CN106790291A - Intrusion detection method and device
- Publication number: CN106790291A (CN201710139153.8A)
- Authority: CN (China)
- Prior art keywords: service request, virtual network card, business, Docker containers
- Legal status: Granted (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
Abstract
An embodiment of the invention discloses an intrusion detection method and device. The method includes: receiving a service request for accessing a business Docker container, sent by a first virtual network card corresponding to the business Docker container, where the service request carries the terminal identifier of the user terminal that sent it; parsing the service request to determine the data characteristics of the service request; and, if the data characteristics meet a preset intrusion condition, sending a stop-transmission command to the first virtual network card, where the stop-transmission command instructs the first virtual network card to stop transmitting the response data that the business Docker container returned for the service request. The invention enables timely detection of, and feedback on, service requests to business Docker containers, improving the efficiency of intrusion detection.
Description
Technical field
The present invention relates to the field of computer technology, and in particular to an intrusion detection method and device.
Background
With the development of Internet technology, the Internet data center (Internet Data Center, IDC) has become an indispensable part of the Internet industry. An IDC must not only provide users with the data services they need, but also monitor network data to ensure that its servers operate normally, for example by deploying an intrusion detection system (Intrusion Detection Systems, IDS). Specifically, a physical optical splitter (or switch mirroring) is deployed at the ingress of the IDC's network data, so that while an access request sent by a user terminal is delivered to the corresponding server, an identical access request is sent to the intrusion detection device, which inspects the access requests one by one.
However, when the IDC contains many servers and the volume of access requests is large, the intrusion detection device has to inspect every access request of every server. The detection workload is therefore large and the processing cycle long, and detection results cannot be fed back to the servers in time. Once an attacking access request appears, the server may well be unable to respond normally to legitimate access requests, leading to server paralysis, and the efficiency of intrusion detection is therefore reduced.
Summary of the invention
The technical problem to be solved by the embodiments of the present invention is to provide an intrusion detection method and device that enable timely detection of, and feedback on, service requests to business Docker containers, improving the efficiency of intrusion detection.
In a first aspect, an embodiment of the invention provides an intrusion detection method, the method including:
receiving a service request for accessing a business Docker container, sent by a first virtual network card corresponding to the business Docker container, where the service request carries the terminal identifier of the user terminal that sent the service request;
parsing the service request to determine the data characteristics of the service request;
if the data characteristics meet a preset intrusion condition, sending a stop-transmission command to the first virtual network card, where the stop-transmission command instructs the first virtual network card to stop transmitting the response data that the business Docker container returned for the service request.
In a second aspect, an embodiment of the invention further provides an intrusion detection device, the device including:
a request receiving module, configured to receive a service request for accessing a business Docker container, sent by a first virtual network card corresponding to the business Docker container, where the service request carries the terminal identifier of the user terminal that sent the service request;
a characteristic determination module, configured to parse the service request to determine the data characteristics of the service request;
a command sending module, configured to send a stop-transmission command to the first virtual network card if the data characteristics meet a preset intrusion condition, where the stop-transmission command instructs the first virtual network card to stop transmitting the response data that the business Docker container returned for the service request.
In the embodiments of the present invention, a service request for accessing a business Docker container is received from the first virtual network card corresponding to that container. The service request is then parsed to determine its data characteristics, and if the data characteristics meet the preset intrusion condition, a stop-transmission command is sent to the first virtual network card, instructing it to stop transmitting the response data that the business Docker container returned for the service request. Receiving the service request sent by the first virtual network card allows the service request to be detected in real time and the detection result to be fed back, which improves the efficiency of intrusion detection.
Brief description of the drawings
To explain the embodiments of the present invention or the technical solutions of the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. The drawings described below are obviously only some embodiments of the invention; a person of ordinary skill in the art can derive other drawings from them without creative effort.
Fig. 1 is a schematic structural diagram of a possible physical host provided by an embodiment of the present invention;
Fig. 2 is a schematic flowchart of an intrusion detection method provided by an embodiment of the present invention;
Fig. 3 is a schematic flowchart of another intrusion detection method provided by an embodiment of the present invention;
Fig. 4 is a system architecture diagram of a possible intrusion detection system provided by an embodiment of the present invention;
Fig. 5 is a schematic flowchart of another intrusion detection method provided by an embodiment of the present invention;
Fig. 6 is a schematic structural diagram of an intrusion detection device provided by an embodiment of the present invention;
Fig. 7 is a schematic structural diagram of another intrusion detection device provided by an embodiment of the present invention;
Fig. 8 is a schematic structural diagram of another intrusion detection device provided by an embodiment of the present invention.
Detailed description of the embodiments
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings in the embodiments. The described embodiments are obviously only some of the embodiments of the invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art on the basis of the embodiments of the present invention, without creative effort, fall within the scope of protection of the invention.
The terms "comprising" and "having", and any variants of them, in the description, the claims and the above drawings are intended to cover non-exclusive inclusion. For example, a process, method, system, product or device that contains a series of steps or units is not limited to the steps or units listed, but optionally also includes steps or units that are not listed, or optionally also includes other steps or units inherent to the process, method, product or device.
Refer to Fig. 1, a schematic structural diagram of a possible physical host provided by an embodiment of the present invention. The physical host shown in Fig. 1 has Docker installed and, on that basis, multiple Docker containers deployed, including multiple business Docker containers and an IDS Docker container. A Docker container can be configured to use a fixed amount of hardware resources, such as central processing unit (Central Processing Unit, CPU) resources and memory resources. The physical host is a server that provides applications or services. Further, using single-root I/O virtualization (Single Root I/O Virtualization, SR-IOV), the network interface card (Network Interface Card, NIC) of the physical host is virtualized into multiple virtual network cards, one for each Docker container; for example, virtual network card 1 corresponds to business Docker container 1, virtual network card 2 corresponds to business Docker container 2, virtual network card 10 corresponds to IDS Docker container 10, and so on.
Take virtual network card 1 and its business Docker container 1 as an example. When virtual network card 1 receives a service request for accessing business Docker container 1, it sends the service request to business Docker container 1 and also sends the service request to the IDS Docker container; the service request carries the terminal identifier of the user terminal that sent it. Correspondingly, IDS Docker container 10 receives the service request for accessing business Docker container 1 from virtual network card 1 and parses it to determine the data characteristics of the service request. If the data characteristics meet the preset intrusion condition, IDS Docker container 10 sends a stop-transmission command to virtual network card 1, instructing virtual network card 1 to stop transmitting the response data that business Docker container 1 returned for the service request. Deploying an IDS Docker container on each individual physical host allows service requests to the business Docker containers on that host to be detected in time, improving the efficiency of intrusion detection. In addition, configuring the IDS Docker container to use fixed hardware resources means that intrusion detection is provided without affecting the normal operation of the business Docker containers.
In the network architecture shown in Fig. 1, the user terminal can be any device with display and communication functions, for example a tablet computer, mobile phone, e-reader, personal computer (Personal Computer, PC), notebook computer, in-vehicle device, network TV or wearable device.
Based on the structure of the physical host shown in Fig. 1, the intrusion detection method provided by the embodiments of the present invention is described in detail below with reference to Fig. 2 to Fig. 5.
Refer to Fig. 2, a schematic flowchart of an intrusion detection method provided by an embodiment of the present invention. As shown in Fig. 2, the method of this embodiment may include the following steps S101 to S103.
S101, receive the service request for accessing the business Docker container, sent by the first virtual network card corresponding to the business Docker container.
Specifically, when the first virtual network card receives a service request for accessing the business Docker container, the first virtual network card sends the service request to the business Docker container and also sends the service request to the IDS Docker container; the service request carries the terminal identifier of the user terminal that sent it. Correspondingly, the business Docker container receives the service request and processes it to generate response data for the service request. The intrusion detection device receives the service request in order to detect whether the service request could attack the physical host on which the intrusion detection device resides, for example a distributed denial of service (Distributed Denial of Service, DDoS) attack.
Optionally, the terminal identifier of the user terminal may include, but is not limited to, the Internet Protocol (Internet Protocol, IP) address of the user terminal, the login user name, and so on.
S102, parse the service request to determine the data characteristics of the service request.
Specifically, the intrusion detection device parses the service request to determine its data characteristics. For example, the data characteristics may be carried in the header fields of the service request. For instance, the service request may be a Hypertext Transfer Protocol (Hyper Text Transfer Protocol, HTTP) request, and the data characteristics of the service request may be the uniform resource locator (Uniform Resource Locator, URL) of the service request, and so on.
S103, if the data characteristics meet the preset intrusion condition, send a stop-transmission command to the first virtual network card.
Specifically, if the intrusion detection device detects that the data characteristics meet the preset intrusion condition, the intrusion detection device sends a stop-transmission command to the first virtual network card. The stop-transmission command instructs the first virtual network card to stop transmitting the response data that the business Docker container returned for the service request.
The first virtual network card sends the service request to the business Docker container so that the business Docker container can return response data. In the case where the business Docker container has already returned the response data to the first virtual network card, if the first virtual network card has not yet started sending the response data to the user terminal, or has not yet finished sending it, then as soon as it receives the stop-transmission command sent by the intrusion detection device, the first virtual network card interrupts transmission of the response data.
Optionally, the stop-transmission command also instructs the first virtual network card to stop transmitting other response data to the user terminal. For example, when the first virtual network card receives other service requests from the user terminal for the business Docker container, the first virtual network card does not send those service requests to the business Docker container; or the first virtual network card sends them to the business Docker container but does not return to the user terminal the response data that the business Docker container sends for those other service requests. The intrusion detection device can mark the user terminal according to the terminal identifier.
Optionally, the data characteristics meeting the preset intrusion condition may mean that the data characteristics match an attack signature in a preset attack signature set.
In this embodiment of the present invention, a service request for accessing a business Docker container is received from the first virtual network card corresponding to that container. The service request is then parsed to determine its data characteristics, and if the data characteristics meet the preset intrusion condition, a stop-transmission command is sent to the first virtual network card, instructing it to stop transmitting the response data that the business Docker container returned for the service request. Receiving the service request sent by the first virtual network card allows the service request to be detected in real time and the detection result to be fed back, which improves the efficiency of intrusion detection.
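The behaviour of the first virtual network card described under S103 can be modelled as a small state machine. The following is an added illustration, not code from the patent: the class, its method names, the chunked response and the sample terminal identifier are all assumptions, and the choice to keep copying requests from marked terminals to the IDS is likewise an assumption the text does not settle.

```python
from collections import deque


class FirstVirtualNic:
    """Toy model of the first virtual network card (all names are assumptions)."""

    def __init__(self, forward_blocked=False):
        self.forward_blocked = forward_blocked  # which optional variant to use
        self.to_business = []   # requests delivered to the business container
        self.to_ids = []        # copies delivered to the IDS container
        self.pending = {}       # terminal_id -> response chunks not yet sent
        self.sent = []          # (terminal_id, chunk) already transmitted
        self.blocked = set()    # terminals named in a stop-transmission command

    def on_request(self, terminal_id, request):
        """S101: copy the request to the IDS and pass it to the business side."""
        # Assumption: requests from marked terminals are still copied to the IDS.
        self.to_ids.append((terminal_id, request))
        if terminal_id in self.blocked and not self.forward_blocked:
            return False                      # variant 1: request is not forwarded
        self.to_business.append((terminal_id, request))
        return True

    def on_response(self, terminal_id, chunks):
        """Queue response data returned by the business container."""
        if terminal_id in self.blocked:
            return 0                          # variant 2: response is not fed back
        self.pending.setdefault(terminal_id, deque()).extend(chunks)
        return len(chunks)

    def transmit_one(self, terminal_id):
        """Send one queued chunk to the user terminal, if any remains."""
        queue = self.pending.get(terminal_id)
        if not queue:
            return False
        self.sent.append((terminal_id, queue.popleft()))
        return True

    def on_stop_transmission(self, terminal_id):
        """S103: interrupt the unfinished response and mark the terminal."""
        dropped = len(self.pending.pop(terminal_id, ()))
        self.blocked.add(terminal_id)
        return dropped


def run_scenario():
    """Constructed timeline: the stop command arrives mid-response."""
    nic = FirstVirtualNic(forward_blocked=True)
    tid = "198.51.100.23"                     # constructed terminal identifier
    nic.on_request(tid, "GET /a HTTP/1.1")
    nic.on_response(tid, ["chunk-1", "chunk-2", "chunk-3"])
    nic.transmit_one(tid)                     # one chunk leaves before the verdict
    dropped = nic.on_stop_transmission(tid)   # IDS verdict arrives
    nic.on_request(tid, "GET /b HTTP/1.1")    # later request, still forwarded
    queued = nic.on_response(tid, ["chunk-4"])
    return {"sent": nic.sent, "dropped": dropped,
            "queued_after_stop": queued, "forwarded": len(nic.to_business)}


if __name__ == "__main__":
    print(run_scenario())
```

In the constructed timeline one chunk is already sent when the command arrives: the scheme interrupts only what has not yet been transmitted, so how much of a response is withheld depends on how quickly the IDS container reaches its verdict.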
Refer to Fig. 3, a schematic flowchart of another intrusion detection method provided by an embodiment of the present invention. As shown in Fig. 3, the method of this embodiment may include the following steps S201 to S207.
S201, receive the service request for accessing the business Docker container, sent by the first virtual network card corresponding to the business Docker container.
Specifically, when the first virtual network card receives a service request for accessing the business Docker container, the first virtual network card sends the service request to the business Docker container and also sends the service request to the IDS Docker container; the service request carries the terminal identifier of the user terminal that sent it. Correspondingly, the business Docker container receives the service request and processes it to generate response data for the service request. The intrusion detection device receives the service request in order to detect whether the service request could attack the physical host on which the intrusion detection device resides, for example a DDoS attack.
Optionally, the terminal identifier of the user terminal may include, but is not limited to, the IP address of the user terminal, the login user name, and so on.
S202, parse the service request to determine the data characteristics of the service request.
Specifically, the intrusion detection device parses the service request to determine its data characteristics. For example, the data characteristics may be carried in the header fields of the service request. For instance, the service request may be an HTTP request, and the data characteristics of the service request may be the URL of the service request, and so on.
S203, detect whether the pre-stored attack signature set contains an attack signature that matches the data characteristics.
Specifically, the intrusion detection device detects whether the pre-stored attack signature set contains an attack signature that matches the data characteristics. If such an attack signature exists, step S204 is performed; if no such attack signature exists, step S205 is performed.
Optionally, the pre-stored attack signature set contains multiple attack signatures used to check access requests. Optionally, the intrusion detection device can modify, delete and add attack signatures in the attack signature set, so that the set of stored attack signatures becomes more complete and intrusion detection more effective.
For example, where the data characteristics are the URL of the service request: if the URL in a service request for accessing the business Docker container is http://www.qq.com/***, then because the URL for normally accessing the business Docker container is http://www.qq.com/, the intrusion detection device can further inspect "***"; when it finds that "***" is present in the pre-stored attack signature set, it determines that the data characteristics meet the preset intrusion condition.
S204, if so, send a stop-transmission command to the first virtual network card.
Specifically, if an attack signature matching the data characteristics exists, the intrusion detection device determines that the data characteristics meet the preset intrusion condition. If the data characteristics meet the preset intrusion condition, the intrusion detection device sends a stop-transmission command to the first virtual network card, instructing the first virtual network card to stop transmitting the response data that the business Docker container returned for the service request.
The first virtual network card sends the service request to the business Docker container so that the business Docker container can return response data. In the case where the business Docker container has already returned the response data to the first virtual network card, if the first virtual network card has not yet started sending the response data to the user terminal, or has not yet finished sending it, then as soon as it receives the stop-transmission command sent by the intrusion detection device, the first virtual network card interrupts transmission of the response data.
Optionally, the stop-transmission command also instructs the first virtual network card to stop transmitting other response data to the user terminal. For example, when the first virtual network card receives other service requests from the user terminal for the business Docker container, the first virtual network card does not send those service requests to the business Docker container; or the first virtual network card sends them to the business Docker container but does not return to the user terminal the response data that the business Docker container sends for those other service requests. The intrusion detection device can mark the user terminal according to the terminal identifier.
S205, report the service request to a security server through a pre-assigned second virtual network card.
Specifically, the intrusion detection device reports the service request to the security server through the pre-assigned second virtual network card, so that the security server can inspect the service request further. Optionally, the security server can be connected to multiple intrusion detection devices, so it can analyse and collate the service requests sent by different intrusion detection devices and reach a more accurate judgement on the service request, improving the accuracy of intrusion detection. It can be understood that the first virtual network card and the second virtual network card are two different virtual network cards virtualized from the NIC of the physical host: the first virtual network card is the one corresponding to the business Docker container, and the second virtual network card is the one corresponding to the IDS Docker container.
It should be noted that, in this embodiment, the intrusion detection device reports the service request to the security server after step S204, or after finding that the pre-stored attack signature set contains no attack signature matching the data characteristics. Optionally, the intrusion detection device may report the service request to the security server once it has received the service request from the first virtual network card; or it may package the service requests received during a preceding period of time and report them to the security server; or it may package a certain number of service requests and report them to the security server. The embodiments of the present invention do not limit the time of reporting to the security server, or whether requests are reported individually or in packaged batches.
S206, receive, through the second virtual network card, the security policy for the service request sent by the security server.
Specifically, after the security server has analysed the service request in depth and determined the security policy corresponding to it, the security server sends the security policy to the intrusion detection device through the second virtual network card. Correspondingly, the intrusion detection device receives, through the second virtual network card, the security policy for the service request sent by the security server. The security policy indicates whether the first virtual network card allows the user terminal to access the business Docker container.
Optionally, the security server may obtain the correspondence between the data characteristics of the service request and a security policy from the records of data characteristics and intrusion detection results in historical accesses.
S207, according to the security policy, notify the first virtual network card to handle the access connection sent by the user terminal.
Specifically, the intrusion detection device, according to the security policy, notifies the first virtual network card to handle the access connection sent by the user terminal. For example, if the security policy is not to allow the user terminal to access the business Docker container, the intrusion detection device notifies the first virtual network card to refuse the access connection sent by the user terminal. If the security policy is to allow the user terminal to access the business Docker container, the intrusion detection device either sends no notification message to the first virtual network card, or sends a notification message allowing the user terminal to continue accessing the business Docker container.
It should be noted that the intrusion detection device in the embodiments of the present invention can be deployed in an IDS Docker container on a physical host, with a certain amount of hardware resources, such as CPU resources and memory resources, allocated to the IDS Docker container in advance. Configuring the intrusion detection device to use fixed hardware resources means that intrusion detection is provided without affecting the normal operation of the other business Docker containers.
In this embodiment of the present invention, a service request for accessing a business Docker container is received from the first virtual network card corresponding to that container. The service request is then parsed to determine its data characteristics, and if the data characteristics meet the preset intrusion condition, a stop-transmission command is sent to the first virtual network card, instructing it to stop transmitting the response data that the business Docker container returned for the service request. In this way the intrusion detection device can inspect the network data of the other business Docker containers in time, improving the efficiency of intrusion detection; in addition, further inspection by the security server can improve the accuracy of intrusion detection.
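Steps S201 to S207 can be followed end to end in a short sketch of the IDS Docker container's decision logic. This is an added example, not the patent's implementation: the signature set and sample requests are constructed, the command names STOP_TRANSMISSION and REJECT_CONNECTION and all class and function names are assumptions, and decoding the URL once before matching is a design choice of the example.

```python
from dataclasses import dataclass, field
from urllib.parse import unquote, urlsplit

# Constructed signature set; the patent does not list concrete signatures.
ATTACK_SIGNATURES = {"../", "<script"}


@dataclass
class ServiceRequest:
    terminal_id: str  # terminal identifier, e.g. the user terminal's IP address
    raw: bytes        # request bytes copied by the first virtual network card


def extract_feature(req):
    """S202: return the decoded, lower-cased URL path and query."""
    request_line = req.raw.split(b"\r\n", 1)[0].decode("latin-1")
    parts = request_line.split(" ")
    if len(parts) != 3:
        raise ValueError("malformed request line")
    url = urlsplit(parts[1])
    feature = url.path + ("?" + url.query if url.query else "")
    # Decode %xx once so encoded forms are compared against the same signatures.
    return unquote(feature).lower()


def match_signature(feature, signatures):
    """S203: return the first matching signature, or None."""
    for sig in sorted(signatures):
        if sig in feature:
            return sig
    return None


@dataclass
class IdsContainer:
    signatures: set
    to_first_vnic: list = field(default_factory=list)       # commands to the first virtual NIC
    to_security_server: list = field(default_factory=list)  # reports via the second virtual NIC

    def handle(self, req):
        """S201-S205 for one copied request; returns the matched signature."""
        try:
            feature = extract_feature(req)
        except ValueError:
            feature = None  # assumption: unparseable requests are only reported
        hit = match_signature(feature, self.signatures) if feature else None
        if hit:  # S204: data characteristics meet the preset intrusion condition
            self.to_first_vnic.append({"cmd": "STOP_TRANSMISSION",
                                       "terminal_id": req.terminal_id,
                                       "signature": hit})
        # S205: reported after S204 as well as when nothing matched.
        self.to_security_server.append((req.terminal_id, feature))
        return hit

    def apply_policy(self, terminal_id, allow):
        """S206-S207: act on the security server's policy for one terminal."""
        if not allow:
            self.to_first_vnic.append({"cmd": "REJECT_CONNECTION",
                                       "terminal_id": terminal_id})
        return allow  # when allowed, this sketch sends no notification


if __name__ == "__main__":
    ids = IdsContainer(signatures=set(ATTACK_SIGNATURES))
    # Constructed sample: percent-encoded path segments.
    sample = ServiceRequest("203.0.113.9",
                            b"GET /img/%2E%2E/%2e%2e/conf HTTP/1.1\r\nHost: www.qq.com\r\n\r\n")
    print(ids.handle(sample), ids.to_first_vnic)
```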
Refer to Fig. 4, an architecture diagram of a possible intrusion detection system provided by an embodiment of the present invention. As shown in Fig. 4, the intrusion detection system includes a security server and multiple physical hosts, such as physical host 1, physical host 2, ..., physical host N. Each physical host may follow the structure of the physical host shown in Fig. 1. Based on the intrusion detection system architecture shown in Fig. 4, refer also to Fig. 5, a schematic flowchart of another intrusion detection method provided by an embodiment of the present invention. The intrusion detection method of this embodiment is performed jointly by the user terminal, a physical host and the security server; physical host 1 is used as the example physical host, and virtual network card 1, business Docker container 1 and IDS Docker container 10 are used as the examples within physical host 1. The specific procedure is described below.
S301, the user terminal sends a service request for accessing business Docker container 1 to physical host 1. The service request carries the terminal identifier of the user terminal.
S302, virtual network card 1 of physical host 1 sends the service request to business Docker container 1.
S303, virtual network card 1 of physical host 1 sends the service request to IDS Docker container 10.
The embodiments of the present invention do not limit the chronological order in which virtual network card 1 performs step S302 and step S303.
S304, after business Docker container 1 receives the service request, it processes the service request, determines the response data corresponding to the service request, and sends that response data to virtual network card 1.
S305, virtual network card 1 receives the response data sent by business Docker container 1 and sends the response data received from business Docker container 1 to the user terminal.
S306, IDS Docker container 10 receives the service request sent by virtual network card 1 and parses it to determine the data characteristics of the service request.
S307, IDS Docker container 10 detects whether the pre-stored attack signature set contains an attack signature that matches the data characteristics.
S308, if IDS Docker container 10 detects that the attack signature set contains an attack signature matching the data characteristics, IDS Docker container 10 sends a stop-transmission command to virtual network card 1. The stop-transmission command instructs virtual network card 1 to stop transmitting the response data that business Docker container 1 returned for the service request. Optionally, the stop-transmission command also instructs virtual network card 1 to stop transmitting other response data to the user terminal.
It should be noted that business Docker container 1 and IDS Docker container 10 each receive the service request separately, so there is no fixed chronological order between the steps performed by business Docker container 1 and those performed by IDS Docker container 10.
S309, IDS Docker container 10 can also send the service request to the security server, so that the security server inspects the service request further, improving the accuracy of intrusion detection.
S310, after the security server has finished inspecting the service request, it sends the security policy to IDS Docker container 10. The security policy indicates whether the first virtual network card allows the user terminal to access the business Docker container.
S311, after IDS Docker container 10 receives the security policy for the service request sent by the security server, it notifies the first virtual network card, according to the security policy, to handle the access connection sent by the user terminal.
It should be noted that communication between IDS Docker container 10 and the security server takes place through virtual network card 10, which corresponds to IDS Docker container 10; for example, the security server sends the security policy to virtual network card 10, and virtual network card 10 sends the security policy to IDS Docker container 10.
It should be noted that the specific implementation of step S301 to step S311 in the embodiment of the present invention and bringing
Technique effect may refer to the specific descriptions of Fig. 2 or embodiment illustrated in fig. 3, will not be repeated here.
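An added simulation of steps S301 to S311 (not code from the patent; the class names, the sample signatures, the request-limit policy and the `business.example` host are assumptions). It shows what the out-of-band design implies: the IDS container judges a mirrored copy, so whatever the virtual network card has already sent when the stop-transmission order arrives has left the host.

```python
from dataclasses import dataclass
from urllib.parse import unquote, urlsplit

# Constructed signatures for the demo; the patent does not list any.
ATTACK_SIGNATURES = ("../", "<script", "union select")


@dataclass(frozen=True)
class ServiceRequest:
    terminal_id: str  # terminal identifier carried by the request (here a source IP)
    url: str


def data_characteristics(req):
    """S306: parse the request; the decoded URL path and query are the characteristic."""
    parts = urlsplit(req.url)
    raw = parts.path + ("?" + parts.query if parts.query else "")
    return unquote(raw).lower()


class SecurityServer:
    """S309-S310 second-stage check; the per-terminal request limit is an assumed policy."""

    def __init__(self, limit=3):
        self.limit = limit
        self.seen = {}

    def policy_for(self, req):
        """Return True if the terminal may keep accessing the business container."""
        self.seen[req.terminal_id] = self.seen.get(req.terminal_id, 0) + 1
        return self.seen[req.terminal_id] <= self.limit


class IdsContainer:
    def __init__(self, signatures, server):
        self.signatures = tuple(signatures)
        self.server = server

    def inspect(self, req, nic):
        """S306-S311: match signatures, order the NIC to stop, then apply the policy."""
        feature = data_characteristics(req)
        hit = next((s for s in self.signatures if s in feature), None)
        if hit is not None:
            nic.stop_transmission(req.terminal_id)   # S308
        if not self.server.policy_for(req):          # S309-S310
            nic.refuse(req.terminal_id)              # S311
        return hit


class VirtualNic:
    """Mirrors each request to the business container and to the IDS container."""

    def __init__(self, business, ids, chunk_size=8):
        self.business = business
        self.ids = ids
        self.chunk_size = chunk_size
        self.stopped = set()  # terminals under a stop-transmission order
        self.refused = set()  # terminals refused by security policy

    def stop_transmission(self, terminal_id):
        self.stopped.add(terminal_id)

    def refuse(self, terminal_id):
        self.refused.add(terminal_id)

    def blocked(self, terminal_id):
        return terminal_id in self.stopped or terminal_id in self.refused

    def handle(self, req, verdict_after_chunks=0):
        """Return the bytes that actually reach the terminal.

        verdict_after_chunks models the unordered race between S304-S305 and
        S306-S308: the IDS verdict lands after that many chunks have been sent.
        """
        if self.blocked(req.terminal_id):
            return b""  # optional S308 behaviour and S311: request is not forwarded
        response = self.business(req)                 # S302, S304
        chunks = [response[i:i + self.chunk_size]
                  for i in range(0, len(response), self.chunk_size)]
        sent = bytearray()
        inspected = False
        for n, piece in enumerate(chunks):            # S305, chunk by chunk
            if n == verdict_after_chunks:
                self.ids.inspect(req, self)           # verdict on the S303 copy
                inspected = True
            if self.blocked(req.terminal_id):
                break                                 # interrupt the transmission
            sent += piece
        if not inspected:
            self.ids.inspect(req, self)               # verdict came after the last chunk
        return bytes(sent)


def business_container(req):
    """Stand-in for business Docker container 1; returns a fixed 32-byte body."""
    return b"0123456789abcdef0123456789abcdef"


def build_nic(limit=3):
    ids = IdsContainer(ATTACK_SIGNATURES, SecurityServer(limit))
    return VirtualNic(business_container, ids)
```

Calling `handle` with a larger `verdict_after_chunks` on a request that matches a signature shows how many bytes escape before the order lands; an inline deployment that holds the response until the verdict closes that window at the cost of latency.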
Based on the schematic structural diagram of the physical host shown in Fig. 1 and the system architecture diagram of the intrusion detection system shown in Fig. 4, the intrusion detection device provided by the embodiments of the present invention is described in detail below with reference to Figs. 6 to 8. It should be noted that the intrusion detection device shown in Figs. 6 to 8 is used to perform the methods of the embodiments shown in Figs. 2 to 5 of the present invention. The intrusion detection device shown in Figs. 6 to 8 may be the intrusion detection module in the IDS Docker container of the physical host shown in Fig. 1. For ease of description, only the parts related to the embodiments of the present invention are shown; for specific technical details that are not disclosed, refer to the embodiments shown in Figs. 2 to 5 of the present invention.
Referring to Fig. 6, an embodiment of the present invention provides a schematic structural diagram of an intrusion detection device. As shown in Fig. 6, the intrusion detection device 1 of the embodiment of the present invention may include: a request receiving module 11, a characteristic determination module 12 and an order sending module 13.
The request receiving module 11 is configured to receive the service request, sent by the first virtual network card corresponding to the business Docker container, for accessing the business Docker container. The service request carries the terminal identifier of the user terminal that sent the service request.
Specifically, when the first virtual network card receives a service request for accessing the business Docker container, the first virtual network card sends the service request to the business Docker container and also sends the service request to the IDS Docker container; the service request carries the terminal identifier of the user terminal that sent it. Accordingly, the business Docker container receives the service request and processes it to generate response data for the service request; the request receiving module 11 receives the service request in order to detect whether the service request could attack the physical host where the intrusion detection device 1 is located, for example with a DDoS attack.
Optionally, the terminal identifier of the user terminal may include, but is not limited to, the IP address of the user terminal, the login user name, and so on.
The characteristic determination module 12 is configured to parse the service request to determine the data characteristics of the service request.
Specifically, the characteristic determination module 12 parses the service request to determine the data characteristics of the service request. For example, the data characteristics may be carried in the header fields of the service request; for example, the service request may be an HTTP request, and the data characteristics of the service request may be the URL of the service request, and so on.
The order sending module 13 is configured to send a stop-transmission order to the first virtual network card if the data characteristics meet the preset intrusion condition. The stop-transmission order instructs the first virtual network card to stop transmitting the response data, fed back by the business Docker container, that corresponds to the service request.
Specifically, if it is detected that the data characteristics meet the preset intrusion condition, the order sending module 13 sends a stop-transmission order to the first virtual network card. The stop-transmission order instructs the first virtual network card to stop transmitting the response data, fed back by the business Docker container, that corresponds to the service request.
The first virtual network card sends the service request to the business Docker container so that the business Docker container can feed back response data. Where the business Docker container has already fed the response data back to the first virtual network card, if the first virtual network card has not yet started sending the response data to the user terminal, or has not yet finished transmitting the response data, then as soon as it receives the stop-transmission order sent by the order sending module 13, the first virtual network card interrupts the transmission of the response data.
Optionally, the stop-transmission order also instructs the first virtual network card to stop transmitting other response data destined for the user terminal. For example, if the first virtual network card receives other service requests from the user terminal for accessing the business Docker container, the first virtual network card does not send those service requests to the business Docker container; or the first virtual network card sends those service requests to the business Docker container but does not feed back to the user terminal the response data that the business Docker container returns for those other service requests. The order sending module 13 may mark the user terminal according to the terminal identifier.
Optionally, the data characteristics meeting the preset intrusion condition may mean that the data characteristics match an attack signature in a preset attack signature set.
In the embodiment of the present invention, the service request for accessing the business Docker container, sent by the first virtual network card corresponding to the business Docker container, is received; the service request is then parsed to determine its data characteristics; if the data characteristics meet the preset intrusion condition, a stop-transmission order is sent to the first virtual network card, instructing the first virtual network card to stop transmitting the response data, fed back by the business Docker container, that corresponds to the service request. By receiving the service request sent by the first virtual network card, the service request is detected in real time and the detection result is fed back, which improves the efficiency of intrusion detection.
Referring to Fig. 7, an embodiment of the present invention provides a schematic structural diagram of another intrusion detection device. As shown in Fig. 7, the intrusion detection device 1 of the embodiment of the present invention may include: a request receiving module 11, a characteristic determination module 12, an order sending module 13, a feature detection module 14, an intrusion determining module 15, a request reporting module 16, a policy receiving module 17 and an access processing module 18.
The request receiving module 11 is configured to receive the service request, sent by the first virtual network card corresponding to the business Docker container, for accessing the business Docker container. The service request carries the terminal identifier of the user terminal that sent the service request.
Specifically, when the first virtual network card receives a service request for accessing the business Docker container, the first virtual network card sends the service request to the business Docker container and also sends the service request to the IDS Docker container; the service request carries the terminal identifier of the user terminal that sent it. Accordingly, the business Docker container receives the service request and processes it to generate response data for the service request; the request receiving module 11 receives the service request in order to detect whether the service request could attack the physical host where the intrusion detection device 1 is located, for example with a DDoS attack.
Optionally, the terminal identifier of the user terminal may include, but is not limited to, the IP address of the user terminal, the login user name, and so on.
The characteristic determination module 12 is configured to parse the service request to determine the data characteristics of the service request.
Specifically, the characteristic determination module 12 parses the service request to determine the data characteristics of the service request. For example, the data characteristics may be carried in the header fields of the service request; for example, the service request may be an HTTP request, and the data characteristics of the service request may be the URL of the service request, and so on.
The feature detection module 14 is configured to detect whether the pre-stored attack signature set contains an attack signature that matches the data characteristics.
Specifically, the feature detection module 14 detects whether the pre-stored attack signature set contains an attack signature that matches the data characteristics. If there is an attack signature that matches the data characteristics, it notifies the intrusion determining module 15 to perform its step; if there is no attack signature that matches the data characteristics, it notifies the request reporting module 16 to perform its step.
Optionally, the pre-stored attack signature set contains multiple attack signatures used for checking access requests. Optionally, the intrusion detection device 1 may modify attack signatures in the attack signature set, delete attack signatures, add attack signatures, and so on, so that the attack signatures stored in the attack signature set become more complete and the effectiveness of intrusion detection is improved.
The intrusion determining module 15 is configured to determine, if the detection result of the feature detection module is yes, that the data characteristics meet the preset intrusion condition.
Specifically, if there is an attack signature that matches the data characteristics, the intrusion determining module 15 determines that the data characteristics meet the preset intrusion condition.
For example, take the case where the data characteristic is the URL of the service request. If the URL in the service request for accessing the business Docker container is http://www.qq.com/***, then, because the URL for normally accessing the business Docker container is http://www.qq.com/, the intrusion detection device 1 can further examine "***"; when it finds that "***" exists in the pre-stored attack signature set, it determines that the data characteristics meet the preset intrusion condition.
The order sending module 13 is configured to send a stop-transmission order to the first virtual network card if the data characteristics meet the preset intrusion condition. The stop-transmission order instructs the first virtual network card to stop transmitting the response data, fed back by the business Docker container, that corresponds to the service request.
Specifically, if the data characteristics meet the preset intrusion condition, the order sending module 13 sends a stop-transmission order to the first virtual network card. The stop-transmission order instructs the first virtual network card to stop transmitting the response data, fed back by the business Docker container, that corresponds to the service request.
The first virtual network card sends the service request to the business Docker container so that the business Docker container can feed back response data. Where the business Docker container has already fed the response data back to the first virtual network card, if the first virtual network card has not yet started sending the response data to the user terminal, or has not yet finished transmitting the response data, then as soon as it receives the stop-transmission order sent by the order sending module 13, the first virtual network card interrupts the transmission of the response data.
Optionally, the stop-transmission order also instructs the first virtual network card to stop transmitting other response data destined for the user terminal. For example, if the first virtual network card receives other service requests from the user terminal for accessing the business Docker container, the first virtual network card does not send those service requests to the business Docker container; or the first virtual network card sends those service requests to the business Docker container but does not feed back to the user terminal the response data that the business Docker container returns for those other service requests. The order sending module 13 may mark the user terminal according to the terminal identifier.
The request reporting module 16 is configured to report the service request to the security server through a pre-assigned second virtual network card.
Specifically, the request reporting module 16 reports the service request to the security server through the pre-assigned second virtual network card, so that the security server examines the service request further. Optionally, the security server may be connected to multiple intrusion detection devices, so the security server can analyse and collate the service requests sent by different intrusion detection devices and thereby reach a more accurate judgement on the service request, improving the accuracy of intrusion detection.
It should be noted that, in the embodiment of the present invention, the request reporting module 16 reports the service request to the security server after the order sending module 13 has executed, or after it is found that the pre-stored attack signature set contains no attack signature that matches the data characteristics. Optionally, the request reporting module 16 may report the service request to the security server after receiving the service request sent by the first virtual network card; or the request reporting module 16 may package the service requests received within a preceding period of time and then report them to the security server; or the request reporting module 16 may package a certain number of service requests and then report them to the security server. The embodiment of the present invention does not limit the time of reporting to the security server, or whether requests are reported individually or in packaged form.
The policy receiving module 17 is configured to receive, through the second virtual network card, the security policy corresponding to the service request sent by the security server. The security policy indicates whether the first virtual network card allows the user terminal to access the business Docker container.
Specifically, after the security server has analysed the service request in depth and determined the security policy corresponding to the service request, it sends the security policy to the intrusion detection device through the second virtual network card. Accordingly, the policy receiving module 17 receives, through the second virtual network card, the security policy corresponding to the service request sent by the security server. The security policy indicates whether the first virtual network card allows the user terminal to access the business Docker container.
Optionally, the security server may obtain the correspondence between the data characteristics of the service request and the security policy from records of data characteristics and intrusion detection results in historical accesses.
The access processing module 18 is configured to notify the first virtual network card, according to the security policy, to handle the access connection sent by the user terminal.
Specifically, the access processing module 18 notifies the first virtual network card, according to the security policy, to handle the access connection sent by the user terminal. For example, if the security policy is not to allow the user terminal to access the business Docker container, the access processing module 18 notifies the first virtual network card to refuse the access connection sent by the user terminal. If the security policy is to allow the user terminal to access the business Docker container, the access processing module 18 either sends no notification message to the first virtual network card, or sends a notification message allowing the user terminal to continue accessing the business Docker container.
It should be noted that the intrusion detection device in the embodiment of the present invention may be deployed in an IDS Docker container of a physical host, with a fixed amount of hardware resources, such as CPU resources and memory resources, allocated to the IDS Docker container in advance. By running the intrusion detection device on fixed hardware resources, the intrusion detection function can be realized without affecting the normal operation of the other business Docker containers.
In the embodiment of the present invention, the service request for accessing the business Docker container, sent by the first virtual network card corresponding to the business Docker container, is received; the service request is then parsed to determine its data characteristics; if the data characteristics meet the preset intrusion condition, a stop-transmission order is sent to the first virtual network card, instructing the first virtual network card to stop transmitting the response data, fed back by the business Docker container, that corresponds to the service request. Such an intrusion detection device can examine the network data of other business Docker containers in time, which improves the efficiency of intrusion detection; in addition, the further examination by the security server can improve the accuracy of intrusion detection.
Referring to Fig. 8, an embodiment of the present invention provides a schematic structural diagram of yet another intrusion detection device. As shown in Fig. 8, the intrusion detection device 1000 may include: at least one processor 1001, such as a CPU, at least one network interface 1004, a memory 1005 and at least one communication bus 1002. The network interface 1004 may optionally include a standard wired interface and a wireless interface (such as a Wi-Fi interface). The memory 1005 may be high-speed RAM, or non-volatile memory, for example at least one disk storage. The memory 1005 may optionally also be at least one storage device located remotely from the aforementioned processor 1001. The communication bus 1002 is used to realize connection and communication between these components. Optionally, the intrusion detection device 1000 includes a user interface 1003, which may optionally include a display (Display) and a keyboard (Keyboard). As shown in Fig. 8, the memory 1005, as a computer storage medium, may include an operating system, a network communication module, a user interface module and an intrusion detection application program.
In the intrusion detection device 1000 shown in Fig. 8, the processor 1001 may be used to call the intrusion detection application program stored in the memory 1005 and specifically perform the following operations:
receiving the service request, sent by the first virtual network card corresponding to the business Docker container, for accessing the business Docker container, the service request carrying the terminal identifier of the user terminal that sent the service request;
parsing the service request to determine the data characteristics of the service request;
if the data characteristics meet the preset intrusion condition, sending a stop-transmission order to the first virtual network card, the stop-transmission order instructing the first virtual network card to stop transmitting the response data, fed back by the business Docker container, that corresponds to the service request.
In a possible embodiment, the stop-transmission order also instructs the first virtual network card to stop transmitting other response data destined for the user terminal.
In a possible embodiment, before performing the step of sending a stop-transmission order to the first virtual network card if the data characteristics meet the preset intrusion condition, the processor 1001 further performs:
detecting whether the pre-stored attack signature set contains an attack signature that matches the data characteristics;
if so, determining that the data characteristics meet the preset intrusion condition.
In a possible embodiment, the processor 1001 further performs:
reporting the service request to the security server through a pre-assigned second virtual network card;
receiving, through the second virtual network card, the security policy corresponding to the service request sent by the security server, the security policy indicating whether the first virtual network card allows the user terminal to access the business Docker container;
notifying the first virtual network card, according to the security policy, to handle the access connection sent by the user terminal.
In a possible embodiment, when notifying the first virtual network card, according to the security policy, to handle the access connection sent by the user terminal, the processor 1001 specifically performs: when the security policy is not to allow the user terminal to access the business Docker container, notifying the first virtual network card to refuse the access connection sent by the user terminal.
It should be noted that the processor 1001 shown in the embodiment of the present invention may be used to perform the actions or steps of the intrusion detection device in any of the embodiments shown in Figs. 2 to 5. For the specific implementation of what the processor 1001 performs, and the technical effects it brings, refer to the description of the corresponding method embodiments, which is not repeated here.
It should be noted that, for brevity, each of the foregoing method embodiments is expressed as a series of combined actions, but those skilled in the art should understand that the present invention is not limited by the described order of actions, because according to the present invention some steps may be performed in another order or simultaneously. Those skilled in the art should also understand that the embodiments described in this specification are preferred embodiments, and the actions and modules involved are not necessarily required by the present invention.
In the above embodiments, the description of each embodiment has its own emphasis; for parts not described in detail in one embodiment, refer to the related descriptions of the other embodiments.
A person of ordinary skill in the art will understand that all or part of the flow of the above method embodiments can be completed by a computer program instructing the relevant hardware. The program may be stored in a computer-readable storage medium and, when executed, may include the flows of the above method embodiments. The storage medium may be a magnetic disk, an optical disc, a read-only memory (Read-Only Memory, ROM), a random access memory (Random Access Memory, RAM), and so on.
What is disclosed above is merely the preferred embodiments of the present invention, which of course cannot limit the scope of the rights of the present invention; equivalent changes made according to the claims of the present invention therefore still fall within the scope covered by the present invention.
Claims (10)
1. An intrusion detection method, characterized in that it comprises:
receiving a service request, sent by a first virtual network card corresponding to a business Docker container, for accessing the business Docker container, the service request carrying the terminal identifier of the user terminal that sent the service request;
parsing the service request to determine the data characteristics of the service request;
if the data characteristics meet a preset intrusion condition, sending a stop-transmission order to the first virtual network card, the stop-transmission order instructing the first virtual network card to stop transmitting the response data, fed back by the business Docker container, that corresponds to the service request.
2. The method according to claim 1, characterized in that the stop-transmission order also instructs the first virtual network card to stop transmitting other response data destined for the user terminal.
3. The method according to claim 1, characterized in that, before sending the stop-transmission order to the first virtual network card if the data characteristics meet the preset intrusion condition, the method further comprises:
detecting whether a pre-stored attack signature set contains an attack signature that matches the data characteristics;
if so, determining that the data characteristics meet the preset intrusion condition.
4. The method according to any one of claims 1-3, characterized in that it further comprises:
reporting the service request to a security server through a pre-assigned second virtual network card;
receiving, through the second virtual network card, the security policy corresponding to the service request sent by the security server, the security policy indicating whether the first virtual network card allows the user terminal to access the business Docker container;
notifying the first virtual network card, according to the security policy, to handle the access connection sent by the user terminal.
5. The method according to claim 4, characterized in that notifying the first virtual network card, according to the security policy, to handle the access connection sent by the user terminal comprises:
when the security policy is not to allow the user terminal to access the business Docker container, notifying the first virtual network card to refuse the access connection sent by the user terminal.
6. An intrusion detection device, characterized in that it comprises:
a request receiving module, configured to receive a service request, sent by a first virtual network card corresponding to a business Docker container, for accessing the business Docker container, the service request carrying the terminal identifier of the user terminal that sent the service request;
a characteristic determination module, configured to parse the service request to determine the data characteristics of the service request;
an order sending module, configured to send a stop-transmission order to the first virtual network card if the data characteristics meet a preset intrusion condition, the stop-transmission order instructing the first virtual network card to stop transmitting the response data, fed back by the business Docker container, that corresponds to the service request.
7. The device according to claim 6, characterized in that the stop-transmission order also instructs the first virtual network card to stop transmitting other response data destined for the user terminal.
8. The device according to claim 6, characterized in that the device further comprises:
a feature detection module, configured to detect whether a pre-stored attack signature set contains an attack signature that matches the data characteristics;
an intrusion determining module, configured to determine, if the detection result of the feature detection module is yes, that the data characteristics meet the preset intrusion condition.
9. The device according to any one of claims 6-8, characterized in that the device further comprises:
a request reporting module, configured to report the service request to a security server through a pre-assigned second virtual network card;
a policy receiving module, configured to receive, through the second virtual network card, the security policy corresponding to the service request sent by the security server, the security policy indicating whether the first virtual network card allows the user terminal to access the business Docker container;
an access processing module, configured to notify the first virtual network card, according to the security policy, to handle the access connection sent by the user terminal.
10. The device according to claim 9, characterized in that
the access processing module is specifically configured to notify the first virtual network card to refuse the access connection sent by the user terminal when the security policy is not to allow the user terminal to access the business Docker container.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710139153.8A CN106790291B (en) | 2017-03-09 | 2017-03-09 | Intrusion detection prompting method and device |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710139153.8A CN106790291B (en) | 2017-03-09 | 2017-03-09 | Intrusion detection prompting method and device |
Publications (2)
Publication Number | Publication Date |
---|---|
CN106790291A (en) | 2017-05-31 |
CN106790291B (en) | 2020-04-03 |
Family
ID=58961839
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201710139153.8A Active CN106790291B (en) | 2017-03-09 | 2017-03-09 | Intrusion detection prompting method and device |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106790291B (en) |
Patent Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101465770A (en) * | 2009-01-06 | 2009-06-24 | 北京航空航天大学 | Method for disposing inbreak detection system |
CN104135490A (en) * | 2014-08-14 | 2014-11-05 | 浪潮(北京)电子信息产业有限公司 | Intrusion detection system (IDS) analysis method and intrusion detection system |
US20160283713A1 (en) * | 2015-03-25 | 2016-09-29 | International Business Machines Corporation | Security within a software-defined infrastructure |
CN105072115A (en) * | 2015-08-12 | 2015-11-18 | 国家电网公司 | Information system invasion detection method based on Docker virtualization |
Non-Patent Citations (1)
Title |
---|
张楠: "云计算中使用容器技术的信息安全风险与对策", 《第30次全国计算机安全学术交流会论文集》 * |
Cited By (13)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN108282376A (en) * | 2018-04-20 | 2018-07-13 | 江南大学 | A kind of LDDoS emulation modes based on lightweight virtualization |
CN108282376B (en) * | 2018-04-20 | 2021-06-08 | 江南大学 | LDDoS simulation method based on lightweight virtualization |
CN110086881A (en) * | 2019-05-07 | 2019-08-02 | 网易(杭州)网络有限公司 | Method for processing business, device and equipment |
CN110138776A (en) * | 2019-05-14 | 2019-08-16 | 重庆天蓬网络有限公司 | Docker intrusion detection method, device and medium based on order monitoring |
CN110138776B (en) * | 2019-05-14 | 2020-04-28 | 重庆天蓬网络有限公司 | Docker intrusion detection method, device and medium based on command monitoring |
WO2021053422A1 (en) * | 2019-09-20 | 2021-03-25 | International Business Machines Corporation | Correspondence of external operations to containers and mutation events |
GB2602435A (en) * | 2019-09-20 | 2022-06-29 | Ibm | Correspondence of external operations to containers and mutation events |
GB2602435B (en) * | 2019-09-20 | 2023-01-04 | Ibm | Correspondence of external operations to containers and mutation events |
US11580199B2 (en) | 2019-09-20 | 2023-02-14 | International Business Machines Corporation | Correspondence of external operations to containers and mutation events |
CN113364723A (en) * | 2020-03-05 | 2021-09-07 | 奇安信科技集团股份有限公司 | DDoS attack monitoring method and device, storage medium and computer equipment |
CN112182573A (en) * | 2020-09-10 | 2021-01-05 | 青岛海尔科技有限公司 | Method, device and equipment for intrusion detection |
CN112153049A (en) * | 2020-09-24 | 2020-12-29 | 绿盟科技集团股份有限公司 | Intrusion detection method and device |
CN112153049B (en) * | 2020-09-24 | 2023-01-17 | 绿盟科技集团股份有限公司 | Intrusion detection method, device, electronic equipment and computer readable medium |
Also Published As
Publication number | Publication date |
---|---|
CN106790291B (en) | 2020-04-03 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN106790291A (en) | A kind of intrusion detection reminding method and device | |
US11089057B1 (en) | System, apparatus and method for automatically verifying exploits within suspect objects and highlighting the display information associated with the verified exploits | |
US10148693B2 (en) | Exploit detection system | |
US10601865B1 (en) | Detection of credential spearphishing attacks using email analysis | |
US9973531B1 (en) | Shellcode detection | |
CN105430011B (en) | A kind of method and apparatus detecting distributed denial of service attack | |
US8595840B1 (en) | Detection of computer network data streams from a malware and its variants | |
US20140317733A1 (en) | Method and client for ensuring user network security | |
EP2755157B1 (en) | Detecting undesirable content | |
US20160036849A1 (en) | Method, Apparatus and System for Detecting and Disabling Computer Disruptive Technologies | |
CN108696490A (en) | The recognition methods of account permission and device | |
US20230259626A1 (en) | System and method for automatic generation of malware detection traps | |
CN104239577A (en) | Method and device for detecting authenticity of webpage data | |
CN105701423B (en) | Date storage method and device applied to high in the clouds payment transaction | |
CN106453216A (en) | Malicious website interception method, malicious website interception device and client | |
CN103338211A (en) | Malicious URL (unified resource locator) authenticating method and device | |
CN111343176B (en) | Network attack countering device, method, storage medium and computer equipment | |
CN109617917A (en) | Address virtual Web application security firewall methods, devices and systems | |
CN109547449B (en) | Safety detection method and related device | |
US10474810B2 (en) | Controlling access to web resources | |
CN109347876B (en) | Security defense method and related device | |
CN103067360B (en) | Program network Activity recognition method and system | |
CN111225038B (en) | Server access method and device | |
CN108595957A (en) | Main browser page altering detecting method, device and storage medium | |
CN114710304A (en) | Privacy risk monitoring method and device, storage medium and terminal gateway equipment |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||