CN107370754B - Website protection method based on IP credit rating scoring model of cloud protection - Google Patents
- Publication number
- CN107370754B
- Authority
- CN
- China
- Prior art keywords
- target
- attack
- website
- score
- influence
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L63/101—Access control lists [ACL]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/1466—Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
Abstract
The invention relates to a cloud protection technology, and aims to provide a website protection technology based on an IP credibility scoring model of cloud protection. The website protection technology based on the IP credibility scoring model of cloud protection comprises the following steps: the target IP accesses a target hosting website, and the cloud protection platform acquires the accessed target IP; calculating the IP credit degree of the target IP; calculating the average credit degree of the IP section where the target IP is located; and calculating the weighted sum of the two target IP credibility influence factors to obtain the final credibility of the target IP, and when the final credibility of the target IP is lower than 0.7, enabling the cloud protection platform to directly intercept the access of the target IP to the target hosting website through a real-time feedback mechanism. The invention can feed back the malicious IP to the cloud protection platform in time, so that the cloud protection platform can directly intercept the attack sources in a blacklist mode.
Description
Technical Field
The invention relates to the technical field of cloud protection, in particular to a website protection method based on an IP credibility scoring model of cloud protection.
Background
Portal websites are important as the public image and publicity medium of governments, enterprises and public institutions. A large number of attacks and intrusions occur in network space all the time, and the outbreak of a 0day vulnerability in particular can seriously affect a large number of websites within a very short time. Website protection technology based on cloud protection can relieve the security problems of websites in large batches. However, a large number of the protection actions of cloud protection are based on protection policies; each additional policy layer means one more layer of overhead for cloud protection and increases the response time of the website.
Many websites, large-scale data centers and cloud protection centers have introduced IP blacklists: when traffic arrives, it is first filtered by an IP blacklist layer, which reduces the layer-upon-layer overhead of the defense policies. At present, many open-source IP blacklist libraries are used on the Internet, but these libraries are often not updated in time, their sources are not credible enough, and they lack clear blacklist judgment standards.
Disclosure of Invention
The invention mainly aims to overcome the defects in the prior art and provide a website protection technology which is based on an access log and an attack log of a cloud protection platform, analyzes an IP address with low credibility in an off-line analysis mode and enables the cloud protection platform to directly intercept the IP through a real-time feedback mechanism. In order to solve the technical problem, the solution of the invention is as follows:
the website protection method based on the IP credibility scoring model of cloud protection is provided, a cloud protection platform can intercept attack behaviors aiming at a target hosting website, and the website protection method based on the IP credibility scoring model of cloud protection comprises the following steps:
step A: the target IP accesses a target hosting website, and the cloud protection platform acquires the accessed target IP;
step B: calculating the IP credit degree of the target IP, wherein the IP credit degree has 3 influence factors, namely attack frequency, attack target and attack time period, and the specific calculation steps are as follows:
step B1) attack frequency refers to: $V_{11} = N_T / (N_T + N_V)$;
wherein $V_{11}$ refers to the attack frequency; the larger $V_{11}$ is, the more obvious the aggressiveness, i.e. the worse the credibility; $N_T$ refers to the number of attacks initiated by the target IP on the target hosting website; $N_V$ refers to the number of normal accesses initiated by the target IP to the target hosting website;
the scoring formula with attack frequency as an influence factor is as follows: $C_{11} = 1 - V_{11}$;
wherein $C_{11}$ refers to the influence score of the attack frequency; $V_{11}$ refers to the attack frequency;
step B2), the managed websites accessed by the cloud protection platform are divided into the following 5 types: government affairs website, education website, financial website, enterprise website, news media website, with $V_{121}$, $V_{122}$, $V_{123}$, $V_{124}$, $V_{125}$ respectively representing the score value of each type of managed website as an attack target;
wherein $C_{12}$ refers to the influence score of the attack target; $\lambda_{12i}$ refers to the weights of the different attack targets, and (we set this to 4:3:4:2:2); $V_{12i}$ = the number of attacks with that website as the attack target / the total number of attacks with all managed websites as the attack targets;
step B3), according to the off-duty and sleeping habits of the people, dividing 24 hours of a day (we need to process attack time according to different areas on the basis of IP-based geographic location characteristics) into the following time periods for statistics respectively:
attack period 1: the time period is 22:00-08:00, and the score is $V_{131}$, where the score = the number of attacks in the time period / the total number of attacks;
attack period 2: the time period is 08:00-18:00, and the score is $V_{132}$, where the score = the number of attacks in the time period / the total number of attacks;
attack period 3: the time period is 18:00-22:00, and the score is $V_{133}$, where the score = the number of attacks in the time period / the total number of attacks;
wherein $C_{13}$ refers to the influence score of the attack time period; $\lambda_{13i}$ refers to the weights of the different attack time periods, and (we set this to 5:1:2); $V_{13i}$ refers to the scores of the different attack time periods;
wherein $\lambda_{1i}$ refers to the weight of each impact factor (we set it to 1:2:2);
step C: calculating the average credit degree of the IP section where the target IP is located, wherein the credit degree scores of the other IPs in the IP section where the target IP is located can influence the final credit degree score of the IP;
suppose N IPs in the same C section as the target IP initiate attacks on hosting websites on the cloud protection platform; then the average credit influence score of the IP section where the target IP is located is as follows:
wherein $C_S$ refers to the average credit influence score of the IP section where the target IP is located; $C_{Fi}$ refers to the credit influence score of each IP in the IP section where the target IP is located that initiates an attack on the target hosting website; N is the number of IPs in the IP section where the target IP is located that attack the target hosting website;
step D: the influence factors of the credibility of the target IP comprise the credibility of the IP itself and the influence of the credibility score of the IP section where the IP is located; the weighted sum of the two influence factors is calculated to obtain the final credibility of the target IP, and the formula is as follows: $C = \lambda_1 C_F + \lambda_2 C_S$;
wherein $C_F$ is the influence score of the credit degree of the IP itself; $C_S$ is the average credit influence score of the IP section where the target IP is located; $\lambda_i$ is the weight of each dimension, and $\lambda_1 + \lambda_2 = 1$ (we set it to 7:3);
and when the final credibility of the target IP is lower than 0.7, directly intercepting the access of the target IP to the target hosting website by the cloud protection platform through a real-time feedback mechanism.
Compared with the prior art, the invention has the beneficial effects that:
a large number of portal websites are accessed into the cloud protection platform, so that the cloud protection platform has natural advantages on flow attraction and brings massive data samples for subsequent analysis models;
according to the invention, malicious IP can be fed back to the cloud protection platform in time, so that the cloud protection platform can directly intercept the attack sources in a blacklist mode;
the invention can provide threat intelligence data to other security manufacturers to realize intelligence sharing.
Drawings
FIG. 1 is a flowchart of the reputation scoring of the present invention.
Detailed Description
It should be noted that the present invention is an application of computer technology in the field of information security technology. In the implementation process of the invention, the application of a plurality of software functional modules is involved. The applicant believes that it is fully possible for one skilled in the art to utilize the software programming skills in his or her own practice to implement the invention, as well as to properly understand the principles and objectives of the invention, in conjunction with the prior art, after a perusal of this application.
The invention is described in further detail below with reference to the following detailed description and accompanying drawings:
the cloud protection platform is a cloud computing platform capable of effectively analyzing, computing and intercepting network attacks and intrusion behaviors. The cloud protection platform can clean the access flow of the managed website, intercept attack behaviors, release normal access to ensure the safe operation of the rear website, and record access and attack records in a real-time stream processing mode.
As shown in fig. 1, a website protection method based on a cloud protection IP reputation degree scoring model includes the following steps:
step A: the target IP accesses the target hosting website, and the cloud protection platform acquires the accessed target IP.
Step B: calculating the IP credit degree of the target IP, wherein the IP credit degree has 3 influence factors, namely attack frequency, attack target and attack time period, and the specific calculation steps are as follows:
step B1) attack frequency refers to: $V_{11} = N_T / (N_T + N_V)$;
wherein $N_T$ refers to the number of attacks initiated by the target IP on the target hosting website; $N_V$ refers to the number of normal visits initiated by the target IP to the target hosting website; the larger $V_{11}$ is, the more obvious the aggressiveness and the worse the credibility.
The scoring formula with attack frequency as an influence factor is as follows: $C_{11} = 1 - V_{11}$;
wherein $C_{11}$ refers to the influence score of the attack frequency; $V_{11}$ refers to the attack frequency of the target IP.
Step B2), the managed websites accessed by the cloud protection platform are divided into the following 5 types: government affairs website, education website, financial website, enterprise website, news media website, with $V_{121}$, $V_{122}$, $V_{123}$, $V_{124}$, $V_{125}$ respectively representing the score value of each type of managed website as an attack target.
wherein $C_{12}$ refers to the influence score of the attack target; $\lambda_{12i}$ refers to the weights of the different attack targets, and (we set this to 4:3:4:2:2); $V_{12i}$ = the number of attacks with that website as the attack target / the total number of attacks with all managed websites as the attack targets; wherein i is 1, 2, 3, 4, 5.
Step B3), according to the off-duty and sleeping habits of the people, dividing 24 hours of a day (we need to process attack time according to different areas on the basis of IP-based geographic location characteristics) into the following time periods for statistics respectively:
TABLE 1
Serial number | Time period | Score = number of attacks in the time period / total number of attacks |
---|---|---|
1 | 22:00~08:00 | $V_{131}$ |
2 | 08:00~18:00 | $V_{132}$ |
3 | 18:00~22:00 | $V_{133}$ |
Long-term tracking and research show that hackers prefer to attack during off-hours, when users generally respond to emergencies significantly more slowly. The scoring formula with the attack time period as the influence factor is therefore:
wherein $C_{13}$ refers to the influence score of the attack time period; $\lambda_{13i}$ refers to the weights of the different attack time periods, and (we set this to 5:1:2); $V_{13i}$ refers to the scores of the different attack time periods.
wherein $\lambda_{1i}$ is the weight of each impact factor, which we set to 1:2:2.
Step C: when a hacker initiates an attack, he does not use a single machine but controls a batch of compromised hosts, and the compromised hosts are not in the same C section, so that the credit scores of the other IPs in the IP section where the target IP is located can influence the final credit score of the IP.
Suppose N IPs in the same C section as the target IP attack the managed websites on the cloud protection platform; then the average credit influence score of the IP section where the target IP is located is as follows:
wherein $C_S$ refers to the average credit influence score of the IP section where the target IP is located; $C_{Fi}$ refers to the credit influence score of each IP in the IP section where the target IP is located that initiates an attack on the target hosting website; N refers to the number of IPs in the IP section where the target IP is located that attack the target hosting website.
Step D: the influence factors of the credibility of the target IP comprise the credibility of the IP itself and the influence of the credibility score of the IP section where the IP is located; the weighted sum of the two influence factors is calculated to obtain the final credibility of the target IP, and the formula is as follows:
$C = \lambda_1 C_F + \lambda_2 C_S$
wherein $C_F$ is the influence score of the credit degree of the IP itself; $C_S$ is the average credit influence score of the IP section where the target IP is located; $\lambda_i$ is the weight of each dimension, and $\lambda_1 + \lambda_2 = 1$; we set it to 7:3.
And when the final credibility of the target IP is lower than 0.7, directly intercepting the access of the target IP to the target hosting website by the cloud protection platform through a real-time feedback mechanism.
After the traffic passes through the cleaning and protection strategy of the cloud protection platform, a large number of access logs and attack logs are recorded.
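Steps B to D run end to end over a small log, as an added worked example that is not code from the patent. The page's formulas for C12, C13 and CF did not survive, so the forms used here (one minus the weight-normalised sum for C12 and C13, a weight-normalised sum for CF), the reading of "C section" as an IPv4 /24, the score 1.0 for an IP or segment with no attacks, and the constructed log are all assumptions.

```python
from collections import defaultdict
from ipaddress import ip_network

# Ratios stated on the page; normalised inside weighted() so each set sums to 1.
SITE_TYPES = ("government", "education", "financial", "enterprise", "news")
TARGET_W = (4, 3, 4, 2, 2)       # lambda_12i, one per site type
PERIOD_W = (5, 1, 2)             # lambda_13i: 22-08, 08-18, 18-22
FACTOR_W = (1, 2, 2)             # lambda_1i: C11, C12, C13
LAMBDA_F, LAMBDA_S = 0.7, 0.3    # lambda_1 : lambda_2 = 7:3
BLOCK_BELOW = 0.7                # interception threshold from step D


def weighted(weights, values):
    total = sum(weights)
    return sum(w / total * v for w, v in zip(weights, values))


def period_index(hour):
    """Map a local hour (0-23) to the three attack periods of Table 1."""
    if hour >= 22 or hour < 8:
        return 0
    return 1 if hour < 18 else 2


def ip_credit(events):
    """C_F for one IP from its (site_type, local_hour, is_attack) events."""
    attacks = [e for e in events if e[2]]
    n_t, n_v = len(attacks), len(events) - len(attacks)
    if n_t == 0:
        return 1.0               # assumption: no attacks means full credit
    c11 = 1 - n_t / (n_t + n_v)  # C11 = 1 - V11, as on the page
    v12 = [sum(e[0] == s for e in attacks) / n_t for s in SITE_TYPES]
    v13 = [sum(period_index(e[1]) == p for e in attacks) / n_t for p in range(3)]
    c12 = 1 - weighted(TARGET_W, v12)   # assumed form of C12
    c13 = 1 - weighted(PERIOD_W, v13)   # assumed form of C13
    return weighted(FACTOR_W, (c11, c12, c13))  # assumed form of C_F


def segment(ip):
    return ip_network(f"{ip}/24", strict=False)  # assumption: C section = /24


def score_all(log):
    """Return {ip: (C_F, C_S, C, blocked)} for every IP seen in the log."""
    per_ip = defaultdict(list)
    for ip, site, hour, is_attack in log:
        per_ip[ip].append((site, hour, is_attack))
    cf = {ip: ip_credit(ev) for ip, ev in per_ip.items()}
    attackers = defaultdict(list)        # segment -> C_F of its attacking IPs
    for ip, ev in per_ip.items():
        if any(e[2] for e in ev):
            attackers[segment(ip)].append(cf[ip])
    result = {}
    for ip in per_ip:
        peers = attackers.get(segment(ip))
        cs = sum(peers) / len(peers) if peers else 1.0  # assumption when N = 0
        c = LAMBDA_F * cf[ip] + LAMBDA_S * cs           # C = l1*C_F + l2*C_S
        result[ip] = (cf[ip], cs, c, c < BLOCK_BELOW)
    return result


# Constructed sample log: (ip, site_type, local_hour, is_attack).
# Hours are assumed to be already converted to the IP's local time.
SAMPLE_LOG = (
    [("203.0.113.10", "government", 2, True)] * 8
    + [("203.0.113.10", "government", 14, False)] * 2
    + [("203.0.113.20", "enterprise", 10, True)]
    + [("203.0.113.20", "news", 11, False)] * 9
    + [("203.0.113.30", "education", 9, False)] * 4
    + [("198.51.100.5", "financial", 15, False)] * 5
)

if __name__ == "__main__":
    for ip, (cf, cs, c, blocked) in sorted(score_all(SAMPLE_LOG).items()):
        print(f"{ip:15} C_F={cf:.3f} C_S={cs:.3f} C={c:.3f} blocked={blocked}")
```

In the constructed log, 203.0.113.30 never attacks, yet its final score falls to about 0.904 because the segment average is dragged down by its two neighbours.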
Finally, it should be noted that the above-mentioned list is only a specific embodiment of the present invention. It is obvious that the present invention is not limited to the above embodiments, but many variations are possible. All modifications which can be derived or suggested by a person skilled in the art from the disclosure of the present invention are to be considered within the scope of the invention.
Claims (1)
1. A website protection method based on an IP credibility scoring model of cloud protection is characterized in that the website protection method based on the IP credibility scoring model of cloud protection comprises the following steps:
step A: the target IP accesses a target hosting website, and the cloud protection platform acquires the accessed target IP;
step B: calculating the IP credit degree of the target IP, wherein the IP credit degree has 3 influence factors, namely attack frequency, attack target and attack time period, and the specific calculation steps are as follows:
step B1) attack frequency refers to: $V_{11} = N_T / (N_T + N_V)$;
wherein $V_{11}$ refers to the attack frequency; the larger $V_{11}$ is, the more obvious the aggressiveness, i.e. the worse the credibility; $N_T$ refers to the number of attacks initiated by the target IP on the target hosting website; $N_V$ refers to the number of normal accesses initiated by the target IP to the target hosting website;
the scoring formula with attack frequency as an influence factor is as follows: $C_{11} = 1 - V_{11}$;
wherein $C_{11}$ refers to the influence score of the attack frequency; $V_{11}$ refers to the attack frequency;
step B2), the managed websites accessed by the cloud protection platform are divided into the following 5 types: government affairs website, education website, financial website, enterprise website, news media website, with $V_{121}$, $V_{122}$, $V_{123}$, $V_{124}$, $V_{125}$ respectively representing the score value of each type of managed website as an attack target;
wherein $C_{12}$ refers to the influence score of the attack target; $\lambda_{12i}$ refers to the weights of the different attack targets, and $V_{12i}$ means the number of attacks with that website as the attack target / the total number of attacks with all managed websites as the attack targets;
step B3), dividing 24 hours of a day into the following time periods for statistics according to the off-duty and sleeping habits of people:
attack period 1: the time period is 22:00-08:00, and the score is $V_{131}$, where the score = the number of attacks in the time period / the total number of attacks;
attack period 2: the time period is 08:00-18:00, and the score is $V_{132}$, where the score = the number of attacks in the time period / the total number of attacks;
attack period 3: the time period is 18:00-22:00, and the score is $V_{133}$, where the score = the number of attacks in the time period / the total number of attacks;
wherein $C_{13}$ refers to the influence score of the attack time period; $\lambda_{13i}$ refers to the weights of the different attack time periods, and $V_{13i}$ refers to the scores of the different attack time periods;
wherein $\lambda_{1i}$ refers to the weight of each impact factor;
step C: calculating the average credit degree of the IP section where the target IP is located, wherein the credit degree scores of the other IPs in the IP section where the target IP is located can influence the final credit degree score of the IP;
if N IPs in the same C section as the target IP initiate attacks on hosting websites on the cloud protection platform, the average credit degree influence score of the IP section where the target IP is located is as follows:
wherein $C_S$ refers to the average credit influence score of the IP section where the target IP is located; $C_{Fi}$ refers to the credit influence score of each IP in the IP section where the target IP is located that initiates an attack on the target hosting website; N is the number of IPs in the IP section where the target IP is located that attack the target hosting website;
step D: the influence factors of the credibility of the target IP comprise the credibility of the IP itself and the influence of the credibility score of the IP section where the IP is located; the weighted sum of the two influence factors is calculated to obtain the final credibility of the target IP, and the formula is as follows: $C = \lambda_1 C_F + \lambda_2 C_S$;
wherein $C_F$ is the influence score of the credit degree of the IP itself; $C_S$ is the average credit influence score of the IP section where the target IP is located; $\lambda_i$ is the weight of each dimension, and $\lambda_1 + \lambda_2 = 1$;
and when the final credibility of the target IP is lower than 0.7, directly intercepting the access of the target IP to the target hosting website by the cloud protection platform through a real-time feedback mechanism.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710730912.8A CN107370754B (en) | 2017-08-23 | 2017-08-23 | Website protection method based on IP credit rating scoring model of cloud protection |
Publications (2)
Publication Number | Publication Date |
---|---|
CN107370754A CN107370754A (en) | 2017-11-21 |
CN107370754B true CN107370754B (en) | 2020-04-07 |
Family
ID=60312398
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201710730912.8A Active CN107370754B (en) | 2017-08-23 | 2017-08-23 | Website protection method based on IP credit rating scoring model of cloud protection |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN107370754B (en) |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
CB02 | Change of applicant information |
Address after: Zhejiang Zhongcai Building No. 68 Binjiang District road Hangzhou City, Zhejiang Province, the 310051 and 15 layer Applicant after: Hangzhou Annan information technology Limited by Share Ltd Address before: Zhejiang Zhongcai Building No. 68 Binjiang District road Hangzhou City, Zhejiang Province, the 310051 and 15 layer Applicant before: Dbappsecurity Co.,ltd. |
|
GR01 | Patent grant | ||
GR01 | Patent grant |