CN107360196B - Attack detection method and device and terminal equipment - Google Patents
Attack detection method and device and terminal equipment Download PDFInfo
- Publication number
- CN107360196B CN107360196B CN201710806265.4A CN201710806265A CN107360196B CN 107360196 B CN107360196 B CN 107360196B CN 201710806265 A CN201710806265 A CN 201710806265A CN 107360196 B CN107360196 B CN 107360196B
- Authority
- CN
- China
- Prior art keywords
- udp
- current
- preset time
- flow
- ratio
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/1458—Denial of Service
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L69/00—Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
- H04L69/16—Implementation or adaptation of Internet protocol [IP], of transmission control protocol [TCP] or of user datagram protocol [UDP]
- H04L69/164—Adaptation or special uses of UDP protocol
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
- Computer And Data Communications (AREA)
Abstract
The invention provides an attack detection method, an attack detection device and terminal equipment, and relates to the technical field of computers. The attack detection method comprises the following steps: judging whether a first ratio of UDP incoming flow and total incoming flow corresponding to the terminal equipment in the current preset time period is larger than a first preset value or not; if so, judging whether a second ratio of the UDP input flow corresponding to the terminal equipment in the current preset time period to the current maximum input flow is larger than a second preset value or not, and whether a third ratio of the UDP input flow corresponding to the terminal equipment in the current preset time period to the UDP output flow is larger than a current historical ratio or not; and if so, judging that the terminal equipment is attacked by the UDP. The attack detection method can better realize the detection of UDP attacks.
Description
Technical Field
The invention relates to the technical field of computers, in particular to an attack detection method, an attack detection device and terminal equipment.
Background
UDP Flood is one of the popular DOS and DDOS modes at present, and the attack principle is simple. The attack is characterized in that a UDP protocol is a connectionless-oriented transmission protocol, so that in the data transmission process, connection establishment and authentication are not needed, an attacking party can send a large number of complete UDP data packets with abnormally high flow to an attacked party during attack, and therefore on one hand, network resources where an attacked host is located are exhausted, and on the other hand, the attacked host is busy processing the UDP data packets, and a system is crashed.
At present, a commonly used protection method for UDP Flood attack needs to establish a professional firewall or other protection equipment support, so that the cost is high.
Disclosure of Invention
In view of this, embodiments of the present invention provide an attack detection method, an attack detection device, and a terminal device, so as to solve the above problems.
In order to achieve the purpose, the technical scheme adopted by the invention is as follows:
an attack detection method, the method comprising: judging whether a first ratio of UDP incoming flow and total incoming flow corresponding to the terminal equipment in the current preset time period is larger than a first preset value or not; if so, judging whether a second ratio of the UDP input flow corresponding to the terminal equipment in the current preset time period to the current maximum input flow is larger than a second preset value or not, and whether a third ratio of the UDP input flow corresponding to the terminal equipment in the current preset time period to the UDP output flow is larger than a current historical ratio or not; and if so, judging that the terminal equipment is attacked by the UDP.
An attack detection device comprises a first judgment module, a second judgment module and a judgment module, wherein the first judgment module is used for judging whether a first ratio of UDP (user Datagram protocol) incoming flow and total incoming flow corresponding to terminal equipment in a current preset time period is greater than a first preset value; if so, the second judging module is configured to judge whether a second ratio of UDP incoming traffic to current maximum incoming traffic corresponding to the terminal device in a current preset time period is greater than a second preset value, and whether a third ratio of UDP incoming traffic to UDP outgoing traffic corresponding to the terminal device in the current preset time period is greater than a current historical ratio; and if so, the judging module is used for judging that the terminal equipment is attacked by the UDP attack.
