CN107370754B - Website protection method based on IP credit rating scoring model of cloud protection - Google Patents

Publication number: CN107370754B
Application number: CN201710730912.8A
Authority: CN (China)
Other versions: CN107370754A (en)
Other languages: Chinese (zh)
Inventors: 蒋海峰, 范渊
Original Assignee: DBAPPSecurity Co Ltd
Current Assignee: DBAPPSecurity Co Ltd
Legal status: Active
Prior art keywords: target, attack, website, score, influence

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/101 Access control lists [ACL]
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks

Abstract

The invention relates to cloud protection technology and provides a website protection technique based on a cloud protection IP credibility scoring model. The technique comprises the following steps: a target IP accesses a target hosted website, and the cloud protection platform obtains the accessing target IP; the IP credibility of the target IP is calculated; the average credibility of the IP segment in which the target IP is located is calculated; the weighted sum of these two influence factors is calculated to obtain the final credibility of the target IP, and when the final credibility of the target IP is lower than 0.7, the cloud protection platform directly intercepts the target IP's access to the target hosted website through a real-time feedback mechanism. The invention can feed malicious IPs back to the cloud protection platform in time, so that the cloud protection platform can directly intercept these attack sources by means of a blacklist.

Description

Website protection method based on IP credit rating scoring model of cloud protection
Technical Field
The invention relates to the technical field of cloud protection, in particular to a website protection method based on an IP credibility scoring model of cloud protection.
Background
As an important public face and publicity channel for governments, enterprises and public institutions, the portal website is very important. A large number of attacks and intrusions occur in cyberspace all the time, and the outbreak of certain 0day vulnerabilities in particular can seriously affect a large number of websites within a very short time. Website protection based on cloud protection can mitigate website security problems at scale. However, much of what cloud protection does is based on protection policies; each additional policy layer means one more layer of overhead for cloud protection and increases the response time of the website.
Many websites, large data centers and cloud protection centers have introduced IP blacklists: incoming traffic is first filtered by an IP blacklist layer, which reduces the layer-upon-layer overhead of the defense policies. Many open-source IP blacklist libraries are currently in use on the Internet, but they are often not updated in time, their sources are not credible enough, and they lack clear criteria for blacklisting.
Disclosure of Invention
The main purpose of the invention is to overcome the defects of the prior art and provide a website protection technique which, based on the access logs and attack logs of the cloud protection platform, identifies IP addresses with low credibility through offline analysis and enables the cloud protection platform to intercept those IPs directly through a real-time feedback mechanism. To solve this technical problem, the solution of the invention is as follows:
A website protection method based on a cloud protection IP credibility scoring model is provided, in which the cloud protection platform can intercept attacks against a target hosted website. The method comprises the following steps:
Step A: the target IP accesses a target hosted website, and the cloud protection platform obtains the accessing target IP;
Step B: the IP credibility of the target IP is calculated. The IP credibility has 3 influence factors, namely attack frequency, attack target and attack time period, and the specific calculation steps are as follows:
Step B1) The attack frequency is: $V_{11} = N_T / (N_T + N_V)$;
where $V_{11}$ is the attack frequency; the larger $V_{11}$ is, the more evident the aggressiveness, i.e. the worse the credibility; $N_T$ is the number of attacks initiated by the target IP on the target hosted website; $N_V$ is the number of normal accesses initiated by the target IP to the target hosted website;
The scoring formula with attack frequency as the influence factor is: $C_{11} = 1 - V_{11}$
where $C_{11}$ is the influence score of the attack frequency; $V_{11}$ is the attack frequency;
Step B2) The hosted websites connected to the cloud protection platform are divided into the following 5 types: government websites, education websites, financial websites, enterprise websites and news media websites; $V_{121}$, $V_{122}$, $V_{123}$, $V_{124}$, $V_{125}$ respectively denote the score of each type of hosted website as an attack target;
The scoring formula with attack target as the influence factor is:
Figure GDA0002248797410000021
where $C_{12}$ is the influence score of the attack target; $\lambda_{12i}$ are the weights of the different attack targets, and
Figure GDA0002248797410000022
(we set this to 4:3:4:2:2); $V_{12i}$ is the number of attacks with that type of website as the attack target / the total number of attacks with all hosted websites as attack targets;
Step B3) Based on people's working and sleeping habits, the 24 hours of a day are divided into the following time periods, which are counted separately (attack times need to be handled per region, based on the geographic location of the IP):
Attack period 1: the time period is 22:00-08:00 and the score is $V_{131}$; the score is the number of attacks in the time period / the total number of attacks;
Attack period 2: the time period is 08:00-18:00 and the score is $V_{132}$; the score is the number of attacks in the time period / the total number of attacks;
Attack period 3: the time period is 18:00-22:00 and the score is $V_{133}$; the score is the number of attacks in the time period / the total number of attacks;
The scoring formula with attack time period as the influence factor is:
Figure GDA0002248797410000023
where $C_{13}$ is the influence score of the attack time period; $\lambda_{13i}$ are the weights of the different attack time periods, and
Figure GDA0002248797410000024
(we set this to 5:1:2); $V_{13i}$ are the scores of the different attack time periods;
Step B4) The influence score of the IP credibility is:
Figure GDA0002248797410000025
where $\lambda_{1i}$ is the weight of each influence factor (we set it to 1:2:2);
Step C: the average credibility of the IP segment in which the target IP is located is calculated; the credibility scores of the other IPs in that segment affect the final credibility score of the IP;
Suppose N IPs in the same C segment as the target IP have initiated attacks on hosted websites on the cloud protection platform; then the average credibility influence score of the IP segment in which the target IP is located is:
Figure GDA0002248797410000026
where $C_S$ is the average credibility influence score of the IP segment in which the target IP is located; $C_{Fi}$ is the credibility influence score of each IP in that segment that has initiated an attack on the target hosted website; $N$ is the number of IPs in that segment that have attacked the target hosted website;
Step D: the influence factors of the target IP's credibility comprise the credibility of the IP itself and the credibility score of the IP segment in which it is located; the weighted sum of the two influence factors is calculated to obtain the final credibility of the target IP, by the formula: $C = \lambda_1 C_F + \lambda_2 C_S$
where $C_F$ is the influence score of the IP's credibility; $C_S$ is the average credibility influence score of the IP segment in which the target IP is located; $\lambda_i$ is the weight of each dimension, with $\lambda_1 + \lambda_2 = 1$ (we set it to 7:3);
When the final credibility of the target IP is lower than 0.7, the cloud protection platform directly intercepts the target IP's access to the target hosted website through a real-time feedback mechanism.
Compared with the prior art, the invention has the following beneficial effects:
A large number of portal websites are connected to the cloud protection platform, which gives the platform a natural advantage in attracting traffic and provides massive data samples for the subsequent analysis model;
the invention can feed malicious IPs back to the cloud protection platform in time, so that the platform can directly intercept these attack sources by means of a blacklist;
the invention can provide threat intelligence data to other security vendors to enable intelligence sharing.
Drawings
FIG. 1 is a flowchart of the reputation scoring of the present invention.
Detailed Description
It should be noted that the present invention is an application of computer technology in the field of information security. Its implementation involves the use of a number of software functional modules. The applicant believes that, after carefully reading this application and properly understanding the principles and objectives of the invention, a person skilled in the art can fully implement the invention by combining the prior art with his or her own software programming skills.
The invention is described in further detail below with reference to the detailed description and the accompanying drawings:
The cloud protection platform is a cloud computing platform capable of effectively analyzing, computing and intercepting network attacks and intrusions. The cloud protection platform can clean the access traffic of hosted websites, intercept attacks and let normal access through to ensure the safe operation of the back-end website, and it records access and attack records by means of real-time stream processing.
As shown in FIG. 1, a website protection method based on a cloud protection IP credibility scoring model includes the following steps:
Step A: the target IP accesses the target hosted website, and the cloud protection platform obtains the accessing target IP.
Step B: the IP credibility of the target IP is calculated. The IP credibility has 3 influence factors, namely attack frequency, attack target and attack time period, and the specific calculation steps are as follows:
Step B1) The attack frequency is: $V_{11} = N_T / (N_T + N_V)$;
where $N_T$ is the number of attacks initiated by the target IP on the target hosted website; $N_V$ is the number of normal accesses initiated by the target IP to the target hosted website; the larger $V_{11}$ is, the more evident the aggressiveness and the worse the credibility.
The scoring formula with attack frequency as the influence factor is: $C_{11} = 1 - V_{11}$
where $C_{11}$ is the influence score of the attack frequency; $V_{11}$ is the attack frequency of the target IP.
Step B2) The hosted websites connected to the cloud protection platform are divided into the following 5 types: government websites, education websites, financial websites, enterprise websites and news media websites; $V_{121}$, $V_{122}$, $V_{123}$, $V_{124}$, $V_{125}$ respectively denote the score of each type of hosted website as an attack target.
The scoring formula with attack target as the influence factor is:
Figure GDA0002248797410000041
where $C_{12}$ is the influence score of the attack target; $\lambda_{12i}$ are the weights of the different attack targets, and
Figure GDA0002248797410000042
(we set this to 4:3:4:2:2); $V_{12i}$ is the number of attacks with that type of website as the attack target / the total number of attacks with all hosted websites as attack targets; where i is 1, 2, 3, 4, 5.
Step B3) Based on people's working and sleeping habits, the 24 hours of a day are divided into the following time periods, which are counted separately (attack times need to be handled per region, based on the geographic location of the IP):
TABLE 1
Serial number | Time period | Score = number of attacks in the time period / total number of attacks
1 | 22:00~08:00 | $V_{131}$
2 | 08:00~18:00 | $V_{132}$
3 | 18:00~22:00 | $V_{133}$
Long-term tracking and research show that hackers prefer to attack during off-hours, when users generally respond to emergencies significantly more slowly. The scoring formula with attack time period as the influence factor is therefore:
Figure GDA0002248797410000043
where $C_{13}$ is the influence score of the attack time period; $\lambda_{13i}$ are the weights of the different attack time periods, and
Figure GDA0002248797410000044
(we set this to 5:1:2); $V_{13i}$ are the scores of the different attack time periods.
Step B4) The influence score of the IP credibility is:
Figure GDA0002248797410000045
where $\lambda_{1i}$ is the weight of each influence factor, which we set to 1:2:2.
Step C: when a hacker initiates an attack, a single machine is not used; instead a batch of compromised hosts (bots, rendered literally as "broiler chickens") is controlled, and these hosts are not in the same C section, so that the credibility scores of the other IPs in the IP segment in which the target IP is located affect the final credibility score of the IP.
Suppose N IPs in the same C segment as the target IP have initiated attacks on hosted websites on the cloud protection platform; then the average credibility influence score of the IP segment in which the target IP is located is:
Figure GDA0002248797410000046
where $C_S$ is the average credibility influence score of the IP segment in which the target IP is located; $C_{Fi}$ is the credibility influence score of each IP in that segment that has initiated an attack on the target hosted website; $N$ is the number of IPs in that segment that have attacked the target hosted website.
Step D: the influence factors of the target IP's credibility comprise the credibility of the IP itself and the credibility score of the IP segment in which it is located; the weighted sum of the two influence factors is calculated to obtain the final credibility of the target IP, by the formula:
$C = \lambda_1 C_F + \lambda_2 C_S$
where $C_F$ is the influence score of the IP's credibility; $C_S$ is the average credibility influence score of the IP segment in which the target IP is located; $\lambda_i$ is the weight of each dimension, with $\lambda_1 + \lambda_2 = 1$; we set it to 7:3.
When the final credibility of the target IP is lower than 0.7, the cloud protection platform directly intercepts the target IP's access to the target hosted website through a real-time feedback mechanism.
After the traffic passes through the cleaning and protection strategy of the cloud protection platform, a large number of access logs and attack logs are recorded.
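The scoring pipeline of steps B to D run over a small log, as an added Python example that is not code from the patent. The formulas for C_12, C_13, C_F and C_S survive on this page only as image placeholders, so the forms used here are assumptions: C_12 and C_13 mirror C_11 = 1 - V_11 as one minus the normalised weighted sum, C_F is the normalised 1:2:2 weighted sum, and C_S is the arithmetic mean over attacking IPs in the same /24 (taken as 1 when there are none). The log tuple format, the site-type names and hours already converted to the source IP's local time are also assumptions.

```python
from collections import defaultdict
from ipaddress import ip_network

# Ratios stated in the patent text; normalised to sum to 1 where used.
SITE_WEIGHTS = {"government": 4, "education": 3, "financial": 4,
                "enterprise": 2, "news": 2}
PERIOD_WEIGHTS = {"night": 5, "work": 1, "evening": 2}  # 22-08, 08-18, 18-22
FACTOR_WEIGHTS = (1, 2, 2)     # frequency : target : time period
FINAL_WEIGHTS = (0.7, 0.3)     # lambda_1 : lambda_2 for C_F and C_S
BLOCK_THRESHOLD = 0.7          # intercept when C is lower than this


def period_of(hour):
    """Map a local hour (0-23) to one of the three periods of Table 1."""
    if 8 <= hour < 18:
        return "work"
    if 18 <= hour < 22:
        return "evening"
    return "night"


def weighted_share(counts, weights):
    """sum(lambda_i * V_i), where V_i is bucket i's share of all attacks."""
    total = sum(counts.values())
    if total == 0:             # IP never attacked: nothing to weigh
        return 0.0
    norm = sum(weights.values())
    return sum(weights[k] / norm * n / total for k, n in counts.items())


def ip_score(events):
    """C_F for one IP from its (site_type, local_hour, is_attack) events."""
    attacks = [e for e in events if e[2]]
    v11 = len(attacks) / len(events)          # N_T / (N_T + N_V)
    by_site, by_period = defaultdict(int), defaultdict(int)
    for site, hour, _ in attacks:
        by_site[site] += 1
        by_period[period_of(hour)] += 1
    c11 = 1 - v11                                        # given in the text
    c12 = 1 - weighted_share(by_site, SITE_WEIGHTS)      # ASSUMED form
    c13 = 1 - weighted_share(by_period, PERIOD_WEIGHTS)  # ASSUMED form
    w = FACTOR_WEIGHTS
    return (w[0] * c11 + w[1] * c12 + w[2] * c13) / sum(w)  # ASSUMED form


def final_scores(log):
    """Return {ip: (C_F, C_S, C, blocked)} for every source IP in the log."""
    per_ip = defaultdict(list)
    for ip, site, hour, is_attack in log:
        per_ip[ip].append((site, hour, is_attack))
    c_f = {ip: ip_score(ev) for ip, ev in per_ip.items()}
    # Collect C_F of attacking IPs per /24 (the "C segment" of step C).
    segment = defaultdict(list)
    for ip, ev in per_ip.items():
        if any(e[2] for e in ev):
            segment[ip_network(f"{ip}/24", strict=False)].append(c_f[ip])
    out = {}
    for ip in per_ip:
        peers = segment.get(ip_network(f"{ip}/24", strict=False))
        c_s = sum(peers) / len(peers) if peers else 1.0  # ASSUMED for N = 0
        c = FINAL_WEIGHTS[0] * c_f[ip] + FINAL_WEIGHTS[1] * c_s
        out[ip] = (c_f[ip], c_s, c, c < BLOCK_THRESHOLD)
    return out


# Constructed sample log: (source IP, site type, local hour, is_attack).
# Addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG = [
    ("203.0.113.10", "government", 2, True),
    ("203.0.113.10", "government", 3, True),
    ("203.0.113.10", "financial", 23, True),
    ("203.0.113.10", "news", 14, False),
    ("203.0.113.77", "education", 1, True),
    ("203.0.113.77", "education", 10, False),
    ("203.0.113.200", "enterprise", 9, False),  # clean IP in a noisy /24
    ("198.51.100.5", "news", 11, False),
    ("198.51.100.5", "enterprise", 15, False),
]

if __name__ == "__main__":
    for ip, (cf, cs, c, blocked) in sorted(final_scores(SAMPLE_LOG).items()):
        print(f"{ip:15} C_F={cf:.3f} C_S={cs:.3f} C={c:.3f} "
              f"{'BLOCK' if blocked else 'allow'}")
```

With the stated 7:3 weights, an IP whose own score C_F is 1 always ends at C of at least 0.7, so under these assumptions the segment average alone never pushes a clean neighbour below the interception threshold.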
Finally, it should be noted that the above is only a specific embodiment of the present invention. Obviously, the present invention is not limited to the above embodiment, and many variations are possible. All modifications that a person skilled in the art can derive or infer directly from the disclosure of the present invention are to be considered within the scope of the invention.

Claims (1)

1. A website protection method based on a cloud protection IP credibility scoring model, characterized in that the method comprises the following steps:
Step A: the target IP accesses a target hosted website, and the cloud protection platform obtains the accessing target IP;
Step B: the IP credibility of the target IP is calculated. The IP credibility has 3 influence factors, namely attack frequency, attack target and attack time period, and the specific calculation steps are as follows:
Step B1) The attack frequency is: $V_{11} = N_T / (N_T + N_V)$;
where $V_{11}$ is the attack frequency; the larger $V_{11}$ is, the more evident the aggressiveness, i.e. the worse the credibility; $N_T$ is the number of attacks initiated by the target IP on the target hosted website; $N_V$ is the number of normal accesses initiated by the target IP to the target hosted website;
The scoring formula with attack frequency as the influence factor is: $C_{11} = 1 - V_{11}$
where $C_{11}$ is the influence score of the attack frequency; $V_{11}$ is the attack frequency;
Step B2) The hosted websites connected to the cloud protection platform are divided into the following 5 types: government websites, education websites, financial websites, enterprise websites and news media websites; $V_{121}$, $V_{122}$, $V_{123}$, $V_{124}$, $V_{125}$ respectively denote the score of each type of hosted website as an attack target;
The scoring formula with attack target as the influence factor is:
Figure FDA0002295944080000011
where $C_{12}$ is the influence score of the attack target; $\lambda_{12i}$ are the weights of the different attack targets, and
Figure FDA0002295944080000012
$V_{12i}$ is the number of attacks with that type of website as the attack target / the total number of attacks with all hosted websites as attack targets;
Step B3) Based on people's working and sleeping habits, the 24 hours of a day are divided into the following time periods, which are counted separately:
Attack period 1: the time period is 22:00-08:00 and the score is $V_{131}$; the score is the number of attacks in the time period / the total number of attacks;
Attack period 2: the time period is 08:00-18:00 and the score is $V_{132}$; the score is the number of attacks in the time period / the total number of attacks;
Attack period 3: the time period is 18:00-22:00 and the score is $V_{133}$; the score is the number of attacks in the time period / the total number of attacks;
The scoring formula with attack time period as the influence factor is:
Figure FDA0002295944080000013
where $C_{13}$ is the influence score of the attack time period; $\lambda_{13i}$ are the weights of the different attack time periods, and
Figure FDA0002295944080000014
$V_{13i}$ are the scores of the different attack time periods;
Step B4) The influence score of the IP credibility is:
Figure FDA0002295944080000015
where $\lambda_{1i}$ is the weight of each influence factor;
Step C: the average credibility of the IP segment in which the target IP is located is calculated; the credibility scores of the other IPs in that segment affect the final credibility score of the IP;
if N IPs in the same C segment as the target IP have initiated attacks on hosted websites on the cloud protection platform, the average credibility influence score of the IP segment in which the target IP is located is:
Figure FDA0002295944080000021
where $C_S$ is the average credibility influence score of the IP segment in which the target IP is located; $C_{Fi}$ is the credibility influence score of each IP in that segment that has initiated an attack on the target hosted website; $N$ is the number of IPs in that segment that have attacked the target hosted website;
Step D: the influence factors of the target IP's credibility comprise the credibility of the IP itself and the credibility score of the IP segment in which it is located; the weighted sum of the two influence factors is calculated to obtain the final credibility of the target IP, by the formula: $C = \lambda_1 C_F + \lambda_2 C_S$
where $C_F$ is the influence score of the IP's credibility; $C_S$ is the average credibility influence score of the IP segment in which the target IP is located; $\lambda_i$ is the weight of each dimension, with $\lambda_1 + \lambda_2 = 1$;
when the final credibility of the target IP is lower than 0.7, the cloud protection platform directly intercepts the target IP's access to the target hosted website through a real-time feedback mechanism.
Application

Application Number | Priority Date | Filing Date | Title
CN201710730912.8A | 2017-08-23 | 2017-08-23 | Website protection method based on IP credit rating scoring model of cloud protection (Active, granted as CN107370754B)

Publications (2)

Publication Number | Publication Date
CN107370754A | 2017-11-21
CN107370754B | 2020-04-07

Family ID: 60312398
Country Status: CN (1), CN107370754B (en)


Legal Events

Code | Title
PB01 | Publication
SE01 | Entry into force of request for substantive examination
CB02 | Change of applicant information
GR01 | Patent grant

CB02 details:
Address after: Zhejiang Zhongcai Building No. 68 Binjiang District road Hangzhou City, Zhejiang Province, the 310051 and 15 layer
Applicant after: Hangzhou Annan information technology Limited by Share Ltd
Address before: Zhejiang Zhongcai Building No. 68 Binjiang District road Hangzhou City, Zhejiang Province, the 310051 and 15 layer
Applicant before: Dbappsecurity Co.,ltd.