CN107360196B - Attack detection method, device and terminal device - Google Patents
Attack detection method, device and terminal device
- Publication number: CN107360196B (CN201710806265.4A)
- Authority: CN (China)
- Prior art keywords: udp, current, preset time, ratio, time period
- Prior art date
- Legal status: Active
Classifications
- H04L63/00—Network architectures or network communication protocols for network security
  - H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    - H04L63/1441—Countermeasures against malicious traffic
      - H04L63/1458—Denial of Service
    - H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L69/00—Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
  - H04L69/16—Implementation or adaptation of Internet protocol [IP], of transmission control protocol [TCP] or of user datagram protocol [UDP]
    - H04L69/164—Adaptation or special uses of UDP protocol
Abstract
Description
Technical field
The present invention relates to the field of computer technology, and in particular to an attack detection method, an attack detection apparatus and a terminal device.
Background
UDP Flood is one of the currently popular DoS and DDoS techniques, and its principle is simple. The attack exploits the fact that UDP is a connectionless transport protocol: no connection is established and no authentication is performed before data is transmitted, so the attacker can send the victim a large volume of abnormally high-rate, well-formed UDP packets. On the one hand this exhausts the resources of the network where the attacked host is located; on the other hand it keeps the attacked host busy processing UDP packets until the system crashes.
The protection methods currently in common use against UDP Flood attacks require dedicated firewalls or other protective equipment, which makes them costly.
Summary of the invention
In view of this, embodiments of the present invention provide an attack detection method, apparatus and terminal device to solve the above problem.
To achieve the above object, the technical solution adopted by the present invention is as follows:
An attack detection method, comprising: determining whether a first ratio, of the UDP inbound traffic of a terminal device in the current preset time period to its overall inbound traffic, is greater than a first preset value; if so, determining whether a second ratio, of the UDP inbound traffic of the terminal device in the current preset time period to the current maximum inbound traffic, is greater than a second preset value, and whether a third ratio, of the UDP inbound traffic to the UDP outbound traffic of the terminal device in the current preset time period, is greater than the current historical ratio; and if so, determining that the terminal device is under UDP attack.
An attack detection apparatus comprising a first judging module, a second judging module and a determining module, wherein the first judging module is configured to determine whether the first ratio, of the UDP inbound traffic of the terminal device in the current preset time period to its overall inbound traffic, is greater than the first preset value; if so, the second judging module is configured to determine whether the second ratio, of the UDP inbound traffic of the terminal device in the current preset time period to the current maximum inbound traffic, is greater than the second preset value, and whether the third ratio, of the UDP inbound traffic to the UDP outbound traffic of the terminal device in the current preset time period, is greater than the current historical ratio; and if so, the determining module is configured to determine that the terminal device is under UDP attack.
A terminal device comprising a memory and a processor, the memory being coupled to the processor and storing instructions which, when executed by the processor, cause the processor to: determine whether the first ratio, of the UDP inbound traffic of the terminal device in the current preset time period to its overall inbound traffic, is greater than the first preset value; if so, determine whether the second ratio, of the UDP inbound traffic of the terminal device in the current preset time period to the current maximum inbound traffic, is greater than the second preset value, and whether the third ratio, of the UDP inbound traffic to the UDP outbound traffic of the terminal device in the current preset time period, is greater than the current historical ratio; and if so, determine that the terminal device is under UDP attack.
The attack detection method, apparatus and terminal device provided by the embodiments of the present invention first determine whether the first ratio, of the UDP inbound traffic of the terminal device in the current preset time period to its overall inbound traffic, is greater than the first preset value; if so, they further determine whether the second ratio, of the UDP inbound traffic of the terminal device in the current preset time period to the current maximum inbound traffic, is greater than the second preset value, and whether the third ratio, of the UDP inbound traffic to the UDP outbound traffic of the terminal device in the current preset time period, is greater than the current historical ratio; if so, the terminal device is determined to be under UDP attack. UDP attacks can thus be detected from traffic information alone, which solves the high-cost problem of the UDP attack detection methods in the prior art.
To make the above objects, features and advantages of the present invention clearer and easier to understand, preferred embodiments are described in detail below with reference to the accompanying drawings.
Brief description of the drawings
To make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
FIG. 1 is a schematic block diagram of a terminal device provided by an embodiment of the present invention;
FIG. 2 is a flowchart of an attack detection method provided by an embodiment of the present invention;
FIG. 3 is another flowchart of the attack detection method provided by an embodiment of the present invention;
FIG. 4 is a functional block diagram of an attack detection apparatus provided by an embodiment of the present invention.
Detailed description
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. The components of the embodiments of the present invention that are generally described and illustrated in the drawings herein may be arranged and designed in a variety of different configurations. Therefore, the following detailed description of the embodiments of the present invention provided in the accompanying drawings is not intended to limit the scope of the claimed invention, but merely represents selected embodiments of the invention. All other embodiments obtained by a person skilled in the art on the basis of the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
It should be noted that like reference numerals and letters denote like items in the following drawings; once an item is defined in one drawing, it need not be further defined or explained in subsequent drawings. Also, in the description of the present invention, the terms "first", "second" and the like are used only to distinguish between descriptions and are not to be understood as indicating or implying relative importance.
FIG. 1 shows a structural block diagram of a terminal device applicable to an embodiment of the present invention. As shown in FIG. 1, the terminal device 100 comprises a memory 102, a memory controller 104, one or more processors 106 (only one is shown in the figure), a peripheral interface 108, a radio frequency module 110, an audio module 112, a display unit 114 and so on. These components communicate with one another via one or more communication buses/signal lines 116.
The memory 102 may be used to store software programs and modules, such as the program instructions/modules corresponding to the attack detection method and apparatus in the embodiments of the present invention. The processor 106 executes the software programs and modules stored in the memory 102 to perform various functional applications and data processing, such as the attack detection apparatus provided by the embodiments of the present invention.
The memory 102 may comprise high-speed random access memory and may also comprise non-volatile memory, such as one or more magnetic storage devices, flash memory or other non-volatile solid-state memory. Access to the memory 102 by the processor 106 and other possible components may take place under the control of the memory controller 104.
The peripheral interface 108 couples the various input/output devices to the processor 106 and the memory 102. In some embodiments, the peripheral interface 108, the processor 106 and the memory controller 104 may be implemented in a single chip. In other examples, they may each be implemented by separate chips.
The radio frequency module 110 is used to receive and transmit electromagnetic waves, converting between electromagnetic waves and electrical signals, so as to communicate with a communication network or other devices.
The audio module 112 provides an audio interface to the user and may comprise one or more microphones, one or more loudspeakers and audio circuitry.
The display unit 114 provides a display interface between the terminal device 100 and the user. Specifically, the display unit 114 displays video output to the user, the content of which may include text, graphics, video and any combination thereof.
It will be understood that the structure shown in FIG. 1 is merely illustrative; the terminal device 100 may comprise more or fewer components than shown in FIG. 1, or have a configuration different from that shown in FIG. 1. The components shown in FIG. 1 may be implemented in hardware, software or a combination thereof.
First embodiment
FIG. 2 shows a flowchart of an attack detection method provided by an embodiment of the present invention. Referring to FIG. 2, the method comprises:
Step S110: determine whether the first ratio, of the UDP inbound traffic of the terminal device in the current preset time period to its overall inbound traffic, is greater than the first preset value.
In this embodiment of the present invention, in order to determine quickly whether a UDP Flood attack exists, the network traffic information of the terminal device must be obtained; a DPI (deep packet inspection) device for collecting the network traffic information of the terminal device may be deployed in the network environment where the terminal device is located. A DPI device is capable of identifying and controlling service data flows, works from the transport layer up to the application layer of the OSI model, has a high data collection capacity, and can identify and manage the services carried by the network.
Before a UDP Flood attack can be detected, the network traffic information of the terminal device must be obtained so that the subsequent determination can be made. Therefore, before step S110, the attack detection method further comprises: obtaining, from the DPI device, the network traffic information of the terminal device for a plurality of preset time periods preceding the current time, the network traffic information comprising the network traffic information of each of a plurality of sessions.
Here, the network traffic information for a plurality of preset time periods preceding the current time is to be understood as follows: the network traffic information for a span of time preceding the current time, with that span divided evenly into segments whose length equals the preset time period, so that a plurality of preset time periods is obtained and the network traffic information of each preset time period can be derived.
The network traffic information also contains the network traffic information of each of a plurality of sessions. The specific network traffic information may be the network-layer inbound and outbound traffic of each session, the start and end times of the session, the network-layer protocol used, the source IP address and the destination IP address.
After the network traffic information of the terminal device for the plurality of preset time periods preceding the current time has been obtained, the data subsequently needed to determine a UDP Flood attack can be derived from it.
Typically, once a terminal device is under a UDP Flood attack, its overall traffic in the current time period reaches a maximum, whereas during normal operation the overall traffic within a time period fluctuates randomly. Moreover, the ratio of the UDP inbound traffic in the current time period to the overall inbound traffic is higher than during normal operation, the ratio of the UDP inbound traffic in the current time period to the current maximum inbound traffic is higher than during normal operation, and the ratio of the UDP inbound traffic to the UDP outbound traffic in the current time period is higher than the recorded historical ratio. Here, inbound traffic and outbound traffic refer to traffic volumes.
Therefore, the attack detection method further comprises: obtaining, based on the network traffic information of the plurality of preset time periods, the UDP inbound traffic and the overall inbound traffic of the terminal device in the current preset time period.
Here, the UDP inbound traffic of the current preset time period is the volume of inbound traffic carried by the UDP protocol at the terminal device during the preset time period preceding the current time. The overall inbound traffic of the current preset time period is the volume of inbound traffic carried by all network protocols at the terminal device during the preset time period preceding the current time.
The attack detection method further comprises: obtaining, based on the network traffic information of the plurality of preset time periods, the maximum of the total inbound traffic of the respective preset time periods as the current maximum inbound traffic; obtaining, based on the same information, the UDP outbound traffic of the terminal device in the current preset time period; and obtaining, based on the same information, the maximum of the ratios of UDP inbound traffic to UDP outbound traffic of the preset time periods other than the current preset time period, as the current historical ratio.
It will be understood that the current historical ratio above is the maximum among the ratios of UDP inbound traffic to UDP outbound traffic of the respective preset time periods preceding the current time period.
After the current maximum inbound traffic has been obtained, the maximum of the total outbound traffic of the respective preset time periods may also be obtained from the network traffic information of the plurality of preset time periods as the current maximum outbound traffic; the larger of the current maximum inbound traffic and the current maximum outbound traffic is taken as the current traffic peak.
Of course, the overall outbound traffic of each preset time period may also be obtained from the network traffic information of the plurality of preset time periods, including the overall outbound traffic of the current time period.
In this embodiment of the present invention, the traffic data of each UDP session within the span formed by the plurality of preset time periods may also be collected. Therefore, the attack detection method further comprises: obtaining, based on the network traffic information of the plurality of preset time periods, the inbound traffic of all UDP sessions within the span formed by the plurality of preset time periods; and computing the average of the inbound traffic of all those UDP sessions to obtain the average UDP session inbound traffic.
After the above data have been derived from the obtained network traffic information, the relevant data are evaluated. First, it should be determined whether the ratio of the overall inbound traffic of the current time period to the current traffic peak is greater than a certain value. Therefore, before step S110 the method further comprises: determining whether a fourth ratio, of the overall inbound traffic of the terminal device in the current time period to the current traffic peak, is greater than a third preset value; if so, the determination of whether the first ratio of the UDP inbound traffic of the terminal device in the current preset time period to the overall inbound traffic is greater than the first preset value is carried out.
In this embodiment of the present invention, the third preset value may be a value in the range 0.7 to 0.9; preferably, the third preset value may be 0.8. Of course, the specific value of the third preset value is not limited in the embodiments of the present invention. To obtain the fourth ratio of the overall inbound traffic of the terminal device in the current time period to the current traffic peak, the overall inbound traffic of the current time period obtained above is divided by the current traffic peak obtained above.
When the fourth ratio of the overall inbound traffic of the current time period to the current traffic peak is determined to be greater than the preset ratio, step S110 is then carried out, that is, it is determined whether the first ratio of the UDP inbound traffic of the terminal device in the current preset time period to the overall inbound traffic is greater than the first preset value.
In addition, it is determined at this point whether the overall inbound traffic of the current time period is greater than the current traffic peak; if so, the current traffic peak is updated to the overall inbound traffic of the current time period, so that subsequent detection of UDP Flood attacks remains accurate.
When step S110 is carried out, the first preset value may be a value in the range 0.7 to 0.9; preferably, the first preset value may be 0.8. Of course, the specific value of the first preset value is not limited in the embodiments of the present invention. The UDP inbound traffic of the current time period obtained above is divided by the overall inbound traffic to obtain the first ratio, and the first ratio is then compared with the first preset value.
Step S120: if so, determine whether the second ratio, of the UDP inbound traffic of the terminal device in the current preset time period to the current maximum inbound traffic, is greater than the second preset value, and whether the third ratio, of the UDP inbound traffic to the UDP outbound traffic of the terminal device in the current preset time period, is greater than the current historical ratio.
When it is determined in step S110 that the first ratio of the UDP inbound traffic of the terminal device in the current preset time period to the overall inbound traffic is greater than the first preset value, then, in order to determine more accurately whether this is a UDP Flood attack, it is further determined whether the second ratio of the UDP inbound traffic of the terminal device in the current preset time period to the current maximum inbound traffic is greater than the second preset value, and whether the third ratio of the UDP inbound traffic to the UDP outbound traffic of the terminal device in the current preset time period is greater than the current historical ratio.
Specifically, the second preset value may be a value in the range 0.7 to 0.9; preferably, the second preset value may be 0.8. Of course, the specific value of the second preset value is not limited in the embodiments of the present invention. The second ratio is obtained by dividing the UDP inbound traffic obtained above by the current maximum inbound traffic obtained above. The third ratio is obtained by dividing the UDP inbound traffic of the current preset time period obtained above by the UDP outbound traffic of the current preset time period obtained above. The second ratio is then compared with the second preset value and the third ratio with the current historical ratio, which yields the determination of whether the second ratio of the UDP inbound traffic of the terminal device in the current preset time period to the current maximum inbound traffic is greater than the second preset value, and whether the third ratio of the UDP inbound traffic to the UDP outbound traffic of the terminal device in the current preset time period is greater than the current historical ratio.
Step S130: if so, determine that the terminal device is under UDP attack.
If it is determined in step S120 that the second ratio of the UDP inbound traffic of the terminal device in the current preset time period to the current maximum inbound traffic is greater than the second preset value, and that the third ratio of the UDP inbound traffic to the UDP outbound traffic of the terminal device in the current preset time period is greater than the historical ratio, it can be determined that the terminal device is under a UDP Flood attack.
When it is determined in step S120 that the second ratio of the UDP inbound traffic of the terminal device in the current preset time period to the current maximum inbound traffic is less than or equal to the second preset value, but the third ratio of the UDP inbound traffic to the UDP outbound traffic of the terminal device in the current preset time period is greater than the current historical ratio, this indicates that the terminal device is under a UDP Flood attack; to keep subsequent detection of UDP Flood attacks accurate, the current historical ratio is updated to the third ratio of UDP inbound traffic to UDP outbound traffic of the current time period.
The UDP Flood detection result is thus obtained. In addition, after detecting that the terminal device is under a UDP Flood attack, an alert may be raised and the source address of the UDP attack obtained. Therefore, referring to FIG. 3, after step S130 the method further comprises step S140: obtaining the source address of the UDP attack on the terminal device.
Specifically, obtaining the source address of the UDP attack on the terminal device may comprise: obtaining, among all UDP sessions of the terminal device in the current time period, the UDP sessions whose inbound traffic is greater than the average UDP session inbound traffic; determining whether the outbound traffic of each such UDP session is 0; and if so, taking the IP address of that UDP session as the source address of the UDP attack on the terminal device.
Specifically, the inbound traffic of each UDP session of the current time period obtained above is compared with the average inbound traffic of all UDP sessions to obtain the UDP sessions whose inbound traffic exceeds the average; there may be one or more such sessions. It is then determined whether the outbound traffic of each of these UDP sessions is 0; if it is 0, the IP address of that UDP session is taken as the source address of the UDP attack.
Traffic information can thus be used to achieve simple and highly reliable UDP Flood attack detection. Only a device capable of analysing network-layer traffic needs to be deployed; as soon as a UDP Flood attack shows up in the traffic, the attack can be identified quickly and its source IP address traced.
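The procedure of steps S110 to S140, worked through in Python as an added example (not code from the patent): it derives the four ratios from constructed per-session DPI records, applies the gates in the order described above, and lists the flood sources by the step S140 rule. The Session record layout, the 0.8 thresholds and the sample traffic are assumptions, as is taking the maximum inbound traffic and the historical ratio over the periods before the current one.

```python
"""UDP Flood detection by traffic ratios (added example; not the patent's code)."""
from dataclasses import dataclass
from statistics import mean
from typing import Iterable, Optional


@dataclass(frozen=True)
class Session:
    period: int       # index of the preset time period (higher = more recent)
    proto: str        # network-layer protocol reported by the DPI device, e.g. "udp"
    src_ip: str       # peer address of the session
    bytes_in: int     # traffic entering the terminal device during the period
    bytes_out: int    # traffic leaving the terminal device during the period


# The patent suggests 0.7 to 0.9 for each preset value, with 0.8 preferred (assumed here).
FIRST_PRESET = 0.8    # UDP inbound / overall inbound
SECOND_PRESET = 0.8   # UDP inbound / current maximum inbound
THIRD_PRESET = 0.8    # overall inbound / current traffic peak


def totals(sessions: Iterable[Session], period: int, proto: Optional[str] = None):
    """Sum (inbound, outbound) over one period, optionally for a single protocol."""
    sel = [s for s in sessions if s.period == period and (proto is None or s.proto == proto)]
    return sum(s.bytes_in for s in sel), sum(s.bytes_out for s in sel)


def ratio(num: float, den: float) -> float:
    """Guarded division: a flood that draws no replies yields an infinite ratio, not a crash."""
    if den == 0:
        return float("inf") if num > 0 else 0.0
    return num / den


def detect_udp_flood(sessions: Iterable[Session], current: int) -> dict:
    """Apply the fourth, first, second and third ratio tests in the order the method uses.

    Assumption: the current maximum inbound/outbound traffic and the historical ratio
    are taken over the periods before `current`; the returned new_peak / new_historical
    values are the updates the method applies once the current period has been judged.
    """
    sessions = list(sessions)
    history = sorted({s.period for s in sessions if s.period < current})
    total_in, _ = totals(sessions, current)
    udp_in, udp_out = totals(sessions, current, "udp")
    max_in = max((totals(sessions, p)[0] for p in history), default=0)
    max_out = max((totals(sessions, p)[1] for p in history), default=0)
    peak = max(max_in, max_out)                                     # current traffic peak
    historical = max((ratio(*totals(sessions, p, "udp")) for p in history), default=0.0)
    r4 = ratio(total_in, peak)       # overall inbound / traffic peak (gate before S110)
    r1 = ratio(udp_in, total_in)     # S110
    r2 = ratio(udp_in, max_in)       # S120, first half
    r3 = ratio(udp_in, udp_out)      # S120, second half
    verdict = {"r1": r1, "r2": r2, "r3": r3, "r4": r4, "historical": historical,
               "attack": False,
               "new_peak": max(peak, total_in),                      # peak update step
               "new_historical": historical}
    if r4 <= THIRD_PRESET or r1 <= FIRST_PRESET:
        return verdict                                              # gates fail: no flood
    if r3 > historical:
        verdict["attack"] = True                                    # S130
        if r2 <= SECOND_PRESET:
            verdict["new_historical"] = r3                          # ratio-3-only case
    return verdict


def attack_sources(sessions: Iterable[Session], current: int) -> list:
    """Step S140: UDP sessions of the current period whose inbound traffic exceeds the
    average UDP session inbound traffic (over all periods) and that sent nothing back."""
    udp = [s for s in sessions if s.proto == "udp"]
    if not udp:
        return []
    avg_in = mean(s.bytes_in for s in udp)
    return sorted({s.src_ip for s in udp
                   if s.period == current and s.bytes_in > avg_in and s.bytes_out == 0})


# Constructed sample: four quiet periods, then a period with two UDP flood sources.
SAMPLE_SESSIONS = [
    Session(0, "tcp", "192.0.2.10", 1000, 800), Session(0, "udp", "10.0.0.53", 100, 120),
    Session(1, "tcp", "192.0.2.10", 1200, 900), Session(1, "udp", "10.0.0.53", 150, 160),
    Session(2, "tcp", "192.0.2.10", 900, 700),  Session(2, "udp", "10.0.0.53", 80, 100),
    Session(3, "tcp", "192.0.2.10", 1100, 850), Session(3, "udp", "10.0.0.53", 120, 130),
    Session(4, "tcp", "192.0.2.10", 1000, 800), Session(4, "udp", "10.0.0.53", 100, 120),
    Session(4, "udp", "198.51.100.7", 9000, 0), Session(4, "udp", "198.51.100.8", 7000, 0),
]

if __name__ == "__main__":
    result = detect_udp_flood(SAMPLE_SESSIONS, current=4)
    print({k: round(v, 3) if isinstance(v, float) else v for k, v in result.items()})
    print("sources:", attack_sources(SAMPLE_SESSIONS, current=4))
```

Running the block against only periods 0 to 3 shows the first gate passing on a normal period (inbound near the peak) while step S110 rejects it, which is why the method chains the tests rather than relying on volume alone.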
第二实施例Second Embodiment
本发明第二实施例提供了一种攻击检测装置200,请参见图4,该攻击检测装置包括第一判断模块210、第二判断模块220以及判定模块230。其中,所述第一判断模块210用于判断终端设备在当前预设时间段对应的UDP入流量与总体入流量的第一比值是否大于第一预设值;若是,则所述第二判断模块220用于判断所述终端设备在当前预设时间段对应的UDP入流量与当前最大入流量的第二比值是否大于第二预设值,且所述终端设备在当前预设时间段对应的UDP入流量与UDP出流量的第三比值是否大于当前历史比值;若是,则所述判定模块230用于判定所述终端设备受到UDP攻击。The second embodiment of the present invention provides an
在本发明实施例中,该攻击检测装置还包括地址获取模块。地址获取模块用于获取所述终端设备受到的UDP攻击的源地址。In the embodiment of the present invention, the attack detection apparatus further includes an address acquisition module. The address obtaining module is used to obtain the source address of the UDP attack received by the terminal device.
Third Embodiment
The third embodiment of the present invention provides a terminal device 100; see FIG. 1. The terminal device 100 includes a memory 102 and a processor 106, the memory 102 being coupled to the processor 106. The memory 102 stores instructions which, when executed by the processor 106, cause the processor 106 to perform the following operations: judge whether the first ratio, of the terminal device's UDP ingress traffic to its total ingress traffic in the current preset time period, is greater than a first preset value; if so, judge whether the second ratio, of the terminal device's UDP ingress traffic in the current preset time period to the current maximum ingress traffic, is greater than a second preset value, and whether the third ratio, of the terminal device's UDP ingress traffic to its UDP egress traffic in the current preset time period, is greater than the current historical ratio; if so, determine that the terminal device is under UDP attack.
To sum up, the attack detection method, apparatus and terminal device provided by the embodiments of the present invention judge whether the first ratio, of the terminal device's UDP ingress traffic to its total ingress traffic in the current preset time period, is greater than a first preset value; if so, they further judge whether the second ratio, of the UDP ingress traffic in the current preset time period to the current maximum ingress traffic, is greater than a second preset value, and whether the third ratio, of the UDP ingress traffic to the UDP egress traffic in the current preset time period, is greater than the current historical ratio; if so, the terminal device is determined to be under UDP attack. Detection of UDP attacks can thus be achieved from traffic information alone, which addresses the high cost of the UDP attack detection methods of the prior art.
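The three-ratio detection procedure and the per-session source attribution described above, as an added example that is not part of the patent or of its assignee's code. Everything below the procedure itself is assumed here rather than stated on the page: traffic is counted in bytes per window; the "current maximum ingress traffic" is taken to be the largest total ingress seen in any earlier window; the "current historical ratio" is the mean UDP-in/UDP-out ratio over earlier windows; the two preset thresholds are illustrative defaults; and the sample windows and addresses are constructed.

```python
"""Added illustration of the patent's three-ratio UDP flood test and its
source attribution step, over constructed per-window counters.

Assumptions (not stated on the page): bytes per window as the unit; "current
maximum ingress" = largest total ingress of any earlier window; "current
historical ratio" = mean UDP-in/UDP-out ratio over earlier windows;
preset thresholds are illustrative defaults."""
from dataclasses import dataclass, field
from statistics import mean


@dataclass
class Session:
    """One UDP session aggregated over the window, keyed by the remote IP."""
    ip: str
    bytes_in: int   # bytes the terminal received from this peer
    bytes_out: int  # bytes the terminal sent to this peer


@dataclass
class Window:
    """Counters for one preset time period at the monitored terminal."""
    udp_in: int
    udp_out: int
    total_in: int
    sessions: list = field(default_factory=list)


def udp_in_out_ratio(w: Window) -> float:
    """Third ratio for one window. UDP ingress with no UDP egress at all is the
    extreme case the test looks for, so report it as infinite rather than
    dividing by zero."""
    if w.udp_out == 0:
        return float("inf") if w.udp_in > 0 else 0.0
    return w.udp_in / w.udp_out


def ratios(current: Window, history: list):
    """The three ratios and the baseline the third is compared against, or
    None when there is no usable history to baseline against."""
    if not history or current.total_in == 0:
        return None
    max_in = max(w.total_in for w in history)   # assumed "current maximum ingress"
    if max_in == 0:
        return None
    return {
        "first": current.udp_in / current.total_in,
        "second": current.udp_in / max_in,
        "third": udp_in_out_ratio(current),
        "historical": mean(udp_in_out_ratio(w) for w in history),  # assumed baseline
    }


def is_udp_attack(current: Window, history: list,
                  first_preset: float = 0.5, second_preset: float = 0.6) -> bool:
    """Step 1: the UDP share of all ingress must exceed first_preset.
    Step 2 (only if step 1 passed): UDP ingress must be large against the
    historical peak AND more inbound-skewed than the historical in/out ratio."""
    r = ratios(current, history)
    if r is None:
        return False                    # no baseline yet: no verdict
    if r["first"] <= first_preset:
        return False
    return r["second"] > second_preset and r["third"] > r["historical"]


def attack_sources(current: Window) -> list:
    """Sessions whose ingress exceeds the per-session mean and whose egress is
    0. The result is whatever the packets carried as source address."""
    if not current.sessions:
        return []
    avg_in = mean(s.bytes_in for s in current.sessions)
    return sorted(s.ip for s in current.sessions
                  if s.bytes_in > avg_in and s.bytes_out == 0)


# Constructed sample windows; addresses are from the RFC 5737 documentation ranges.
HISTORY = [
    Window(udp_in=2000, udp_out=1800, total_in=10000),
    Window(udp_in=2200, udp_out=2000, total_in=9500),
    Window(udp_in=1800, udp_out=1700, total_in=9000),
]
QUIET = Window(udp_in=2100, udp_out=1900, total_in=9800)
# UDP-heavy but roughly symmetric (e.g. a legitimate UDP media stream):
# passes the first two tests and fails the third.
BUSY_BIDIRECTIONAL = Window(udp_in=7000, udp_out=7500, total_in=10000)
ATTACK = Window(udp_in=9000, udp_out=600, total_in=10500, sessions=[
    Session("203.0.113.7", 6000, 0),
    Session("203.0.113.9", 2500, 0),
    Session("198.51.100.4", 400, 380),
    Session("198.51.100.5", 100, 120),
])

if __name__ == "__main__":
    for name, w in [("quiet", QUIET), ("busy", BUSY_BIDIRECTIONAL), ("attack", ATTACK)]:
        verdict = is_udp_attack(w, HISTORY)
        print(f"{name}: attack={verdict} sources={attack_sources(w) if verdict else []}")
```

The symmetric "busy" window is the reason the third ratio exists: a high UDP share on its own also describes a healthy UDP service, and only the inbound skew separates a flood from that. The attribution step returns the source field of the flooding packets; since UDP carries no handshake, a flood with spoofed sources yields spoofed addresses, so the list is input for filtering rather than a confirmed origin.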
It should be noted that the embodiments in this specification are described in a progressive manner: each embodiment focuses on its differences from the others, and for the parts that are the same or similar the embodiments may be referred to one another. Since the apparatus embodiments are essentially similar to the method embodiment, they are described more briefly, and the relevant parts of the method embodiment's description apply.
In the several embodiments provided in this application, it should be understood that the disclosed apparatus and method may also be implemented in other ways. The apparatus embodiments described above are merely illustrative. For example, the flowcharts and block diagrams in the accompanying drawings show possible architectures, functions and operations of apparatuses, methods and computer program products according to various embodiments of the present invention. In this regard, each block in a flowchart or block diagram may represent a module, program segment or portion of code that contains one or more executable instructions for implementing the specified logical function(s). It should also be noted that in some alternative implementations the functions noted in a block may occur in an order different from that shown in the drawings; for example, two consecutive blocks may in fact be executed substantially in parallel, or sometimes in the reverse order, depending on the functionality involved. It should further be noted that each block of the block diagrams and/or flowcharts, and combinations of such blocks, may be implemented by a dedicated hardware-based system that performs the specified functions or actions, or by a combination of dedicated hardware and computer instructions.
In addition, the functional modules in the embodiments of the present invention may be integrated to form one independent part, may each exist separately, or two or more of them may be integrated to form one independent part.
If the functions are implemented in the form of software functional modules and sold or used as an independent product, they may be stored in a computer-readable storage medium. On this understanding, the technical solution of the present invention in essence, the part of it that contributes to the prior art, or a part of the technical solution may be embodied in the form of a software product. That computer software product is stored in a storage medium and includes a number of instructions for causing a computer device (which may be a personal computer, a server, a network device or the like) to perform all or some of the steps of the methods described in the embodiments of the present invention. The aforementioned storage medium includes any medium capable of storing program code, such as a USB flash drive, a removable hard disk, read-only memory (ROM), random access memory (RAM), a magnetic disk or an optical disc. It should be noted that in this document relational terms such as "first" and "second" are used only to distinguish one entity or operation from another and do not necessarily require or imply any such actual relationship or order between those entities or operations.
Moreover, the terms "comprising", "including" and any variants thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or device that includes a list of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article or device. Without further limitation, an element introduced by the phrase "comprising a ..." does not preclude the presence of additional identical elements in the process, method, article or device that includes that element.
The above are merely preferred embodiments of the present invention and are not intended to limit it; for those skilled in the art, the present invention may have various modifications and variations. Any modification, equivalent replacement, improvement or the like made within the spirit and principle of the present invention shall fall within its scope of protection. It should be noted that like reference numerals and letters denote like items in the following drawings, so once an item is defined in one drawing it need not be further defined or explained in subsequent drawings.
The above are only specific embodiments of the present invention, but the scope of protection of the present invention is not limited to them: any person skilled in the art can readily conceive of changes or substitutions within the technical scope disclosed by the present invention, and these shall all fall within its scope of protection. Therefore, the scope of protection of the present invention shall be that of the claims.
Claims (10)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710806265.4A CN107360196B (en) | 2017-09-08 | 2017-09-08 | Attack detection method, device and terminal device |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710806265.4A CN107360196B (en) | 2017-09-08 | 2017-09-08 | Attack detection method, device and terminal device |
Publications (2)
Publication Number | Publication Date |
---|---|
CN107360196A CN107360196A (en) | 2017-11-17 |
CN107360196B true CN107360196B (en) | 2020-06-26 |
Family
ID=60290875
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201710806265.4A Active CN107360196B (en) | 2017-09-08 | 2017-09-08 | Attack detection method, device and terminal device |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN107360196B (en) |
Families Citing this family (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109005181B (en) * | 2018-08-10 | 2021-07-02 | 深信服科技股份有限公司 | Detection method, system and related components for DNS amplification attack |
CN112491866A (en) * | 2020-04-11 | 2021-03-12 | 吴媛媛 | Intrusion detection method and device combining data flow detection and time sequence feature extraction |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101572609A (en) * | 2008-04-29 | 2009-11-04 | 成都市华为赛门铁克科技有限公司 | Method and device for detecting and refusing service attack |
CN102291411A (en) * | 2011-08-18 | 2011-12-21 | 网宿科技股份有限公司 | Anti-DDOS (distributed denial of service) attack method and system against DNS (domain name system) service |
CN102497362A (en) * | 2011-12-07 | 2012-06-13 | 北京润通丰华科技有限公司 | Attack source tracking method and device for anomalous network traffic |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104348811B (en) * | 2013-08-05 | 2018-01-26 | 深圳市腾讯计算机系统有限公司 | Detecting method of distributed denial of service attacking and device |
Timeline
- 2017-09-08: CN application CN201710806265.4A filed; granted as CN107360196B (status: Active)
Also Published As
Publication number | Publication date |
---|---|
CN107360196A (en) | 2017-11-17 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN107040494B (en) | User account abnormity prevention method and system | |
EP3361693B1 (en) | Tcp connection processing method, device and system | |
CN107733581B (en) | Rapid internet asset feature detection method and device based on whole network environment | |
US20150229669A1 (en) | Method and device for detecting distributed denial of service attack | |
CN107547503B (en) | Session table item processing method and device, firewall equipment and storage medium | |
CN103618718B (en) | Processing method and processing device for Denial of Service attack | |
CN109314723B (en) | A method, device and terminal for realizing data service | |
CN107666473B (en) | Attack detection method and controller | |
US10237291B2 (en) | Session processing method and device, server and storage medium | |
WO2015105842A1 (en) | Method and apparatus of identifying proxy ip address | |
CN109040140B (en) | Slow attack detection method and device | |
CN111371774A (en) | Information processing method and device, equipment and storage medium | |
CN106961414B (en) | Honeypot-based data processing method, device and system | |
CN107333287A (en) | Network detecting method, network detection means and intelligent terminal | |
CN107360196B (en) | Attack detection method, device and terminal device | |
US9195805B1 (en) | Adaptive responses to trickle-type denial of service attacks | |
CN107241758A (en) | Network control method, network control device and intelligent terminal | |
CN107968848B (en) | A method, terminal device and storage medium for obtaining IP address | |
CN112822204A (en) | NAT detection method, device, equipment and medium | |
CN107277881A (en) | Network switching method, network switching device and intelligent terminal | |
WO2011153860A1 (en) | Method, apparatus and core network entity for processing network congestion | |
CN106027405B (en) | Data stream shunting method and device | |
CN107332739A (en) | Network detection method, network detection device and intelligent terminal | |
CN103561025B (en) | Method, device and system for detecting DOS attack prevention capacity | |
CN106656912A (en) | Method and device for detecting denial of service attack |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
CB02 | Change of applicant information | Address after: 310000 No. 188 Lianhui Street, Xixing Street, Binjiang District, Hangzhou City, Zhejiang Province; Applicant after: Dbappsecurity Co.,Ltd.; Address before: Zhongcai Building, No. 68 Binjiang District road, Hangzhou City, Zhejiang Province, 310051, 15th floor; Applicant before: DBAPPSECURITY Co.,Ltd. |
GR01 | Patent grant | ||
EE01 | Entry into force of recordation of patent licensing contract | Application publication date: 20171117; Assignee: Hangzhou Anheng Information Security Technology Co.,Ltd.; Assignor: Dbappsecurity Co.,Ltd.; Contract record no.: X2024980043369; Denomination of invention: Attack detection methods, devices, and terminal equipment; Granted publication date: 20200626; License type: Common License; Record date: 20241231 |