A terminal device comprising a memory and a processor, the memory coupled to the processor, the memory storing instructions that, when executed by the processor, cause the processor to: judging whether a first ratio of UDP incoming flow and total incoming flow corresponding to the terminal equipment in a current preset time period is larger than a first preset value or not; if so, judging whether a second ratio of the UDP input flow corresponding to the terminal equipment in the current preset time period to the current maximum input flow is larger than a second preset value or not, and whether a third ratio of the UDP input flow corresponding to the terminal equipment in the current preset time period to the UDP output flow is larger than a current historical ratio or not; and if so, judging that the terminal equipment is attacked by the UDP.
According to the attack detection method, the attack detection device and the terminal equipment provided by the embodiment of the invention, whether a first ratio of UDP (user Datagram protocol) incoming flow and total incoming flow corresponding to the terminal equipment in a current preset time period is greater than a first preset value is judged; if so, judging whether a second ratio of the UDP input flow corresponding to the terminal equipment in the current preset time period to the current maximum input flow is larger than a second preset value or not, and whether a third ratio of the UDP input flow corresponding to the terminal equipment in the current preset time period to the UDP output flow is larger than a current historical ratio or not; and if so, judging that the terminal equipment is attacked by the UDP. Therefore, the detection of the UDP attack can be realized according to the flow information, and the problem that the detection method of the UDP attack in the prior art is high in cost is solved.
In order to make the aforementioned and other objects, features and advantages of the present invention comprehensible, preferred embodiments accompanied with figures are described in detail below.
Drawings
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Fig. 1 is a block diagram illustrating a terminal device according to an embodiment of the present invention;
FIG. 2 is a flow chart of an attack detection method provided by an embodiment of the invention;
FIG. 3 is a flow chart of an attack detection method provided by the embodiment of the invention;
fig. 4 is a functional block diagram of an attack detection apparatus provided in an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. The components of embodiments of the present invention generally described and illustrated in the figures herein may be arranged and designed in a wide variety of different configurations. Thus, the following detailed description of the embodiments of the present invention, presented in the figures, is not intended to limit the scope of the invention, as claimed, but is merely representative of selected embodiments of the invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments of the present invention without making any creative effort, shall fall within the protection scope of the present invention.
It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, it need not be further defined and explained in subsequent figures. Meanwhile, in the description of the present invention, the terms "first", "second", and the like are used only for distinguishing the description, and are not to be construed as indicating or implying relative importance.
Fig. 1 shows a block diagram of a terminal device applicable to an embodiment of the present invention. As shown in fig. 1, the terminal device 100 includes a memory 102, a memory controller 104, one or more processors 106 (only one of which is shown), a peripheral interface 108, a radio frequency module 110, an audio module 112, a display unit 114, and the like. These components communicate with each other via one or more communication buses/signal lines 116.
The memory 102 may be used to store software programs and modules, such as program instructions/modules corresponding to the attack detection method and apparatus in the embodiments of the present invention, and the processor 106 executes various functional applications and data processing by running the software programs and modules stored in the memory 102, such as the attack detection apparatus provided in the embodiments of the present invention.
The memory 102 may include high speed random access memory, and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. Access to the memory 102 by the processor 106, and possibly other components, may be under the control of the memory controller 104.
The peripheral interface 108 couples various input/output devices to the processor 106 as well as to the memory 102. In some embodiments, the peripheral interface 108, the processor 106, and the memory controller 104 may be implemented in a single chip. In other examples, they may be implemented separately from the individual chips.
The rf module 110 is used for receiving and transmitting electromagnetic waves, and implementing interconversion between the electromagnetic waves and electrical signals, so as to communicate with a communication network or other devices.
PA17035797HZ
The display unit 114 provides a display interface between the terminal device 100 and the user. In particular, display unit 114 displays video output to the user, the content of which may include text, graphics, video, and any combination thereof.
It is to be understood that the configuration shown in fig. 1 is merely illustrative, and that the terminal device 100 may include more or fewer components than shown in fig. 1, or have a different configuration than shown in fig. 1. The components shown in fig. 1 may be implemented in hardware, software, or a combination thereof.
