CN106850687A - Method and apparatus for detecting network attack - Google Patents
- Publication number
- CN106850687A (application number CN201710195540.3A)
- Authority
- CN
- China
- Prior art keywords
- information
- attack
- computer room
- traffic
- source
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
- H04L63/1425—Traffic logging, e.g. anomaly detection
- H04L63/1441—Countermeasures against malicious traffic
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer And Data Communications (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The present application discloses a method and apparatus for detecting network attacks. In one embodiment the method includes: determining traffic feature information of a target data center (the 机房, or "computer room", of the original); determining, from the traffic feature information, whether the target data center is under network attack; in response to determining that it is, acquiring request feature information of the data requests received by the target data center; and determining, from the acquired request feature information, attack source information and/or attack target information of the network attack. This embodiment makes it possible to quickly identify the attack source and/or attack target when the target data center is under network attack.
Description
Technical field
The present application relates to the field of computer technology, specifically to Internet technology, and in particular to a method and apparatus for detecting network attacks.
Background
A network attack is generally an attack on the hardware or software of a network system, or on the data held in it. Its effects range from merely preventing a server from providing its normal service to fully compromising and taking control of the server. With the rapid growth of the Internet, attack techniques have become increasingly varied; such attacks not only degrade the quality of network transmission and consume large amounts of bandwidth, but also degrade the quality of service that servers provide to users.
Existing approaches to detecting network attacks, however, share a common problem: determining the attack source information or attack target information of an attack is slow.
Summary of the invention
The purpose of the present application is to propose an improved method and apparatus for detecting network attacks that solve the technical problem identified in the background section above.
In a first aspect, an embodiment of the present application provides a method for detecting a network attack, the method including: determining traffic feature information of a target data center; determining, from the traffic feature information, whether the target data center is under network attack; in response to determining that the target data center is under network attack, acquiring request feature information of the data requests received by the target data center; and determining, from the acquired request feature information, attack source information and/or attack target information of the network attack.
In some embodiments, the request feature information includes at least one of: the source Internet Protocol address from which a data request was sent, the destination Internet Protocol address to which it was sent, and the protocol type of the transport protocol used to carry it.
In some embodiments, determining the attack source information from the acquired request feature information includes: for each source Internet Protocol address among the at least one source Internet Protocol address acquired, determining a first traffic, namely the traffic generated by the data requests received by the target data center from that source address; and determining, from the first traffic, whether that source address is attack source information.
In some embodiments, determining whether a source Internet Protocol address is attack source information further includes: for each acquired source Internet Protocol address, searching the request feature information of the data requests received by the target data center from that address for a preset protocol type; determining whether a second traffic, namely the traffic generated by the data requests carried over a transport protocol of the preset protocol type, exceeds a preset second traffic threshold; and, in response to determining that the second traffic exceeds the preset second traffic threshold, determining that the source address is attack source information.
In some embodiments, the method further includes: for each acquired source Internet Protocol address, in response to determining that it is attack source information, acquiring the at least one destination Internet Protocol address contained in the request feature information of the data requests received by the target data center from that source address; for each such destination address, determining whether a third traffic, namely the traffic generated by the data requests sent to that destination address, exceeds a preset third traffic threshold; and, in response to determining that the third traffic exceeds the preset third traffic threshold, determining that the destination address is attack target information.
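As an added illustration of the three-stage drill-down in the preceding three embodiments (first traffic per source address, second traffic per source address over a preset protocol type, third traffic per destination address), and of the same logic assigned to the attack information determining unit in the apparatus aspect below, the following Python code is not part of the patent. It assumes that request feature information is available as per-request records carrying the fields the patent lists (source IP, destination IP, transport protocol type, byte count), that "determining from the first traffic" means comparing it against a preset first traffic threshold, and it uses constructed sample records and thresholds. All names are the example's own.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence


@dataclass(frozen=True)
class RequestFeature:
    """One data request's request feature information (fields as listed in the patent)."""
    src_ip: str
    dst_ip: str
    protocol: str   # transport protocol type, e.g. "TCP" or "UDP"
    nbytes: int     # bytes of the data request


@dataclass(frozen=True)
class Thresholds:
    """Preset thresholds; values are assumptions for the example, not from the patent."""
    first: int            # total bytes from one source IP (first traffic)
    preset_protocol: str  # protocol type singled out by the second rule
    second: int           # bytes from one source IP over preset_protocol (second traffic)
    third: int            # bytes from a flagged source IP to one destination IP (third traffic)


# Constructed sample: one source floods one destination over UDP, two clients are normal.
SAMPLE_REQUESTS: List[RequestFeature] = [
    RequestFeature("198.51.100.7", "203.0.113.10", "UDP", 120_000),
    RequestFeature("198.51.100.7", "203.0.113.10", "UDP", 130_000),
    RequestFeature("198.51.100.7", "203.0.113.11", "UDP", 4_000),
    RequestFeature("192.0.2.5", "203.0.113.10", "TCP", 2_000),
    RequestFeature("192.0.2.6", "203.0.113.12", "TCP", 3_000),
    RequestFeature("192.0.2.6", "203.0.113.12", "TCP", 1_500),
]
SAMPLE_THRESHOLDS = Thresholds(first=300_000, preset_protocol="UDP", second=200_000, third=100_000)


def first_traffic(records: Sequence[RequestFeature], src_ip: str) -> int:
    """First traffic: all bytes the data center received from src_ip."""
    return sum(r.nbytes for r in records if r.src_ip == src_ip)


def second_traffic(records: Sequence[RequestFeature], src_ip: str, protocol: str) -> int:
    """Second traffic: bytes from src_ip carried over the preset protocol type."""
    return sum(r.nbytes for r in records if r.src_ip == src_ip and r.protocol == protocol)


def attack_source_reason(records: Sequence[RequestFeature], src_ip: str,
                         t: Thresholds) -> Optional[str]:
    """Return "first" or "second" naming the rule that flags src_ip, or None if neither fires."""
    if first_traffic(records, src_ip) > t.first:
        return "first"
    if second_traffic(records, src_ip, t.preset_protocol) > t.second:
        return "second"
    return None


def attack_targets(records: Sequence[RequestFeature], src_ip: str, t: Thresholds) -> List[str]:
    """Third traffic: per destination IP, bytes sent by a flagged source; keep those over the threshold."""
    per_dst: Dict[str, int] = defaultdict(int)
    for r in records:
        if r.src_ip == src_ip:
            per_dst[r.dst_ip] += r.nbytes
    return sorted(dst for dst, total in per_dst.items() if total > t.third)


def locate_attack(records: Sequence[RequestFeature], t: Thresholds) -> Dict[str, List[str]]:
    """Map each attack source IP to the attack target IPs it hits."""
    result: Dict[str, List[str]] = {}
    for src in sorted({r.src_ip for r in records}):
        if attack_source_reason(records, src, t) is not None:
            result[src] = attack_targets(records, src, t)
    return result


if __name__ == "__main__":
    print(locate_attack(SAMPLE_REQUESTS, SAMPLE_THRESHOLDS))
```

With the constructed thresholds the flooding source stays under the first traffic threshold and is caught by the protocol-specific second rule, which is the case the second embodiment adds; the third rule then narrows the attack target to the one destination that actually carried the volume.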
In some embodiments, the traffic feature information includes at least one of: the current traffic value, the traffic value at a predetermined historical time, and the average traffic over a predetermined period preceding the current time; a switch is deployed in the target data center; and determining the traffic feature information of the target data center includes: determining traffic information of the target data center from the counter information of the switch deployed in it, where the traffic information includes a collection time and a traffic value; and determining the traffic feature information from the traffic information so determined.
In some embodiments, determining from the traffic feature information whether the target data center is under network attack includes: feeding the traffic feature information into a pre-established traffic anomaly detection model to obtain indication information indicating whether the target data center is under network attack, where the traffic anomaly detection model characterizes the correspondence between traffic feature information and indication information.
In some embodiments, the method further includes a step of establishing the traffic anomaly detection model, which includes: acquiring traffic feature information of the target data center for which the indication information is already known; and training an initial model with a machine learning algorithm on the acquired traffic feature information and the corresponding indication information to obtain the traffic anomaly detection model.
In a second aspect, an embodiment of the present application provides an apparatus for detecting a network attack, the apparatus including: a traffic feature information determining unit, configured to determine traffic feature information of a target data center; a network attack determining unit, configured to determine, from the traffic feature information, whether the target data center is under network attack; an acquiring unit, configured to acquire, in response to determining that the target data center is under network attack, request feature information of the data requests received by the target data center; and an attack information determining unit, configured to determine, from the acquired request feature information, attack source information and/or attack target information of the network attack.
In some embodiments, the request feature information includes at least one of: the source Internet Protocol address from which a data request was sent, the destination Internet Protocol address to which it was sent, and the protocol type of the transport protocol used to carry it.
In some embodiments, the attack information determining unit is configured to: for each acquired source Internet Protocol address, determine the first traffic generated by the data requests received by the target data center from that source address, and determine from the first traffic whether that source address is attack source information.
In some embodiments, the attack information determining unit is further configured to: for each acquired source Internet Protocol address, search the request feature information of the data requests received by the target data center from that address for a preset protocol type; determine whether the second traffic generated by the data requests carried over a transport protocol of that preset type exceeds a preset second traffic threshold; and, in response to determining that it does, determine that the source address is attack source information.
In some embodiments, the attack information determining unit is further configured to: for each acquired source Internet Protocol address, in response to determining that it is attack source information, acquire the at least one destination Internet Protocol address contained in the request feature information of the data requests received by the target data center from that source address; for each such destination address, determine whether the third traffic generated by the data requests sent to it exceeds a preset third traffic threshold; and, in response to determining that it does, determine that the destination address is attack target information.
In some embodiments, the traffic feature information includes at least one of: the current traffic value, the traffic value at a predetermined historical time, and the average traffic over a predetermined period preceding the current time; a switch is deployed in the target data center; and the traffic feature information determining unit is configured to: determine traffic information of the target data center from the counter information of the switch deployed in it, where the traffic information includes a collection time and a traffic value; and determine the traffic feature information from the traffic information so determined.
In some embodiments, the network attack determining unit is configured to: feed the traffic feature information into a pre-established traffic anomaly detection model to obtain indication information indicating whether the target data center is under network attack, where the traffic anomaly detection model characterizes the correspondence between traffic feature information and indication information.
In some embodiments, the apparatus further includes an establishing unit configured to establish the traffic anomaly detection model by: acquiring traffic feature information of the target data center for which the indication information is already known; and training an initial model with a machine learning algorithm on the acquired traffic feature information and the corresponding indication information to obtain the traffic anomaly detection model.
In a third aspect, an embodiment of the present application provides a device, terminal or server including: one or more processors; and a storage device storing one or more programs which, when executed by the one or more processors, cause the one or more processors to implement the method of the first aspect.
In a fourth aspect, an embodiment of the present application provides a computer-readable storage medium storing a computer program which, when executed by a processor, implements the method of the first aspect.
The method and apparatus for detecting network attacks provided by the embodiments of the present application determine traffic feature information of a target data center; determine, from the traffic feature information, whether the target data center is under network attack; in response to determining that it is, acquire request feature information of the data requests received by the target data center; and determine, from the acquired request feature information, attack source information and/or attack target information of the network attack. The attack source and/or attack target can thereby be identified quickly when the target data center is under network attack.
Brief description of the drawings
Other features, objects and advantages of the present application will become more apparent from the following detailed description of non-limiting embodiments, read with reference to the accompanying drawings:
FIG. 1 is a diagram of an exemplary system architecture to which the present application can be applied;
FIG. 2 is a flowchart of an embodiment of the method for detecting a network attack according to the present application;
FIG. 3 is a schematic diagram of an application scenario of the method for detecting a network attack according to the present application;
FIG. 4 is a flowchart of another embodiment of the method for detecting a network attack according to the present application;
FIG. 5 is a schematic structural diagram of an embodiment of the apparatus for detecting a network attack according to the present application;
FIG. 6 is a schematic structural diagram of a computer system suitable for implementing the monitoring server of the embodiments of the present application.
Detailed description
The present application is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described here serve only to explain the related invention and do not limit it. It should also be noted that, for ease of description, the drawings show only the parts related to the invention.
It should be noted that, where no conflict arises, the embodiments of the present application and the features of those embodiments may be combined with one another. The present application is described in detail below with reference to the drawings and in conjunction with the embodiments. Those skilled in the art will also understand that, although the terms "first", "second" and "third" may be used herein to describe various traffic values, traffic thresholds and the like, these are not limited by the terms; the terms serve only to distinguish one traffic value, traffic threshold or the like from another.
FIG. 1 shows an exemplary system architecture 100 to which embodiments of the method for detecting a network attack or of the apparatus for detecting a network attack of the present application can be applied.
As shown in FIG. 1, the system architecture 100 may include terminal devices 101, 102 and 103, a network 104, servers 105 and 106, and a monitoring server 107. The network 104 is the medium providing communication links between the terminal devices 101, 102, 103 and the servers 105, 106, and may include various connection types, such as wired or wireless communication links or fiber optic cables.
It should be noted that the servers 105 and 106 may be located in the same data center; the rectangular frame in FIG. 1 represents that data center. The monitoring server 107 monitors the data center and may be located inside or outside it. The network 104 may also serve as the medium providing communication links between the monitoring server 107 and the electronic devices used for data collection or data storage in the data center.
A user 110 may use the terminal devices 101, 102, 103 to interact with the servers 105, 106 over the network 104, for example to receive or send messages. Various client applications may be installed on the terminal devices 101, 102, 103, such as mail, gaming, instant messaging, video playback and search engine applications.
It should be noted that in the practical scenario of detecting a network attack addressed by the present application, the user who launches the attack is typically one who maliciously sends a large number of data requests, and the terminal device used may be an electronic device with substantial computing power, or even a server. The terminal devices 101, 102, 103 may be any electronic devices with a display screen that support interaction, including but not limited to smartphones, tablet computers, e-book readers, MP3 (Moving Picture Experts Group Audio Layer III) players, MP4 (Moving Picture Experts Group Audio Layer IV) players, laptop computers and desktop computers.
The servers 105 and 106 may be servers providing various services, for example back-end servers supporting the terminal devices 101, 102, 103. A back-end server may receive a data request from a terminal device, process it, and return the processing result (for example the result of the data request) to the terminal device.
The monitoring server 107 may acquire traffic feature information and request feature information from the electronic devices used for data collection or data storage in the data center, and from them determine the attack source information and/or attack target information of a network attack on the data center.
It should be noted that the method for detecting a network attack provided by the embodiments of the present application is generally executed by the monitoring server 107, and accordingly the apparatus for detecting a network attack is generally arranged in the monitoring server 107.
It should be understood that the numbers of terminal devices, networks, servers and monitoring servers in FIG. 1 are merely illustrative; there may be any number of each, as the implementation requires.
Referring now to FIG. 2, a flow 200 of an embodiment of the method for detecting a network attack according to the present application is shown. The method includes the following steps:
Step 201: determine traffic feature information of the target data center.
In this embodiment, the electronic device on which the method for detecting a network attack runs (for example the monitoring server shown in FIG. 1) may determine traffic feature information of the traffic of the target data center that it monitors.
In this embodiment, the traffic may be the traffic generated by both the data requests received and the data sent by the servers in the target data center; it may also be only the traffic generated by the data requests received by those servers, or only the traffic generated by the request results they send.
In this embodiment, the traffic feature information may be information describing key elements of the traffic.
In some optional implementations of this embodiment, the traffic feature information may include, but is not limited to: the current traffic value, the traffic value at a predetermined historical time, and the average traffic over a predetermined period preceding the current time.
In this embodiment, the monitoring server may obtain the traffic feature information from electronic devices used for data collection or data storage in the data center; alternatively, the monitoring server may itself monitor the data requests received by the target data center and determine the traffic feature information of the traffic they generate, and thus obtain the traffic feature information locally.
Step 202: determine, from the traffic feature information, whether the target data center is under network attack.
In this embodiment, the electronic device on which the method for detecting a network attack runs (for example the monitoring server shown in FIG. 1) may determine from the traffic feature information whether the target data center is under network attack.
It should be noted that determining whether the target data center is under network attack is to be understood as determining whether the servers deployed in the target data center are under network attack. A target data center may host multiple servers or multiple server clusters. When the total traffic received by the target data center becomes abnormal, it cannot be determined immediately which server or server cluster in the data center is being attacked, so the server or server cluster under attack must be located quickly.
In some optional implementations of this embodiment, determining from the traffic feature information whether the target data center is under network attack may be implemented as follows: determine whether the current traffic value exceeds a preset traffic threshold and, in response to determining that it does, determine that the target data center is under network attack.
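As an added example (not from the patent), the following Python code shows how the traffic feature information listed above (current value, value at a historical time, average over a preceding period) can be derived from switch counter information consisting of a collection time and a traffic value, and then checked with the threshold rule of this implementation. It assumes the switch exposes a cumulative octet counter sampled at collection times (as an SNMP-style interface counter would), so the traffic value is the byte rate over each interval, and it handles counter wraparound, which a raw difference of readings would turn into a negative rate. The counter readings, lookback, averaging window and threshold are constructed for the example, and the names are the example's own.

```python
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

# Constructed counter samples: (collection time in seconds, cumulative bytes
# received) as read from a data center switch. The last interval carries a
# constructed surge of 4 GB in 10 s; the earlier ones sit near 50 MB/s.
SAMPLE_COUNTERS: List[Tuple[int, int]] = [
    (0, 0),
    (10, 500_000_000),
    (20, 1_000_000_000),
    (30, 1_520_000_000),
    (40, 2_010_000_000),
    (50, 2_500_000_000),
    (60, 6_500_000_000),
]


@dataclass(frozen=True)
class TrafficInfo:
    """Traffic information as the patent defines it: a collection time and a
    traffic value (here bytes per second over the preceding interval)."""
    collected_at: int
    traffic_bps: float


@dataclass(frozen=True)
class TrafficFeatures:
    current: float               # current traffic value
    historical: Optional[float]  # traffic value at the predetermined historical time
    average: float               # average traffic over the window preceding now


def traffic_info_from_counters(counters: Sequence[Tuple[int, int]],
                               counter_bits: int = 64) -> List[TrafficInfo]:
    """Turn cumulative counter readings into per-interval byte rates. A reading
    lower than its predecessor means the counter wrapped, so the modulus is
    added back instead of reporting a negative rate."""
    out: List[TrafficInfo] = []
    for (t0, c0), (t1, c1) in zip(counters, counters[1:]):
        delta = c1 - c0
        if delta < 0:
            delta += 1 << counter_bits
        out.append(TrafficInfo(t1, delta / (t1 - t0)))
    return out


def traffic_features(info: Sequence[TrafficInfo], lookback_s: int,
                     window_s: int) -> TrafficFeatures:
    """Build the three features from the traffic information time series."""
    now = info[-1].collected_at
    hist = [i.traffic_bps for i in info if i.collected_at == now - lookback_s]
    window = [i.traffic_bps for i in info if now - window_s <= i.collected_at < now]
    return TrafficFeatures(
        current=info[-1].traffic_bps,
        historical=hist[0] if hist else None,
        average=sum(window) / len(window) if window else 0.0,
    )


def under_attack(features: TrafficFeatures, threshold_bps: float) -> bool:
    """Threshold rule of this implementation: current value above a preset
    traffic threshold. The other features are inputs a trained anomaly
    detection model could use instead of a fixed threshold."""
    return features.current > threshold_bps


if __name__ == "__main__":
    info = traffic_info_from_counters(SAMPLE_COUNTERS)
    features = traffic_features(info, lookback_s=30, window_s=50)
    print(features, under_attack(features, threshold_bps=200_000_000))
```

The threshold here is an absolute byte rate; in practice the "historical value" and "average" features exist precisely so that a model or rule can compare the current value against the data center's own baseline rather than against one fixed number.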
Step 203: in response to determining that the target computer room is under network attack, acquire request characteristic information of the data requests received by the target computer room.
In this embodiment, the electronic device on which the method for detecting a network attack runs (for example, the monitoring server shown in FIG. 1) may, in response to determining that the target computer room is under network attack, acquire the request characteristic information of the data requests received by the target computer room.
In this embodiment, a data request received by the target computer room may be a data request sent to a server in the target computer room. The request characteristic information of a data request may be used to describe some key elements of that data request.
In this embodiment, the monitoring server may acquire the request characteristic information from electronic devices in the computer room that are used for data collection or data storage. The monitoring server may also itself have the function of monitoring the data requests received by the target computer room and extracting the request characteristic information, and thus obtain the request characteristic information locally.
In some optional implementations of this embodiment, the request characteristic information may include, but is not limited to: the source Internet Protocol (IP) address from which the data request is sent, the destination Internet Protocol address to which the data request is sent, the source Media Access Control (MAC) address from which the data request is sent, the destination Media Access Control address to which the data request is sent, the protocol type of the transport protocol used to transmit the data request, and the number of bytes of the data request. It should be noted that an Internet Protocol address may be a Virtual Internet Protocol Address (VIP).
In some optional implementations of this embodiment, the protocol types include, but are not limited to, Transmission Control Protocol (TCP) and User Datagram Protocol (UDP). It should be noted that the source Internet Protocol address may also be called the source IP address, the destination Internet Protocol address may also be called the destination IP address, the source Media Access Control address may also be called the source MAC address, and the destination Media Access Control address may also be called the destination MAC address.
It should be noted that one data request may correspond to one piece of request characteristic information describing that data request. Alternatively, multiple data requests may correspond to one piece of request characteristic information describing those multiple data requests.
Step 204: determine attack source information and/or attack target information of the network attack according to the acquired request characteristic information.
In this embodiment, the electronic device on which the method for detecting a network attack runs (for example, the monitoring server shown in FIG. 1) may determine the attack source information and/or attack target information of the network attack according to the acquired request characteristic information.
In this embodiment, the attack source information may be information indicating the attack source; the attack source may be an electronic device, such as a terminal or a server, that a user uses to carry out the network attack, and the attack source information may include, but is not limited to, the Internet Protocol address and the Media Access Control address of the attack source. The attack target information may be information indicating the attack target; the attack target may be the server hosting the website or service at which the network attack is aimed, and the attack target information may be the Internet Protocol address or the Media Access Control address of the attack target.
It should be noted that, in practical applications, only the attack source information and/or attack target information may be acquired, without performing positioning based on the attack source information and/or attack target information to determine the attack source and/or attack target.
In some optional implementations of this embodiment, after the attack source information is determined, data requests carrying that attack source information may be blocked, so as to stop the attack from the attack source in time.
In some optional implementations of this embodiment, the attack source information of the network attack may be determined according to the acquired request characteristic information. The attack target information of the network attack may be determined according to the acquired request characteristic information. Both the attack source information and the attack target information of the network attack may be determined according to the acquired request characteristic information.
In some optional implementations of this embodiment, step 204 may be implemented as follows: for each source Internet Protocol address among the acquired at least one source Internet Protocol address, determine the first traffic generated by the data requests received by the target computer room and sent from that source Internet Protocol address. In response to determining that the determined first traffic is greater than a preset first traffic threshold, determine that the source Internet Protocol address is the attack source information. In response to determining that the source Internet Protocol address is the attack source information, determine that the destination Internet Protocol address to which the data requests received by the target computer room and sent from that source Internet Protocol address are sent is the attack target information. It should be noted that how to determine the traffic generated by data requests is well known to those skilled in the art and will not be repeated here.
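The implementation of step 204 described above, as an added example that is not part of the patent: request characteristic information records are aggregated per source IP address to obtain the first traffic, a source whose first traffic exceeds the preset first traffic threshold is reported as attack source information, and the destination IP addresses of that source's requests are reported as attack target information. The record type, function names, threshold value and sample records (addresses from documentation ranges) are all constructed for the example.

```python
"""Added example of step 204: attribute received traffic to source IP addresses and
derive attack source / attack target information. Sample data is constructed
(documentation address ranges), not taken from the patent."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class RequestFeature:
    """Request characteristic information for one data request.

    The fields follow the list given in the text; the MAC addresses are carried
    along but are not needed for IP-based attribution.
    """
    src_ip: str
    dst_ip: str
    src_mac: str
    dst_mac: str
    protocol: str   # protocol type of the transport protocol, e.g. "TCP" or "UDP"
    nbytes: int     # number of bytes of the data request


def first_traffic_per_source(features):
    """'First traffic': bytes the computer room received from each source IP."""
    totals = defaultdict(int)
    for f in features:
        totals[f.src_ip] += f.nbytes
    return dict(totals)


def locate_attack(features, first_traffic_threshold):
    """Return (attack_sources, attack_targets), both sorted lists of IP strings.

    A source IP whose first traffic is strictly greater than the preset first
    traffic threshold is the attack source information; the destination IPs of
    the requests sent from such a source are the attack target information.
    """
    per_source = first_traffic_per_source(features)
    sources = {ip for ip, total in per_source.items() if total > first_traffic_threshold}
    targets = {f.dst_ip for f in features if f.src_ip in sources}
    return sorted(sources), sorted(targets)


# Constructed sample: two ordinary clients and one source flooding a cluster VIP.
VIP_A, VIP_B = "198.51.100.1", "198.51.100.2"
SAMPLE_FEATURES = (
    [RequestFeature("203.0.113.10", VIP_A, "02:00:00:00:00:0a", "02:00:00:00:00:01", "TCP", 1200)] * 3
    + [RequestFeature("203.0.113.11", VIP_A, "02:00:00:00:00:0b", "02:00:00:00:00:01", "TCP", 800)] * 2
    + [RequestFeature("192.0.2.77", VIP_A, "02:00:00:00:00:77", "02:00:00:00:00:01", "UDP", 60000)] * 5
    + [RequestFeature("192.0.2.77", VIP_B, "02:00:00:00:00:77", "02:00:00:00:00:02", "UDP", 40000)]
)

if __name__ == "__main__":
    print(first_traffic_per_source(SAMPLE_FEATURES))
    print(locate_attack(SAMPLE_FEATURES, first_traffic_threshold=100_000))
```

The comparison is strictly "greater than", as the text states, so a source whose first traffic equals the threshold is not reported; in practice the threshold is tuned against the normal per-source volume of the computer room.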
Continuing to refer to FIG. 3, FIG. 3 is a schematic diagram of an application scenario of the method for detecting a network attack according to this embodiment. In the application scenario of FIG. 3, the traffic generated by the data requests sent by terminal 301 and terminal 302 to the target computer room is normal, and the traffic generated by the data requests sent by terminal 303 to the target computer room is abnormal. A user carrying out a malicious network attack may use terminal 303, which has strong computing capability, to send data requests to a server in the target computer room; the monitoring server acquires the traffic characteristic information of the target computer room; the monitoring server then determines, according to the traffic characteristic information, whether the target computer room is under network attack; next, in response to determining that the target computer room is under network attack, the monitoring server acquires the request characteristic information of the data requests received by the target computer room; finally, the monitoring server determines, according to the request characteristic information, the attack source information (for example, the Internet Protocol address of terminal 303) and/or the attack target information (for example, the virtual Internet Protocol address of a server cluster in the computer room).
The method provided by the above embodiment of the present application determines the traffic characteristic information of the target computer room; determines, according to the traffic characteristic information, whether the target computer room is under network attack; in response to determining that the target computer room is under network attack, acquires the request characteristic information of the data requests received by the target computer room; and determines, according to the acquired request characteristic information, the attack source information and/or attack target information of the network attack. Thus, when the target computer room is under network attack, the attack source and/or attack target of the network attack can be determined quickly.
Further referring to FIG. 4, it shows a flow 400 of still another embodiment of the method for detecting a network attack. The flow 400 of the method for detecting a network attack includes the following steps:
Step 401: determine traffic characteristic information of the target computer room.
In this embodiment, the electronic device on which the method for detecting a network attack runs (for example, the monitoring server shown in FIG. 1) may determine the traffic characteristic information of the target computer room.
In this embodiment, the traffic characteristic information may include, but is not limited to: the current traffic value, the traffic value at a predetermined historical moment, and the average traffic value over a predetermined time period before the current moment.
In some optional implementations of this embodiment, a switch is deployed in the target computer room, and step 401 may be implemented as follows: determine the traffic information of the target computer room from the count information of the switch deployed in the target computer room, where the traffic information includes a collection time and a traffic value; and determine the traffic characteristic information according to the determined traffic information.
In some optional implementations of this embodiment, determining the traffic information of the target computer room from the count information of the switch deployed in the target computer room may be implemented as follows: acquire the counter information of a counter on the switch, and take the difference between the counter information collected at different times as the traffic value passing through that switch.
It should be noted that the number of switches deployed in the target computer room may be one or more. If multiple switches are deployed in the target computer room, the traffic information of the target computer room is determined from the count information of all of the switches.
In some optional implementations of this embodiment, multiple electronic devices may be deployed to collect the counter information of the counters on the switches. In particular, the multiple electronic devices may be deployed in a load-balanced manner, so that none of the multiple electronic devices becomes overloaded. Moreover, if one of the multiple electronic devices fails, the other electronic devices can take over for the failed device. This load-balanced deployment of multiple collecting electronic devices avoids a single point of failure and prevents data loss.
In some optional implementations of this embodiment, determining the traffic characteristic information according to the determined traffic information may be implemented as follows: the current traffic value and the traffic value at a predetermined historical moment may be determined from the collection times; the average traffic value may be obtained by summing and averaging the traffic values within the predetermined time period before the current moment.
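The procedure of step 401 described in the preceding paragraphs, together with the threshold comparison of step 202 (current traffic value against a preset traffic threshold), as an added example that is not part of the patent: counter readings from each switch are differenced to obtain per-interval traffic values, the values of all switches are summed into the computer room's traffic information, and the current value, the value at a predetermined historical moment and the average over a predetermined period are derived from the collection times. The counter samples, polling interval, function names and the handling of a counter that decreases between two readings (a reset or wrap, for which no traffic value is produced) are assumptions of the example, not statements of the patent.

```python
"""Added example of step 401 and the threshold check of step 202: traffic values
from switch counters, traffic characteristic information, and comparison with a
preset traffic threshold. Counter samples are constructed, not taken from the patent."""
from collections import defaultdict
from statistics import mean

# Constructed counter samples: (collection_time_seconds, switch_id, cumulative_byte_counter).
# Two switches are polled every 60 s; the last interval carries a burst on both.
_SW1 = [(0, 1000), (60, 2000), (120, 3000), (180, 4000), (240, 5000), (300, 6000), (360, 9000)]
_SW2 = [(0, 500), (60, 1500), (120, 2500), (180, 3500), (240, 4500), (300, 5500), (360, 8500)]
COUNTER_SAMPLES = [(t, "sw1", c) for t, c in _SW1] + [(t, "sw2", c) for t, c in _SW2]


def per_switch_traffic(samples):
    """Traffic value per switch at each collection time: the difference between
    consecutive counter readings, keyed by the later reading's time."""
    by_switch = defaultdict(list)
    for t, sw, counter in samples:
        by_switch[sw].append((t, counter))
    values = {}
    for sw, readings in by_switch.items():
        readings.sort()
        values[sw] = {}
        for (t0, c0), (t1, c1) in zip(readings, readings[1:]):
            if c1 < c0:
                # Added caveat: a counter that went backwards was reset or wrapped,
                # so the difference is meaningless and the interval gets no value.
                continue
            values[sw][t1] = c1 - c0
    return values


def room_traffic_information(samples):
    """Traffic information of the computer room, {collection_time: traffic_value},
    obtained by summing the values of all switches at each collection time."""
    totals = defaultdict(int)
    for per_time in per_switch_traffic(samples).values():
        for t, v in per_time.items():
            totals[t] += v
    return dict(sorted(totals.items()))


def traffic_characteristics(traffic_info, historical_time, period):
    """Traffic characteristic information: current value, value at the predetermined
    historical moment, and the average over the `period` seconds before the current
    moment (samples with current - period <= t < current)."""
    current_time = max(traffic_info)
    window = [v for t, v in traffic_info.items() if current_time - period <= t < current_time]
    return {
        "current": traffic_info[current_time],
        "historical": traffic_info.get(historical_time),
        "average": mean(window) if window else None,
    }


def is_under_attack(characteristics, traffic_threshold):
    """Step 202 check: the computer room is under attack when the current traffic
    value is strictly greater than the preset traffic threshold."""
    return characteristics["current"] > traffic_threshold


if __name__ == "__main__":
    info = room_traffic_information(COUNTER_SAMPLES)
    chars = traffic_characteristics(info, historical_time=120, period=240)
    print(info, chars, is_under_attack(chars, traffic_threshold=4000))
```

Because the traffic information is keyed by collection time, several collecting devices polling the same switches (the load-balanced deployment described above) can be merged by simply concatenating their samples; duplicate readings at the same time and counter value produce a zero-valued interval rather than double counting.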
Step 402: import the traffic characteristic information into a pre-established traffic anomaly detection model to obtain indication information indicating whether the target computer room is under network attack.
In this embodiment, the electronic device on which the method for detecting a network attack runs (for example, the monitoring server shown in FIG. 1) may import the traffic characteristic information into a pre-established traffic anomaly detection model to obtain indication information indicating whether the target computer room is under network attack. Here, the traffic anomaly detection model is used to characterize the correspondence between traffic characteristic information and indication information.
In some optional implementations of this embodiment, this embodiment may further include a step of establishing the traffic anomaly detection model, where the step of establishing the traffic anomaly detection model includes: acquiring traffic characteristic information of the target computer room for which the indication information is known; and using a machine learning algorithm to train an initial model, based on the acquired traffic characteristic information and the corresponding indication information, to obtain the traffic anomaly detection model. Here, the initial model may be a model that can be used for classification, for example, a convolutional neural network model, a random forest model, a back-propagation neural network model, or the like.
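The model-establishing step and step 402, as an added example that is not part of the patent: labelled traffic characteristic information (current value, value at the historical moment, average over the period) with known indication information is used to train a classifier, which is then applied to new traffic characteristic information to obtain the indication. A logistic-regression classifier trained by gradient descent stands in for the models the text lists (convolutional neural network, random forest, back-propagation neural network) so that the example runs with the standard library only; the ratio features, the labelled samples, learning rate and epoch count are all assumptions of the example.

```python
"""Added example of the model-establishing step and step 402: train a classifier on
traffic characteristic information with known indication information, then obtain
the indication for new traffic characteristic information. Logistic regression is
an assumed stand-in for the models named in the text; samples are constructed."""
import math

# Constructed labelled samples: ((current, historical, average), indication),
# indication 1 = under network attack, 0 = normal.
LABELLED_SAMPLES = [
    ((100, 98, 101), 0), ((120, 115, 118), 0), ((95, 100, 99), 0),
    ((110, 105, 108), 0), ((105, 110, 104), 0),
    ((400, 100, 105), 1), ((350, 110, 112), 1), ((500, 98, 100), 1),
    ((300, 102, 104), 1), ((450, 120, 115), 1),
]


def to_features(characteristic):
    """Scale-free features: how far the current value departs from the period
    average and from the historical value (0.0 means 'no change')."""
    current, historical, average = characteristic
    return [current / average - 1.0, current / historical - 1.0]


def _sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


def train_anomaly_model(labelled, epochs=2000, lr=0.5):
    """Establish the traffic anomaly detection model: logistic regression fitted
    by full-batch gradient descent on the labelled samples."""
    xs = [to_features(c) for c, _ in labelled]
    ys = [y for _, y in labelled]
    n = len(xs)
    w, b = [0.0, 0.0], 0.0
    for _ in range(epochs):
        gw, gb = [0.0, 0.0], 0.0
        for x, y in zip(xs, ys):
            err = _sigmoid(w[0] * x[0] + w[1] * x[1] + b) - y
            gw[0] += err * x[0]
            gw[1] += err * x[1]
            gb += err
        w = [w[0] - lr * gw[0] / n, w[1] - lr * gw[1] / n]
        b -= lr * gb / n
    return {"w": w, "b": b}


def indication(model, characteristic):
    """Step 402: import traffic characteristic information into the model and
    return the indication information (1 = under network attack, 0 = normal)."""
    x = to_features(characteristic)
    p = _sigmoid(model["w"][0] * x[0] + model["w"][1] * x[1] + model["b"])
    return 1 if p >= 0.5 else 0


if __name__ == "__main__":
    model = train_anomaly_model(LABELLED_SAMPLES)
    print(model, indication(model, (480, 100, 100)), indication(model, (101, 100, 100)))
```

Expressing the characteristics as ratios rather than raw byte counts is what lets a model trained on one computer room's history stay meaningful as its baseline traffic grows; the fixed threshold of step 202 has to be re-tuned whenever that baseline changes.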
Step 403: in response to determining that the target computer room is under network attack, acquire request characteristic information of the data requests received by the target computer room.
In this embodiment, the electronic device on which the method for detecting a network attack runs (for example, the monitoring server shown in FIG. 1) may, in response to determining that the target computer room is under network attack, acquire the request characteristic information of the data requests received by the target computer room.
In this embodiment, the request characteristic information may include, but is not limited to: the source Internet Protocol address from which the data request is sent, the destination Internet Protocol address to which the data request is sent, the protocol type of the transport protocol used to transmit the data request, and the number of bytes of the data request. For the implementation details and technical effects of step 403, reference may be made to the description of step 203, which will not be repeated here.
Step 404: determine attack source information and attack target information of the network attack according to the acquired request characteristic information.
In this embodiment, the electronic device on which the method for detecting a network attack runs (for example, the monitoring server shown in FIG. 1) may determine the attack source information and attack target information of the network attack according to the acquired request characteristic information.
In some optional implementations of this embodiment, step 404 may be implemented as follows: for each source Internet Protocol address among the acquired at least one source Internet Protocol address, determine the first traffic generated by the data requests received by the target computer room and sent from that source Internet Protocol address. According to the determined first traffic, determine whether that source Internet Protocol address is the attack source information.
In some optional implementations of this embodiment, step 404 may be implemented as follows: for each source Internet Protocol address among the acquired at least one source Internet Protocol address, search for a preset protocol type in the request characteristic information of the data requests received by the target computer room and sent from that source Internet Protocol address. Determine whether the second traffic generated by the data requests transmitted using the transport protocol of the found preset protocol type is greater than a preset second traffic threshold. In response to determining that the second traffic is greater than the preset second traffic threshold, determine that the source Internet Protocol address is the attack source information. As an example, the preset protocol type here may be UDP.
In some optional implementations of this embodiment, step 404 may be implemented as follows: for each source Internet Protocol address among the acquired at least one source Internet Protocol address, in response to determining that the source Internet Protocol address is the attack source information, acquire at least one destination Internet Protocol address from the request characteristic information of the data requests received by the target computer room and sent from that source Internet Protocol address. For each destination Internet Protocol address among the at least one destination Internet Protocol address, determine whether the third traffic generated by the data requests sent to that destination Internet Protocol address is greater than a preset third traffic threshold. In response to determining that the third traffic is greater than the preset third traffic threshold, determine that the destination Internet Protocol address is the attack target information.
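The two protocol- and destination-aware variants of step 404 just described (second traffic of the preset protocol type per source, third traffic per destination of a flagged source), as an added example that is not part of the patent. Records carry the four fields listed for step 403. The example assumes that the third traffic of a destination counts only the requests from the flagged source, which the text leaves open; the preset protocol type UDP follows the text, while the thresholds, function names and sample records (documentation address ranges) are constructed.

```python
"""Added example of the step 404 variants using a preset protocol type (second
traffic) and per-destination volume (third traffic). Sample records are constructed,
not taken from the patent."""
from collections import defaultdict

# Request characteristic information as (src_ip, dst_ip, protocol_type, nbytes).
# Constructed sample: a TCP client, a small UDP client, a large TCP-only uploader
# (must not be flagged when the preset protocol type is UDP) and a UDP flood source.
VIP_A, VIP_B, VIP_C = "198.51.100.1", "198.51.100.2", "198.51.100.3"
SAMPLE_FEATURES = (
    [("203.0.113.10", VIP_A, "TCP", 1500)] * 3
    + [("203.0.113.11", VIP_C, "UDP", 200)] * 4
    + [("203.0.113.12", VIP_B, "TCP", 200000)] * 2
    + [("192.0.2.77", VIP_A, "UDP", 50000)] * 6
    + [("192.0.2.77", VIP_B, "UDP", 20000)]
    + [("192.0.2.77", VIP_B, "TCP", 5000)]
)


def second_traffic(features, src_ip, protocol_type):
    """Bytes sent from `src_ip` using the preset protocol type only."""
    return sum(n for s, _, p, n in features if s == src_ip and p == protocol_type)


def third_traffic_by_destination(features, src_ip):
    """Bytes sent from `src_ip` to each destination IP (all protocol types);
    assumed reading of 'third traffic', restricted to the flagged source."""
    totals = defaultdict(int)
    for s, d, _, n in features:
        if s == src_ip:
            totals[d] += n
    return dict(totals)


def attack_sources(features, protocol_type, second_threshold):
    """Source IPs whose second traffic is strictly greater than the preset second
    traffic threshold are the attack source information."""
    sources = {s for s, _, _, _ in features}
    return sorted(s for s in sources if second_traffic(features, s, protocol_type) > second_threshold)


def attack_targets(features, sources, third_threshold):
    """Destination IPs of a flagged source whose third traffic is strictly greater
    than the preset third traffic threshold are the attack target information."""
    targets = set()
    for s in sources:
        for d, v in third_traffic_by_destination(features, s).items():
            if v > third_threshold:
                targets.add(d)
    return sorted(targets)


def locate(features, protocol_type="UDP", second_threshold=100_000, third_threshold=50_000):
    """Step 404: (attack_sources, attack_targets) for the given request features."""
    sources = attack_sources(features, protocol_type, second_threshold)
    return sources, attack_targets(features, sources, third_threshold)


if __name__ == "__main__":
    print(locate(SAMPLE_FEATURES))
```

Filtering by a preset protocol type before comparing volume is what keeps the large TCP-only uploader out of the attack source list, so the two thresholds can be set independently: the second threshold against the normal volume of that protocol per source, the third against the normal volume a single source sends to one VIP.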
As can be seen from FIG. 4, compared with the embodiment corresponding to FIG. 2, the flow 400 of the method for detecting a network attack in this embodiment highlights the step of using a pre-established traffic anomaly detection model to determine whether the target computer room is under network attack. Therefore, the solution described in this embodiment can determine faster and more accurately whether the target computer room is under network attack, and thus determine the attack source information and attack target information more quickly.
Further referring to FIG. 5, as an implementation of the methods shown in the above figures, the present application provides an embodiment of an apparatus for detecting a network attack. This apparatus embodiment corresponds to the method embodiment shown in FIG. 2, and the apparatus may specifically be applied to various electronic devices.
As shown in FIG. 5, the apparatus 500 for detecting a network attack in this embodiment includes: a traffic characteristic information determining unit 501, a network attack determining unit 502, an acquiring unit 503 and an attack information determining unit 504. The traffic characteristic information determining unit 501 is configured to determine the traffic characteristic information of the target computer room; the network attack determining unit 502 is configured to determine, according to the traffic characteristic information, whether the target computer room is under network attack; the acquiring unit 503 is configured to, in response to determining that the target computer room is under network attack, acquire the request characteristic information of the data requests received by the target computer room; and the attack information determining unit 504 is configured to determine, according to the acquired request characteristic information, the attack source information and/or attack target information of the network attack.
In this embodiment, for the specific processing of the traffic characteristic information determining unit 501, the network attack determining unit 502, the acquiring unit 503 and the attack information determining unit 504 of the apparatus 500, reference may be made to step 201, step 202, step 203 and step 204 in the embodiment corresponding to FIG. 2, which will not be repeated here.
In some optional implementations of this embodiment, the request characteristic information includes at least one of the following: the source Internet Protocol address from which the data request is sent, the destination Internet Protocol address to which the data request is sent, and the protocol type of the transport protocol used to transmit the data request.
In some optional implementations of this embodiment, the attack information determining unit is configured to: for each source Internet Protocol address among the acquired at least one source Internet Protocol address, determine the first traffic generated by the data requests received by the target computer room and sent from that source Internet Protocol address; and determine, according to the determined first traffic, whether that source Internet Protocol address is the attack source information.
In some optional implementations of this embodiment, the attack information determining unit is further configured to: for each source Internet Protocol address among the acquired at least one source Internet Protocol address, search for a preset protocol type in the request characteristic information of the data requests received by the target computer room and sent from that source Internet Protocol address; determine whether the second traffic generated by the data requests transmitted using the transport protocol of the found preset protocol type is greater than a preset second traffic threshold; and, in response to determining that the second traffic is greater than the preset second traffic threshold, determine that the source Internet Protocol address is the attack source information.
In some optional implementations of this embodiment, the attack information determining unit is further configured to: for each source Internet Protocol address among the acquired at least one source Internet Protocol address, in response to determining that the source Internet Protocol address is the attack source information, acquire at least one destination Internet Protocol address from the request characteristic information of the data requests received by the target computer room and sent from that source Internet Protocol address; for each destination Internet Protocol address among the at least one destination Internet Protocol address, determine whether the third traffic generated by the data requests sent to that destination Internet Protocol address is greater than a preset third traffic threshold; and, in response to determining that the third traffic is greater than the preset third traffic threshold, determine that the destination Internet Protocol address is the attack target information.
In some optional implementations of this embodiment, the traffic characteristic information includes at least one of the following: the current traffic value, the traffic value at a predetermined historical moment, and the average traffic value over a predetermined time period before the current moment; a switch is deployed in the target computer room; and the traffic characteristic information determining unit is configured to: determine the traffic information of the target computer room from the count information of the switch deployed in the target computer room, where the traffic information includes a collection time and a traffic value; and determine the traffic characteristic information according to the determined traffic information.
In some optional implementations of this embodiment, the traffic characteristic information is imported into a pre-established traffic anomaly detection model to obtain indication information indicating whether the target computer room is under network attack, where the traffic anomaly detection model is used to characterize the correspondence between traffic characteristic information and indication information.
In some optional implementations of this embodiment, the apparatus further includes an establishing unit (not shown) configured to establish the traffic anomaly detection model, where establishing the traffic anomaly detection model includes: acquiring traffic characteristic information of the target computer room for which the indication information is known; and using a machine learning algorithm to train an initial model, based on the acquired traffic characteristic information and the corresponding indication information, to obtain the traffic anomaly detection model.
For the implementation details and technical effects of each unit of the apparatus provided in this embodiment, reference may be made to the descriptions in other embodiments of the present application, which will not be repeated here.
Referring now to FIG. 6, it shows a schematic structural diagram of a computer system 600 suitable for implementing the server of the embodiments of the present application. The server shown in FIG. 6 is only an example and should not impose any limitation on the functions and scope of use of the embodiments of the present application.
As shown in FIG. 6, the computer system 600 includes a central processing unit (CPU) 601, which can perform various appropriate actions and processes according to a program stored in a read-only memory (ROM) 602 or a program loaded from a storage section 608 into a random access memory (RAM) 603. The RAM 603 also stores various programs and data required for the operation of the system 600. The CPU 601, the ROM 602 and the RAM 603 are connected to each other via a bus 604. An input/output (I/O) interface 605 is also connected to the bus 604.
The following components are connected to the I/O interface 605: an input section 606 including a keyboard, a mouse and the like; an output section 607 including a cathode ray tube (CRT), a liquid crystal display (LCD) and the like, and a speaker; a storage section 608 including a hard disk and the like; and a communication section 609 including a network interface card such as a LAN card or a modem. The communication section 609 performs communication processing via a network such as the Internet. A drive 610 is also connected to the I/O interface 605 as needed. A removable medium 611, such as a magnetic disk, an optical disk, a magneto-optical disk or a semiconductor memory, is mounted on the drive 610 as needed, so that a computer program read from it can be installed into the storage section 608 as needed.
In particular, according to the embodiments of the present disclosure, the processes described above with reference to the flowcharts may be implemented as computer software programs. For example, the embodiments of the present disclosure include a computer program product, which includes a computer program carried on a computer-readable medium, the computer program containing program code for executing the method shown in the flowcharts. In such an embodiment, the computer program may be downloaded and installed from a network via the communication section 609 and/or installed from the removable medium 611. When the computer program is executed by the central processing unit (CPU) 601, the above-mentioned functions defined in the method of the present application are performed.
It should be noted that the computer-readable medium described in the present application may be a computer-readable signal medium, a computer-readable storage medium, or any combination of the two. A computer-readable storage medium may be, for example, but is not limited to, an electrical, magnetic, optical, electromagnetic, infrared or semiconductor system, apparatus or device, or any combination of the above. More specific examples of the computer-readable storage medium may include, but are not limited to: an electrical connection with one or more wires, a portable computer diskette, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the above. In the present application, a computer-readable storage medium may be any tangible medium that contains or stores a program which can be used by or in connection with an instruction execution system, apparatus or device. In the present application, a computer-readable signal medium may include a data signal propagated in baseband or as part of a carrier wave, in which computer-readable program code is carried. Such a propagated data signal may take many forms, including but not limited to an electromagnetic signal, an optical signal, or any suitable combination of the above. A computer-readable signal medium may also be any computer-readable medium other than a computer-readable storage medium, which can send, propagate or transmit a program for use by or in connection with an instruction execution system, apparatus or device. The program code contained on a computer-readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wire, optical cable, RF, or any suitable combination of the above.
The flowcharts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods, and computer program products according to various embodiments of the present application. In this regard, each block in a flowchart or block diagram may represent a module, program segment, or portion of code, which contains one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the blocks may occur in an order different from that noted in the figures. For example, two blocks shown in succession may in fact be executed substantially concurrently, or they may sometimes be executed in the reverse order, depending upon the functionality involved. It should also be noted that each block of the block diagrams and/or flowcharts, and combinations of blocks in the block diagrams and/or flowcharts, can be implemented by a dedicated hardware-based system that performs the specified functions or operations, or by a combination of dedicated hardware and computer instructions.
The units described in the embodiments of the present application may be implemented by software or by hardware. The described units may also be provided in a processor; for example, it may be described as: a processor comprising a traffic characteristic information determining unit, a network attack determining unit, an acquiring unit, and an attack information determining unit. The names of these units do not, in certain circumstances, limit the units themselves; for example, the traffic characteristic information determining unit may also be described as "a unit for determining the traffic characteristic information of the target computer room".
As another aspect, the present application also provides a computer-readable medium, which may be included in the apparatus described in the above embodiments or may exist independently without being assembled into the apparatus. The computer-readable medium carries one or more programs which, when executed by the apparatus, cause the apparatus to: determine traffic characteristic information of a target computer room; determine, according to the traffic characteristic information, whether the target computer room is under a network attack; in response to determining that the target computer room is under a network attack, acquire request characteristic information of the data requests received by the target computer room; and determine, according to the acquired request characteristic information, attack source information and/or attack target information of the network attack.
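As an added illustration of the four-step flow just summarized (example code written for this page, not code from the patent or its applicant), the following Python sketch uses requests per second received by a computer room as the traffic characteristic, a fixed rate threshold as the attack decision rule, and source IP address plus requested path as the request characteristics. Those three choices, the constructed sample requests (drawn from documentation-only IP ranges), and the attribution rule (a source or path is reported when it accounts for at least a given share of the room's requests) are assumptions of this example, since this section of the patent does not fix them.

```python
from collections import Counter
from typing import List, NamedTuple, Tuple


class Request(NamedTuple):
    room: str     # target computer room (data centre) that received the request
    ts: float     # arrival time in seconds relative to the observation start
    src_ip: str   # request characteristic: source address
    path: str     # request characteristic: requested resource


# Constructed sample input: one second of requests to two computer rooms.
# Addresses come from the RFC 5737 documentation ranges; values are illustrative.
SAMPLE: List[Request] = (
    [Request("dc-east", 0.1 * i, "203.0.113.7", "/login") for i in range(8)]
    + [
        Request("dc-east", 0.3, "198.51.100.9", "/login"),
        Request("dc-east", 0.5, "198.51.100.9", "/login"),
        Request("dc-east", 0.6, "192.0.2.4", "/"),
        Request("dc-east", 0.9, "192.0.2.5", "/about"),
        Request("dc-west", 0.2, "192.0.2.6", "/"),
        Request("dc-west", 0.8, "192.0.2.7", "/status"),
    ]
)


def traffic_feature(requests: List[Request], room: str,
                    start: float = 0.0, window: float = 1.0) -> float:
    """Step 1 (assumed feature): requests per second received by `room`
    within [start, start + window)."""
    n = sum(1 for r in requests
            if r.room == room and start <= r.ts < start + window)
    return n / window


def is_under_attack(rate: float, threshold: float) -> bool:
    """Step 2 (assumed rule): the room is treated as attacked when its
    request rate exceeds a fixed threshold."""
    return rate > threshold


def request_features(requests: List[Request], room: str) -> List[Tuple[str, str]]:
    """Step 3: collect (source IP, path) for every request the room received."""
    return [(r.src_ip, r.path) for r in requests if r.room == room]


def attack_source_and_target(features: List[Tuple[str, str]],
                             share: float = 0.2) -> Tuple[List[str], List[str]]:
    """Step 4 (assumed attribution rule): report the source addresses and the
    requested paths that each account for at least `share` of the requests,
    most frequent first."""
    if not features:
        return [], []
    total = len(features)
    by_src = Counter(src for src, _ in features)
    by_path = Counter(path for _, path in features)
    sources = [ip for ip, c in by_src.most_common() if c / total >= share]
    targets = [p for p, c in by_path.most_common() if c / total >= share]
    return sources, targets


def detect(requests: List[Request], room: str, threshold: float,
           window: float = 1.0, share: float = 0.2) -> dict:
    """Run the whole flow for one computer room and return a summary."""
    rate = traffic_feature(requests, room, window=window)
    attacked = is_under_attack(rate, threshold)
    sources: List[str] = []
    targets: List[str] = []
    if attacked:
        # Request characteristics are only gathered once an attack is declared.
        sources, targets = attack_source_and_target(
            request_features(requests, room), share)
    return {"room": room, "rate": rate, "attack": attacked,
            "sources": sources, "targets": targets}


if __name__ == "__main__":
    for room in ("dc-east", "dc-west"):
        print(detect(SAMPLE, room, threshold=5.0))
```

With the sample above and a threshold of 5 requests per second, `dc-east` is flagged (12 requests in the window) and attributed to the single address responsible for two thirds of its traffic and to the `/login` path, while `dc-west` stays below the threshold and no request characteristics are collected for it. In a deployment the threshold would come from a baseline of normal traffic rather than a constant, and the per-source share rule would need to be replaced by something more robust when the attack traffic is spread across many addresses.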
The above description is merely a preferred embodiment of the present application and an illustration of the technical principles applied. Those skilled in the art should understand that the scope of the invention involved in the present application is not limited to technical solutions formed by the specific combination of the above technical features, but also covers other technical solutions formed by any combination of the above technical features or their equivalent features without departing from the above inventive concept, for example, technical solutions formed by replacing the above features with technical features having similar functions disclosed in (but not limited to) the present application.
Claims (11)
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201710195540.3A CN106850687A (en) | 2017-03-29 | 2017-03-29 | Method and apparatus for detecting network attack |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201710195540.3A CN106850687A (en) | 2017-03-29 | 2017-03-29 | Method and apparatus for detecting network attack |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN106850687A true CN106850687A (en) | 2017-06-13 |
Family
ID=59141453
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201710195540.3A Pending CN106850687A (en) | 2017-03-29 | 2017-03-29 | Method and apparatus for detecting network attack |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN106850687A (en) |
Cited By (10)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN107483458A (en) * | 2017-08-29 | 2017-12-15 | 杭州迪普科技股份有限公司 | The recognition methods of network attack and device, computer-readable recording medium |
| CN109167797A (en) * | 2018-10-12 | 2019-01-08 | 北京百度网讯科技有限公司 | Analysis of Network Attack method and apparatus |
| CN109327439A (en) * | 2018-09-29 | 2019-02-12 | 武汉极意网络科技有限公司 | Risk Identification Method, device, storage medium and the equipment of service request data |
| CN109462586A (en) * | 2018-11-08 | 2019-03-12 | 北京知道创宇信息技术有限公司 | Flow monitoring method, device and execute server |
| CN110505249A (en) * | 2019-09-30 | 2019-11-26 | 怀来斯达铭数据有限公司 | The recognition methods of ddos attack and device |
| CN111737099A (en) * | 2020-06-09 | 2020-10-02 | 国网电力科学研究院有限公司 | A Gaussian distribution-based data center anomaly detection method and device |
| CN111756759A (en) * | 2020-06-28 | 2020-10-09 | 杭州安恒信息技术股份有限公司 | A network attack source tracing method, device and device |
| CN112153044A (en) * | 2020-09-23 | 2020-12-29 | 腾讯科技(深圳)有限公司 | Flow data detection method and related equipment |
| CN113810207A (en) * | 2020-06-12 | 2021-12-17 | 中国电信股份有限公司 | Root cause server positioning method and root cause server positioning device |
| CN115277256A (en) * | 2022-09-27 | 2022-11-01 | 中国民用航空局空中交通管理局航空气象中心 | Early warning method and system for data intranet and extranet gateway transmission |
Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103685293A (en) * | 2013-12-20 | 2014-03-26 | 北京奇虎科技有限公司 | Protection method and device for denial of service attack |
| CN103701795A (en) * | 2013-12-20 | 2014-04-02 | 北京奇虎科技有限公司 | Identification method and device for attack source of denial of service attack |
| CN104202336A (en) * | 2014-09-22 | 2014-12-10 | 浪潮电子信息产业股份有限公司 | DDoS attack detection method based on information entropy |
| CN104486324A (en) * | 2014-12-10 | 2015-04-01 | 北京百度网讯科技有限公司 | Method and system for identifying network attack |
| CN105337966A (en) * | 2015-10-16 | 2016-02-17 | 中国联合网络通信集团有限公司 | Processing method for network attacks and device |
| CN106027559A (en) * | 2016-07-05 | 2016-10-12 | 国家计算机网络与信息安全管理中心 | Network session statistical characteristic based large-scale network scanning detection method |
- 2017-03-29 CN CN201710195540.3A patent/CN106850687A/en active Pending
Cited By (14)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN107483458A (en) * | 2017-08-29 | 2017-12-15 | 杭州迪普科技股份有限公司 | The recognition methods of network attack and device, computer-readable recording medium |
| CN109327439B (en) * | 2018-09-29 | 2021-04-23 | 武汉极意网络科技有限公司 | Risk identification method and device for service request data, storage medium and equipment |
| CN109327439A (en) * | 2018-09-29 | 2019-02-12 | 武汉极意网络科技有限公司 | Risk Identification Method, device, storage medium and the equipment of service request data |
| CN109167797A (en) * | 2018-10-12 | 2019-01-08 | 北京百度网讯科技有限公司 | Analysis of Network Attack method and apparatus |
| CN109462586A (en) * | 2018-11-08 | 2019-03-12 | 北京知道创宇信息技术有限公司 | Flow monitoring method, device and execute server |
| CN110505249A (en) * | 2019-09-30 | 2019-11-26 | 怀来斯达铭数据有限公司 | The recognition methods of ddos attack and device |
| CN111737099A (en) * | 2020-06-09 | 2020-10-02 | 国网电力科学研究院有限公司 | A Gaussian distribution-based data center anomaly detection method and device |
| CN111737099B (en) * | 2020-06-09 | 2021-04-16 | 国网电力科学研究院有限公司 | A Gaussian distribution-based data center anomaly detection method and device |
| CN113810207A (en) * | 2020-06-12 | 2021-12-17 | 中国电信股份有限公司 | Root cause server positioning method and root cause server positioning device |
| CN113810207B (en) * | 2020-06-12 | 2024-11-12 | 天翼云科技有限公司 | Root cause server positioning method and root cause server positioning device |
| CN111756759A (en) * | 2020-06-28 | 2020-10-09 | 杭州安恒信息技术股份有限公司 | A network attack source tracing method, device and device |
| CN112153044A (en) * | 2020-09-23 | 2020-12-29 | 腾讯科技(深圳)有限公司 | Flow data detection method and related equipment |
| CN115277256A (en) * | 2022-09-27 | 2022-11-01 | 中国民用航空局空中交通管理局航空气象中心 | Early warning method and system for data intranet and extranet gateway transmission |
| CN115277256B (en) * | 2022-09-27 | 2022-12-16 | 中国民用航空局空中交通管理局航空气象中心 | Early warning method and system for data intranet and extranet gateway transmission |
Similar Documents
| Publication | Title |
|---|---|
| CN106850687A (en) | Method and apparatus for detecting network attack |
| JP7759453B2 (en) | Honeypot for Infrastructure as a Service Security |
| KR102298268B1 (en) | An apparatus for network monitoring based on edge computing and method thereof, and system |
| US20230006936A1 (en) | Intelligent dataflow-based service discovery and analysis |
| US10320827B2 (en) | Automated cyber physical threat campaign analysis and attribution |
| US12489793B2 (en) | Dynamic cybersecurity scoring using traffic fingerprinting and risk score improvement |
| US20150229669A1 (en) | Method and device for detecting distributed denial of service attack |
| KR102469441B1 (en) | A method and an apparatus for monitoring global failure of virtual gateway cluster |
| CN107431712A (en) | Network flow logs for multi-tenant environments |
| CN110545277B (en) | Risk processing method and device applied to security system, computing equipment and medium |
| EP4503800A1 (en) | Data processing method and apparatus, and computer-readable medium and electronic device |
| CN112702229B (en) | Data transmission method, device, electronic equipment and storage medium |
| CN111371774A (en) | Information processing method and device, equipment and storage medium |
| US10623450B2 (en) | Access to data on a remote device |
| US10129277B1 (en) | Methods for detecting malicious network traffic and devices thereof |
| CN117093627A (en) | Information mining methods, devices, electronic equipment and storage media |
| CN116629379A (en) | Federated learning aggregation method and device, storage medium and electronic equipment |
| US11005797B2 (en) | Method, system and server for removing alerts |
| CN115396142A (en) | Information access method, device, computer equipment and medium based on zero trust |
| US11184266B1 (en) | Method and system for detecting latency in a wide area network |
| US11683339B2 (en) | Attack mitigation in a packet-switched network |
| US9319422B2 (en) | Detecting remote operation of a computer |
| CN115190159A (en) | Session control method, device, electronic equipment and medium |
| CN109688432B (en) | Information transmission method, device and system |
| CN109614137B (en) | Software version control method, device, equipment and medium |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | PB01 | Publication | |
| | SE01 | Entry into force of request for substantive examination | |
| | RJ01 | Rejection of invention patent application after publication | Application publication date: 20170613 |