URI was generated by a network attack source accessing the network, the network may be monitored according to that URI and connections from the network attack source to the network server forbidden. Alternatively, at least one other network access parameter belonging to the same network access may be looked up according to the target network access parameter, the found network access parameter added to the block list, and that network access parameter used as the identifier for monitoring the network attack source. For example, after a URI containing " and " is identified and it is determined that the URI was generated by a network attack source accessing the network, the IP of the network attack source in this access is further looked up. This may be set according to demand: either the URI may be used, or connections from the network attack source to the network server may be monitored and forbidden according to the IP.
Therefore, by identifying the target network access parameter, associating at least one network access parameter in the same network access with it, and performing attack protection on the basis of the associated network access parameters, the network attack source can be protected against more comprehensively, avoiding the problem that imperfect rule matching leads to insufficiently comprehensive protection.
It should be understood that, to achieve more comprehensive protection, as many network access parameters in the network traffic as possible may be associated, and before the network access parameters are extracted it may be determined whether the network traffic is complete HTTP data; if not, data reassembly may be performed to obtain complete HTTP data.
Accordingly, preferably, the target network access parameter may include the Uniform Resource Identifier (URI) of the network attack source. Before forbidding the network attack source from establishing a connection with the network server according to the target network access parameter, the method may further include:
extracting the access source IP of the network attack source from the network traffic of the same network access corresponding to the Uniform Resource Identifier.
Further, in a preferred embodiment of the present application, the network attack source may be forbidden from establishing a connection with the network server by monitoring in real time the network traffic generated by the network attack source, and step 104 may include:
Sub-step S5, collecting in real time the network traffic sent by the network server to the network routing device;
Sub-step S6, if the access source IP recorded in the network traffic matches the access source IP of the network attack source, interrupting the connection between the network attack source and the network server by sending a connection reset packet to the network attack source or to the network server.
In the present application, network traffic is collected in real time and it is identified whether the network traffic includes the access source IP of the network attack source; if so, the traffic is determined to be network traffic generated by the network attack source. Particularly preferably, the access source IP of the network attack source may be identified by parsing the three-way handshake information in the network traffic: when the above step 104 is deployed on the collection device, identification may be performed by parsing the three-way handshake information in the network traffic, and when step 104 is deployed at a certain layer of the network server, the access source IP of the network attack source may be identified when that layer receives the three-way handshake information.
The three-way handshake protocol refers to the preparatory stage before data is sent, in which three interactions are required between the destination server providing the service and the client or external server:
First handshake: the client or external server sends a SYN packet (SYN=j) to the destination server, enters the SYN_SEND state, and waits for the destination server to confirm.
Second handshake: on receiving the SYN packet, the destination server must acknowledge the SYN (ACK=j+1) and at the same time send a SYN packet of its own (SYN=k), that is, a SYN-ACK packet; the destination server now enters the SYN_RECV state.
Third handshake: the client or external server receives the SYN-ACK packet from the destination server and sends an acknowledgement packet ACK (ACK=k+1) to the destination server. Once this packet is sent, the client or external server and the destination server enter the ESTABLISHED state, and the three-way handshake is complete.
After the connection is established, the client or external server and the destination server can begin data transmission.
In an embodiment of the present application, the SYN packets sent by the client or external server to the destination server, or the SYN-ACK packets sent by the destination server to the client or external server, may be monitored; the access source IP of the network attack source is identified by parsing the packets, and a connection reset packet (RST packet) may then be sent to the destination server or to the client/external server to interrupt the connection between the network attack source and the network server.
Further, in another preferred embodiment of the present application, the network server may be configured to prevent the network attack source from accessing it, and step 104 may include:
Sub-step S7, notifying the access source IP of the network attack source to the multiple network servers included in the network cluster in which the network server is located, so that each network server interrupts the connection with the network attack source on receiving a network access request from the access source IP of the network attack source.
After the network traffic generated by a certain network attack source accessing a certain network server is identified, the access source IP of that network attack source can be extracted, and the purpose of preventing the network attack source from accessing is further achieved by recognizing the access source IP. Specifically, the access source IP may be notified to the network server it accessed, to prevent that network attack source from accessing that network server; or the access source IP may at the same time be sent to the multiple network servers in the network cluster in which the accessed network server is located, to prevent the network attack source from accessing all network servers in the network cluster, thereby providing linked protection against large-scale scanning of the cloud computing system by the same network attack source.
Referring to Fig. 2, a flow chart of the steps of Embodiment 2 of a flow-analysis-based network attack protection method of the present application is shown, which may specifically include the following steps:
Step 201, collecting the network traffic between the network server and the network routing device, the network traffic being TCP packets.
The client or external server establishes a network connection with the network server at the network transport layer and then transmits data at the application layer. Depending on the transport protocol used at the network transport layer, the network traffic may be data in the different formats corresponding to that transport protocol. Taking as an example TCP (Transmission Control Protocol) as the transport protocol used at the network transport layer, with HTTP (HyperText Transfer Protocol) as the corresponding transport protocol used at the application layer, the network traffic monitored by the present application consists of TCP packets.
Step 202, determining whether the TCP packets are HTTP data recording one complete network access process.
In a network access process, data is transmitted through the seven-layer network transmission structure of the OSI model, which comprises, in order, the application layer, presentation layer, session layer, transport layer, network layer, data link layer and physical layer; therefore, one complete network access process records the HTTP data that has passed through this seven-layer network transmission structure.
It will be appreciated that the network traffic recording a complete network access process, such as complete HTTP data, includes many kinds of parameters added to the network traffic by the multi-layer network transport protocols; performing rule matching on these complete, multiple kinds of network access parameters achieves more comprehensive protection. If the network traffic is incomplete, it may be reassembled; for example, layer-7 reassembly may be performed on network traffic transmitted according to the OSI model.
To determine whether the TCP packets are HTTP data and record one complete network access process, it may first be determined whether the TCP packets are an HTTP request by checking whether the TCP packets contain a field such as HTTP, GET, PUT or POST, and then further determined whether the packets are a complete HTTP request. Preferably, a complete HTTP request may be determined by determining that the HTTP request header has ended; any suitable determination method may be used, such as keyword judgement or packet length judgement. Taking judgement of the end of the request header as an example: for an HTTP GET request, if an ending of \r\n\r\n is detected, the request header is determined to have ended; for an HTTP POST request header, if an ending of \r\n\r\n is detected and the length of the data portion conforms to the length specified by the Content-Length field in the request header, the request header is determined to have ended.
Step 203, if the TCP packets are not HTTP data recording one complete network access process, reassembling, according to the numbering carried by the TCP packets, the multiple TCP packets belonging to the same network access into HTTP data recording the network access through the seven-layer network transmission structure.
If the TCP packets are HTTP data and record one complete network access process, the network access parameters therein can be extracted directly; if one complete network access process is not recorded, the incomplete TCP packets need to be reassembled.
TCP packets belonging to the same network access process carry associated sequence numbers; therefore, TCP packets whose sequence numbers fit together can be combined to obtain HTTP data recording one complete network access process. Preferably, the sequence numbers of TCP packets belonging to the same network access process increase in units of bytes: the sequence number of the following TCP packet is the sum of the sequence number of the preceding TCP packet and the length of that preceding TCP packet. Therefore, if multiple TCP packets are detected to conform to this numbering rule, they can be determined to be multiple TCP packets belonging to the same network access process.
Step 204, parsing the network access parameters in the network traffic.
Step 205, by matching against the preset rule, looking up the target network access parameter corresponding to the network traffic generated by the network attack source accessing the network server.
Multiple network access parameters are recorded in the HTTP data obtained after reassembly, and one or more rules may be set accordingly for matching according to actual needs, so that identification can be performed according to multiple network access parameters and the network attack source monitored more comprehensively.
Step 206, forbidding the network attack source from establishing a connection with the network server according to the target network access parameter.
Specifically, network attack protection may be performed on the basis of the found target network access parameter. The multiple network access parameters recorded in the HTTP data that records one complete network access process after layer-7 reassembly may be extracted, the found target network access parameter associated with at least one network access parameter recorded in the HTTP data, and network attack protection performed on the basis of the associated network access parameters. Which network access parameters are used as the basis may be set according to actual requirements; the present application is not limited in this respect.
According to the embodiments of the present application, the network traffic between the network server and the network routing device is collected and the relevant network access parameters are parsed from it; then, by matching against the preset rule, the target network access parameter corresponding to the network traffic generated by the network attack source accessing the network server is looked up, the network attack of the attack source is monitored on this basis, and the network attack source is forbidden from establishing a connection with the network server. With the scheme of the embodiments of the present application, no configuration operation is required on the client or external server, reducing the learning cost for users. Compared with the traditional approach in which WAF servers must be accessed, the embodiments of the present application perform security detection for all clients or external servers accessing the network server without requiring access to WAF servers, providing 100% security protection for the network server and improving the overall security of the cloud computing system.
Moreover, the embodiments of the present application mine the target network access parameter of the network attack source by rule matching and monitor the real-time network traffic on this basis. Compared with the traditional approach of performing rule-matching detection on each network request as it arrives, this can reduce the delay of users accessing the Web server and shorten the time users wait to obtain network services.
The system corresponding to the embodiments of the present application can be deployed in software form on any suitable server or hardware device. Compared with a hardware WAF, protection is provided by means of predefined rules, and when a new vulnerability appears only the rules need to be updated; deployment is convenient and simple, maintenance cost is greatly reduced, and the scheme is better suited to cloud computing system environments.
According to the embodiments of the present application, the mined target network access parameter of the network attack source may also be notified to all network servers in the network cluster, thereby providing linked protection against large-scale scanning of the cloud computing network by the same network attack source.
Further, a traditional firewall operates at layers three and four of the OSI (Open System Interconnect) seven-layer model and cannot meet the current layer-7 protection requirements of web applications. The embodiments of the present application can reassemble the HTTP data recording one network access through the seven-layer network transmission structure and identify the network attack source according to the multiple network access parameters of that HTTP data, so as to forbid it from accessing the network server. Compared with a traditional firewall operating only at layers three and four, the network protection of the embodiments of the present application is more comprehensive and better maintains the security of the network server.
It should be noted that, for simplicity of description, the method embodiments are all expressed as a series of combinations of actions, but those skilled in the art should understand that the embodiments of the present application are not limited by the described sequence of actions, because according to the embodiments of the present application some steps may be performed in another order or simultaneously. Secondly, those skilled in the art should also understand that the embodiments described in the specification are all preferred embodiments, and the actions involved are not necessarily required by the embodiments of the present application.
To help those skilled in the art better understand the present application, the flow-analysis-based network attack protection scheme of the embodiments of the present application is described below by way of a specific example.
Referring to Fig. 3, a schematic diagram of the hardware device connections in an example of the embodiments of the present application is shown.
An optical splitter and a traffic distributor are connected between the servers and the core router at the ISP (Internet Service Provider). Traffic is split off on the carrier side and then passes through the traffic distributor to the collectors, being distributed to collector 1 and collector 2. A collector is a server that receives the mirrored traffic; it is generally fitted with a Broadcom 10-gigabit network interface card suited to the processing demand and runs the bypass WAF system implementing the embodiments of the present application, which may include six parts: a traffic collection subsystem, an HTTP reassembly subsystem, an HTTP information extraction subsystem, a rule matching subsystem, a bypass blocking subsystem and a logging subsystem.
The implementation process of the scheme of the present application is as follows:
After the collector driver receives the data traffic, the data traffic sent to the destination port is selected and replicated, and layer-7 reassembly is then performed by the HTTP reassembly subsystem.
Fig. 4 shows a schematic diagram of TCP packet reassembly in the example of the embodiments of the present application.
The HTTP reassembly subsystem reassembles the TCP segments of the same stream to obtain complete HTTP requests. The reassembly process includes:
For each TCP packet to the destination port (here port 80) delivered by the driver, the packet is determined to be an HTTP request according to keywords such as HTTP, GET, PUT or POST, and it is then further checked whether the packet is a complete HTTP request; if so, it is sent to the HTTP information extraction subsystem, otherwise the packet is cached. When the cached HTTP requests are reassembled, the basis for reassembly is the TCP sequence number; after reassembly is complete, all complete HTTP requests are finally sent to the HTTP information extraction subsystem.
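The completeness check of Step 202 and the sequence-number reassembly of Step 203, as also performed by the HTTP reassembly subsystem above, can be illustrated with the following added Python example. It is not the patent's code: the segment structure, flow key, method keywords and the sample POST request split into segments are constructed for the illustration.

```python
"""Reassembling TCP segments into one complete HTTP request (Steps 202/203)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

HEADER_END = b"\r\n\r\n"
# Method keywords used in Step 202 to recognise an HTTP request (constructed list)
REQUEST_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"DELETE ", b"OPTIONS ")


@dataclass(frozen=True)
class TcpSegment:
    """Minimal view of a captured TCP segment (constructed for this example)."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    seq: int          # TCP sequence number of the first payload byte
    payload: bytes


FlowKey = Tuple[str, int, str, int]


def flow_key(seg: TcpSegment) -> FlowKey:
    """Segments of one network access share source/destination IP and port."""
    return (seg.src_ip, seg.src_port, seg.dst_ip, seg.dst_port)


def looks_like_http_request(data: bytes) -> bool:
    """Step 202, first check: the payload starts with an HTTP method keyword."""
    return data.startswith(REQUEST_METHODS)


def content_length(header: bytes) -> Optional[int]:
    """Content-Length of the request header: 0 if absent, None if malformed."""
    for line in header.split(b"\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-length":
            try:
                return int(value.strip())
            except ValueError:
                return None
    return 0


def http_request_is_complete(data: bytes) -> bool:
    """Step 202, second check: the header ends with CRLF CRLF and, for a
    request carrying a body (e.g. POST), the body length equals Content-Length."""
    end = data.find(HEADER_END)
    if end < 0:
        return False
    length = content_length(data[:end])
    if length is None:
        return False
    return len(data) - (end + len(HEADER_END)) == length


def reassemble(segments: List[TcpSegment]) -> Dict[FlowKey, bytes]:
    """Step 203: per flow, sort segments by sequence number and join them while
    each one starts where the previous ended (seq_next == seq_prev + len(prev)).
    Retransmitted or overlapping bytes are dropped; a gap stops the join, so the
    request stays incomplete (cached) until the missing segment arrives."""
    by_flow: Dict[FlowKey, List[TcpSegment]] = {}
    for seg in segments:
        by_flow.setdefault(flow_key(seg), []).append(seg)
    out: Dict[FlowKey, bytes] = {}
    for key, segs in by_flow.items():
        segs.sort(key=lambda s: s.seq)
        data = bytearray()
        expected = segs[0].seq
        for seg in segs:
            if seg.seq > expected:
                break                               # hole in the stream
            fresh = seg.payload[expected - seg.seq:]  # drop overlapping bytes
            data += fresh
            expected += len(fresh)
        out[key] = bytes(data)
    return out


def complete_requests(segments: List[TcpSegment]) -> Dict[FlowKey, bytes]:
    """Flows whose reassembled payload is one complete HTTP request."""
    return {k: d for k, d in reassemble(segments).items()
            if looks_like_http_request(d) and http_request_is_complete(d)}


# Constructed sample: a POST split into three segments arriving out of order,
# plus a retransmission, and a second flow whose tail is missing.
FULL_REQUEST = (b"POST /login HTTP/1.1\r\nHost: example.test\r\n"
                b"Content-Length: 9\r\n\r\nuser=demo")
_A = ("198.51.100.7", "203.0.113.10", 40001, 80)
SAMPLE_SEGMENTS = [
    TcpSegment(*_A, seq=1050, payload=FULL_REQUEST[50:]),
    TcpSegment(*_A, seq=1000, payload=FULL_REQUEST[:20]),
    TcpSegment(*_A, seq=1020, payload=FULL_REQUEST[20:50]),
    TcpSegment(*_A, seq=1020, payload=FULL_REQUEST[20:50]),     # retransmit
    TcpSegment("198.51.100.8", "203.0.113.10", 40002, 80, 5000,
               FULL_REQUEST[:30]),                               # truncated
]
```

Only the first flow is emitted as a complete request; the truncated flow would remain in the cache awaiting its missing segment.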
The HTTP information extraction subsystem processes the reassembled HTTP information and extracts the URI, source IP, destination IP, Host, Referer, user agent, cookie, request parameters and other information for rule matching.
The rule matching subsystem matches all rules against the relevant information extracted by the HTTP information extraction subsystem; if any one rule matches successfully, the traffic is considered an attack, and the attacker's IP is added to the block list, forbidding that IP from accessing the Web servers in all cloud computing clusters. A WAF rule is a logical expression of a plurality of sub-rules joined by AND/OR. Each sub-rule is a feature description of a single item of HTTP information; for example, "the URI contains " and "" is a sub-rule, and the URI is one kind of HTTP information extracted by the HTTP information extraction subsystem.
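The AND/OR sub-rule expressions of the rule matching subsystem, together with the association of a hit URI with the source IP of the same access described earlier for the block list, can be illustrated with the following added Python example. It is not the patent's own code: the rule format, the parameter names and the sample accesses are constructed for the illustration.

```python
"""Rule matching over extracted HTTP access parameters and block-list association."""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# One network access after HTTP information extraction: a mapping of the
# access parameters named in the text (uri, src_ip, dst_ip, host, ...).
Access = Dict[str, str]


@dataclass(frozen=True)
class SubRule:
    """Feature description of a single HTTP parameter, e.g. URI contains " and "."""
    param: str
    op: str            # "contains", or "count_ge" for a threshold on occurrences
    value: str
    threshold: int = 1

    def matches(self, access: Access) -> bool:
        data = access.get(self.param, "")
        if self.op == "contains":
            return self.value in data
        if self.op == "count_ge":
            return data.count(self.value) >= self.threshold
        raise ValueError(f"unknown operator {self.op!r}")


@dataclass(frozen=True)
class Rule:
    """A WAF rule: sub-rules (or nested rules) joined by AND or OR."""
    rule_id: int
    op: str           # "and" / "or"
    terms: tuple      # of SubRule or Rule

    def matches(self, access: Access) -> bool:
        results = (t.matches(access) for t in self.terms)
        return all(results) if self.op == "and" else any(results)


@dataclass
class BlockList:
    """Target parameters (URIs) and the source IPs associated with them."""
    uris: Set[str] = field(default_factory=set)
    ips: Set[str] = field(default_factory=set)


def evaluate(rules: List[Rule], access: Access, blocklist: BlockList) -> List[int]:
    """Return the ids of rules hit by this access.  On a hit the matched URI is
    the target parameter; the source IP of the same access is looked up and
    added to the block list alongside it (the association described in the text)."""
    hits = [r.rule_id for r in rules if r.matches(access)]
    if hits:
        blocklist.uris.add(access["uri"])
        blocklist.ips.add(access["src_ip"])
    return hits


def should_block(access: Access, blocklist: BlockList) -> bool:
    """Real-time decision: block when either the URI or the associated IP is
    listed, so a listed source is still caught after it changes only the URI."""
    return access["uri"] in blocklist.uris or access["src_ip"] in blocklist.ips


# Constructed rules: rule 1 contains the text's example sub-rule (URI contains
# " and "); rule 2 combines two sub-rules with AND.
RULES = [
    Rule(1, "or", (SubRule("uri", "contains", " and "),
                   SubRule("uri", "contains", " or "))),
    Rule(2, "and", (SubRule("uri", "contains", "../"),
                    SubRule("user_agent", "contains", "scanner"))),
]

# Constructed sample accesses (RFC 5737 documentation addresses).
ACCESSES = [
    {"src_ip": "198.51.100.7", "dst_ip": "203.0.113.10", "host": "shop.example",
     "uri": "/item?id=1 and 1=1", "user_agent": "Mozilla/5.0"},
    {"src_ip": "198.51.100.7", "dst_ip": "203.0.113.10", "host": "shop.example",
     "uri": "/item?id=2", "user_agent": "Mozilla/5.0"},   # same source, benign URI
    {"src_ip": "198.51.100.9", "dst_ip": "203.0.113.10", "host": "shop.example",
     "uri": "/item?id=2", "user_agent": "Mozilla/5.0"},   # unrelated client
]


def run(accesses: List[Access], rules: List[Rule]) -> List[bool]:
    """Process accesses in arrival order; return the block decision for each."""
    bl = BlockList()
    decisions = []
    for acc in accesses:
        evaluate(rules, acc, bl)
        decisions.append(should_block(acc, bl))
    return decisions


if __name__ == "__main__":
    print(run(ACCESSES, RULES))   # [True, True, False]
```

The second access hits no rule, yet it is blocked through the IP associated with the first hit, which is the point of associating parameters of the same access.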
Interception of the attacker is implemented by the bypass blocking subsystem. The bypass blocking principle is to monitor in real time, through the mirrored traffic, the TCP three-way handshake information of a malicious IP and to send TCP RST packets so that the malicious IP cannot establish a TCP connection with the VM, thereby protecting the VMs in the cloud computing cluster.
Fig. 5 shows a schematic diagram of attack blocking in the example of the embodiments of the present application; the specific process includes:
1. The rule matching subsystem adds the attacker IP that hit a rule to the block list by calling the API of the bypass blocking subsystem.
2. An external server sends a SYN packet to a cloud computing VM; the collector monitors in real time the SYN-ACK packets sent by machines inside the cloud computing cluster to external servers, and exactly matches the destination IP contained in each packet against the block list.
3. If the destination IP is in the block list, it is an attacker IP; according to the TCP sequence number of the SYN-ACK, a TCP RST packet is assembled and sent to the server in the cloud computing VM, in which the destination IP is the cloud computing cluster server IP and the source IP is the attacker IP.
4. Sending the TCP RST packet interrupts the connection between the attacker IP and the cloud computing VM, so that attacker IPs in the block list cannot complete the TCP three-way handshake and cannot continue attacking the servers of the cloud computing cluster.
5. The logging subsystem records Web attack events and blocking events; the record includes the attacker source IP, attacked IP, attack request, number of the rule hit by the attack, blocking event source IP, source port, destination IP, destination port, and so on.
It should be noted that the interception operation may also be performed when the SYN packet is sent and the IP matches; the bypass blocking subsystem may also achieve the purpose of blocking the three-way handshake by sending the RST to the attacker.
Preferably, the packet-receiving driver module in the traffic collection subsystem may be implemented in many ways, such as DPDK, PF_RING, libpcap, or a modified ixgbe driver; the code implementing the method described in the embodiments of the present application may be written in any suitable language, such as C; and any applicable processor architecture may be used in a specific implementation, preferably the X86 architecture (the set of computer language instructions that the microprocessor can execute).
Referring to Fig. 6, a structural block diagram of Embodiment 1 of a flow-analysis-based network attack protection device of the present application is shown, which may specifically include the following modules:
Traffic collection module 301, for collecting the network traffic between the network server and the network routing device.
Parameter parsing module 302, for parsing the network access parameters in the network traffic.
Parameter lookup module 303, for looking up, by matching against the preset rule, the target network access parameter corresponding to the network traffic generated by the network attack source accessing the network server.
Connection forbidding module 304, for forbidding the network attack source from establishing a connection with the network server according to the target network access parameter.
In an embodiment of the present application, preferably, the traffic collection module may include:
a traffic replication sub-module, for replicating, using an optical splitter, network switch or hub connected between the network server and the network routing device, the network traffic sent by the network server to the network routing device.
Further preferably, the traffic collection module may also include:
a traffic division sub-module, for dividing, by a traffic distributor, the network traffic belonging to the same network access.
In an embodiment of the present application, preferably, the network access parameters include at least one of: the Uniform Resource Identifier, the access source IP, the access destination IP, the Host field, the access link source, the user agent, the cookie and the access request parameters.
In an embodiment of the present application, preferably, the parameter lookup module includes:
a rule matching sub-module, for matching, for network traffic corresponding to the same network access, the network access parameters against the preset rule, where the preset rule indicates at least one characteristic carried when the network attack source accesses the network server, and the preset rule includes a plurality of sub-rules;
an attack traffic determination sub-module, for determining, if the network access parameters match at least one of the sub-rules, that the corresponding network traffic is network traffic generated by the network attack source accessing the network server, and taking the corresponding network access parameters as the target network access parameters.
In an embodiment of the present application, preferably, the connection forbidding module may specifically be for forbidding the network attack source from establishing a connection with the network server according to at least one other network access parameter that belongs to the same network access as the target network access parameter.
In an embodiment of the present application, preferably, the target network access parameter may include the Uniform Resource Identifier of the network attack source; the device may also include:
an IP extraction module, for extracting the access source IP of the network attack source from the network traffic of the same network access corresponding to the Uniform Resource Identifier, before the network attack source is forbidden from establishing a connection with the network server according to the target network access parameter.
In an embodiment of the present application, preferably, the connection forbidding module includes:
a real-time traffic collection sub-module, for collecting in real time the network traffic sent by the network server to the network routing device;
a first connection interruption sub-module, for interrupting the connection between the network attack source and the network server by sending a connection reset packet to the network attack source or to the network server, if the access source IP recorded in the network traffic matches the access source IP of the network attack source.
In an embodiment of the present application, preferably, the connection forbidding module includes:
a second connection interruption sub-module, for notifying the access source IP of the network attack source to the multiple network servers included in the network cluster in which the network server is located, so that each network server interrupts the connection with the network attack source on receiving a network access request from the access source IP of the network attack source.
According to the embodiments of the present application, the network traffic between the network server and the network routing device is collected and the relevant network access parameters are parsed from it; then, by matching against the preset rule, the target network access parameter corresponding to the network traffic generated by the network attack source accessing the network server is looked up, the network attack of the attack source is monitored on this basis, and the network attack source is forbidden from establishing a connection with the network server. With the scheme of the embodiments of the present application, no configuration operation is required on the client or external server, reducing the learning cost for users. Compared with the traditional approach in which WAF servers must be accessed, the embodiments of the present application perform security detection for all clients or external servers accessing the network server without requiring access to WAF servers, providing 100% security protection for the network server and improving the overall security of the cloud computing system.
Moreover, the embodiments of the present application mine the target network access parameter of the network attack source by rule matching and monitor the real-time network traffic on this basis. Compared with the traditional approach of performing rule-matching detection on each network request as it arrives, this can reduce the delay of users accessing the Web server and shorten the time users wait to obtain network services.
The present application may also identify the target network access parameter, associate at least one network access parameter in the same network access with it, and perform attack protection on the basis of the associated network access parameters, so that the network attack source can be protected against more comprehensively, avoiding the problem that imperfect rule matching leads to insufficiently comprehensive protection.
The system corresponding to the embodiments of the present application can be deployed in software form on any suitable server or hardware device. Compared with a hardware WAF, protection is provided by means of predefined rules, and when a new vulnerability appears only the rules need to be updated; deployment is convenient and simple, maintenance cost is greatly reduced, and the scheme is better suited to cloud computing system environments.
Additionally, according to the embodiment of the present application, the objective network of the Attack Source for excavating can also be accessed
Parameter notifies into network cluster all-network server, such that it is able to be directed to same Attack Source pair
The large-scale scanning of system for cloud computing carries out linked protection.
Referring to Fig. 7, a structural block diagram of embodiment 2 of a flow-analysis-based network attack protection device of the present application is shown, which may specifically include the following modules:
Traffic collection module 401, for collecting the network traffic between the web server and the network routing device, the network traffic consisting of TCP packets.
Traffic judgment module 402, for determining whether a TCP packet is HTTP data recording one complete network access process.
Traffic reassembly module 403, for reassembling, if the TCP packet is not HTTP data recording one complete network access process, the multiple TCP packets belonging to the same network access into HTTP data recording that network access at layer seven of the network transmission structure, according to the sequence numbers carried by the TCP packets.
Parameter parsing module 404, for parsing the network access parameters from the network traffic.
Parameter lookup module 405, for finding, by matching against the preset rules, the target network access parameters corresponding to the network traffic generated by the attack source accessing the web server.
Connection prohibition module 406, for prohibiting, according to the target network access parameters, the attack source from establishing a connection with the web server.
Further, a traditional firewall operates at layers three and four of the OSI (Open System Interconnection) seven-layer model and cannot meet the layer-seven protection requirements of current web applications. The embodiment of the present application can reassemble HTTP data recording one network access at layer seven of the network transmission structure and identify the network attack source from multiple network access parameters of that layer-seven HTTP data, so as to prohibit it from accessing the web server. Compared with a traditional firewall that operates only at layers three and four, the network protection of this embodiment is more comprehensive and better maintains the security of the web server.
Since the device embodiment is substantially similar to the method embodiment, it is described relatively briefly; for the relevant parts, refer to the description of the method embodiment.
The embodiments in this specification are described progressively. Each embodiment focuses on its differences from the other embodiments, and the identical or similar parts of the embodiments may be referred to one another.
Those skilled in the art should appreciate that the embodiments of the present application may be provided as a method, a device or a computer program product. Accordingly, the embodiments of the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the embodiments of the present application may take the form of a computer program product implemented on one or more computer-usable storage media (including, but not limited to, magnetic disk storage, CD-ROM and optical storage) containing computer-usable program code.
In a typical configuration, the computer device includes one or more processors (CPUs), input/output interfaces, network interfaces and memory. The memory may include volatile memory in a computer-readable medium, such as random access memory (RAM), and/or non-volatile memory, such as read-only memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium. Computer-readable media include permanent and non-permanent, removable and non-removable media, and may implement information storage by any method or technology. The information may be computer-readable instructions, data structures, program modules or other data. Examples of computer storage media include, but are not limited to, phase-change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technology, compact disc read-only memory (CD-ROM), digital versatile disc (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible by a computing device. As defined herein, computer-readable media do not include transitory media such as modulated data signals and carrier waves.
The embodiments of the present application are described with reference to flowcharts and/or block diagrams of the method, terminal device (system) and computer program product according to the embodiments of the present application. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, may be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, special-purpose computer, embedded processor or other programmable data processing terminal device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing terminal device produce means for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing terminal device to operate in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means that implement the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or other programmable data processing terminal device, such that a series of operational steps are performed on the computer or other programmable terminal device to produce a computer-implemented process, whereby the instructions executed on the computer or other programmable terminal device provide steps for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
Although the preferred embodiments of the present application have been described, those skilled in the art, once aware of the basic inventive concept, may make further changes and modifications to these embodiments. Therefore, the appended claims are intended to be construed as including the preferred embodiments and all changes and modifications that fall within the scope of the embodiments of the present application.
Finally, it should also be noted that, herein, relational terms such as first and second are used only to distinguish one entity or operation from another, and do not necessarily require or imply any such actual relationship or order between those entities or operations. Moreover, the terms "comprise", "include" or any other variant thereof are intended to cover a non-exclusive inclusion, such that a process, method, article or terminal device comprising a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such process, method, article or terminal device. In the absence of further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of additional identical elements in the process, method, article or terminal device that comprises the element.
The flow-analysis-based network attack protection method and the flow-analysis-based network attack protection device provided by the present application have been described in detail above. Specific examples have been used herein to explain the principles and embodiments of the application, and the description of the above embodiments is only intended to help understand the method of the present application and its core idea. At the same time, those of ordinary skill in the art will, following the idea of the present application, make changes in the specific embodiments and in the scope of application. In summary, the content of this specification should not be construed as limiting the present application.
Claims (22)
1. A flow-analysis-based network attack protection method, characterized by comprising:
collecting network traffic between a web server and a network routing device;
parsing network access parameters from the network traffic;
finding, by matching against preset rules, target network access parameters corresponding to the network traffic generated by an attack source accessing the web server; and
prohibiting, according to the target network access parameters, the attack source from establishing a connection with the web server.
2. The method of claim 1, characterized in that collecting the network traffic between the web server and the network routing device comprises:
replicating, by means of a network optical splitter, network switch or hub connected between the web server and the network routing device, the network traffic sent by the web server to the network routing device.
3. The method of claim 1, characterized in that collecting the network traffic between the web server and the network routing device further comprises:
partitioning, by a network traffic distribution device, the network traffic belonging to the same network access.
4. The method of claim 1, characterized in that the network traffic consists of TCP packets, and that before parsing the network access parameters from the network traffic the method further comprises:
determining whether a TCP packet is HTTP data recording one complete network access process.
5. The method of claim 4, characterized in that before parsing the network access parameters from the network traffic the method further comprises:
if the TCP packet is not HTTP data recording one complete network access process, reassembling, according to the sequence numbers carried by the TCP packets, the multiple TCP packets belonging to the same network access into HTTP data recording that network access at layer seven of the network transmission structure.
6. The method of claim 1, characterized in that the network access parameters comprise at least one of a Uniform Resource Identifier, an access source IP, an access destination IP, a Host field, an access link source, a user agent, a cookie and access request parameters.
7. The method of claim 1, characterized in that finding, by matching against preset rules, the target network access parameters corresponding to the network traffic generated by the attack source accessing the web server comprises:
for the network traffic corresponding to the same network access, matching the network access parameters against the preset rules, the preset rules indicating at least one characteristic carried when the attack source accesses the web server and comprising a plurality of sub-rules; and
if the network access parameters match at least one of the sub-rules, determining that the corresponding network traffic is the network traffic generated by the attack source accessing the web server, and taking the corresponding network access parameters as the target network access parameters.
8. The method of claim 1, characterized in that prohibiting, according to the target network access parameters, the attack source from establishing a connection with the web server is: prohibiting the attack source from establishing a connection with the web server according to at least one other network access parameter belonging to the same network access as the target network access parameters.
9. The method of claim 8, characterized in that the target network access parameters comprise the Uniform Resource Identifier of the attack source, and that before prohibiting, according to the target network access parameters, the attack source from establishing a connection with the web server, the method further comprises:
extracting the access source IP of the attack source from the network traffic of the same network access corresponding to the Uniform Resource Identifier.
10. The method of claim 9, characterized in that prohibiting the attack source from establishing a connection with the web server according to at least one other network access parameter belonging to the same network access as the target network access parameters comprises:
collecting in real time the network traffic sent by the web server to the network routing device; and
if an access source IP recorded in the network traffic matches the access source IP of the attack source, interrupting the connection between the attack source and the web server by sending a connection reset packet to the attack source or to the web server.
11. The method of claim 9, characterized in that prohibiting the attack source from establishing a connection with the web server according to at least one other network access parameter belonging to the same network access as the target network access parameters comprises:
notifying the access source IP of the attack source to the multiple web servers included in the network cluster in which the web server is located, so that each web server, upon receiving a network access request from the access source IP of the attack source, interrupts the connection with the attack source.
12. A flow-analysis-based network attack protection device, characterized by comprising:
a traffic collection module, for collecting network traffic between a web server and a network routing device;
a parameter parsing module, for parsing network access parameters from the network traffic;
a parameter lookup module, for finding, by matching against preset rules, target network access parameters corresponding to the network traffic generated by an attack source accessing the web server; and
a connection prohibition module, for prohibiting, according to the target network access parameters, the attack source from establishing a connection with the web server.
13. The device of claim 12, characterized in that the traffic collection module comprises:
a traffic replication submodule, for replicating, by means of a network optical splitter, network switch or hub connected between the web server and the network routing device, the network traffic sent by the web server to the network routing device.
14. The device of claim 12, characterized in that the traffic collection module further comprises:
a traffic partitioning submodule, for partitioning, by a network traffic distribution device, the network traffic belonging to the same network access.
15. The device of claim 12, characterized in that the network traffic consists of TCP packets, and that the device further comprises:
a traffic judgment module, for determining, before the network access parameters are parsed from the network traffic, whether a TCP packet is HTTP data recording one complete network access process.
16. The device of claim 15, characterized in that the device further comprises:
a traffic reassembly module, for reassembling, before the network access parameters are parsed from the network traffic and if the TCP packet is not HTTP data recording one complete network access process, the multiple TCP packets belonging to the same network access into HTTP data recording that network access at layer seven of the network transmission structure, according to the sequence numbers carried by the TCP packets.
17. The device of claim 12, characterized in that the network access parameters comprise at least one of a Uniform Resource Identifier, an access source IP, an access destination IP, a Host field, an access link source, a user agent, a cookie and access request parameters.
18. The device of claim 12, characterized in that the parameter lookup module comprises:
a rule matching submodule, for matching, for the network traffic corresponding to the same network access, the network access parameters against the preset rules, the preset rules indicating at least one characteristic carried when the attack source accesses the web server and comprising a plurality of sub-rules; and
an attack traffic determination submodule, for determining, if the network access parameters match at least one of the sub-rules, that the corresponding network traffic is the network traffic generated by the attack source accessing the web server, and taking the corresponding network access parameters as the target network access parameters.
19. The device of claim 12, characterized in that the connection prohibition module is specifically for prohibiting the attack source from establishing a connection with the web server according to at least one other network access parameter belonging to the same network access as the target network access parameters.
20. The device of claim 12, characterized in that the target network access parameters comprise the Uniform Resource Identifier of the attack source, and that the device further comprises:
an IP extraction module, for extracting, before the attack source is prohibited from establishing a connection with the web server according to the target network access parameters, the access source IP of the attack source from the network traffic of the same network access corresponding to the Uniform Resource Identifier.
21. The device of claim 20, characterized in that the connection prohibition module comprises:
a real-time traffic collection submodule, for collecting in real time the network traffic sent by the web server to the network routing device; and
a first connection interruption submodule, for interrupting, if an access source IP recorded in the network traffic matches the access source IP of the attack source, the connection between the attack source and the web server by sending a connection reset packet to the attack source or to the web server.
22. The device of claim 20, characterized in that the connection prohibition module comprises:
a second connection interruption submodule, for notifying the access source IP of the attack source to the multiple web servers included in the network cluster in which the web server is located, so that each web server, upon receiving a network access request from the access source IP of the attack source, interrupts the connection with the attack source.
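Claims 10 and 21 block the attack source out of band: the device only sees a mirrored copy of the traffic and cannot drop packets, so it forges a TCP connection reset toward the attack source or the web server. The following added example, written for this page and not the patent's own code, builds such RST packets in pure Python from one observed segment of the attacker's connection. The observed segment and the addresses (RFC 5737 documentation ranges) are constructed; `send_raw` is the only part that touches the network and needs raw-socket privilege, so it is defined but not called.

```python
import socket
import struct


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum used by both the IPv4 and the TCP header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_rst(src_ip: str, dst_ip: str, sport: int, dport: int, seq: int, ack: int = 0) -> bytes:
    """IPv4 packet carrying a TCP RST (RST|ACK when ack is non-zero), no options."""
    flags = 0x04 | (0x10 if ack else 0)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq & 0xFFFFFFFF, ack & 0xFFFFFFFF,
                      5 << 4, flags, 0, 0, 0)          # offset 5 words, window 0, csum 0, urg 0
    pseudo = struct.pack("!4s4sBBH", socket.inet_aton(src_ip), socket.inet_aton(dst_ip),
                         0, socket.IPPROTO_TCP, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64,
                     socket.IPPROTO_TCP, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + tcp


def decode(pkt: bytes) -> dict:
    """Decode the IPv4+TCP headers of a packet built above and recheck both checksums."""
    ihl = (pkt[0] & 0x0F) * 4
    ip, tcp = pkt[:ihl], pkt[ihl:]
    sport, dport, seq, ack, _off, flags = struct.unpack("!HHIIBB", tcp[:14])
    pseudo = struct.pack("!4s4sBBH", ip[12:16], ip[16:20], 0, socket.IPPROTO_TCP, len(tcp))
    return {"src_ip": socket.inet_ntoa(ip[12:16]), "dst_ip": socket.inet_ntoa(ip[16:20]),
            "sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags,
            "ip_csum_ok": checksum(ip) == 0, "tcp_csum_ok": checksum(pseudo + tcp) == 0}


def rst_pair_for_segment(seg: dict) -> tuple:
    """From one observed attacker->server segment derive the two resets of claim 10:
    one to the server spoofing the attacker, one to the attacker spoofing the server.
    Each RST must carry exactly the sequence number its receiver expects next
    (RFC 5961), so both are taken from the segment the tap just saw."""
    nxt_from_attacker = (seg["seq"] + seg["payload_len"]) & 0xFFFFFFFF
    to_server = build_rst(seg["src_ip"], seg["dst_ip"], seg["sport"], seg["dport"],
                          seq=nxt_from_attacker)
    to_attacker = build_rst(seg["dst_ip"], seg["src_ip"], seg["dport"], seg["sport"],
                            seq=seg["ack"])          # what the attacker expects from the server
    return to_server, to_attacker


def decide(seg: dict, blocked_ips: set):
    """Claim 10 on live traffic: reset any connection whose source IP is a known attack source."""
    if seg["src_ip"] not in blocked_ips:
        return None
    return rst_pair_for_segment(seg)


def send_raw(pkt: bytes) -> None:
    """Inject from the bypass device. Needs CAP_NET_RAW or root; IP_HDRINCL tells the
    kernel the IPv4 header is already present. Not called in this example."""
    dst = socket.inet_ntoa(pkt[16:20])
    with socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW) as s:
        s.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1)
        s.sendto(pkt, (dst, 0))


# Constructed observation (not from the patent): one segment of the attacker's
# request as the tap saw it, plus the source IPs extracted per claim 9.
OBSERVED = {"src_ip": "203.0.113.7", "dst_ip": "198.51.100.10", "sport": 51234, "dport": 80,
            "seq": 1000, "ack": 5000, "payload_len": 184}
BLOCKED_SOURCES = {"203.0.113.7"}

if __name__ == "__main__":
    for pkt in decide(OBSERVED, BLOCKED_SOURCES):
        print(decode(pkt))
```

Two points matter in practice. A RST is only honoured if its sequence number is exactly the receiver's next expected one: modern stacks following RFC 5961 silently drop an out-of-window RST and answer an in-window but inexact one with a challenge ACK, so the device has to derive the number from the segment it just captured and deliver the reset before the next real segment moves the window. Second, the patent blocks by access source IP alone (claims 9 to 11), which cuts off every client behind the same NAT or proxy egress and does not follow an attacker that rotates addresses; a deployment would pair the IP with the matched URI or the session cookie, both of which are among the access parameters of claim 6.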
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510729059.9A CN106656922A (en) | 2015-10-30 | 2015-10-30 | Flow analysis based protective method and device against network attack |
Publications (1)
Publication Number | Publication Date |
---|---|
CN106656922A true CN106656922A (en) | 2017-05-10 |
Family
ID=58809459
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201510729059.9A Pending CN106656922A (en) | 2015-10-30 | 2015-10-30 | Flow analysis based protective method and device against network attack |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106656922A (en) |
Cited By (26)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107241344A (en) * | 2017-06-30 | 2017-10-10 | 北京知道创宇信息技术有限公司 | Intercept method, apparatus and system of the client to the access of hostile network server |
CN108400995A (en) * | 2018-06-07 | 2018-08-14 | 北京广成同泰科技有限公司 | A kind of network attack identification method and identifying system compared based on flow rate mode |
CN109587156A (en) * | 2018-12-17 | 2019-04-05 | 广州天懋信息系统股份有限公司 | Abnormal network access connection identification and blocking-up method, system, medium and equipment |
CN110225062A (en) * | 2019-07-01 | 2019-09-10 | 北京微步在线科技有限公司 | A kind of method and apparatus monitoring network attack |
CN110300193A (en) * | 2019-07-01 | 2019-10-01 | 北京微步在线科技有限公司 | A kind of method and apparatus obtaining entity domain name |
CN110300090A (en) * | 2018-03-23 | 2019-10-01 | 瞻博网络公司 | The network address that Intrusion Detection based on host threatens implements threat strategy movement |
CN110620753A (en) * | 2018-06-19 | 2019-12-27 | 卡巴斯基实验室股份制公司 | System and method for countering attacks on a user's computing device |
CN110798402A (en) * | 2019-10-30 | 2020-02-14 | 腾讯科技(深圳)有限公司 | Service message processing method, device, equipment and storage medium |
CN111181799A (en) * | 2019-10-14 | 2020-05-19 | 腾讯科技(深圳)有限公司 | Network traffic monitoring method and equipment |
CN111614515A (en) * | 2020-05-06 | 2020-09-01 | 南京信息职业技术学院 | Computer network communication method and system |
CN112134837A (en) * | 2020-08-06 | 2020-12-25 | 瑞数信息技术(上海)有限公司 | Method and system for detecting Web attack behavior |
CN112350939A (en) * | 2020-10-29 | 2021-02-09 | 腾讯科技(深圳)有限公司 | Bypass blocking method, system, device, computer equipment and storage medium |
CN112714138A (en) * | 2021-03-29 | 2021-04-27 | 北京网测科技有限公司 | Test method, device, equipment and storage medium based on attack flow |
CN112714118A (en) * | 2020-12-24 | 2021-04-27 | 新浪网技术(中国)有限公司 | Network flow detection method and device |
CN112822213A (en) * | 2021-02-07 | 2021-05-18 | 国网福建省电力有限公司电力科学研究院 | Attack evidence obtaining and tracing method for power monitoring system |
CN112989336A (en) * | 2019-12-18 | 2021-06-18 | 中国移动通信集团浙江有限公司 | Method, device and system for detecting mining behavior of host in cloud platform |
CN113233269A (en) * | 2021-05-12 | 2021-08-10 | 广州广日电梯工业有限公司 | Method and device for diagnosing attack on elevator network |
CN113518067A (en) * | 2021-03-25 | 2021-10-19 | 国网浙江省电力有限公司金华供电公司 | Security analysis method based on original message |
CN113542246A (en) * | 2021-07-02 | 2021-10-22 | 南京中新赛克科技有限责任公司 | Active flow response implementation method based on network processor |
CN113747443A (en) * | 2021-02-26 | 2021-12-03 | 上海观安信息技术股份有限公司 | Machine learning algorithm-based security detection method and device |
CN114765553A (en) * | 2021-01-11 | 2022-07-19 | 腾讯科技(深圳)有限公司 | Security management method and device for access data, computer equipment and storage medium |
CN114884707A (en) * | 2022-04-24 | 2022-08-09 | 金祺创(北京)技术有限公司 | Intelligent security monitoring and networking alarm method and system for large-scale network attack |
CN114915497A (en) * | 2022-07-13 | 2022-08-16 | 杭州云缔盟科技有限公司 | Network access blocking method, device and application for Windows process |
CN114978561A (en) * | 2021-02-26 | 2022-08-30 | 中国科学院计算机网络信息中心 | Real-time high-speed network TCP (Transmission control protocol) bypass batch host blocking method and system |
US11888877B2 (en) | 2018-03-23 | 2024-01-30 | Juniper Networks, Inc. | Tracking host threats in a network and enforcing threat policy actions for the host threats |
CN113747443B (en) * | 2021-02-26 | 2024-06-07 | 上海观安信息技术股份有限公司 | Safety detection method and device based on machine learning algorithm |
Citations (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1725709A (en) * | 2005-06-30 | 2006-01-25 | 杭州华为三康技术有限公司 | Method of linking network equipment and invading detection system |
CN101202742A (en) * | 2006-12-13 | 2008-06-18 | 中兴通讯股份有限公司 | Method and system for preventing refusal service attack |
CN101478387A (en) * | 2008-12-31 | 2009-07-08 | 成都市华为赛门铁克科技有限公司 | Defense method, apparatus and system for hyper text transmission protocol attack |
CN101572700A (en) * | 2009-02-10 | 2009-11-04 | 中科正阳信息安全技术有限公司 | Method for defending HTTP Flood distributed denial-of-service attack |
CN101577729A (en) * | 2009-06-10 | 2009-11-11 | 上海宝信软件股份有限公司 | Method for blocking bypass by combining DNS redirection with Http redirection |
CN101594269A (en) * | 2009-06-29 | 2009-12-02 | 成都市华为赛门铁克科技有限公司 | A kind of detection method of unusual connection, device and gateway device |
US20140215599A1 (en) * | 2013-01-28 | 2014-07-31 | The Barrier Group, Llc | Method and system for defeating denial of service attacks |
US20150007314A1 (en) * | 2013-06-27 | 2015-01-01 | Cellco Partnership D/B/A Verizon Wireless | Denial of service (dos) attack detection systems and methods |
Legal events: 2015-10-30, application CN201510729059.9A filed in CN (publication CN106656922A/en), status: Pending
Non-Patent Citations (2)
Title |
---|
宋志鹏: "Research and Design of a Network Intrusion Detection System Based on Protocol Analysis", China Masters' Theses Full-text Database, Information Science and Technology series * |
恽俊: "Application and Research of Intrusion Detection Systems in Network Security", China Masters' Theses Full-text Database, Information Science and Technology series * |
Cited By (35)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107241344B (en) * | 2017-06-30 | 2019-11-12 | 北京知道创宇信息技术股份有限公司 | Client is intercepted to the method, apparatus and system of the access of hostile network server |
CN107241344A (en) * | 2017-06-30 | 2017-10-10 | 北京知道创宇信息技术有限公司 | Intercept method, apparatus and system of the client to the access of hostile network server |
US11979415B2 (en) | 2018-03-23 | 2024-05-07 | Juniper Networks, Inc. | Enforcing threat policy actions based on network addresses of host threats |
US11888877B2 (en) | 2018-03-23 | 2024-01-30 | Juniper Networks, Inc. | Tracking host threats in a network and enforcing threat policy actions for the host threats |
CN110300090A (en) * | 2018-03-23 | 2019-10-01 | 瞻博网络公司 | The network address that Intrusion Detection based on host threatens implements threat strategy movement |
CN110300090B (en) * | 2018-03-23 | 2022-01-04 | 瞻博网络公司 | Enforcing threat policy actions based on network addresses of host threats |
CN108400995B (en) * | 2018-06-07 | 2020-12-22 | 北京广成同泰科技有限公司 | Network attack identification method and system based on flow pattern comparison |
CN108400995A (en) * | 2018-06-07 | 2018-08-14 | 北京广成同泰科技有限公司 | A kind of network attack identification method and identifying system compared based on flow rate mode |
CN110620753A (en) * | 2018-06-19 | 2019-12-27 | 卡巴斯基实验室股份制公司 | System and method for countering attacks on a user's computing device |
CN109587156A (en) * | 2018-12-17 | 2019-04-05 | 广州天懋信息系统股份有限公司 | Abnormal network access connection identification and blocking-up method, system, medium and equipment |
CN109587156B (en) * | 2018-12-17 | 2021-07-09 | 广州天懋信息系统股份有限公司 | Method, system, medium, and apparatus for identifying and blocking abnormal network access connection |
CN110300193A (en) * | 2019-07-01 | 2019-10-01 | 北京微步在线科技有限公司 | Method and apparatus for obtaining an entity domain name |
CN110225062A (en) * | 2019-07-01 | 2019-09-10 | 北京微步在线科技有限公司 | Method and apparatus for monitoring network attacks |
CN111181799A (en) * | 2019-10-14 | 2020-05-19 | 腾讯科技(深圳)有限公司 | Network traffic monitoring method and equipment |
CN110798402A (en) * | 2019-10-30 | 2020-02-14 | 腾讯科技(深圳)有限公司 | Service message processing method, device, equipment and storage medium |
CN112989336A (en) * | 2019-12-18 | 2021-06-18 | 中国移动通信集团浙江有限公司 | Method, device and system for detecting mining behavior of host in cloud platform |
CN111614515A (en) * | 2020-05-06 | 2020-09-01 | 南京信息职业技术学院 | Computer network communication method and system |
CN112134837A (en) * | 2020-08-06 | 2020-12-25 | 瑞数信息技术(上海)有限公司 | Method and system for detecting Web attack behavior |
CN112350939A (en) * | 2020-10-29 | 2021-02-09 | 腾讯科技(深圳)有限公司 | Bypass blocking method, system, device, computer equipment and storage medium |
CN112350939B (en) * | 2020-10-29 | 2023-11-10 | 腾讯科技(深圳)有限公司 | Bypass blocking method, system, device, computer equipment and storage medium |
CN112714118A (en) * | 2020-12-24 | 2021-04-27 | 新浪网技术(中国)有限公司 | Network flow detection method and device |
CN112714118B (en) * | 2020-12-24 | 2023-06-06 | 新浪技术(中国)有限公司 | Network traffic detection method and device |
CN114765553A (en) * | 2021-01-11 | 2022-07-19 | 腾讯科技(深圳)有限公司 | Security management method and device for access data, computer equipment and storage medium |
CN114765553B (en) * | 2021-01-11 | 2024-04-30 | 腾讯科技(深圳)有限公司 | Security management method, device, computer equipment and storage medium for access data |
CN112822213A (en) * | 2021-02-07 | 2021-05-18 | 国网福建省电力有限公司电力科学研究院 | Attack evidence obtaining and tracing method for power monitoring system |
CN113747443A (en) * | 2021-02-26 | 2021-12-03 | 上海观安信息技术股份有限公司 | Machine learning algorithm-based security detection method and device |
CN114978561A (en) * | 2021-02-26 | 2022-08-30 | 中国科学院计算机网络信息中心 | Real-time high-speed network TCP (Transmission control protocol) bypass batch host blocking method and system |
CN114978561B (en) * | 2021-02-26 | 2023-11-07 | 中国科学院计算机网络信息中心 | Real-time high-speed network TCP protocol bypass batch host blocking method and system |
CN113747443B (en) * | 2021-02-26 | 2024-06-07 | 上海观安信息技术股份有限公司 | Safety detection method and device based on machine learning algorithm |
CN113518067A (en) * | 2021-03-25 | 2021-10-19 | 国网浙江省电力有限公司金华供电公司 | Security analysis method based on original message |
CN112714138A (en) * | 2021-03-29 | 2021-04-27 | 北京网测科技有限公司 | Test method, device, equipment and storage medium based on attack flow |
CN113233269A (en) * | 2021-05-12 | 2021-08-10 | 广州广日电梯工业有限公司 | Method and device for diagnosing attack on elevator network |
CN113542246A (en) * | 2021-07-02 | 2021-10-22 | 南京中新赛克科技有限责任公司 | Active flow response implementation method based on network processor |
CN114884707A (en) * | 2022-04-24 | 2022-08-09 | 金祺创(北京)技术有限公司 | Intelligent security monitoring and networking alarm method and system for large-scale network attack |
CN114915497A (en) * | 2022-07-13 | 2022-08-16 | 杭州云缔盟科技有限公司 | Network access blocking method, device and application for Windows process |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN106656922A (en) | | Flow analysis based protective method and device against network attack |
CN112769821B (en) | | Threat response method and device based on threat intelligence and ATT&CK |
CN112383546B (en) | | Method for processing network attack behavior, related equipment and storage medium |
CN103179132B (en) | | Method and device for detecting and defending against CC attacks |
US7831822B2 (en) | | Real-time stateful packet inspection method and apparatus |
KR101010302B1 (en) | | Security management system and method for IRC and HTTP botnets |
CN109951500A (en) | | Network attack detection method and device |
CN111818103B (en) | | Traffic-based attack path tracing method in a network target range |
CN105681250B (en) | | Distributed real-time botnet detection method and system |
CN107995162A (en) | | Network security situational awareness system, method and readable storage medium |
CN114679338A (en) | | Network risk assessment method based on network security situation awareness |
CN106101104A (en) | | Malicious domain name detection method and system based on domain name resolution |
CN107465651A (en) | | Network attack detection method and device |
CA2764815A1 (en) | | Identifying bots |
CN106790193A (en) | | Anomaly detection method and device based on host network behavior |
CN109756501A (en) | | High-concealment network proxy method and system based on the HTTP protocol |
CN104954345B (en) | | Attack recognition method and device based on object analysis |
CN110362992A (en) | | Method and apparatus for blocking or detecting computer attacks in a cloud-based environment |
CN109074456A (en) | | Two-stage filtering computer attack blocking method and device using the same |
CN104954346A (en) | | Attack recognition method based on object analysis and device thereof |
CN107666486A (en) | | Network data flow restoration method and system based on message protocol features |
CN102882748A (en) | | Network access detection system and network access detection method |
CN108900467A (en) | | Automated honeypot construction and threat perception method based on Docker |
CN111865996A (en) | | Data detection method and device and electronic equipment |
Frye et al. | | An ontology-based system to identify complex network attacks |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | PB01 | Publication | |
 | SE01 | Entry into force of request for substantive examination | |
 | RJ01 | Rejection of invention patent application after publication | Application publication date: 20170510 |