First embodiment
Fig. 2 shows a flowchart of an attack detection method provided in an embodiment of the present invention. Referring to fig. 2, the method includes:
step S110: and judging whether a first ratio of the UDP incoming flow corresponding to the terminal equipment in the current preset time period to the total incoming flow is larger than a first preset value.
In the embodiment of the invention, in order to quickly judge whether the UDP Flood attack exists or not, the network flow information corresponding to the terminal device needs to be acquired, and a DPI device for acquiring the network flow information corresponding to the terminal device can be set in a network environment where the terminal device is located. The DPI equipment has the capabilities of identifying and controlling the service data flow, works from an OSI model transmission layer to an application layer, has high data acquisition capability, and can identify and manage the service borne by the network.
Before detecting the UDP Flood attack, network flow information of the terminal device needs to be acquired to realize subsequent judgment of the UDP Flood attack. Therefore, before step S110, the attack detection method further includes: and acquiring network traffic information of the terminal equipment in a plurality of preset time periods before the current time, wherein the network traffic information is acquired by DPI equipment and comprises network traffic information corresponding to a plurality of sessions respectively.
The network traffic information of a plurality of preset time periods before the current time can be understood as: the network traffic information of a period of time before the current time is divided into a plurality of periods of time, and the size of each period of time corresponds to the size of the preset time period, namely, a plurality of preset time periods are obtained, so that the network traffic information of each preset time period can be obtained.
The network traffic information includes network traffic information corresponding to each of the plurality of sessions. The specific network traffic information may be network layer incoming and outgoing traffic of each session, start and end times of the session, a network layer protocol adopted, source IP address information, and destination IP address information.
After the network traffic information of the terminal device in a plurality of preset time periods before the current time is obtained, data which is needed to be used for judging the UDP Flood attack subsequently can be obtained based on the network traffic information.
Generally, after the terminal device is attacked by UDP Flood, the total traffic in the current time period may reach a maximum value, and the total traffic in the normal operation time period is in a randomly fluctuating state. And the ratio of the incoming flow corresponding to the UDP protocol in the current time period to the total incoming flow is higher than that in normal working, the ratio of the incoming flow corresponding to the UDP protocol in the current time period to the current maximum incoming flow is higher than that in normal working, and the ratio of the incoming flow corresponding to the UDP protocol in the current time period to the outgoing flow corresponding to the UDP protocol is higher than the recorded historical ratio. Wherein, the inflow and outflow are flow sizes.
Therefore, the attack detection method further includes: and acquiring UDP incoming flow and total incoming flow corresponding to the terminal equipment in the current preset time period based on the network flow information of the preset time periods.
The UDP incoming flow corresponding to the current preset time period is the size of the incoming flow corresponding to the UDP protocol in the preset time period before the current time of the terminal equipment. The total incoming flow corresponding to the current preset time period is the size of the incoming flow corresponding to all network protocols in the preset time period before the current time of the terminal equipment.
The attack detection method further comprises the following steps: acquiring the maximum value of total incoming flow corresponding to the preset time periods respectively as the current maximum incoming flow based on the network flow information of the preset time periods; acquiring UDP (user Datagram protocol) outgoing flow corresponding to the terminal equipment in the current preset time period based on the network flow information of the preset time periods; and acquiring the maximum value of the ratios between the UDP in-flow and the UDP out-flow respectively corresponding to the preset time periods except the current preset time period in the preset time periods as the current historical ratio based on the network flow information of the preset time periods.
It can be understood that, in a plurality of preset time periods before the current time period, the current historical ratio is obtained, and a maximum value of ratios of UDP incoming traffic to UDP outgoing traffic, which correspond to each of the preset time periods, is used as the current historical ratio.
After the current maximum inflow rate is obtained, the maximum value of the total outflow rates respectively corresponding to the preset time periods can be obtained as the current maximum outflow rate based on the network flow information of the preset time periods; and acquiring the maximum value of the current maximum inflow and the maximum outflow as a current flow peak value.
