CN106790291A - A kind of intrusion detection reminding method and device - Google Patents

Publication number
CN106790291A
Authority
CN
China
Legal status
Granted
Application number
CN201710139153.8A
Other languages
Chinese (zh)
Other versions
CN106790291B (en)
Inventor
刘剑
关义春
龙凡
刘雷
郑江林
卞合振
王少游
李大伟
Current Assignee
Tencent Technology Shenzhen Co Ltd
Original Assignee
Tencent Technology Shenzhen Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection

Abstract

An embodiment of the invention discloses an intrusion detection method and device. The method includes: receiving a service request for access to a service Docker container, sent by the first virtual network card (virtual NIC) corresponding to that service Docker container, the service request carrying the terminal identifier of the user terminal that sent it; parsing the service request to determine the data feature of the service request; and, if the data feature meets a preset intrusion condition, sending a stop-transmission command to the first virtual NIC, the stop-transmission command instructing the first virtual NIC to stop transmitting the response data that the service Docker container returns for the service request. The invention enables timely detection of, and feedback on, service requests to service Docker containers, improving the efficiency of intrusion detection.

Description

A kind of intrusion detection reminding method and device
Technical field
The present invention relates to the field of computer technology, and in particular to an intrusion detection reminding method and device.
Background
With the development of Internet technology, the Internet data center (IDC) has become an indispensable part of the Internet industry. An IDC must not only provide users with the data services they need, but also monitor network data to ensure that servers run normally. For example, an intrusion detection system (IDS) is deployed: specifically, a physical optical splitter (or switch port mirroring) is deployed at the entrance of the IDC's network data, so that while an access request sent by a user terminal is delivered to the corresponding server, an identical access request is sent to an intrusion detection device, which inspects access requests one by one.
However, when the IDC contains many servers and the volume of access requests is large, the intrusion detection device has to inspect every access request of every server, so the detection workload is large, the processing cycle is long, and detection results cannot be fed back to the servers in time. Once an attacking access request occurs, legitimate access requests are very likely not to receive a normal response, which paralyses the server; the efficiency of intrusion detection is therefore reduced.
Summary of the invention
The technical problem to be solved by the embodiments of the present invention is to provide an intrusion detection method and device that enable timely detection of, and feedback on, service requests to service Docker containers, improving the efficiency of intrusion detection.
In a first aspect, an embodiment of the invention provides an intrusion detection method, the method including:
receiving a service request for access to a service Docker container, sent by the first virtual NIC corresponding to the service Docker container, the service request carrying the terminal identifier of the user terminal that sent the service request;
parsing the service request to determine the data feature of the service request;
if the data feature meets a preset intrusion condition, sending a stop-transmission command to the first virtual NIC, the stop-transmission command instructing the first virtual NIC to stop transmitting the response data that the service Docker container returns for the service request.
In a second aspect, an embodiment of the invention further provides an intrusion detection device, the device including:
a request receiving module, for receiving a service request for access to a service Docker container, sent by the first virtual NIC corresponding to the service Docker container, the service request carrying the terminal identifier of the user terminal that sent the service request;
a feature determination module, for parsing the service request to determine the data feature of the service request;
a command sending module, for sending a stop-transmission command to the first virtual NIC if the data feature meets a preset intrusion condition, the stop-transmission command instructing the first virtual NIC to stop transmitting the response data that the service Docker container returns for the service request.
In the embodiments of the present invention, a service request for access to a service Docker container, sent by the first virtual NIC corresponding to that container, is received; the service request is then parsed to determine its data feature, and if the data feature meets a preset intrusion condition, a stop-transmission command is sent to the first virtual NIC, instructing it to stop transmitting the response data that the service Docker container returns for the service request. Receiving the service request from the first virtual NIC enables real-time detection of the service request and feedback of the detection result, which improves the efficiency of intrusion detection.
Brief description of the drawings
To describe the technical solutions of the embodiments of the present invention or of the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. The drawings described below are only some embodiments of the invention; a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic structural diagram of a possible physical host provided by an embodiment of the present invention;
Fig. 2 is a schematic flowchart of an intrusion detection method provided by an embodiment of the present invention;
Fig. 3 is a schematic flowchart of another intrusion detection method provided by an embodiment of the present invention;
Fig. 4 is a system architecture diagram of a possible intrusion detection system provided by an embodiment of the present invention;
Fig. 5 is a schematic flowchart of another intrusion detection method provided by an embodiment of the present invention;
Fig. 6 is a schematic structural diagram of an intrusion detection device provided by an embodiment of the present invention;
Fig. 7 is a schematic structural diagram of another intrusion detection device provided by an embodiment of the present invention;
Fig. 8 is a schematic structural diagram of another intrusion detection device provided by an embodiment of the present invention.
Detailed description
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings. The described embodiments are only some of the embodiments of the invention, not all of them. All other embodiments that a person of ordinary skill in the art obtains from the embodiments of the present invention without creative effort fall within the scope of protection of the invention.
The terms "comprising" and "having", and any variants of them, in the description, the claims and the drawings are intended to cover non-exclusive inclusion. For example, a process, method, system, product or device that contains a series of steps or units is not limited to the listed steps or units, but optionally also includes steps or units that are not listed, or optionally also includes other steps or units inherent to the process, method, product or device.
Refer to Fig. 1, a schematic structural diagram of a possible physical host provided by an embodiment of the present invention. The physical host shown in Fig. 1 has Docker installed and multiple Docker containers deployed on it, including multiple service Docker containers and an IDS Docker container. Each Docker container can be set to use a fixed amount of hardware resources, such as central processing unit (CPU) resources and memory resources. The physical host is a server that provides applications or services. Further, single-root I/O virtualization (SR-IOV) is used to virtualize the network interface card (NIC) of the physical host into multiple virtual NICs, with each Docker container corresponding to one virtual NIC; for example, virtual NIC 1 corresponds to service Docker container 1, virtual NIC 2 corresponds to service Docker container 2, virtual NIC 10 corresponds to IDS Docker container 10, and so on.
Take virtual NIC 1 and its corresponding service Docker container 1 as an example. When virtual NIC 1 receives a service request for access to service Docker container 1, it sends the service request to service Docker container 1 and also sends the service request to the IDS Docker container; the service request carries the terminal identifier of the user terminal that sent it. Correspondingly, IDS Docker container 10 receives the service request for access to service Docker container 1 sent by virtual NIC 1 and parses it to determine the data feature of the service request. If the data feature meets a preset intrusion condition, IDS Docker container 10 sends a stop-transmission command to virtual NIC 1, instructing virtual NIC 1 to stop transmitting the response data that service Docker container 1 returns for the service request. Deploying an IDS Docker container in each individual physical host allows the service requests of the service Docker containers in that host to be inspected in time, improving the efficiency of intrusion detection. In addition, setting the IDS Docker container to use fixed hardware resources means that intrusion detection can be performed without affecting the normal operation of the service Docker containers.
In the network architecture shown in Fig. 1, the user terminal can be any device with display and communication functions, for example a tablet computer, mobile phone, e-reader, personal computer (PC), notebook computer, in-vehicle device, network TV or wearable device.
Based on the structure of the physical host shown in Fig. 1, the intrusion detection method provided by the embodiments of the present invention is described in detail below with reference to Fig. 2 to Fig. 5.
Refer to Fig. 2, a schematic flowchart of an intrusion detection method provided by an embodiment of the present invention. As shown in Fig. 2, the method of this embodiment may include the following steps S101 to S103.
S101, receive a service request for access to a service Docker container, sent by the first virtual NIC corresponding to the service Docker container.
Specifically, when the first virtual NIC receives a service request for access to the service Docker container, the first virtual NIC sends the service request to the service Docker container and also sends the service request to the IDS Docker container; the service request carries the terminal identifier of the user terminal that sent it. Correspondingly, the service Docker container receives the service request and processes it to generate response data for the service request; the intrusion detection device receives the service request in order to detect whether the service request would cause an attack on the physical host where the intrusion detection device is located, for example a distributed denial of service (DDoS) attack.
Optionally, the terminal identifier of the user terminal can include, but is not limited to, the Internet Protocol (IP) address of the user terminal, a login user name, and so on.
S102, parse the service request to determine the data feature of the service request.
Specifically, the intrusion detection device parses the service request to determine its data feature. For example, the data feature can be carried in the header fields of the service request: the service request can be a Hypertext Transfer Protocol (HTTP) request, and the data feature of the service request can be the uniform resource locator (URL) of the service request, and so on.
S103, if the data feature meets a preset intrusion condition, send a stop-transmission command to the first virtual NIC.
Specifically, if the intrusion detection device detects that the data feature meets the preset intrusion condition, the intrusion detection device sends a stop-transmission command to the first virtual NIC. The stop-transmission command instructs the first virtual NIC to stop transmitting the response data that the service Docker container returns for the service request.
The first virtual NIC sends the service request to the service Docker container so that the service Docker container can return response data. Where the service Docker container has already returned the response data to the first virtual NIC, if the first virtual NIC has not yet started sending the response data to the user terminal, or has not yet finished sending it, then as soon as it receives the stop-transmission command sent by the intrusion detection device, the first virtual NIC interrupts transmission of the response data.
Optionally, the stop-transmission command also instructs the first virtual NIC to stop transmitting other response data to the user terminal. For example, when the first virtual NIC receives other service requests from the user terminal for access to the service Docker container, the first virtual NIC does not forward those service requests to the service Docker container; or, the first virtual NIC forwards them to the service Docker container but does not return to the user terminal the response data that the service Docker container sends for those other service requests. The intrusion detection device can mark the user terminal according to the terminal identifier.
Optionally, the data feature meeting the preset intrusion condition can mean that the data feature matches an attack signature in a preset attack signature set.
In this embodiment of the present invention, a service request for access to a service Docker container, sent by the first virtual NIC corresponding to that container, is received; the service request is then parsed to determine its data feature, and if the data feature meets a preset intrusion condition, a stop-transmission command is sent to the first virtual NIC, instructing it to stop transmitting the response data that the service Docker container returns for the service request. Receiving the service request from the first virtual NIC enables real-time detection of the service request and feedback of the detection result, which improves the efficiency of intrusion detection.
Refer to Fig. 3, a schematic flowchart of another intrusion detection method provided by an embodiment of the present invention. As shown in Fig. 3, the method of this embodiment may include the following steps S201 to S207.
S201, receive a service request for access to a service Docker container, sent by the first virtual NIC corresponding to the service Docker container.
Specifically, when the first virtual NIC receives a service request for access to the service Docker container, the first virtual NIC sends the service request to the service Docker container and also sends the service request to the IDS Docker container; the service request carries the terminal identifier of the user terminal that sent it. Correspondingly, the service Docker container receives the service request and processes it to generate response data for the service request; the intrusion detection device receives the service request in order to detect whether the service request would cause an attack on the physical host where the intrusion detection device is located, for example a DDoS attack.
Optionally, the terminal identifier of the user terminal can include, but is not limited to, the IP address of the user terminal, a login user name, and so on.
S202, parse the service request to determine the data feature of the service request.
Specifically, the intrusion detection device parses the service request to determine its data feature. For example, the data feature can be carried in the header fields of the service request: the service request can be an HTTP request, and the data feature of the service request can be the URL of the service request, and so on.
S203, detect whether the pre-stored attack signature set contains an attack signature that matches the data feature.
Specifically, the intrusion detection device detects whether the pre-stored attack signature set contains an attack signature that matches the data feature. If a matching attack signature exists, step S204 is performed; if no matching attack signature exists, step S205 is performed.
Optionally, the pre-stored attack signature set contains multiple attack signatures used to inspect access requests. Optionally, the intrusion detection device can modify, delete and add attack signatures in the attack signature set, so that the signatures stored in the set become more complete, improving the effectiveness of intrusion detection.
For example, where the data feature is the URL of the service request: if the URL in a service request for access to the service Docker container is http://www.qq.com/***, then because the URL for normal access to the service Docker container is http://www.qq.com/, the intrusion detection device can further inspect "***"; when it finds that "***" exists in the pre-stored attack signature set, it determines that the data feature meets the preset intrusion condition.
S204, if so, send a stop-transmission command to the first virtual NIC.
Specifically, if an attack signature matching the data feature exists, the intrusion detection device determines that the data feature meets the preset intrusion condition. If the data feature meets the preset intrusion condition, the intrusion detection device sends a stop-transmission command to the first virtual NIC; the stop-transmission command instructs the first virtual NIC to stop transmitting the response data that the service Docker container returns for the service request.
The first virtual NIC sends the service request to the service Docker container so that the service Docker container can return response data. Where the service Docker container has already returned the response data to the first virtual NIC, if the first virtual NIC has not yet started sending the response data to the user terminal, or has not yet finished sending it, then as soon as it receives the stop-transmission command sent by the intrusion detection device, the first virtual NIC interrupts transmission of the response data.
Optionally, the stop-transmission command also instructs the first virtual NIC to stop transmitting other response data to the user terminal. For example, when the first virtual NIC receives other service requests from the user terminal for access to the service Docker container, the first virtual NIC does not forward those service requests to the service Docker container; or, the first virtual NIC forwards them to the service Docker container but does not return to the user terminal the response data that the service Docker container sends for those other service requests. The intrusion detection device can mark the user terminal according to the terminal identifier.
S205, report the service request to a security server through a pre-allocated second virtual NIC.
Specifically, the intrusion detection device reports the service request to the security server through the pre-allocated second virtual NIC, so that the security server can inspect the service request further. Optionally, the security server can be connected to multiple intrusion detection devices, so it can analyse and collate the service requests sent by different intrusion detection devices and thereby reach a more accurate judgement on the service request, improving the accuracy of intrusion detection. It should be understood that the first virtual NIC and the second virtual NIC are two different virtual NICs virtualized from the NIC of the physical host: the first virtual NIC is the virtual NIC corresponding to the service Docker container, and the second virtual NIC is the virtual NIC corresponding to the IDS Docker container.
It should be noted that, in this embodiment of the present invention, the intrusion detection device reports the service request to the security server after step S204, or after determining that the pre-stored attack signature set contains no attack signature matching the data feature. Optionally, the intrusion detection device can report the service request to the security server as soon as it receives the service request sent by the first virtual NIC; or, the intrusion detection device can package the service requests received during a preceding period of time and report them to the security server; or, the intrusion detection device can package a certain number of service requests and report them to the security server. This embodiment does not limit the time at which reports are sent to the security server, or whether individual or packaged reporting is used.
S206, receive, through the second virtual NIC, the security policy corresponding to the service request sent by the security server.
Specifically, after the security server has analysed the service request in depth and determined the security policy corresponding to it, the security server sends the security policy to the intrusion detection device through the second virtual NIC. Correspondingly, the intrusion detection device receives, through the second virtual NIC, the security policy corresponding to the service request sent by the security server. The security policy indicates whether the first virtual NIC allows the user terminal to access the service Docker container.
Optionally, the security server can obtain the correspondence between the data feature of the service request and a security policy from records of data features and intrusion detection results in historical accesses.
S207, according to the security policy, notify the first virtual NIC to process the access connection sent by the user terminal.
Specifically, the intrusion detection device, according to the security policy, notifies the first virtual NIC to process the access connection sent by the user terminal. For example, if the security policy does not allow the user terminal to access the service Docker container, the intrusion detection device notifies the first virtual NIC to refuse the access connection sent by the user terminal. If the security policy allows the user terminal to access the service Docker container, the intrusion detection device sends no notification message to the first virtual NIC, or sends a notification message allowing the user terminal to continue accessing the service Docker container.
It should be noted that the intrusion detection device in this embodiment can be deployed in the IDS Docker container of a physical host, with a certain amount of hardware resources, such as CPU resources and memory resources, allocated to the IDS Docker container in advance. Setting the intrusion detection device to use fixed hardware resources means that intrusion detection can be performed without affecting the normal operation of the other service Docker containers.
In this embodiment of the present invention, a service request for access to a service Docker container, sent by the first virtual NIC corresponding to that container, is received; the service request is then parsed to determine its data feature, and if the data feature meets a preset intrusion condition, a stop-transmission command is sent to the first virtual NIC, instructing it to stop transmitting the response data that the service Docker container returns for the service request. In this way the intrusion detection device can inspect the network data of the other service Docker containers in time, improving the efficiency of intrusion detection; in addition, the further inspection by the security server improves the accuracy of intrusion detection.
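The flow of steps S201 to S207 can be sketched as follows. This is an added example, not code from the patent: the class names, the substring matching rule, the batch size and the sample requests are assumptions made for illustration.

```python
"""Illustration of steps S201-S207. All names here are hypothetical."""
from dataclasses import dataclass, field
from urllib.parse import unquote, urlsplit

# Constructed sample requests, as mirrored to the IDS by the first virtual NIC.
REQ_OK = b"GET / HTTP/1.1\r\nHost: www.qq.com\r\n\r\n"
REQ_BAD = b"GET /..%2f..%2fetc/passwd HTTP/1.1\r\nHost: www.qq.com\r\n\r\n"
REQ_UNKNOWN = b"GET /admin/export?fmt=all HTTP/1.1\r\nHost: www.qq.com\r\n\r\n"


def extract_feature(raw: bytes) -> str:
    """S202: return the decoded URL part that follows the normal root URL."""
    request_line = raw.split(b"\r\n", 1)[0].decode("latin-1")
    fields = request_line.split(" ")
    if len(fields) != 3 or not fields[2].startswith("HTTP/"):
        raise ValueError("malformed request line")
    parts = urlsplit(fields[1])
    # Percent-decode once so an encoded "../" is compared in its plain form.
    feature = unquote(parts.path)
    if parts.query:
        feature += "?" + unquote(parts.query)
    return feature.lstrip("/")


@dataclass
class VirtualNic:
    """Stand-in for the first virtual NIC: records the commands it receives."""
    stopped_terminals: set = field(default_factory=set)
    denied_terminals: set = field(default_factory=set)

    def stop_transmission(self, terminal_id):
        self.stopped_terminals.add(terminal_id)

    def deny_access(self, terminal_id):
        self.denied_terminals.add(terminal_id)


@dataclass
class SecurityServer:
    """Stand-in for the security server reached over the second virtual NIC."""
    deny_features: set = field(default_factory=set)
    received: list = field(default_factory=list)

    def analyse(self, batch):
        """Return {terminal_id: allowed} for a batch of reported requests."""
        self.received.extend(batch)
        policy = {}
        for terminal_id, feature in batch:
            allowed = feature not in self.deny_features
            policy[terminal_id] = policy.get(terminal_id, True) and allowed
        return policy


class IdsContainer:
    """Intrusion detection logic of the IDS Docker container."""

    def __init__(self, nic, server, signatures, batch_size=3):
        self.nic = nic
        self.server = server
        self.signatures = sorted(signatures)  # fixed order for repeatable hits
        self.batch_size = batch_size          # packaged reporting (assumption)
        self.pending = []

    def handle(self, terminal_id, raw):
        """S201-S205: inspect one mirrored request; return the matched signature."""
        feature = extract_feature(raw)
        # S203: substring match is an assumption; the patent only says "matches".
        hit = next((s for s in self.signatures if s in feature), None)
        if hit is not None:
            self.nic.stop_transmission(terminal_id)   # S204
        self.pending.append((terminal_id, feature))   # S205, reported in batches
        if len(self.pending) >= self.batch_size:
            self.flush()
        return hit

    def flush(self):
        """S205-S207: report the batch, then apply the returned security policy."""
        batch, self.pending = self.pending, []
        policy = self.server.analyse(batch)
        for terminal_id, allowed in policy.items():
            if not allowed:
                self.nic.deny_access(terminal_id)
        return policy
```

A request with no local signature match is still reported, so the security server's policy can deny a terminal that the local attack signature set did not catch.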
Fig. 4 is referred to, to the embodiment of the invention provides a kind of possible intruding detection system Organization Chart.As shown in figure 4, The intruding detection system include security server and Duo Tai physical hosts, such as physical host 1, physical host 2 ..., physics master Machine N.Wherein, each physical host may be referred to the structure chart of the physical host shown in Fig. 1.Based on the invasion inspection shown in Fig. 4 Examining system Organization Chart, please also refer to Fig. 5, for the flow that the embodiment of the invention provides another intrusion detection method is illustrated Figure.Wherein, the intrusion detection mode of the embodiment of the present invention is performed jointly by user terminal, physical host and security server , wherein physical host is illustrated by taking physical host 1 as an example.Wherein, physical host 1 is held with Microsoft Loopback Adapter 1, business Docker Illustrated as a example by device 1 and IDS Docker containers 10.Specific implementation procedure refers to introduced below.
S301: The user terminal sends a service request for accessing business Docker container 1 to physical host 1. The service request carries the terminal identifier of the user terminal.
S302: Virtual network card 1 of physical host 1 sends the service request to business Docker container 1.
S303: Virtual network card 1 of physical host 1 sends the service request to IDS Docker container 10.
This embodiment does not limit the order in which virtual network card 1 performs step S302 and step S303.
S304: After receiving the service request, business Docker container 1 processes it, determines the corresponding response data, and sends that response data to virtual network card 1.
S305: Virtual network card 1 receives the response data sent by business Docker container 1 and sends it to the user terminal.
S306: IDS Docker container 10 receives the service request sent by virtual network card 1 and parses it to determine the data feature of the service request.
S307: IDS Docker container 10 detects whether the pre-stored attack signature set contains an attack signature that matches the data feature.
S308: If IDS Docker container 10 detects that the attack signature set contains an attack signature that matches the data feature, it sends a stop-transmission command to virtual network card 1. The stop-transmission command instructs virtual network card 1 to stop transmitting the response data that business Docker container 1 returns for the service request. Optionally, the stop-transmission command also instructs virtual network card 1 to stop transmitting other response data to the user terminal.
It should be noted that business Docker container 1 and IDS Docker container 10 each receive the service request separately, so there is no fixed order between the steps performed by business Docker container 1 and those performed by IDS Docker container 10.
S309: IDS Docker container 10 may also send the service request to the security server, so that the security server inspects the service request further and the accuracy of intrusion detection improves.
S310: After the security server finishes inspecting the service request, it sends a security policy to IDS Docker container 10. The security policy indicates whether the first virtual network card allows the user terminal to access the business Docker container.
S311: After receiving the security policy for the service request from the security server, IDS Docker container 10 notifies the first virtual network card, according to the security policy, to handle the access connection sent by the user terminal.
It should be noted that communication between IDS Docker container 10 and the security server goes through virtual network card 10, which corresponds to IDS Docker container 10; for example, the security server sends the security policy to virtual network card 10, and virtual network card 10 sends it to IDS Docker container 10.
It should be noted that the specific implementation of steps S301 to S311 in this embodiment and the resulting technical effects are described in the embodiments shown in Fig. 2 or Fig. 3 and are not repeated here.
Based on the structural diagram of the physical host shown in Fig. 1 and the system architecture of the intrusion detection system shown in Fig. 4, the intrusion detection device provided by embodiments of the present invention is described in detail below with reference to Figs. 6 to 8. It should be noted that the intrusion detection device shown in Figs. 6 to 8 is used to perform the methods of the embodiments shown in Figs. 2 to 5. The intrusion detection device shown in Figs. 6 to 8 may be the intrusion detection module in the IDS Docker container of the physical host shown in Fig. 1. For ease of description, only the parts relevant to the embodiments of the present invention are shown; for technical details not disclosed here, refer to the embodiments shown in Figs. 2 to 5.
Referring to Fig. 6, an embodiment of the present invention provides a schematic structural diagram of an intrusion detection device. As shown in Fig. 6, the intrusion detection device 1 of this embodiment may include: a request receiving module 11, a feature determination module 12 and a command sending module 13.
The request receiving module 11 is configured to receive the service request for accessing the business Docker container, sent by the first virtual network card corresponding to the business Docker container; the service request carries the terminal identifier of the user terminal that sent it.
Specifically, when the first virtual network card receives a service request for accessing the business Docker container, it sends the service request to the business Docker container and also to the IDS Docker container; the service request carries the terminal identifier of the user terminal that sent it. Correspondingly, the business Docker container receives the service request and processes it to generate response data for the service request; the request receiving module 11 receives the service request in order to detect whether it could constitute an attack, for example a DDoS attack, on the physical host where the intrusion detection device 1 is located.
Optionally, the terminal identifier of the user terminal may include, but is not limited to, the IP address of the user terminal, the login user name, and so on.
The feature determination module 12 is configured to parse the service request to determine the data feature of the service request.
Specifically, the feature determination module 12 parses the service request to determine its data feature. The data feature may, for example, be carried in the header fields of the service request; for instance, the service request may be an HTTP request, and its data feature may be the URL of the service request.
The command sending module 13 is configured to send a stop-transmission command to the first virtual network card if the data feature satisfies the preset intrusion condition; the stop-transmission command instructs the first virtual network card to stop transmitting the response data that the business Docker container returns for the service request.
Specifically, if it is detected that the data feature satisfies the preset intrusion condition, the command sending module 13 sends a stop-transmission command to the first virtual network card. The stop-transmission command instructs the first virtual network card to stop transmitting the response data that the business Docker container returns for the service request.
The first virtual network card sends the service request to the business Docker container so that the business Docker container returns response data. Where the business Docker container has already returned the response data to the first virtual network card, if the first virtual network card has not yet started sending the response data to the user terminal, or has not yet finished sending it, then as soon as it receives the stop-transmission command sent by the command sending module 13 it interrupts transmission of the response data.
Optionally, the stop-transmission command also instructs the first virtual network card to stop transmitting other response data to the user terminal. For example, when the first virtual network card receives other service requests from the user terminal for the business Docker container, it does not forward them to the business Docker container; or it forwards them to the business Docker container but does not return to the user terminal the response data that the business Docker container sends for those requests. The command sending module 13 may mark the user terminal according to the terminal identifier.
Optionally, the data feature satisfying the preset intrusion condition may mean that the data feature matches an attack signature in the preset attack signature set.
In this embodiment of the present invention, the service request for accessing the business Docker container, sent by the first virtual network card corresponding to that container, is received; the service request is then parsed to determine its data feature; if the data feature satisfies the preset intrusion condition, a stop-transmission command is sent to the first virtual network card, instructing it to stop transmitting the response data that the business Docker container returns for the service request. By receiving the service request sent by the first virtual network card, real-time detection of the service request and feedback of the detection result are achieved, which improves the efficiency of intrusion detection.
Referring to Fig. 7, an embodiment of the present invention provides a schematic structural diagram of another intrusion detection device. As shown in Fig. 7, the intrusion detection device 1 of this embodiment may include: a request receiving module 11, a feature determination module 12, a command sending module 13, a feature detection module 14, an intrusion determination module 15, a request reporting module 16, a policy receiving module 17 and an access processing module 18.
The request receiving module 11 is configured to receive the service request for accessing the business Docker container, sent by the first virtual network card corresponding to the business Docker container; the service request carries the terminal identifier of the user terminal that sent it.
Specifically, when the first virtual network card receives a service request for accessing the business Docker container, it sends the service request to the business Docker container and also to the IDS Docker container; the service request carries the terminal identifier of the user terminal that sent it. Correspondingly, the business Docker container receives the service request and processes it to generate response data for the service request; the request receiving module 11 receives the service request in order to detect whether it could constitute an attack, for example a DDoS attack, on the physical host where the intrusion detection device 1 is located.
Optionally, the terminal identifier of the user terminal may include, but is not limited to, the IP address of the user terminal, the login user name, and so on.
The feature determination module 12 is configured to parse the service request to determine the data feature of the service request.
Specifically, the feature determination module 12 parses the service request to determine its data feature. The data feature may, for example, be carried in the header fields of the service request; for instance, the service request may be an HTTP request, and its data feature may be the URL of the service request.
The feature detection module 14 is configured to detect whether the pre-stored attack signature set contains an attack signature that matches the data feature.
Specifically, the feature detection module 14 detects whether the pre-stored attack signature set contains an attack signature that matches the data feature; if such an attack signature exists, it notifies the intrusion determination module 15 to perform its step; if none exists, it notifies the request reporting module 16 to perform its step.
Optionally, the pre-stored attack signature set contains multiple attack signatures used to test access requests. Optionally, the intrusion detection device 1 may modify, delete or add attack signatures in the attack signature set, so that the stored signatures become more complete and intrusion detection becomes more effective.
The intrusion determination module 15 is configured to determine that the data feature satisfies the preset intrusion condition if the detection result of the feature detection module is yes.
Specifically, if there is an attack signature that matches the data feature, the intrusion determination module 15 determines that the data feature satisfies the preset intrusion condition. If the data feature satisfies the preset intrusion condition.
For example, where the data feature is the URL of the service request: if the URL in a service request for accessing the business Docker container is http://www.qq.com/***, then, because the URL for normal access to the business Docker container is http://www.qq.com/, the intrusion detection device 1 can further inspect "***"; when it finds that "***" is present in the pre-stored attack signature set, it determines that the data feature satisfies the preset intrusion condition.
The command sending module 13 is configured to send a stop-transmission command to the first virtual network card if the data feature satisfies the preset intrusion condition; the stop-transmission command instructs the first virtual network card to stop transmitting the response data that the business Docker container returns for the service request.
Specifically, the command sending module 13 then sends a stop-transmission command to the first virtual network card; the stop-transmission command instructs the first virtual network card to stop transmitting the response data that the business Docker container returns for the service request.
The first virtual network card sends the service request to the business Docker container so that the business Docker container returns response data. Where the business Docker container has already returned the response data to the first virtual network card, if the first virtual network card has not yet started sending the response data to the user terminal, or has not yet finished sending it, then as soon as it receives the stop-transmission command sent by the command sending module 13 it interrupts transmission of the response data.
Optionally, the stop-transmission command also instructs the first virtual network card to stop transmitting other response data to the user terminal. For example, when the first virtual network card receives other service requests from the user terminal for the business Docker container, it does not forward them to the business Docker container; or it forwards them to the business Docker container but does not return to the user terminal the response data that the business Docker container sends for those requests. The command sending module 13 may mark the user terminal according to the terminal identifier.
The request reporting module 16 is configured to report the service request to the security server through a pre-allocated second virtual network card.
Specifically, the request reporting module 16 reports the service request to the security server through the pre-allocated second virtual network card, so that the security server inspects the service request further. Optionally, the security server may be connected to multiple intrusion detection devices, so it can analyse and collate the service requests sent by different intrusion detection devices and thereby reach a more accurate judgement on the service request, improving the accuracy of intrusion detection.
It should be noted that, in this embodiment, the request reporting module 16 reports the service request to the security server after the command sending module 13 has executed, or after it is found that the pre-stored attack signature set contains no attack signature matching the data feature. Optionally, the request reporting module 16 may report the service request to the security server upon receiving it from the first virtual network card; or it may package the service requests received during a preceding period and report them together; or it may package a certain number of service requests and report them together. This embodiment does not limit the reporting time or whether requests are reported individually or in packages.
The policy receiving module 17 is configured to receive, through the second virtual network card, the security policy for the service request sent by the security server; the security policy indicates whether the first virtual network card allows the user terminal to access the business Docker container.
Specifically, after the security server has analysed the service request in depth and determined the security policy corresponding to it, the security server sends the security policy to the intrusion detection device through the second virtual network card. Correspondingly, the policy receiving module 17 receives, through the second virtual network card, the security policy for the service request sent by the security server. The security policy indicates whether the first virtual network card allows the user terminal to access the business Docker container.
Optionally, the security server may obtain the correspondence between the data feature of the service request and a security policy from records of data features and intrusion detection results in historical accesses.
The access processing module 18 is configured to notify the first virtual network card, according to the security policy, to handle the access connection sent by the user terminal.
Specifically, the access processing module 18 notifies the first virtual network card, according to the security policy, to handle the access connection sent by the user terminal. For example, if the security policy is not to allow the user terminal to access the business Docker container, the access processing module 18 notifies the first virtual network card to refuse the access connection sent by the user terminal. If the security policy is to allow the user terminal to access the business Docker container, the access processing module 18 either sends no notification message to the first virtual network card, or sends a notification message allowing the user terminal to continue accessing the business Docker container.
It should be noted that the intrusion detection device in this embodiment may be deployed in an IDS Docker container on a physical host, with a certain amount of hardware resources, such as CPU and memory, allocated to the IDS Docker container in advance. Because the intrusion detection device uses fixed hardware resources, intrusion detection can run without affecting the normal operation of the other business Docker containers.
In this embodiment of the present invention, the service request for accessing the business Docker container, sent by the first virtual network card corresponding to that container, is received; the service request is then parsed to determine its data feature; if the data feature satisfies the preset intrusion condition, a stop-transmission command is sent to the first virtual network card, instructing it to stop transmitting the response data that the business Docker container returns for the service request. The intrusion detection device can thus inspect the network data of other business Docker containers in a timely manner, which improves the efficiency of intrusion detection; in addition, further detection by the security server can improve the accuracy of intrusion detection.
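The flow of steps S301 to S311, with the module split of Fig. 7, can be followed in the Python simulation below. It is an added example, not code from the patent: the class and function names, the three sample signatures, the sample requests and the security server's decision rule (deny a terminal once any hit has been reported for it) are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from urllib.parse import unquote_plus, urlsplit

# Constructed sample signatures; the patent does not list concrete ones.
SIGNATURES = ("../", "<script", "union select")


def extract_url_feature(raw_request: bytes) -> str:
    """S306: parse the request line and return a normalised URL feature."""
    line = raw_request.split(b"\r\n", 1)[0].decode("latin-1")
    parts = line.split(" ")
    if len(parts) != 3:
        raise ValueError("malformed request line")
    url = urlsplit(parts[1])
    feature = url.path + ("?" + url.query if url.query else "")
    for _ in range(3):  # undo nested percent-encoding, with a fixed bound
        decoded = unquote_plus(feature)
        if decoded == feature:
            break
        feature = decoded
    return feature.lower()


@dataclass
class VirtualNic:
    """First virtual network card: relays responses and obeys stop commands."""
    stopped: set = field(default_factory=set)  # request ids under a stop command
    blocked: set = field(default_factory=set)  # terminal identifiers

    def admit(self, terminal_id: str) -> bool:
        """S301/S302: forward only requests from terminals that are not blocked."""
        return terminal_id not in self.blocked

    def stop_transmission(self, request_id: int, terminal_id: str) -> None:
        """S308: stop this response and, as the optional variant, later ones."""
        self.stopped.add(request_id)
        self.blocked.add(terminal_id)

    def relay(self, request_id: int, response: bytes, chunk: int = 16):
        """S305: yield the response in chunks, checking for a stop command."""
        for i in range(0, len(response), chunk):
            if request_id in self.stopped:
                return
            yield response[i:i + chunk]


class SecurityServer:
    """S309/S310: keeps reports from IDS containers and returns a policy.
    Assumed rule: deny a terminal once any signature hit is on record for it."""

    def __init__(self):
        self.history = {}  # terminal id -> [(feature, matched signature or None)]

    def report(self, terminal_id: str, feature: str, hit):
        self.history.setdefault(terminal_id, []).append((feature, hit))
        return "deny" if any(h for _, h in self.history[terminal_id]) else "allow"


class IdsContainer:
    def __init__(self, nic, server, signatures=SIGNATURES):
        self.nic, self.server, self.signatures = nic, server, signatures

    def inspect(self, request_id: int, terminal_id: str, raw_request: bytes):
        feature = extract_url_feature(raw_request)                      # S306
        hit = next((s for s in self.signatures if s in feature), None)  # S307
        if hit:
            self.nic.stop_transmission(request_id, terminal_id)         # S308
        policy = self.server.report(terminal_id, feature, hit)          # S309-S310
        if policy == "deny":                                            # S311
            self.nic.blocked.add(terminal_id)
        return hit, policy


def demo():
    nic, server = VirtualNic(), SecurityServer()
    ids = IdsContainer(nic, server)
    response = b"HTTP/1.1 200 OK\r\n\r\n" + b"A" * 45  # constructed, 64 bytes
    # Constructed requests: (request id, terminal identifier, raw HTTP request)
    benign = (1, "198.51.100.7",
              b"GET /index.html HTTP/1.1\r\nHost: shop.example\r\n\r\n")
    hostile = (2, "203.0.113.9",
               b"GET /item?id=1%2520UNION%2520SELECT%2520pw HTTP/1.1\r\n"
               b"Host: shop.example\r\n\r\n")
    results = {}
    for rid, tid, raw in (benign, hostile):
        stream = nic.relay(rid, response)  # business container has answered (S304)
        sent = next(stream)                # first chunk leaves before the verdict
        hit, policy = ids.inspect(rid, tid, raw)
        sent += b"".join(stream)           # remaining chunks, unless stopped
        results[rid] = (hit, policy, len(sent))
    results["hostile_admitted_again"] = nic.admit(hostile[1])
    return results


if __name__ == "__main__":
    print(demo())
```

Because detection runs beside the business container rather than in front of it, the first 16 bytes of the response to the matching request have already left when the stop-transmission command arrives; only the remainder is withheld.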
Referring to Fig. 8, an embodiment of the present invention provides a schematic structural diagram of another intrusion detection device. As shown in Fig. 8, the intrusion detection device 1000 may include: at least one processor 1001, such as a CPU, at least one network interface 1004, a memory 1005 and at least one communication bus 1002. The network interface 1004 may optionally include a standard wired interface and a wireless interface (such as a Wi-Fi interface). The memory 1005 may be high-speed RAM or non-volatile memory, for example at least one disk memory. The memory 1005 may optionally also be at least one storage device located remotely from the processor 1001. The communication bus 1002 implements connection and communication between these components. Optionally, the intrusion detection device 1000 includes a user interface 1003, which may optionally include a display and a keyboard. As shown in Fig. 8, the memory 1005, as a computer storage medium, may contain an operating system, a network communication module, a user interface module and an intrusion detection application.
In the intrusion detection device 1000 shown in Fig. 8, the processor 1001 may be used to call the intrusion detection application stored in the memory 1005 and specifically perform the following operations:
receiving the service request for accessing the business Docker container, sent by the first virtual network card corresponding to the business Docker container, the service request carrying the terminal identifier of the user terminal that sent it;
parsing the service request to determine the data feature of the service request;
if the data feature satisfies the preset intrusion condition, sending a stop-transmission command to the first virtual network card, the stop-transmission command instructing the first virtual network card to stop transmitting the response data that the business Docker container returns for the service request.
In a possible embodiment, the stop-transmission command also instructs the first virtual network card to stop transmitting other response data to the user terminal.
In a possible embodiment, before sending the stop-transmission command to the first virtual network card if the data feature satisfies the preset intrusion condition, the processor 1001 further performs:
detecting whether the pre-stored attack signature set contains an attack signature that matches the data feature;
if so, determining that the data feature satisfies the preset intrusion condition.
In a possible embodiment, the processor 1001 further performs:
reporting the service request to the security server through a pre-allocated second virtual network card;
receiving, through the second virtual network card, the security policy for the service request sent by the security server, the security policy indicating whether the first virtual network card allows the user terminal to access the business Docker container;
notifying the first virtual network card, according to the security policy, to handle the access connection sent by the user terminal.
In a possible embodiment, when notifying the first virtual network card, according to the security policy, to handle the access connection sent by the user terminal, the processor 1001 specifically performs: when the security policy is not to allow the user terminal to access the business Docker container, notifying the first virtual network card to refuse the access connection sent by the user terminal.
It should be noted that the processor 1001 in this embodiment may be used to perform the actions or steps of the intrusion detection device in any of the embodiments shown in Figs. 2 to 5; for the specific implementation of what the processor 1001 performs and the resulting technical effects, see the descriptions of the corresponding method embodiments, which are not repeated here.
It should be noted that, for brevity, each of the foregoing method embodiments is described as a series of combined actions, but those skilled in the art should understand that the present invention is not limited by the order of actions described, because according to the present invention some steps may be performed in another order or simultaneously. Those skilled in the art should also understand that the embodiments described in this specification are preferred embodiments, and the actions and modules involved are not necessarily required by the present invention.
In the above embodiments, the description of each embodiment has its own emphasis; for parts not described in detail in one embodiment, refer to the related descriptions of the other embodiments.
Those of ordinary skill in the art will understand that all or part of the flows in the above method embodiments can be implemented by a computer program instructing the relevant hardware; the program may be stored in a computer-readable storage medium and, when executed, may include the flows of the above method embodiments. The storage medium may be a magnetic disk, an optical disc, a read-only memory (ROM), a random access memory (RAM), and so on.
What is disclosed above is merely a preferred embodiment of the present invention and certainly cannot limit the scope of its claims; equivalent changes made according to the claims of the present invention therefore still fall within the scope covered by the present invention.

Claims (10)

1. a kind of intrusion detection method, it is characterised in that including:
The service request of the access service Docker containers that corresponding first Microsoft Loopback Adapter of reception business Docker containers sends, institute State the terminal iidentification that service request carries the user terminal for sending the service request;
The service request is parsed, to determine the data characteristics of the service request;
If the data characteristics meets default invasion condition, sent to first Microsoft Loopback Adapter and stop transmission order, it is described Stop transmission order for indicating first Microsoft Loopback Adapter to stop the business of the transmission business Docker containers feedback Ask corresponding response data.
2. method according to claim 1, it is characterised in that the stopping transmission order is additionally operable to indicate described first empty Intend other response datas that network interface card stops transmission transmission to the user terminal.
3. method according to claim 1, it is characterised in that if the data characteristics meets default invasion condition, Then sent to first Microsoft Loopback Adapter before stopping transmission order, also included:
With the presence or absence of the attack signature consistent with data characteristics matching in the attack signature set that detection prestores;
If, it is determined that the data characteristics meets default invasion condition.
4. the method according to claim any one of 1-3, it is characterised in that also include:
The service request is reported to by security server by pre-assigned second Microsoft Loopback Adapter;
The corresponding security strategy of the service request that the security server sends, institute are received by second Microsoft Loopback Adapter Security strategy is stated for indicating whether first Microsoft Loopback Adapter allows business Docker containers described in the user terminal access;
According to the security strategy, notify at access connection that first Microsoft Loopback Adapter sends to the user terminal Reason.
5. method according to claim 4, it is characterised in that described according to the security strategy, notifies that described first is empty The access connection that plan network interface card sends to the user terminal is processed, including:
When the security strategy is not to allow business Docker containers described in the user terminal access, notify that described first is empty Intend network interface card and refuse the access connection that the user terminal sends.
6. a kind of invasion detecting device, it is characterised in that including:
Request receiving module, for receiving the access service Docker that corresponding first Microsoft Loopback Adapter of business Docker containers sends The service request of container, the service request carries the terminal iidentification of the user terminal for sending the service request;
Characteristic determination module, for being parsed to the service request, to determine the data characteristics of the service request;
Order sending module, if meeting default invasion condition for the data characteristics, sends to first Microsoft Loopback Adapter Stop transmission order, it is described to stop transmitting order for indicating first Microsoft Loopback Adapter to stop the transmission business Docker appearances The corresponding response data of the service request of device feedback.
7. device according to claim 6, it is characterised in that the stopping transmission order is additionally operable to indicate described first empty Intend other response datas that network interface card stops transmission transmission to the user terminal.
8. device according to claim 6, it is characterised in that described device also includes:
Feature detection module, with the presence or absence of consistent with data characteristics matching in the attack signature set prestored for detection Attack signature;
Invasion determining module, if being yes for the testing result of the feature detection module, it is determined that the data characteristics meets Default invasion condition.
9. the device according to claim any one of 6-8, it is characterised in that described device also includes:
Request reporting module, for the service request to be reported into security service by pre-assigned second Microsoft Loopback Adapter Device;
Policy receipt module, for receiving the service request that the security server sends by second Microsoft Loopback Adapter Corresponding security strategy, the security strategy is used to indicate whether first Microsoft Loopback Adapter allows the user terminal access institute State business Docker containers;
Access processing module, for according to the security strategy, notifying that first Microsoft Loopback Adapter sends to the user terminal Access connection processed.
10. device according to claim 9, it is characterised in that
The access processing module is specifically for being not allow business described in the user terminal access when the security strategy During Docker containers, notify that first Microsoft Loopback Adapter refuses the access connection that the user terminal sends.
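The module split of claims 6-10 can be followed in a short Python model; this is an added example, not code from the patent or its applicant. The signature patterns, the decode-and-normalise feature step, the order in which policy and signatures are checked, and all names (`FirstAdapter`, `handle`, `policy_for`, `sample_policy`) are assumptions that the claims do not specify.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import unquote_plus

# Constructed stand-in for the pre-stored attack signature set of claim 8.
SIGNATURES = {
    "sql-union-select": re.compile(r"\bunion\s+select\b"),
    "path-traversal": re.compile(r"\.\./"),
}

@dataclass
class ServiceRequest:
    terminal_id: str   # terminal identifier carried by the request (claim 6)
    raw: str           # request data as forwarded by the first adapter

@dataclass
class FirstAdapter:
    """Hypothetical model of the first adapter in front of the business container."""
    stopped: set = field(default_factory=set)   # terminals under a stop-transmission order
    refused: set = field(default_factory=set)   # terminals whose access connection is refused

    def may_send_response(self, terminal_id):
        return terminal_id not in self.stopped | self.refused

def data_features(req):
    """Characteristic determination: decode and normalise before matching (assumed step)."""
    return re.sub(r"\s+", " ", unquote_plus(req.raw)).lower()

def handle(req, adapter, policy_for):
    """policy_for(terminal_id) -> bool models the security server's policy reply."""
    if not policy_for(req.terminal_id):          # claims 9-10: policy forbids access
        adapter.refused.add(req.terminal_id)
        return ("refuse_connection", [])
    features = data_features(req)
    hits = sorted(n for n, rx in SIGNATURES.items() if rx.search(features))
    if hits:                                     # claims 6 and 8: preset intrusion condition met
        adapter.stopped.add(req.terminal_id)     # claim 7: later responses stop as well
        return ("stop_transmission", hits)
    return ("forward", [])

# Constructed sample policy, not taken from the patent.
DENYLIST = {"term-9"}
def sample_policy(terminal_id):
    return terminal_id not in DENYLIST
```

Matching on decoded, normalised data means a percent-encoded request is compared against the same signature as its plain form.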
CN201710139153.8A 2017-03-09 2017-03-09 Intrusion detection prompting method and device Active CN106790291B (en)


Publications (2)

Publication Number Publication Date
CN106790291A (en) 2017-05-31
CN106790291B (en) 2020-04-03

Family

ID=58961839


Country Status (1)

Country Link
CN (1) CN106790291B (en)


Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101465770A (en) * 2009-01-06 2009-06-24 北京航空航天大学 Method for disposing inbreak detection system
CN104135490A (en) * 2014-08-14 2014-11-05 浪潮(北京)电子信息产业有限公司 Intrusion detection system (IDS) analysis method and intrusion detection system
CN105072115A (en) * 2015-08-12 2015-11-18 国家电网公司 Information system invasion detection method based on Docker virtualization
US20160283713A1 (en) * 2015-03-25 2016-09-29 International Business Machines Corporation Security within a software-defined infrastructure


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
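张楠: "Information Security Risks and Countermeasures for Container Technology in Cloud Computing", Proceedings of the 30th National Computer Security Academic Exchange Conference *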

Cited By (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108282376A (en) * 2018-04-20 2018-07-13 江南大学 A kind of LDDoS emulation modes based on lightweight virtualization
CN108282376B (en) * 2018-04-20 2021-06-08 江南大学 LDDoS simulation method based on lightweight virtualization
CN110086881A (en) * 2019-05-07 2019-08-02 网易(杭州)网络有限公司 Method for processing business, device and equipment
CN110138776A (en) * 2019-05-14 2019-08-16 重庆天蓬网络有限公司 Docker intrusion detection method, device and medium based on order monitoring
CN110138776B (en) * 2019-05-14 2020-04-28 重庆天蓬网络有限公司 Docker intrusion detection method, device and medium based on command monitoring
WO2021053422A1 (en) * 2019-09-20 2021-03-25 International Business Machines Corporation Correspondence of external operations to containers and mutation events
GB2602435A (en) * 2019-09-20 2022-06-29 Ibm Correspondence of external operations to containers and mutation events
GB2602435B (en) * 2019-09-20 2023-01-04 Ibm Correspondence of external operations to containers and mutation events
US11580199B2 (en) 2019-09-20 2023-02-14 International Business Machines Corporation Correspondence of external operations to containers and mutation events
CN113364723A (en) * 2020-03-05 2021-09-07 奇安信科技集团股份有限公司 DDoS attack monitoring method and device, storage medium and computer equipment
CN112182573A (en) * 2020-09-10 2021-01-05 青岛海尔科技有限公司 Method, device and equipment for intrusion detection
CN112153049A (en) * 2020-09-24 2020-12-29 绿盟科技集团股份有限公司 Intrusion detection method and device
CN112153049B (en) * 2020-09-24 2023-01-17 绿盟科技集团股份有限公司 Intrusion detection method, device, electronic equipment and computer readable medium


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant