Specific embodiment
An account-scanning attack is an attack pattern that uses automated behavior to simulate logins with usernames and passwords, in order to test whether username and password information is correct. For example, as shown in Fig. 1, terminal 11 is a device controlled by a hacker and serves as the originating end of the account-scanning attack. The IP address of terminal 11 is IP1, and terminal 11 can launch attacks with high concurrency, such as attack 1, attack 2, attack 3 and attack 4 in Fig. 1, at a relatively high frequency. Each attack is one simulated login initiated by terminal 11, and the username and password used in each attack can differ; if any one login succeeds, the attacker can obtain the user's private information.
The login information targeted by the account-scanning attack can be the information of registered users of some application, for example the login information of a shopping website. Many users have registered with the shopping website and shop there, and the website also stores, under each user's account, some private information belonging to that user. To guard against account-scanning attacks and protect users' information security, the application can use a statistics server to identify account-scanning attacks. As shown in Fig. 1, statistics server 12 can receive many service requests; in this example, a service request can be a login request. For instance, when a normal registered user of the application logs in to the website on their own computer, they enter their username and password to request a login, and the computer then sends a login request. The many service requests received by statistics server 12 include both requests from normal users and requests from the attacker, i.e. the login requests corresponding to attack 1, attack 2, etc. sent by terminal 11 in Fig. 1.
Statistics server 12 can determine whether an account-scanning attack is occurring by means of counting statistics. This counting approach records the IP address corresponding to each service request and the number of requests initiated by that IP address, and stores the statistics as key-value pairs, where the key is the IP address and the value is the request count. For example, the attacker in Fig. 1, terminal 11, attacks at high frequency; that is, the IP address "IP1" keeps issuing login requests. On receiving the first request, statistics server 12 records "key=IP1, value=1"; on receiving the second request, again from that IP address, statistics server 12 updates the key-value pair to "key=IP1, value=2". Thus, each time a request is received, a write operation is performed on the value corresponding to the request's source IP address in order to update the value.
However, because account-scanning attacks are characterized by high concurrency, a problem easily arises: two threads may simultaneously try to write an update to the value corresponding to the same IP address, because two requests initiated by that IP address were received within a short time. A "write conflict" may then occur; write conflicts are a property that databases adopt to guarantee data accuracy. Not every attack request in an account-scanning attack causes a write conflict, but the high concurrency of the attack means that write conflicts occur with relatively high probability and may occur persistently. In this situation, if the statistics server retries, i.e. rewrites, every time a conflict occurs, system resources are seriously wasted, and wasting resources on handling the illegitimate requests of an account-scanning attack is something that should especially be avoided.
Based on the above, the embodiments of the present application provide an attack recognition method whose main purpose is to reduce the resources wasted on the server side by write conflicts during high-concurrency attacks. It mainly identifies whether a service-request conflict is a conflict caused by an account-scanning attack or a normal conflict, and singles out the conflicts caused by account-scanning attacks so that statistics server 12 no longer rewrites for such conflicts and wastes resources. As shown in Fig. 2, this example provides attack recognition device 13, which can include a first cache 131 and at least one second cache 132. For example, the caches here can be LRU (least recently used) Caches; an LRU Cache is a mechanism that removes some of the objects in the cache according to the least-recently-used principle. The first cache 131 and the second cache 132 need not be two physically isolated LRU Caches; they can instead be distinguished by what they store. For instance, the first cache 131 can store the identification features of requesters at the time conflicts occur, and the second cache 132 can store the conflict information corresponding to an identification feature, such as conflict times. Attack recognition device 13 can obtain the identification feature (for example, the IP address of terminal 11) of the requester (for example, terminal 11) carried in a service request sent by terminal 11, and can judge from the identification feature whether this is an attack. When attack recognition device 13 determines that the requester is an attacker, it can also intercept the service requests that the attacker sends to statistics server 12, thereby relieving the pressure on the statistics server.
It should also be noted that the information stored in the above LRU Caches is all information about request conflicts, and what attack recognition device 13 judges from this information is whether an IP address that has had request conflicts is an attacker's IP address, i.e. whether the conflicts were caused by an attack.
To make the description of this example's attack recognition method clearer, the following first explains how information is stored in each LRU Cache, and then describes how attack recognition device 13 performs attack recognition based on that information.
Information storage in the LRU Cache:
As shown in Fig. 2, even though attack recognition device 13 can identify an attacker from the information in the LRU Cache, it usually judges an IP address to be an attacker only when the conflict frequency determined from that information reaches a certain threshold; this follows from the characteristics of account-scanning attacks. Therefore, when little information is stored in the LRU Cache and the threshold has not yet been reached, attack recognition device 13 cannot determine from querying the LRU Cache that this is an attacker, so it can let the service request through to be received by statistics server 12.
A service request that is let through may in fact be an attack request that attack recognition device 13 has simply not yet identified. So, if the attack requests are especially frequent, write conflicts may still occur at statistics server 12. In this example, statistics server 12 can feed back to attack recognition device 13 that the result of processing this service request was a write conflict. Attack recognition device 13 then knows that the service request it let through conflicted at statistics server 12, and can store information in the LRU Cache to record this service conflict and the information related to it.
As shown in Fig. 3, take storage in list form as the example for the LRU Cache. Assuming this conflict comes from a new IP address, attack recognition device 13 can store that IP address, identified as key4, in the conflict list of the first cache (the first cache, and the second cache in later examples, can both be LRU Caches). The conflict list also stores key1, key2 and key3, which are IP addresses that had conflicts earlier and were stored in the list. Everything stored in the conflict list is a key for which a service conflict (the write conflict described above) has occurred. These keys can be called identification features: the first cache stores the identification feature of each requester for which a service conflict has occurred, which can be, for example, the IP address of the requesting device, represented in this example by a key.
In addition, attack recognition device 13 sets up a corresponding second cache for each key, which stores the conflict information for that key. For example, the conflict information can include the time at which the conflict occurred, the value to be written at the time of the conflict, and similar information. The conflict information can also be used to determine the conflict count for the identification feature within a preset time period, as described in later examples. As shown in Fig. 3, which illustrates the time in the conflict information, for key4 newly added to the conflict list, the time time4-1 at which this conflict occurred is added to key4's second cache. If a conflict notification for key4 is received a second time, attack recognition device 13 can record a further piece of conflict information in key4's conflict information.
Regarding the way the LRU Cache stores information in the example of Fig. 3, the following two points need explanation:
First, the LRU Cache enables automatic elimination of useless information:
Take the conflict list as an example. If a key in the list has another conflict, the key is moved up in the list. For instance, if the service request corresponding to key1 in Fig. 3 has another write conflict, key1 is moved up in the list to above key4. By this principle, the bottom of the list usually holds keys that have not conflicted for a long time. When the storage space of the LRU Cache is full and some data must be removed, the key at the bottom of the list is removed. In principle, a key at the bottom of the conflict list that has not conflicted again for a long time has a low conflict frequency, which does not match the characteristics of an attacker, so it can be removed from the list. Of course, if that key conflicts again later, it can be added to the list again and monitoring restarts.
The second cache, which stores conflict information, is maintained on the same principle as the first cache above: the times at the bottom of the list holding the conflict information are conflict times that occurred long ago, and the times furthest from the current time are eliminated first.
Second, the capacity design of the LRU Cache:
In this example, the operating mechanism of the LRU Cache can be used to eliminate useless information automatically. The role of the LRU Cache is not only to clean up useless information, so that the list to be queried does not grow too large and queries stay fast; the LRU Cache must also be able to identify attackers, i.e. complete attacker identification according to a predetermined attack recognition condition. For instance, if the attack recognition condition is "a key whose conflict count reaches 10 within 1 minute is determined to be an attacker", then the second cache must be able to store the conflict information of at least 10 conflicts, i.e. at least a preset number of conflict times, where the preset number equals the conflict count corresponding to the preset threshold (e.g. the 10 above). The capacity of the first cache depends on the number of keys to be monitored simultaneously; for instance, if 1000 keys are to be monitored, the first cache must be able to store at least the preset number (e.g. 1000) of identification features.
Information use in the LRU Cache:
Attack recognition device 13 can identify account-scanning attacks based on the information stored in the LRU Cache. Fig. 4 shows a flow chart of the attack recognition method of the embodiments of the present application; attack recognition device 13 can identify an account-scanning attack according to this flow. As shown in Fig. 4, the method includes:
In step 401, it is determined that the identification feature of the requester carried in the service request is stored.
For example, attack recognition device 13 obtains the identification feature of the requester carried in a service request; the identification feature can be the IP address of terminal 11, IP1.
Attack recognition device 13 queries the first cache; in this example, it can determine that the identification feature is stored in the first cache. For example, attack recognition device 13 can query the conflict list of the first cache. If it finds IP1 (assume IP1 is key3) in the list, it determines that the identification feature is stored and continues to step 402. Otherwise, if IP1 is not in the list, it can let the service request through so that the request is sent to the statistics server. At the statistics server, if the request from IP1 does not cause a write conflict, the statistics server can update the request count value for that IP normally; if a conflict occurs, the statistics server can feed this back to the attack recognition device so that the information is recorded.
In step 402, the conflict count, i.e. the number of service conflicts that have occurred for the identification feature, is obtained.
For example, still taking key3, assume the preset time period is 1 minute. Based on the current time and the preset time period, the conflict times that fall within the preset time period are obtained; for instance, these can be the two times time3-1 and time3-2 for key3 in Fig. 3, assuming time3-3 is more than 1 minute before the current time. The conflict count within the preset time period before the current time is thus determined to be two.
In step 403, if the conflict count for the identification feature reaches the threshold within the preset time period, the requester corresponding to the identification feature is determined to be an attacker, and the service request is an attack request.
For example, assuming the threshold is 2, the conflict count for key3 in step 402 has reached the threshold, so the attack recognition device can determine that IP1 is the attacker's IP and that this service request is an attack request; it can then intercept the request and not send it on to the statistics server. If the threshold is 10, the conflict count for key3 in step 402 has not yet reached the threshold, so the attack recognition device cannot yet determine that IP1 is an attacker and can let this service request through.
In addition, in the above example, if the conflict count for the identification feature has not reached the threshold within the preset time period, or the requester's identification feature is not in the stored identification information, the service request is sent to the server for processing; when a notification fed back by the server that a service conflict occurred is received, the corresponding conflict information is stored in the second cache for the identification feature of this service request.
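The storage scheme and steps 401 to 403 described above can be sketched as follows. This is an added example, not code from the application: the names ConflictTracker, handle_request and send_to_server are hypothetical, Python's OrderedDict and a bounded deque stand in for the first and second LRU Caches, and times are plain seconds.

```python
from collections import OrderedDict, deque


class ConflictTracker:
    """First cache: LRU-ordered identification features (here source IPs).
    Second cache, one per feature: a bounded list of conflict times."""

    def __init__(self, max_keys=1000, threshold=10, window=60.0):
        self.max_keys = max_keys        # capacity of the first cache
        self.threshold = threshold      # conflicts in `window` that mark an attacker
        self.window = window            # preset time period, in seconds
        self.conflicts = OrderedDict()  # key -> deque of conflict times

    def record_conflict(self, key, now):
        """Store one conflict reported back by the statistics server."""
        times = self.conflicts.get(key)
        if times is None:
            # Second cache holds `threshold` times; the oldest is dropped first.
            times = deque(maxlen=self.threshold)
            self.conflicts[key] = times
            if len(self.conflicts) > self.max_keys:
                # First cache is full: remove the key that conflicted longest ago.
                self.conflicts.popitem(last=False)
        times.append(now)
        self.conflicts.move_to_end(key)  # a fresh conflict moves the key to the top

    def conflict_count(self, key, now):
        """Step 402: number of conflicts for `key` inside the preset time period."""
        return sum(1 for t in self.conflicts.get(key, ()) if now - t <= self.window)

    def is_attack(self, key, now):
        """Steps 401 and 403: True when the request should be intercepted."""
        if key not in self.conflicts:   # step 401: feature not stored, let through
            return False
        return self.conflict_count(key, now) >= self.threshold


def handle_request(tracker, key, now, send_to_server):
    """Gate one service request. `send_to_server(key)` is a hypothetical callable
    returning True when the statistics server reports a write conflict."""
    if tracker.is_attack(key, now):
        return "intercepted"            # never reaches the statistics server
    if send_to_server(key):
        tracker.record_conflict(key, now)
        return "conflict"
    return "ok"


def demo():
    """Constructed scenario: every request from IP1 collides; threshold 2 in 60 s."""
    tracker = ConflictTracker(max_keys=2, threshold=2, window=60.0)
    return [handle_request(tracker, "IP1", t, lambda key: True)
            for t in (0, 1, 2, 100)]
```

In the constructed scenario the third request is intercepted, while the request at t=100 is let through again because both recorded conflicts have aged out of the 60-second period.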
The attack recognition method provided by this example uses a cache to store conflict-related information, and can determine from that information whether the requester involved in a service conflict is an attacker, so that requests can be intercepted once an attack is identified, reducing the resources wasted on the server side by write conflicts during high-concurrency attacks. In addition, using an LRU Cache as the cache that stores the information not only helps to identify attacks; its operating mechanism also eliminates useless information automatically and keeps the amount of information from growing too large, and an LRU Cache can perform information queries quickly, which helps to identify attacks quickly.
To implement the above attack recognition method, the embodiments of the present application also provide an attack recognition device. As shown in Fig. 5, the device can include an information acquisition module 51 and a recognition processing module 52.
Information acquisition module 51 is configured to, when it is determined that the identification feature of the requester carried in a service request is stored, obtain the conflict count, i.e. the number of service conflicts that have occurred for the identification feature, within a preset time period;
Recognition processing module 52 is configured to, if the conflict count reaches the threshold within the preset time period, determine that the requester corresponding to the identification feature is an attacker and that the service request is an attack request.
In one example, as shown in Fig. 6, the device can also include an information storage module 53;
Recognition processing module 52 is further configured to send the service request to the server for processing when the identification feature of the requester is not stored, or when the conflict count for the identification feature has not reached the threshold within the preset time period.
Information storage module 53 is configured to store the identification feature and record this service conflict when a notification fed back by the server that a service conflict occurred is received.
In one example, information storage module 53, when recording this service conflict, stores the identification feature of the requester involved in this service conflict in a first LRU Cache, the first LRU Cache being used to store the identification feature of each requester for which a service conflict has occurred; and stores the conflict information of this service conflict in a second LRU Cache corresponding to the identification feature, the conflict information being used to determine the conflict count for the identification feature within the preset time period.
In one example, information acquisition module 51 is configured to, when the conflict information includes the conflict time at which each conflict for the identification feature occurred, obtain the conflict times that fall within the preset time period based on the current time and the preset time period; the number of those conflict times is the conflict count for the identification feature.
In one example, the capacity of the first LRU Cache is at least enough to store a preset number of identification features;
When the conflict information includes conflict times, the capacity of the second LRU Cache is at least enough to store a preset number of conflict times, the preset number being equal to the conflict count corresponding to the threshold.
The foregoing describes only preferred embodiments of the present invention and is not intended to limit the invention; any modification, equivalent substitution, improvement and the like made within the spirit and principles of the present invention shall fall within the scope of protection of the present invention.