Of course, the total outgoing flow corresponding to each preset time period may also be obtained based on the network flow information of the plurality of preset time periods. Wherein, the total outflow corresponding to the current time period is obtained.
In the embodiment of the present invention, the traffic data of the session corresponding to each UDP protocol in the time period formed by the plurality of preset time periods may also be counted. Therefore, the attack detection method further includes: acquiring the incoming flow of all UDP sessions in a time period formed by a plurality of preset time periods based on the network flow information of the plurality of preset time periods; and calculating the average data of the incoming flows of all the UDP sessions to obtain the average incoming flow of the UDP sessions.
And after the data are obtained according to the obtained network flow information, judging the related data. First, it should be determined whether the ratio of the total inflow rate to the current peak flow rate corresponding to the current time period is greater than a certain value. Therefore, step S110 is preceded by: judging whether a fourth ratio of the total incoming flow corresponding to the current time period of the terminal equipment to the current flow peak value is larger than a third preset value or not; and if so, executing the judgment to judge whether the first ratio of the UDP incoming flow and the total incoming flow corresponding to the terminal equipment in the current preset time period is greater than a first preset value.
In the embodiment of the present invention, the third preset value may be a value within a range of 0.7 to 0.9. Preferably, the third preset value may be 0.8. Of course, the specific value of the third preset value is not limited in the embodiment of the present invention. Specifically, when a fourth ratio of the total inflow rate corresponding to the current time period to the current flow peak value of the terminal device is obtained, the obtained value of the total inflow rate corresponding to the current time period is divided by the obtained current flow peak value to obtain the fourth ratio.
When it is determined that the fourth ratio of the total incoming traffic corresponding to the current time period to the current traffic peak is greater than the preset ratio, step S110 is executed again, that is, it is determined whether the first ratio of the UDP incoming traffic corresponding to the current preset time period to the total incoming traffic of the terminal device is greater than the first preset value.
In addition, whether the total inflow corresponding to the current time period is larger than the current flow peak value or not is judged, if yes, the current flow peak value is updated to the total inflow corresponding to the current time period, and therefore the later detection on the UDP Flood attack is accurate.
In step S110, the first preset value may be a value within a range of 0.7 to 0.9. Preferably, the first preset value may be 0.8. Of course, the specific value of the first preset value is not limited in the embodiment of the present invention. And dividing the UDP incoming flow corresponding to the obtained current time period by the total incoming flow to obtain a first ratio, and comparing the first ratio with a first preset value.
Step S120: if so, judging whether a second ratio of the UDP input flow corresponding to the terminal equipment in the current preset time period to the current maximum input flow is larger than a second preset value or not, and judging whether a third ratio of the UDP input flow corresponding to the terminal equipment in the current preset time period to the UDP output flow is larger than a current historical ratio or not.
When it is determined in step S110 that the first ratio of the UDP incoming flow to the total incoming flow corresponding to the terminal device in the current preset time period is greater than the first preset value, in order to more accurately determine whether the terminal device is UDP Flood attack, it is determined whether a second ratio of the UDP incoming flow corresponding to the terminal device in the current preset time period to the current maximum incoming flow is greater than a second preset value, and whether a third ratio of the UDP incoming flow corresponding to the terminal device in the current preset time period to the UDP outgoing flow is greater than the current historical ratio.
Specifically, the second preset value may be a value within a range of 0.7 to 0.9. Preferably, the second preset value may be 0.8. Of course, the specific value of the second preset value is not limited in the embodiment of the present invention. And dividing the obtained UDP input flow and the obtained current maximum input flow to obtain a second ratio. And obtaining a third ratio by using the obtained UDP incoming flow corresponding to the current preset time period and the obtained UDP outgoing flow corresponding to the current preset time period. And comparing the second ratio with a second preset value, and comparing the third ratio with the current historical ratio. And obtaining a judgment result whether a second ratio of the UDP incoming flow corresponding to the terminal equipment in the current preset time period to the current maximum incoming flow is larger than a second preset value or not and whether a third ratio of the UDP incoming flow corresponding to the terminal equipment in the current preset time period to the UDP outgoing flow is larger than the current historical ratio or not.
