CN106878247A - Attack recognition method and apparatus - Google Patents


Publication number: CN106878247A
Authority: CN (China)
Prior art keywords: conflict; service; identification characteristics; request; time period
Legal status: Granted, Active (as listed by Google Patents; an assumption, not a legal conclusion)
Application number: CN201610659797.5A
Other languages: Chinese (zh)
Other versions: CN106878247B (en)
Inventors: 徐飞, 谷胜才
Current Assignee: Advanced New Technologies Co Ltd; Advantageous New Technologies Co Ltd (as listed by Google Patents; the listed assignees may be inaccurate)
Original Assignee: Alibaba Group Holding Ltd
Application filed by Alibaba Group Holding Ltd
Priority to CN201610659797.5A
Publication of CN106878247A; application granted; publication of CN106878247B

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416: Event detection, e.g. attack signature detection

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present invention provides an attack recognition method and apparatus. The method includes: when it is determined that the identification feature of the requesting end carried in a service request is stored, obtaining the number of service conflicts corresponding to that identification feature within a preset time period; and, if the number of conflicts within the preset time period reaches a threshold, determining that the requesting end corresponding to the identification feature is an attacker and that the service request is an attack request. The invention reduces the server-side resources wasted on write conflicts during a high-concurrency attack.

Description

Attack recognition method and apparatus
Technical field
The present invention relates to computer technology, and in particular to an attack recognition method and apparatus.
Background
The development of networks and computer technology has brought many conveniences to people's work and life, but it has also brought security risks: some offenders use illegal operations on the network to try to obtain users' private information and steal users' personal resources. One such unsafe behavior is the account-scanning attack, in which the attacker typically sends highly concurrent simulated requests that repeatedly probe user account login information until correct login information is obtained. In this kind of high-concurrency attack it is common for the same attacker IP to initiate two or more simulated requests at a high frequency; that is, the attacker at that IP address sends simulated requests very frequently and at very short intervals.
Network security administrators usually take measures to guard against and recognize such attacks. For an account-scanning attack, for example, a statistics server can record the number of requests from each IP address: each request received updates the request count of the corresponding IP address, and an account-scanning attack is declared when the count meets a certain threshold condition. Because of the high concurrency of these requests, two threads may try to write the request count of the same IP address at the same time (both updating the count for that IP), which produces a "write conflict". In the related art, the measure taken when a conflict occurs is to retry: the server performs the write again. However, as described above, a high-concurrency attack has a very high request frequency, so even after a rewrite the probability of another conflict remains high, and every rewrite occupies system resources on the server, which wastes resources.
Summary of the invention
In view of this, the present invention provides an attack recognition method and apparatus to reduce the server-side resources wasted on write conflicts during a high-concurrency attack.
Specifically, the present invention is achieved through the following technical solutions:
In a first aspect, an attack recognition method is provided, the method including:
when it is determined that the identification feature of the requesting end carried in a service request is stored, obtaining the number of service conflicts corresponding to the identification feature within a preset time period;
if the number of conflicts within the preset time period reaches a threshold, determining that the requesting end corresponding to the identification feature is an attacker and that the service request is an attack request.
In a second aspect, an attack recognition apparatus is provided, the apparatus including:
an information obtaining module, configured to obtain, when it is determined that the identification feature of the requesting end carried in a service request is stored, the number of service conflicts corresponding to the identification feature within a preset time period;
a recognition processing module, configured to determine, when the number of conflicts within the preset time period reaches a threshold, that the requesting end corresponding to the identification feature is an attacker and that the service request is an attack request.
The attack recognition method and apparatus of the embodiments of the present invention store conflict-related information in a cache and use that information to determine whether the requesting end that caused a service conflict is an attacker, so that requests can be intercepted once an attack is recognized, reducing the server-side resources wasted on write conflicts during a high-concurrency attack.
Brief description of the drawings
Fig. 1 is a schematic diagram of an account-scanning attack scenario provided by an embodiment of the present invention;
Fig. 2 is a schematic diagram of an application that recognizes attack conflicts, provided by an embodiment of the present invention;
Fig. 3 is a schematic structural diagram of the information storage provided by an embodiment of the present invention;
Fig. 4 is a flow chart of an attack recognition method provided by an embodiment of the present invention;
Fig. 5 is a schematic structural diagram of an attack recognition apparatus provided by an embodiment of the present invention;
Fig. 6 is a schematic structural diagram of an attack recognition apparatus provided by an embodiment of the present invention.
Detailed description
An account-scanning attack is an attack in which automated machine behavior performs simulated logins with usernames and passwords to test whether the username and password information is correct. For example, as shown in Fig. 1, terminal 11 is a device controlled by a hacker and serves as the originating end of the account-scanning attack. The IP address of terminal 11 is IP1, and terminal 11 can launch a high-concurrency attack: the attacks in Fig. 1 (attack 1, attack 2, attack 3, attack 4 and so on) can be initiated at a high frequency. Each attack is one simulated login initiated by terminal 11, and the username and password used can differ from attack to attack. If any one login succeeds, the attacker obtains the user's private information.
The login information targeted by the account-scanning attack can be that of registered users of some application, for example the login information of a shopping website. Many users have registered with the shopping website and shop there, and the website stores private information for each user under that user's account. To guard against account-scanning attacks and protect users' information, the application can use a statistics server to recognize them. As shown in Fig. 1, statistics server 12 receives many service requests; in this example a service request is a login request. For instance, when a normal registered user logs in to the website from their own computer, they enter their username and password to request login, and the computer then sends the login request. The many service requests received by statistics server 12 therefore include both requests from normal users and service requests from the attacker, that is, the login requests corresponding to attack 1, attack 2 and the other attacks sent by terminal 11 in Fig. 1.
Statistics server 12 can use counting statistics to decide whether an account-scanning attack is under way. It records the IP address corresponding to each service request and the number of requests initiated by that IP address, and stores this information as key-value pairs in which the key is the IP address and the value is the request count. For example, the attacker in Fig. 1, terminal 11, attacks at a high frequency, so the IP address "IP1" keeps sending login requests. When the first request is received, statistics server 12 records "key=IP1, value=1"; when the second request is received, again from that IP address, statistics server 12 updates the key-value pair to "key=IP1, value=2". Each time a request is received, a write operation is performed on the value corresponding to the request's source IP address to update it.
However, because account-scanning attacks are highly concurrent, a problem easily arises: two threads may try to write an update to the value of the same IP address at the same time, because two requests from that IP address were received within a short period. This can produce a "write conflict", a property databases enforce to guarantee data accuracy. Not every attack request in an account-scanning attack causes a write conflict, but the high concurrency of the attack means write conflicts occur with fairly high probability and are likely to keep occurring. If the statistics server retries, that is, rewrites, every time a conflict occurs, system resources are seriously wasted, and wasting resources on handling the illegal requests of an account-scanning attack is something that should especially be avoided.
On this basis, the embodiments of the present application provide an attack recognition method whose main purpose is to reduce the server-side resources wasted on write conflicts during a high-concurrency attack. It does so mainly by recognizing whether a service request conflict is caused by an account-scanning attack or is a normal conflict, and by identifying the conflicts caused by an attack so that statistics server 12 no longer rewrites for them and wastes resources. As shown in Fig. 2, this example provides an attack recognition device 13, which can include a first cache 131 and at least one second cache 132. The caches here can be, for example, LRU (least recently used) Caches; an LRU Cache is a mechanism that removes some of the objects in the cache according to the least-recently-used principle. The first cache 131 and the second cache 132 need not be two physically isolated LRU Caches; they can instead be distinguished by what they store. For example, the first cache 131 can store the identification feature of the requesting end when a conflict occurs, and the second cache 132 can store the conflict information corresponding to an identification feature, such as the conflict time. The attack recognition device 13 can obtain the identification feature (for example, the IP address of terminal 11) of the requesting end (for example, terminal 11) carried in the service request sent by terminal 11, and can judge from the identification feature whether this is an attack. When it determines that the requesting end is an attacking end, the attack recognition device 13 can also intercept the service requests that the attacking end sends to statistics server 12, thereby relieving the pressure on the statistics server.
It should also be noted that all the information stored in the LRU Caches is information about request conflicts. The attack recognition device 13 uses this information to judge whether an IP address that has caused request conflicts is the IP address of an attacker, that is, whether the conflicts were caused by an attack.
To make the description of the attack recognition method of this example clearer, the following first explains how the information in each LRU Cache is stored and then describes how the attack recognition device 13 performs attack recognition from that information.
Information storage in the LRU Cache:
As shown in Fig. 2, even though the attack recognition device 13 can identify an attacker from the information in the LRU Cache, it usually judges an IP address to be an attacker only when the conflict frequency determined from that information reaches a certain threshold; this follows from the characteristics of account-scanning attacks. Therefore, while the LRU Cache holds little information and the threshold has not yet been reached, the attack recognition device 13 cannot determine that a requester is an attacker even after querying the LRU Cache. In that case the attack recognition device 13 can release the service request, which is then received by statistics server 12.
A released service request may well be an attack request that the attack recognition device 13 has simply not yet recognized. If the frequency of the attack requests is especially high, a write conflict may still occur at statistics server 12. In this example, statistics server 12 can send feedback to the attack recognition device 13, informing it that the result of processing this service request was a write conflict. The attack recognition device 13 then knows that the service request it released caused a conflict at statistics server 12, and at that point it can store information in the LRU Cache to record this service conflict and the information related to it.
As shown in Fig. 3, take information stored in the LRU Cache in list form as an example and assume that this conflict involves a new IP address. The attack recognition device 13 can store the identifier of that IP address, key4, in the conflict list of the first cache (the first cache, and the second cache in the later examples, can both be LRU Caches). The conflict list also stores key1, key2 and key3, which are IP addresses that caused conflicts earlier and were stored in the list. Everything stored in the conflict list is a key for which a service conflict (such as the write conflict described above) has occurred. These keys can be called identification features: the first cache stores the identification feature of each requesting end that has caused a service conflict, for example the IP address of the requesting device, represented in this example by a key.
The attack recognition device 13 also sets up a corresponding second cache for each key, in which the conflict information for that key is stored. The conflict information can include, for example, the time at which the conflict occurred and the value that was to be written when it occurred. The conflict information can also be used to determine the number of conflicts corresponding to the identification feature within the preset time period, as described in the later examples. Fig. 3 illustrates the time field of the conflict information: for key4, newly added to the conflict list, the time time4-1 at which this conflict occurred is added to the second cache corresponding to key4. If a conflict notification for key4 is received a second time, the attack recognition device 13 can record another conflict entry in the conflict information for key4.
Two points about the way the LRU Cache in Fig. 3 stores information need explanation:
First, using an LRU Cache eliminates useless information automatically:
Take the conflict list as an example. If a key in the list causes another conflict, the key is moved up the list. For instance, if the service request corresponding to key1 in Fig. 3 causes another write conflict, key1 is moved up to above key4. By this principle, the key at the bottom of the list is usually one that has not caused a conflict for a long time, and when the LRU Cache's storage space is full and some data must be removed, the key at the bottom of the list is the one removed. In principle, a key at the bottom of the conflict list has not caused a conflict for a long time, which means its conflict frequency is low and does not match the behavior of an attacker, so it can be removed from the list. If that key causes a conflict again later, it can be added to the list again and monitoring restarts.
The second cache, which stores conflict information, is maintained on the same principle as the first cache: the time at the bottom of the list holding the conflict information is that of the conflict that occurred longest ago, and the time furthest from the current time is eliminated first.
Second, the capacity design of the LRU Cache:
In this example, the operating mechanism of the LRU Cache eliminates useless data automatically. Its role is not only to clean up useless data, so that the amount of data searched when querying the list is not too large and queries are fast; the LRU Cache must also be able to recognize attackers according to the predetermined attack recognition condition. For example, if the attack recognition condition is "a key with 10 conflicts within 1 minute is determined to be an attacker", the second cache must be able to store the conflict information of at least 10 conflicts; that is, it must hold at least a preset number of conflict times, where the preset number equals the number of conflicts corresponding to the preset threshold (the 10 conflicts above). The capacity of the first cache depends on the number of keys to be monitored at the same time: if 1000 keys are to be monitored, the first cache must hold at least that preset number (here, 1000) of identification features.
Information use in the LRU Cache:
The attack recognition device 13 can recognize account-scanning attacks from the information stored in the LRU Cache. Fig. 4 shows the flow chart of the attack recognition method of the embodiment of the present application; the attack recognition device 13 can recognize an account-scanning attack by following this flow. As shown in Fig. 4, the method includes:
In step 401, it is determined that the identification feature of the requesting end carried in the service request is stored.
For example, the attack recognition device 13 obtains the identification feature of the requesting end carried in a service request; the identification feature can be the IP address of terminal 11, IP1.
The attack recognition device 13 queries the first cache, and in this example it can determine that the identification feature is stored in the first cache. For example, the attack recognition device 13 can query the conflict list of the first cache. If IP1 (assume IP1 is key3) is found in the list, it is determined that the identification feature is stored and step 402 is executed. Otherwise, if IP1 is not in the list, the service request can be released so that it is sent to the statistics server. On the statistics server side, if the request from IP1 does not cause a write conflict, the statistics server updates the request count corresponding to that IP normally; if a conflict occurs, it can send feedback to the attack recognition device so that the information is recorded.
In step 402, the number of service conflicts corresponding to the identification feature is obtained.
For example, again taking key3 and assuming the preset time period is 1 minute, the conflict times that fall within the preset time period can be obtained from the current time and the preset time period. These might be the two times time3-1 and time3-2 corresponding to key3 in Fig. 3, assuming that time3-3 is more than 1 minute before the current time. The number of conflicts within the preset time period up to the current time is thus determined to be two.
In step 403, if the number of conflicts corresponding to the identification feature within the preset time period reaches the threshold, it is determined that the requesting end corresponding to the identification feature is an attacker and that the service request is an attack request.
For example, if the threshold is 2, the number of conflicts for key3 from step 402 has reached the threshold. The attack recognition device can determine that IP1 is the attacker's IP and that this service request is an attack request, and it can intercept the request instead of sending it on to the statistics server. If the threshold is 10, the number of conflicts for key3 from step 402 has not yet reached the threshold; the attack recognition device cannot yet determine that IP1 is an attacker and can release this service request.
In addition, in the above example, if the number of conflicts for the identification feature within the preset time period has not reached the threshold, or the identification feature of the requesting end is not among the stored identification information, the service request is sent to the server for processing. When a notification fed back by the server that a service conflict has occurred is received, the corresponding conflict information is stored in the second cache corresponding to the identification feature of this service request.
The attack recognition method of this example stores conflict-related information in a cache and uses that information to determine whether the requesting end that caused a service conflict is an attacker, so that requests can be intercepted once an attack is recognized, reducing the server-side resources wasted on write conflicts during a high-concurrency attack. Moreover, using an LRU Cache as the cache that stores the information not only helps recognize attacks: its operating mechanism automatically eliminates useless information and keeps the amount of information from growing too large, and an LRU Cache can perform query operations quickly, which helps recognize attacks quickly.
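The storage scheme and steps 401 to 403 above, as an added Python example (not code from the patent). The class and function names, the millisecond timestamps, the sample IP addresses and the rule by which `CountingServer` reports a write conflict (two writes to one key less than 50 ms apart) are constructed assumptions for illustration.

```python
from collections import OrderedDict, deque


class ConflictTracker:
    """First cache: LRU of identifiers that caused a write conflict.
    Second cache (one per identifier): its most recent conflict times."""

    def __init__(self, max_keys, threshold, window_ms):
        self.max_keys = max_keys        # capacity of the first cache
        self.threshold = threshold      # conflicts in the window that mark an attacker
        self.window_ms = window_ms      # the preset time period
        self.conflicts = OrderedDict()  # identifier -> deque of conflict times

    def conflict_count(self, key, now_ms):
        """Steps 401/402: look the identifier up, count conflicts in the window."""
        times = self.conflicts.get(key)
        if times is None:
            return 0
        return sum(1 for t in times if now_ms - t <= self.window_ms)

    def is_attacker(self, key, now_ms):
        """Step 403: the threshold is reached within the preset time period."""
        return self.conflict_count(key, now_ms) >= self.threshold

    def record_conflict(self, key, now_ms):
        """Called when the server reports a write conflict for a released request."""
        times = self.conflicts.get(key)
        if times is None:
            if len(self.conflicts) >= self.max_keys:
                self.conflicts.popitem(last=False)  # evict the stalest identifier
            # Capacity equals the threshold; older times drop out automatically.
            times = self.conflicts[key] = deque(maxlen=self.threshold)
        times.append(now_ms)
        self.conflicts.move_to_end(key)  # a new conflict moves the key to the top


class CountingServer:
    """Constructed stand-in for the statistics server: a write that arrives less
    than min_gap_ms after the previous write to the same key is reported as a
    write conflict and is not retried."""

    def __init__(self, min_gap_ms):
        self.min_gap_ms = min_gap_ms
        self.counts = {}
        self.last_write = {}

    def update(self, key, now_ms):
        last = self.last_write.get(key)
        self.last_write[key] = now_ms
        if last is not None and now_ms - last < self.min_gap_ms:
            return False  # write conflict
        self.counts[key] = self.counts.get(key, 0) + 1
        return True


def handle_request(tracker, server, key, now_ms):
    """Gate placed in front of the statistics server."""
    if tracker.is_attacker(key, now_ms):
        return "blocked"            # intercepted, never reaches the server
    if server.update(key, now_ms):
        return "counted"
    tracker.record_conflict(key, now_ms)  # feedback from the server
    return "conflict"


def simulate():
    """Constructed traffic: one source every 10 ms, one ordinary user."""
    tracker = ConflictTracker(max_keys=1000, threshold=3, window_ms=60_000)
    server = CountingServer(min_gap_ms=50)
    attacker, user = "203.0.113.7", "198.51.100.20"  # documentation addresses
    events = [(t, attacker) for t in range(0, 80, 10)]
    events += [(t, user) for t in (0, 5_000, 10_000)]
    events.append((60_011, attacker))  # after two conflicts are still in the window
    events.sort()
    return [(t, key, handle_request(tracker, server, key, t)) for t, key in events]


if __name__ == "__main__":
    for row in simulate():
        print(row)
```

Looking a key up does not refresh its position in the first cache; only a new conflict does, which matches the "moved up on conflict" behavior described for Fig. 3.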
To implement the above attack recognition method, the embodiment of the present application also provides an attack recognition apparatus. As shown in Fig. 5, the apparatus can include an information obtaining module 51 and a recognition processing module 52.
The information obtaining module 51 is configured to obtain, when it is determined that the identification feature of the requesting end carried in a service request is stored, the number of service conflicts corresponding to the identification feature within a preset time period.
The recognition processing module 52 is configured to determine, if the number of conflicts within the preset time period reaches a threshold, that the requesting end corresponding to the identification feature is an attacker and that the service request is an attack request.
In one example, as shown in Fig. 6, the apparatus can also include an information storage module 53.
The recognition processing module 52 is further configured to send the service request to the server for processing when the identification feature of the requesting end is not stored, or when the number of conflicts corresponding to the identification feature within the preset time period has not reached the threshold.
The information storage module 53 is configured to store the identification feature and record this service conflict when a notification fed back by the server that a service conflict has occurred is received.
In one example, the information storage module 53, when recording this service conflict, stores the identification feature of the requesting end of this service conflict in a first LRU Cache, the first LRU Cache being used to store the identification feature of each requesting end that has caused a service conflict; and stores the conflict information of this service conflict in a second LRU Cache corresponding to the identification feature, the conflict information being used to determine the number of conflicts corresponding to the identification feature within the preset time period.
In one example, the information obtaining module 51 is configured to, when the conflict information includes the conflict time at which each conflict corresponding to the identification feature occurred, obtain the conflict times that fall within the preset time period according to the current time and the preset time period, the number of those conflict times being the number of conflicts corresponding to the identification feature.
In one example, the capacity of the first LRU Cache is at least enough to store a preset number of identification features;
when the conflict information includes the conflict time, the capacity of the second LRU Cache is at least enough to store a preset number of conflict times, the preset number being equal to the number of conflicts corresponding to the threshold.
The foregoing describes only preferred embodiments of the present invention and is not intended to limit the invention. Any modification, equivalent substitution or improvement made within the spirit and principles of the invention shall fall within the scope of protection of the invention.

Claims (10)

1. a kind of attack recognition method, it is characterised in that methods described includes:
It is determined that the request end carried in the service request that is stored with identification characteristics when, obtain the mark in preset time period special Levy the conflict number of corresponding generation service conflict;
If the conflict number in the preset time period reaches threshold value, it is determined that the corresponding request end of the identification characteristics is Attacker, the service request is query-attack.
2. The method according to claim 1, characterized in that the method further comprises:
If the identification characteristics of the request end are not stored, or the number of conflicts corresponding to the identification characteristics within the preset time period has not reached the threshold, sending the service request to the service end for processing;
When a prompt fed back by the service end indicating that a service conflict has occurred is received, storing the identification characteristics and recording this service conflict.
3. The method according to claim 2, characterized in that recording this service conflict comprises:
Storing the identification characteristics of the request end of this service conflict in a first least-recently-used cache (LRU Cache), the first LRU Cache being used to store the identification characteristics of each request end for which a service conflict has occurred;
Storing the conflict information of this service conflict in a second LRU Cache corresponding to the identification characteristics, the conflict information being used to determine the number of conflicts corresponding to the identification characteristics within the preset time period.
4. The method according to claim 3, characterized in that, when the conflict information includes the conflict time at which each conflict corresponding to the identification characteristics occurred, obtaining the number of service conflicts corresponding to the identification characteristics comprises:
Obtaining, according to the current time and the preset time period, the multiple conflict times that fall within the preset time period, the quantity of those conflict times being the number of conflicts corresponding to the identification characteristics.
5. The method according to claim 3, characterized in that the capacity of the first LRU Cache is at least sufficient to store a preset number of identification characteristics;
When the conflict information includes the conflict time, the capacity of the second LRU Cache is at least sufficient to store a preset number of conflict times, the preset number being equal to the number of conflicts corresponding to the threshold.
6. An attack recognition device, characterized in that the device comprises:
An information acquisition module, configured to, when it is determined that the identification characteristics of the request end carried in the service request are stored, obtain the number of service conflicts corresponding to the identification characteristics within a preset time period;
A recognition processing module, configured to, when the number of conflicts within the preset time period reaches a threshold, determine that the request end corresponding to the identification characteristics is an attacker and that the service request is an attack request.
7. The device according to claim 6, characterized in that
The recognition processing module is further configured to send the service request to the service end for processing when the identification characteristics of the request end are not stored, or when the number of conflicts corresponding to the identification characteristics within the preset time period has not reached the threshold;
The device further comprises: an information storage module, configured to store the identification characteristics and record this service conflict when a prompt fed back by the service end indicating that a service conflict has occurred is received.
8. The device according to claim 7, characterized in that
The information storage module, when recording this service conflict, is configured to: store the identification characteristics of the request end of this service conflict in a first LRU Cache, the first LRU Cache being used to store the identification characteristics of each request end for which a service conflict has occurred; and store the conflict information of this service conflict in a second LRU Cache corresponding to the identification characteristics, the conflict information being used to determine the number of conflicts corresponding to the identification characteristics within the preset time period.
9. The device according to claim 8, characterized in that
The information acquisition module is configured to, when the conflict information includes the conflict time at which each conflict corresponding to the identification characteristics occurred, obtain, according to the current time and the preset time period, the multiple conflict times that fall within the preset time period, the quantity of those conflict times being the number of conflicts corresponding to the identification characteristics.
10. The device according to claim 8, characterized in that the capacity of the first LRU Cache is at least sufficient to store a preset number of identification characteristics;
When the conflict information includes the conflict time, the capacity of the second LRU Cache is at least sufficient to store a preset number of conflict times, the preset number being equal to the number of conflicts corresponding to the threshold.
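The flow of claims 1 to 5 can be sketched as follows; this is an added illustration, not code from the patent or its applicant. The class and function names, the "conflict"/"blocked" return values, and the use of a bounded deque in place of the per-characteristic second LRU Cache are assumptions made for the example.

```python
from collections import OrderedDict, deque


class ConflictAttackDetector:
    """Two-level bounded cache of service-conflict times per identification characteristic."""

    def __init__(self, window_seconds, threshold, max_features):
        self.window = window_seconds      # preset time period
        self.threshold = threshold        # conflicts that mark an attacker
        self.max_features = max_features  # capacity of the first LRU cache
        self.features = OrderedDict()     # first cache: characteristic -> conflict times

    def conflict_count(self, feature, now):
        times = self.features.get(feature)
        if times is None:                 # characteristic not stored: no conflicts known
            return 0
        self.features.move_to_end(feature)  # mark as most recently used
        return sum(1 for t in times if now - t <= self.window)

    def record_conflict(self, feature, now):
        if feature not in self.features:
            if len(self.features) >= self.max_features:
                self.features.popitem(last=False)  # evict least recently used
            # Second cache: holds at most `threshold` conflict times (claim 5);
            # a bounded deque stands in for the per-characteristic LRU cache.
            self.features[feature] = deque(maxlen=self.threshold)
        self.features.move_to_end(feature)
        self.features[feature].append(now)

    def handle(self, feature, now, service_end):
        if self.conflict_count(feature, now) >= self.threshold:
            return "blocked"              # attack request, never reaches the service end
        result = service_end(feature)
        if result == "conflict":          # service end reported a service conflict
            self.record_conflict(feature, now)
        return result


def demo():
    # Constructed input: one request end whose every request causes a conflict.
    det = ConflictAttackDetector(window_seconds=60, threshold=3, max_features=2)
    return [det.handle("dev-A", t, lambda f: "conflict") for t in (0, 10, 20, 30, 100)]
```

Because each characteristic keeps only `threshold` timestamps and the first cache is capped, memory stays bounded even when many distinct request ends trigger conflicts; the cost is that an evicted characteristic starts again from a count of zero.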
CN201610659797.5A 2016-08-11 2016-08-11 Attack identification method and device Active CN106878247B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610659797.5A CN106878247B (en) 2016-08-11 2016-08-11 Attack identification method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201610659797.5A CN106878247B (en) 2016-08-11 2016-08-11 Attack identification method and device

Publications (2)

Publication Number Publication Date
CN106878247A true CN106878247A (en) 2017-06-20
CN106878247B CN106878247B (en) 2020-06-16

Family

ID=59238834

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610659797.5A Active CN106878247B (en) 2016-08-11 2016-08-11 Attack identification method and device

Country Status (1)

Country Link
CN (1) CN106878247B (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1679264A (en) * 2002-08-12 2005-10-05 哈里公司 Wireless local on metropolitan area network with intrusion detection features and related methods
CN101116052A (en) * 2004-12-21 2008-01-30 米斯特科技有限公司 Network interface and firewall device
CN103634284A (en) * 2012-08-24 2014-03-12 阿里巴巴集团控股有限公司 Network flood attack detecting method and device
CN103701795A (en) * 2013-12-20 2014-04-02 北京奇虎科技有限公司 Identification method and device for attack source of denial of service attack
US20150242246A1 (en) * 2014-02-27 2015-08-27 International Business Machines Corporation Adaptive process for data sharing with selection of lock elision and locking
US20160055042A1 (en) * 2014-08-25 2016-02-25 Salesforce.Com, Inc. Detecting and Managing Flooding of Multi-tenant Message Queues

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2020000989A1 (en) * 2018-06-26 2020-01-02 天津飞腾信息技术有限公司 Cache reinforcement method and device capable of resisting side channel attacks
US11334668B2 (en) 2018-06-26 2022-05-17 Phytium Technology Co., Ltd. Cache securing method and device capable of resisting side channel attack
CN109167767A (en) * 2018-08-17 2019-01-08 苏州亮磊知识产权运营有限公司 A kind of working method of the ddos attack system of defense for DHCP framework

Also Published As

Publication number Publication date
CN106878247B (en) 2020-06-16

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right
TR01 Transfer of patent right

Effective date of registration: 20200923

Address after: Cayman Enterprise Centre, 27 Hospital Road, George Town, Grand Cayman Islands

Patentee after: Innovative advanced technology Co.,Ltd.

Address before: Cayman Enterprise Centre, 27 Hospital Road, George Town, Grand Cayman Islands

Patentee before: Advanced innovation technology Co.,Ltd.

Effective date of registration: 20200923

Address after: Cayman Enterprise Centre, 27 Hospital Road, George Town, Grand Cayman Islands

Patentee after: Advanced innovation technology Co.,Ltd.

Address before: A four-storey 847 mailbox in Grand Cayman Capital Building, British Cayman Islands

Patentee before: Alibaba Group Holding Ltd.