Step S130: and if so, judging that the terminal equipment is attacked by the UDP.
If it is determined in step S120 that the second ratio of the UDP incoming flow corresponding to the terminal device in the current preset time period to the current maximum incoming flow is greater than the second preset value, and the third ratio of the UDP incoming flow corresponding to the terminal device in the current preset time period to the UDP outgoing flow is greater than the historical ratio, it may be determined that the terminal device receives the UDP Flood attack.
When it is determined in step S120 that the second ratio of the UDP incoming flow corresponding to the terminal device in the current preset time period to the current maximum incoming flow is smaller than or equal to the second preset value, but the third ratio of the UDP incoming flow corresponding to the terminal device in the current preset time period to the UDP outgoing flow is greater than the current historical ratio, it indicates that the terminal device receives the UDP Flood attack, and in order to accurately detect the subsequent UDP Flood attack, the current historical ratio is updated to the third ratio of the UDP incoming flow corresponding to the current time period to the UDP outgoing flow.
Thus, the detection result to UDP Flood can be obtained. In addition, after detecting that the terminal equipment is attacked by the UDP Flood, prompting can be made, and a source address of the UDP attack can be acquired. Therefore, referring to fig. 3, after step S130, step S140 is further included: and acquiring a source address of the UDP attack on the terminal equipment.
Specifically, the obtaining of the source address of the UDP attack received by the terminal device may include: acquiring UDP sessions of which the incoming flows of all UDP sessions corresponding to the current time period are larger than the average incoming flow of the UDP sessions by the terminal equipment; if yes, judging whether the output flow of the UDP session is 0; and if so, acquiring the IP address of the UDP session as the source address of the UDP attack on the terminal equipment.
Specifically, a UDP session whose incoming traffic is greater than the average incoming traffic may be obtained according to the comparison between the obtained incoming traffic corresponding to all UDP sessions corresponding to the current time period and the average incoming traffic of the incoming traffic of all UDP sessions, where the obtained UDP session may be one or multiple UDP sessions. Then, judging whether the output flow is 0 in the UDP session with the obtained input flow larger than the average input flow, and if the output flow is 0, taking the IP address of the UDP session as the source address of the UDP attack.
Therefore, simple and high-reliability UDP Flood attack detection can be realized by utilizing the flow information, only equipment capable of analyzing the flow of the network layer needs to be arranged, when the UDP Flood attack is embodied in the flow, the attack can be quickly judged, and the source address IP of the UDP Flood attack can be traced.
Second embodiment
Referring to fig. 4, the attack detection apparatus 200 according to a second embodiment of the present invention includes a first determining module 210, a second determining module 220, and a determining module 230. The first determining module 210 is configured to determine whether a first ratio of UDP incoming traffic to total incoming traffic corresponding to the terminal device in a current preset time period is greater than a first preset value; if so, the second determining module 220 is configured to determine whether a second ratio of the UDP incoming traffic corresponding to the terminal device in the current preset time period to the current maximum incoming traffic is greater than a second preset value, and whether a third ratio of the UDP incoming traffic corresponding to the terminal device in the current preset time period to the UDP outgoing traffic is greater than a current historical ratio; if yes, the determining module 230 is configured to determine that the terminal device is under UDP attack.
In the embodiment of the present invention, the attack detection apparatus further includes an address acquisition module. The address acquisition module is used for acquiring a source address of the UDP attack on the terminal equipment.
Third embodiment
A third embodiment of the present invention provides a terminal device 100, referring to fig. 1, the terminal device 100 includes a memory 102 and a processor 106, the memory 102 is coupled to the processor 106, the memory 102 stores instructions, and when the instructions are executed by the processor 106, the instructions cause the processor 106 to: judging whether a first ratio of UDP incoming flow and total incoming flow corresponding to the terminal equipment in a current preset time period is larger than a first preset value or not; if so, judging whether a second ratio of the UDP input flow corresponding to the terminal equipment in the current preset time period to the current maximum input flow is larger than a second preset value or not, and whether a third ratio of the UDP input flow corresponding to the terminal equipment in the current preset time period to the UDP output flow is larger than a current historical ratio or not; and if so, judging that the terminal equipment is attacked by the UDP.
In summary, according to the attack detection method, the attack detection device, and the terminal device provided in the embodiments of the present invention, it is determined whether a first ratio of UDP incoming traffic to total incoming traffic corresponding to the terminal device in a current preset time period is greater than a first preset value; if so, judging whether a second ratio of the UDP input flow corresponding to the terminal equipment in the current preset time period to the current maximum input flow is larger than a second preset value or not, and whether a third ratio of the UDP input flow corresponding to the terminal equipment in the current preset time period to the UDP output flow is larger than a current historical ratio or not; and if so, judging that the terminal equipment is attacked by the UDP. Therefore, the detection of the UDP attack can be realized according to the flow information, and the problem that the detection method of the UDP attack in the prior art is high in cost is solved.
It should be noted that, in the present specification, the embodiments are all described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments may be referred to each other. For the device-like embodiment, since it is basically similar to the method embodiment, the description is simple, and for the relevant points, reference may be made to the partial description of the method embodiment.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus and method can be implemented in other ways. The apparatus embodiments described above are merely illustrative, and for example, the flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of apparatus, methods and computer program products according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
In addition, the functional modules in the embodiments of the present invention may be integrated together to form an independent part, or each module may exist separately, or two or more modules may be integrated to form an independent part.
The functions, if implemented in the form of software functional modules and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes. It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
The above description is only a preferred embodiment of the present invention and is not intended to limit the present invention, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention. It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, it need not be further defined and explained in subsequent figures.
The above description is only for the specific embodiments of the present invention, but the scope of the present invention is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present invention, and all the changes or substitutions should be covered within the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.
Claims (10)
1. An attack detection method, characterized in that the method comprises:
judging whether a first ratio of UDP incoming flow and total incoming flow corresponding to the terminal equipment in the current preset time period is larger than a first preset value or not;
if so, judging whether a second ratio of the UDP input flow corresponding to the terminal equipment in the current preset time period to the current maximum input flow is larger than a second preset value or not, and whether a third ratio of the UDP input flow corresponding to the terminal equipment in the current preset time period to the UDP output flow is larger than a current historical ratio or not;
and if so, judging that the terminal equipment is attacked by the UDP.
2. The method of claim 1, wherein after determining that the end device is subject to a UDP attack, the method further comprises:
and acquiring a source address of the UDP attack on the terminal equipment.
3. The method of claim 2, wherein the obtaining the source address of the UDP attack on the terminal device comprises:
acquiring UDP sessions of which the incoming flows of all UDP sessions corresponding to the current time period are larger than the average incoming flow of the UDP sessions by the terminal equipment;
if yes, judging whether the output flow of the UDP session is 0;
and if so, acquiring the IP address of the UDP session as the source address of the UDP attack on the terminal equipment.
4. The method according to claim 1, wherein before determining whether a first ratio of UDP incoming traffic to total incoming traffic corresponding to the terminal device in a current preset time period is greater than a first preset value, the method further comprises:
acquiring network traffic information of a plurality of preset time periods before the current time of the terminal equipment, which is acquired by DPI equipment, wherein the network traffic information comprises network traffic information corresponding to a plurality of sessions respectively;
and acquiring UDP incoming flow and total incoming flow corresponding to the terminal equipment in the current preset time period based on the network flow information of the preset time periods.
5. The method according to claim 4, wherein before determining whether a second ratio of UDP incoming traffic to current maximum incoming traffic corresponding to the terminal device in a current preset time period is greater than a second preset value and whether a third ratio of UDP incoming traffic to UDP outgoing traffic corresponding to the terminal device in the current preset time period is greater than a current historical ratio, the method further comprises:
acquiring the maximum value of total incoming flow corresponding to the preset time periods respectively as the current maximum incoming flow based on the network flow information of the preset time periods;
acquiring UDP (user Datagram protocol) outgoing flow corresponding to the terminal equipment in the current preset time period based on the network flow information of the preset time periods;
and acquiring the maximum value of the ratios between the UDP in-flow and the UDP out-flow respectively corresponding to the preset time periods except the current preset time period in the preset time periods as the current historical ratio based on the network flow information of the preset time periods.
6. The method according to claim 5, wherein after obtaining a maximum value of total incoming flows corresponding to the plurality of preset time periods as a current maximum incoming flow based on the network traffic information of the plurality of preset time periods, the method further comprises:
acquiring the maximum value of the total output flow corresponding to the preset time periods respectively as the current maximum output flow based on the network flow information of the preset time periods;
and acquiring the maximum value of the current maximum inflow and the maximum outflow as a current flow peak value.
7. The method according to claim 6, wherein before determining whether a first ratio of UDP incoming traffic to total incoming traffic corresponding to the terminal device in a current preset time period is greater than a first preset value, the method further comprises:
judging whether a fourth ratio of the total incoming flow corresponding to the current time period of the terminal equipment to the current flow peak value is larger than a third preset value or not;
and if so, executing the step of judging whether the first ratio of the UDP incoming flow and the total incoming flow corresponding to the current preset time period of the terminal equipment is greater than a first preset value.
8. An attack detection device, comprising a first judgment module, a second judgment module and a judgment module, wherein,
the first judging module is used for judging whether a first ratio of UDP incoming flow and total incoming flow corresponding to the terminal equipment in the current preset time period is larger than a first preset value;
if so, the second judging module is configured to judge whether a second ratio of UDP incoming traffic to current maximum incoming traffic corresponding to the terminal device in a current preset time period is greater than a second preset value, and whether a third ratio of UDP incoming traffic to UDP outgoing traffic corresponding to the terminal device in the current preset time period is greater than a current historical ratio;
and if so, the judging module is used for judging that the terminal equipment is attacked by the UDP attack.
9. The apparatus according to claim 8, wherein the apparatus further comprises an address obtaining module, and the address obtaining module is configured to obtain a source address of a UDP attack on the terminal device.
10. A terminal device, comprising a memory and a processor, the memory coupled to the processor, the memory storing instructions that, when executed by the processor, cause the processor to:
judging whether a first ratio of UDP incoming flow and total incoming flow corresponding to the terminal equipment in a current preset time period is larger than a first preset value or not;
if so, judging whether a second ratio of the UDP input flow corresponding to the terminal equipment in the current preset time period to the current maximum input flow is larger than a second preset value or not, and whether a third ratio of the UDP input flow corresponding to the terminal equipment in the current preset time period to the UDP output flow is larger than a current historical ratio or not;
and if so, judging that the terminal equipment is attacked by the UDP.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201710806265.4A CN107360196B (en) | 2017-09-08 | 2017-09-08 | Attack detection method and device and terminal equipment |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201710806265.4A CN107360196B (en) | 2017-09-08 | 2017-09-08 | Attack detection method and device and terminal equipment |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN107360196A CN107360196A (en) | 2017-11-17 |
| CN107360196B true CN107360196B (en) | 2020-06-26 |
Family
ID=60290875
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201710806265.4A Active CN107360196B (en) | 2017-09-08 | 2017-09-08 | Attack detection method and device and terminal equipment |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN107360196B (en) |
Families Citing this family (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN109005181B (en) * | 2018-08-10 | 2021-07-02 | 深信服科技股份有限公司 | Detection method, system and related components for DNS amplification attack |
| CN112491865A (en) * | 2020-04-11 | 2021-03-12 | 吴媛媛 | Intrusion detection method and device for data flow detection and time sequence feature extraction |
Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101572609A (en) * | 2008-04-29 | 2009-11-04 | 成都市华为赛门铁克科技有限公司 | Method and device for detecting and refusing service attack |
| CN102291411A (en) * | 2011-08-18 | 2011-12-21 | 网宿科技股份有限公司 | Anti-DDOS (distributed denial of service) attack method and system against DNS (domain name system) service |
| CN102497362A (en) * | 2011-12-07 | 2012-06-13 | 北京润通丰华科技有限公司 | Attack source tracking method and device for anomalous network traffic |
Family Cites Families (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN104348811B (en) * | 2013-08-05 | 2018-01-26 | 深圳市腾讯计算机系统有限公司 | Detecting method of distributed denial of service attacking and device |
-
2017
- 2017-09-08 CN CN201710806265.4A patent/CN107360196B/en active Active
Patent Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101572609A (en) * | 2008-04-29 | 2009-11-04 | 成都市华为赛门铁克科技有限公司 | Method and device for detecting and refusing service attack |
| CN102291411A (en) * | 2011-08-18 | 2011-12-21 | 网宿科技股份有限公司 | Anti-DDOS (distributed denial of service) attack method and system against DNS (domain name system) service |
| CN102497362A (en) * | 2011-12-07 | 2012-06-13 | 北京润通丰华科技有限公司 | Attack source tracking method and device for anomalous network traffic |
Also Published As
| Publication number | Publication date |
|---|---|
| CN107360196A (en) | 2017-11-17 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN107040494B (en) | User account abnormity prevention method and system | |
| CN108075934B (en) | Network quality monitoring method, device and system | |
| CN109194680B (en) | Network attack identification method, device and equipment | |
| US10110538B2 (en) | Method and apparatus for message transmission | |
| CN109617852B (en) | Method and device for preventing network addiction based on flow analysis | |
| US20150229669A1 (en) | Method and device for detecting distributed denial of service attack | |
| CN109040140B (en) | Slow attack detection method and device | |
| US10547636B2 (en) | Method and system for detecting and mitigating denial-of-service attacks | |
| CN109889547A (en) | A kind of detection method and device of abnormal network equipment | |
| WO2018103405A1 (en) | Method for identifying access point and hotspot, and related product | |
| CN108134816B (en) | Access to data on remote device | |
| CN105530138A (en) | Data monitoring method and data monitoring device | |
| EP3582463A1 (en) | Threat detection method and apparatus | |
| US20170134413A1 (en) | System and method for connection fingerprint generation and stepping-stone traceback based on netflow | |
| CN107360196B (en) | Attack detection method and device and terminal equipment | |
| CN111224980A (en) | Detection method and device for denial of service attack, electronic equipment and medium | |
| CN106961414B (en) | Honeypot-based data processing method, device and system | |
| CN110311963B (en) | Message pushing method and device, computer equipment and computer readable storage medium | |
| CN108737344B (en) | Network attack protection method and device | |
| CN109474623B (en) | Network security protection and parameter determination method, device, equipment and medium thereof | |
| US20120163212A1 (en) | Apparatus and method for detecting abnormal traffic | |
| CN117254931A (en) | Port scanning method, device and scanning engine | |
| CN106656912B (en) | Method and device for detecting denial of service attack | |
| CN105656848B (en) | Application layer rapid attack detection method and related device | |
| CN110445808A (en) | Abnormal flow attack guarding method, device, electronic equipment |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| CB02 | Change of applicant information |
Address after: 310000 No. 188 Lianhui Street, Xixing Street, Binjiang District, Hangzhou City, Zhejiang Province Applicant after: DBAPPSECURITY Ltd. Address before: Zhejiang Zhongcai Building No. 68 Binjiang District road Hangzhou City, Zhejiang Province, the 310051 and 15 layer Applicant before: DBAPPSECURITY Co.,Ltd. |
|
| CB02 | Change of applicant information | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |