CN107404465A - Network data analysis method and server - Google Patents


Publication number: CN107404465A
Authority: CN (China)
Prior art keywords: attack, network, network address, attacker, log
Legal status: Granted (the status is an assumption as listed by Google Patents, not a legal conclusion)
Application number: CN201610341755.7A
Other languages: Chinese (zh)
Other versions: CN107404465B (en)
Inventors: 王海东, 李然, 宋加生
Current assignee: Alibaba Group Holding Ltd (as listed by Google Patents, without legal analysis)
Original assignee: Alibaba Group Holding Ltd
Events: application filed by Alibaba Group Holding Ltd; priority to CN201610341755.7A; publication of CN107404465A; application granted; publication of CN107404465B; current legal status: active

Classifications (CPC; all under H04L, transmission of digital information, e.g. telegraphic communication)

    • H04L63/1425 Traffic logging, e.g. anomaly detection (H04L63/00 network architectures or protocols for network security; H04L63/14 detecting or protecting against malicious traffic; H04L63/1408 by monitoring network traffic)
    • H04L41/0631 Management of faults, events, alarms or notifications using root cause analysis, or using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis (H04L41/00 maintenance, administration or management of data switching networks; H04L41/06 management of faults, events, alarms or notifications)
    • H04L63/0209 Architectural arrangements, e.g. perimeter networks or demilitarized zones (H04L63/02 separating internal from external traffic, e.g. firewalls)
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1458 Denial of Service
    • H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    • H04L63/1483 Countermeasures against service impersonation, e.g. phishing, pharming or web spoofing


Abstract

This application provides a network server monitoring method and system, and a network data analysis method and server. The network data analysis method includes: obtaining an initial network traffic log; based on the sender network address, recipient network address, request type and request send time in the initial network traffic log, dividing the initial network traffic log into an attack record table and a scan record table; and obtaining the attacker's network address from the attack record table and the scan record table and using the attacker's network address as attack alarm data. With the embodiments of this application, the IP address of the attacker can be accurately located on the premise that a honeypot server records the network response data it sends, thereby ensuring the security of network data transmission and storage.

Description

Network data analysis method and server
Technical field
This application relates to the field of Internet data processing, and in particular to a network data storage method and a network server, a network server monitoring method and monitoring system, and a network data analysis method and analysis server.
Background
At present, as users increasingly shop and carry out other transactions online, more and more of them are also subject to attacks by hackers and the like. If an attacker, posing as the victim, sends a large number of data processing requests to a server, the server mistakenly believes that the victim (the impersonated party) initiated the data processing and therefore sends the network response data to the victim, with the result that the victim is denied service.
Summary of the invention
The inventors found during their research that, in the prior art, an attacker launches the attack by forging the attacker's IP (Internet Protocol) address into the victim's IP address; the attack data captured on network devices at the victim's end are therefore packets with forged source addresses, and it is difficult to locate the IP address of the real attacker.
On this basis, this application provides a network data storage method, a network server monitoring method and a network data analysis method, so that the attacker's IP address can be accurately located on the premise that the server records its network response data, thereby ensuring the security of network data transmission and storage.
This application also provides a network server, a monitoring system and an analysis server, to ensure that the above methods can be realized and applied in practice.
This application discloses a network data analysis method, which includes:
Obtaining an initial network traffic log, wherein the initial network traffic log includes: the sender network address, the recipient network address, the request type and the request send time;
With reference to the sender network address, recipient network address, request type and request send time in the initial network traffic log, dividing the initial network traffic log into an attack record table and a scan record table, wherein the attack record table is used to store network traffic logs of the attack type and the scan record table is used to store network traffic logs of the scan type;
From the attack record table and the scan record table, obtaining the attacker's network address and using the attacker's network address as attack alarm data.
This application also discloses a network data analysis server, including:
An initial network traffic log obtaining module, for obtaining an initial network traffic log, wherein the initial network traffic log includes: the sender network address, the recipient network address, the request type and the request send time;
An initial network traffic log dividing module, for dividing the initial network traffic log into an attack record table and a scan record table based on the sender network address, recipient network address, request type and request send time in the initial network traffic log, wherein the attack record table is used to store network traffic logs of the attack type and the scan record table is used to store network traffic logs of the scan type;
An attack alarm data obtaining module, for obtaining the attacker's network address from the attack record table and the scan record table and using the attacker's network address as attack alarm data.
Compared with the prior art, this application has the following advantages:
In the embodiments of this application, network servers deployed in different regions can, by installing and configuring a specified network service, simulate real network servers exposed on the Internet. Once an attacker discovers such a network server by scanning, the attacker adds it to its attack program and attempts to launch an attack through it. The network server in this embodiment saves a network traffic log each time it sends network response data, so that every data processing request sent by the attacker and its response process is recorded. This makes it possible for the analysis server to analyze these network traffic logs afterwards and obtain attack alarm data such as the attacker's IP address, which ensures the security of network data transmission.
Further, the monitoring system monitors each independent network server deployed in it and can obtain the performance parameters of each network server, thereby ensuring its normal operation. When a performance parameter becomes abnormal, the network server can be adjusted accordingly, so that a network server that develops an anomaly can be repaired and can continue to store subsequent network data normally.
Further, the analysis server analyzes the network traffic logs saved by the network servers, so that the attacker and the attack process can be monitored accurately and the IP address of the attacker behind each attack can be determined; timely early warning can also be given for the assets to which the IP addresses involved belong, which ensures the security of network data processing.
Of course, a product implementing this application does not necessarily have to achieve all of the above advantages at the same time.
Brief description of the drawings
To explain the technical solutions in the embodiments of this application more clearly, the drawings needed for the description of the embodiments are briefly introduced below. The drawings described below are only some embodiments of this application; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow chart of the network data storage method of this application;
Fig. 2 is a diagram of the scenario architecture of this application in practical use;
Fig. 3 is a flow chart of an embodiment of the network server monitoring method of this application;
Fig. 4 is a flow chart of an embodiment of the network data analysis method of this application;
Fig. 5 is a structural block diagram of an embodiment of the network server of this application;
Fig. 6 is a structural block diagram of an embodiment of the monitoring system of this application;
Fig. 7 is a structural block diagram of an embodiment of the analysis server of this application.
Detailed description of the embodiments
The technical solutions in the embodiments of this application are described clearly and completely below with reference to the drawings. The described embodiments are only some, not all, of the embodiments of this application. All other embodiments obtained by those of ordinary skill in the art based on the embodiments in this application without creative effort fall within the scope of protection of this application.
Definitions:
DDoS (Distributed Denial of Service): a DDoS attack is formed when many DoS attack sources attack a server together. It refers to using client/server technology to join multiple computers together as an attack platform and launch DoS attacks against one or more targets, thereby multiplying the power of the denial-of-service attack.
Reflection DDoS attack, also called amplification attack: the attacker exploits the "defect" of network services built on connectionless UDP (User Datagram Protocol) that the source IP address is not checked for authenticity. The attacker forges the source address into the victim's IP address and sends a large number of request messages to a server; the server sends its response data to the forged (victim) IP address, and when the response packets are large enough the victim is denied service. The ratio between the size in bytes of the server's response and the size in bytes of the request packet forged by the attacker is called the BAF (Bandwidth Amplification Factor); the larger the amplification factor, the more effective the reflection attack. Network services commonly used to launch reflection DDoS attacks at present include DNS, SNMP, NTP and SSDP.
Network server: a general term for a server on the Internet that performs data processing. In the embodiments of this application the network server may be a honeypot (HoneyPot) server. In computing, a honeypot server mainly refers to a computer system that simulates a real computer environment in order to detect and discover real intrusion events and to record valuable attacker resources.
Scanner: a tool that uses the characteristics of a specific network protocol to probe the open ports of hosts on the Internet and confirm their service state.
Reflection attack features: used to determine the network traffic logs corresponding to the data processing requests sent when an attacker launches an attack. To determine the network traffic logs corresponding to a reflection attack accurately, three aspects can be considered: time, request type and server address. Accordingly, the reflection attack features can include an attack time feature, an attack type feature and an attack address feature.
TCP (Transmission Control Protocol) is a connection-oriented, reliable, byte-stream-based transport-layer communication protocol defined in IETF (Internet Engineering Task Force) RFC 793. In the simplified computer network OSI (Open System Interconnection) model it performs the functions specified for the fourth layer, the transport layer; UDP is another important transport protocol in the same layer.
DNS (Domain Name System): on the Internet, domain names correspond to IP addresses. Although domain names are easy for people to remember, machines can only recognise each other by IP address, and the conversion between the two is called domain name resolution. Domain name resolution is performed by a dedicated domain name resolution system, and DNS is that system.
NTP (Network Time Protocol) is a protocol for synchronising computer clocks. It allows a computer to synchronise with its server or with a clock source (such as a quartz clock or GPS) and provides highly accurate time correction (the deviation from the standard is less than 1 millisecond on a LAN and a few tens of milliseconds on a WAN), and it can prevent protocol attacks by means of cryptographic confirmation.
MAC (Media Access Control) address, also called the hardware address, is the address burned into the NIC (Network Interface Card). It consists of 48 bits (6 bytes) written as hexadecimal digits; bits 0-23 are called the organizationally unique identifier and identify the LAN node, and bits 24-47 are allocated by the manufacturer.
Referring to Fig. 1, a flow chart of an embodiment of the network data storage method of this application is shown. The method can be applied on each independent network server included in the monitoring system, and may include the following steps:
Step 101: according to a preset network protocol type, obtain the network response data that the network server sends in response to data processing requests.
In this embodiment the network server may be a honeypot server, and the following description takes a honeypot server as its example. The honeypot servers that make up the monitoring system can be deployed in advance according to different geographical locations or different Internet environments; to perceive reflection DDoS threats more accurately and comprehensively, the monitoring system can include multiple mutually independent honeypot servers. At present the countries in which DDoS attacks are most active include the United States, China, South Korea and Japan; for example, for each major city in China, one monitoring system can be deployed in that city's computer room, with multiple independent honeypot servers under it.
The monitoring system can be built from CentOS or Ubuntu servers. Depending on the protocol to be monitored (UDP, TCP, etc.), the honeypot servers need to install different service programs; for UDP, for example, a DNS service program or an NTP service program. According to these service programs the honeypot servers can be classified as DNS honeypot servers, NTP honeypot servers and so on, and it must be ensured that they run normally and provide service externally, i.e. that they can be detected by an attacker's scanner.
Fig. 2 shows the network architecture of an embodiment of this application in practical use. The monitoring system 20, in addition to multiple independent honeypot servers 202, can also include a monitoring device 201 that monitors each honeypot server. Assume in this embodiment that an attacker, in order to scan and probe the honeypot servers on the Internet, must send data processing requests to them, and that after obtaining the honeypot servers' IP addresses the attacker forges his own IP address into the victim's IP address and again sends a large number of data processing requests to these honeypot servers. The honeypot server responds both to the data processing requests sent during the scan and to those sent during the attack. For the data processing requests the attacker sends while scanning, the honeypot server sends the network response data to the attacker; for the data processing requests sent during the attack, because the attacker has forged the source as the victim's IP address, the honeypot server sends the network response data to the victim's IP address.
In this step, each honeypot server obtains, according to the preset network protocol type such as UDP or TCP (each honeypot server has a different service program installed when it is deployed), the network response data that it sends in response to data processing requests; for example, the network response data sent to the attacker and the network response data sent to the victim are all obtained in this step.
Step 102: extract from the network response data the network traffic information corresponding to each request, wherein the network traffic information includes: the sender network address, the request type, the recipient network address and the request send time.
After all the network response data have been obtained in step 101, the network traffic information corresponding to each data processing request can be extracted from those data. The network traffic information can include the sender network address, request type, recipient network address and request send time. The sender network address is the IP address of the honeypot server itself; the request type is the type of the data processing request the attacker sent to the network server, for example whether it is of UDP type or TCP type; the recipient network address is the recipient IP address to which the honeypot server sends the network response data, which in the case of a scan is the attacker's IP address and in the case of an attack is the victim's IP address; the request send time is the system time at which the data processing request was sent.
In a specific implementation, a monitoring program can be installed on each honeypot server to monitor the network response data and thereby obtain the network traffic information, for example the DNS protocol traffic of a DNS honeypot server or the NTP protocol traffic of an NTP honeypot server. Where each honeypot server runs Linux, the monitoring program can use the existing iptables firewall of Linux to record all network packets sent out from the honeypot server; the iptables firewall can forward network response data on a specified port and protocol and record each piece of network traffic information. Specifically, the honeypot server can be monitored by adding a rule such as:
iptables -A OUTPUT -p udp --sport 123 -j LOG --log-prefix "LOG_NTP_OUT" --log-level info
This rule means that the network traffic information of every packet sent out from port 123 of the honeypot server using the UDP protocol is recorded; when the network traffic information is subsequently saved as a network traffic log, the entries written by the LOG target can be found in the system log with "LOG_NTP_OUT" as their prefix.
Besides the sender network address, request type, recipient network address and request send time, the network traffic information can also include: the hostname of the honeypot server, the name of the process sending the network response data, the record prefix, the network interface of the honeypot server, the MAC address of the honeypot server, the protocol code, the priority of the network response data, the time-to-live of the network response data, the source port number and destination port number of the network response data, the protocol type, the window size, the protocol length, TCP flags, etc.
It will be understood that the same method can be used to extract network traffic information for the DNS protocol or the TCP protocol; only the sport parameter and the log prefix to be saved need to be changed.
Step 103: save the sender network address, recipient network address, request type and request send time as a network traffic log.
In step 103, the network traffic information obtained in step 102 is saved as the honeypot server's network traffic log. The network traffic log mainly includes the sender network address, recipient network address, request type and request send time.
Specifically, step 103 can include steps A1 and A2:
Step A1: save the sender network address, recipient network address, request type and request send time involved in one data processing request together as one network traffic log;
In this step, the content of the network traffic information can be saved as a network traffic log by parsing the log stream. From the network traffic information saved by the iptables firewall in step 102, the sender network address, recipient network address, request type and request send time involved in each data processing request are extracted, and the four are saved together as one network traffic log. The network traffic log can of course also include other content from the network traffic information, for example the honeypot server's hostname, the name of the process that sent the network response data, the honeypot server's MAC address, the source port number and destination port number of the network response data, the network packet length, etc.
Step A2: store each network traffic log corresponding to each data processing request on the local network server.
Each network traffic log is stored, as one scan record or attack record, on the honeypot server's local Apache web server, so that the analysis server 21 in Fig. 2 can subsequently analyze these network traffic logs to obtain the attacker's IP address and so on.
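As an added illustration of steps 102 to 103 (this is example code written for this page, not code from the patent or from the applicant): the Python below extracts the four mandatory fields from kernel log lines of the form written by the iptables LOG rule quoted above, and saves each response as one network traffic log record. The sample syslog lines are constructed for the example (RFC 5737 documentation addresses, with 198.51.100.10 playing the honeypot); the hostname, the LOG_DNS_OUT prefix, the year supplied to the timestamp and the JSON-lines storage format are assumptions. The field names SRC=, DST=, PROTO=, SPT=, DPT= and LEN= are the ones the LOG target really emits.

```python
import json
import re
from dataclasses import dataclass, asdict
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample of a honeypot's syslog: three lines written by the iptables LOG
# target (prefixes LOG_NTP_OUT / LOG_DNS_OUT) and one unrelated sshd line.
SAMPLE_KERNEL_LOG = """\
May 20 10:15:32 ntp-honeypot-1 kernel: [  314.159265] LOG_NTP_OUT IN= OUT=eth0 SRC=198.51.100.10 DST=203.0.113.5 LEN=476 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=123 DPT=42931 LEN=456
May 20 10:15:33 ntp-honeypot-1 kernel: [  315.000001] LOG_NTP_OUT IN= OUT=eth0 SRC=198.51.100.10 DST=192.0.2.77 LEN=476 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=123 DPT=123 LEN=456
May 20 10:15:33 ntp-honeypot-1 sshd[812]: Accepted publickey for ops from 198.51.100.2 port 50222 ssh2
May 20 10:15:34 ntp-honeypot-1 kernel: [  316.250000] LOG_DNS_OUT IN= OUT=eth0 SRC=198.51.100.10 DST=192.0.2.77 LEN=540 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=53 DPT=53 LEN=520
"""

# syslog timestamp, host, "kernel:", optional uptime stamp, the --log-prefix, then key=value fields
LOG_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) kernel: "
    r"(?:\[\s*[\d.]+\] )?(?P<prefix>LOG_[A-Z]+_OUT) (?P<fields>.*)$"
)


@dataclass(frozen=True)
class TrafficLog:
    """One network traffic log (step A1): the four mandatory fields plus some extras."""
    sender: str          # SRC=  the honeypot's own address
    recipient: str       # DST=  scanner during a scan, victim during an attack
    request_type: str    # PROTO= (UDP or TCP)
    send_time: datetime  # syslog timestamp of the response
    host: str
    prefix: str
    src_port: int
    dst_port: int
    length: int          # IP total length of the response packet


def _key_values(fields: str) -> Dict[str, str]:
    """Split 'K=V K=V ...'; the LOG target emits LEN= twice, keep the first (IP length)."""
    out: Dict[str, str] = {}
    for m in re.finditer(r"([A-Z]+)=(\S*)", fields):
        out.setdefault(m.group(1), m.group(2))
    return out


def parse_line(line: str, year: int = 2016) -> Optional[TrafficLog]:
    """Return a TrafficLog for an iptables LOG line, None for any other syslog line.
    syslog timestamps carry no year, so the caller supplies it (assumption)."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    kv = _key_values(m.group("fields"))
    if not {"SRC", "DST", "PROTO", "SPT", "DPT"}.issubset(kv):
        return None
    send_time = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return TrafficLog(
        sender=kv["SRC"], recipient=kv["DST"], request_type=kv["PROTO"],
        send_time=send_time, host=m.group("host"), prefix=m.group("prefix"),
        src_port=int(kv["SPT"]), dst_port=int(kv["DPT"]), length=int(kv.get("LEN", "0")),
    )


def extract_logs(syslog_text: str) -> List[TrafficLog]:
    """Step 102: one record per response the firewall logged; other lines are ignored."""
    return [r for r in (parse_line(l) for l in syslog_text.splitlines()) if r is not None]


def save_logs(records: List[TrafficLog], path: str) -> int:
    """Step A2: append the records to a local JSON-lines file for the analysis server to fetch."""
    with open(path, "a", encoding="utf-8") as fh:
        for r in records:
            row = asdict(r)
            row["send_time"] = r.send_time.isoformat()
            fh.write(json.dumps(row) + "\n")
    return len(records)


if __name__ == "__main__":
    for rec in extract_logs(SAMPLE_KERNEL_LOG):
        print(rec.send_time, rec.prefix, rec.sender, "->", rec.recipient, rec.request_type, rec.dst_port)
```

Two details matter when this is run against real output of the rule: the LOG target writes to the kernel ring buffer and from there to syslog, so the lines must be read from the system log (or journald) rather than from any iptables-specific directory, and the second LEN= field is the UDP length, which is why the parser keeps only the first occurrence.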
It can be seen that in the embodiments of this application, honeypot servers deployed in different regions can, by installing and configuring a specified network service, simulate real network servers exposed on the Internet. Once an attacker discovers a honeypot server by scanning, the attacker adds it to its attack program and attempts to launch a reflection DDoS attack through it. The honeypot server in this embodiment saves a network traffic log each time it sends network response data, so that every data processing request sent by the attacker and its response process is recorded. This makes it possible for the analysis server to analyze these network traffic logs afterwards and obtain data such as the attacker's IP address, which ensures the security of network data transmission.
Referring to Fig. 3, a flow chart of an embodiment of the honeypot server monitoring method of this application is shown. This embodiment can be applied in a monitoring system that includes multiple mutually independent honeypot servers and a monitoring device, and may include the following steps:
Step 301: the honeypot server obtains, according to the preset network protocol type, the network response data it sends in response to data processing requests; extracts from the network response data the network traffic information corresponding to each request; and saves the sender network address, recipient network address, request type and request send time as a network traffic log.
In this step the honeypot server stores network traffic logs according to the flow shown in Fig. 1. For the specific implementation, refer to the detailed description of the embodiment of Fig. 1, which is not repeated here.
Step 302: the monitoring device monitors the performance parameters of each honeypot server in the monitoring system, the performance parameters including: CPU usage, network traffic packet size, memory usage and/or the read/write state of disk input and output.
In this step, the monitoring device connected to each honeypot server is responsible for monitoring the running state of each honeypot server, for example by using Linux commands to monitor each honeypot server's CPU usage, network traffic packet size, memory usage and/or disk I/O read/write state. After the above performance parameters have been obtained for each honeypot server, they can also be stored in a specific file under the web server's system directory.
After step 302, the monitoring method can also include:
Step 303: when a performance parameter becomes abnormal, adjust the honeypot server according to the anomaly information of the performance parameter.
If a performance parameter monitored in step 302 becomes abnormal, the monitoring system can adjust the honeypot server according to the abnormal condition. For example, if memory usage is too high, the honeypot server can be taken offline for a period of time and then exposed on the network again for the attacker's scanners to probe. As another example, if a honeypot server's CPU usage suddenly reaches 100%, the honeypot server may have crashed and can be restarted.
In this embodiment, the monitoring system monitors each independent honeypot server deployed in it and can obtain each honeypot server's performance parameters, thereby ensuring their normal operation. When a performance parameter becomes abnormal, the honeypot server can be adjusted accordingly, so that a honeypot server with an anomaly can be repaired and continue to store subsequent network data normally.
Referring to Fig. 4, a flow chart of an embodiment of a honeypot-server-based network data analysis method of the present application is shown. This embodiment may be applied to the analysis server 21 connected to the monitoring system 20 in Fig. 2, and may include the following steps:
Step 401: obtain each initial network traffic log in turn from the multiple honeypot servers in the monitoring system.
In this step the analysis server, which is connected to the monitoring system, obtains from the multiple honeypot servers in the monitoring system the initial network traffic logs stored on each honeypot server's network server. The analysis server may, for example, fetch the initial network traffic logs from each honeypot server once every 30 seconds; this frequency can be adjusted dynamically by those skilled in the art according to the network state of the monitoring system. As introduced in the embodiment of Fig. 1, the network traffic logs read in this step may include: sender network address, recipient network address, request type and send request time, and may of course include other information from the network traffic log. Each initial network traffic log obtained in this step may be stored as one set of attack metadata in a MySQL database of the analysis server. Two data tables may be maintained in that database: an attack record table for storing network traffic logs of the attack type, and a scan record table for storing network traffic logs of the scan type.
Step 402: based on the sender network address, recipient network address, request type and send request time in the initial network traffic logs, divide the initial network traffic logs into the attack record table and the scan record table.
The analysis server then performs cluster analysis on the initial network traffic logs saved in the MySQL database, using the network traffic information they contain, so as to divide each initial network traffic log into either the attack record table or the scan record table.
Specifically, this step may include:
Step B1: obtain the network traffic logs to be analysed, namely those whose send request times differ by no more than a preset time threshold, whose sender network addresses differ and whose recipient network address is the same.
First, the differences between the send request times of the initial network traffic logs are obtained from the MySQL database. Then the initial network traffic logs whose time difference lies within the preset time threshold, and whose sender network addresses differ while their recipient network address is the same, are taken as the network traffic logs to be analysed. Different sender network addresses indicate that the corresponding network response data was sent by different honeypot servers, so "different sender network addresses, same recipient network address" means that different honeypot servers sent network response data to the same destination host address. The preset time threshold is a time value set in advance by those skilled in the art, for example one hour; the specific value can be adjusted freely by those skilled in the art.
Step B2: judge whether the number of network traffic logs to be analysed exceeds a preset count threshold; if so, go to step B3, otherwise go to step B4.
Next, it is judged whether the number of network traffic logs to be analysed exceeds the preset count threshold. This threshold is likewise a value set in advance by those skilled in the art, for example 2 entries, and its specific value can be adjusted freely.
Step B3: determine the network traffic logs to be analysed whose number exceeds the preset count threshold to be attack logs, and save the attack logs to the attack record table.
When the number of network traffic logs to be analysed exceeds 2, the host corresponding to the destination network address in those logs is considered to be under a reflection-type DDoS attack, so those logs are saved to the attack record table of the MySQL database. Each attack log in the attack record table may contain: send request time, request type, recipient network address and sender network address. In an attack log the sender network address is the address of a honeypot server, while the recipient network address is the address of the attacked party, which the attacker spoofed as the source of its requests.
Step B4: determine the network traffic logs to be analysed whose number does not exceed the preset count threshold to be scan logs, and save the scan logs to the scan record table.
When the number of network traffic logs to be analysed does not exceed 2, the host corresponding to the destination network address in those logs is considered to be merely initiating protocol scans, so those logs are saved to the scan record table of the MySQL database. Each scan log in the scan record table may likewise contain: send request time, request type, recipient network address and sender network address. In a scan log the sender network address is again the address of a honeypot server, while the recipient network address is the attacker's real network address: a scanner must receive the response to learn anything about the honeypot, so it cannot spoof its source address, whereas a reflection attack deliberately spoofs the victim's address and never sees the response.
Step 403: obtain the attacker network address and the attacked-party network address from the attack record table and the scan record table as attack alarm data.
Because the recipient network address in a scan log is the attacker's real network address, while the recipient network address in an attack log is the attacked-party network address spoofed by the attacker, the attacker network address and the attacked-party network address can be extracted as attack alarm data from the attack logs in the attack record table together with the scan logs in the scan record table.
Specifically, this step may include steps C1 and C2:
Step C1: extract, from the attack record table and the scan record table, the attack logs and scan logs that satisfy a preset reflection attack feature.
The reflection attack feature is used to determine the network traffic logs corresponding to the data processing requests of a reflection attack; specifically, it may include an attack time feature, an attack type feature and an attack address feature. In this step the attack record table and the scan record table of the MySQL database are correlated in time: from the reflection attack traffic logs and reflection scan traffic logs saved in the two tables, the target network traffic logs that satisfy the preset attack time feature, attack type feature and attack address feature are extracted.
Specifically, step C1 may include steps D1 to D4:
Step D1: judge whether the send request times in an attack log and a scan log satisfy a preset attack time threshold; if so, go to step D2.
First, to judge whether an attack log and a scan log satisfy the attack time feature, an attack time threshold can be set in advance, and it is then judged whether the send request time of the attack log and that of the scan log satisfy the threshold, for example whether both fall on the same day. Those skilled in the art may of course adjust the attack time threshold freely.
Step D2: judge whether the request types of the attack log and the scan log are the same; if so, go to step D3.
Second, if the attack time feature is satisfied, it is judged whether the attack type feature is satisfied; if the attack time threshold is not satisfied, the subsequent steps are not performed. To judge whether the attack type feature is satisfied, it is checked whether the request type in the attack log, for example DNS reflection or NTP reflection, is the same as the request type in the scan log, for example DNS scan or NTP scan.
Step D3: judge whether the sender network addresses in the attack log and the scan log are the same; if so, go to step D4.
Third, if the attack type feature is satisfied, it is judged whether the attack address feature is satisfied; if the request types differ, the subsequent steps are not performed. To judge whether the attack address feature is satisfied, it is checked whether the sender network address in the attack network traffic log is the same as the sender network address in the scan network traffic log, that is, whether the same honeypot server produced both logs.
Step D4: determine the corresponding scan network traffic log and attack network traffic log to be target network traffic logs.
If the results of steps D1 to D3 are all yes, the corresponding scan log and attack log are determined to be target network traffic logs.
The order of the judgements in steps D1, D2 and D3 is of course not limited to the above; those skilled in the art may freely rearrange the relationship between the three steps, and the target network traffic logs are determined when all final judgement results are yes.
Step C2: analyse the attack logs and scan logs to obtain the attacker network address and the attacked-party network address as attack alarm data.
The attack logs and scan logs determined in step C1 are analysed to obtain the attack alarm data, which may include the attacker network address and the attacked-party network address. In practical applications the attack alarm data may also include the send request time and the request type: the send request time indicates when the attacker launched the attack, and the request type indicates what kind of attack it was.
Specifically, step C2 may be implemented by steps E1 and E2:
Step E1: obtain the recipient network address in the scan network traffic log as the attacker network address, and the recipient network address in the attack network traffic log as the attacked-party network address.
For a scan network traffic log, the recorded recipient network address is the address to which the honeypot server sent its network response data; in the scan case this is the attacker's own IP address, so the recipient network address of the scan log is taken as the attacker network address. For an attack network traffic log, the attacker has forged the attacked party's IP address as its own, so the recipient network address to which the honeypot server sent its network response data is the IP address of the party the attacker wants to attack, that is, the attacked-party network address.
Step E2: combine the attacker network address, attacked-party network address, send request time and request type into attack alarm data.
The attacker network address, attacked-party network address, send request time and request type are then combined into one item of attack alarm data, which records the address information associated with both the attacker and the attacked party.
Further, after step 403 the method may also include:
Step 404: send the attack alarm data to a front-end display interface for display.
Steps 401 to 403 are the data analysis process carried out in the back end of the analysis server. After the attack alarm data has been obtained, it may also be sent to the front end of the analysis server and displayed, for example in log form, on a display interface such as a real-time attack monitoring web management interface, so that the content of the attack alarm data can be grasped directly.
Further, after step 403 the method may also include:
Step F: for the same attacked-party network address, judge whether more than a preset attack count of network servers in the monitoring system have initiated data processing requests to that attacked-party network address; if so, send the attack alarm data to the attacked-party network address as an alert.
For the same attacked-party IP address, when more than a preset attack count of honeypot servers in the monitoring system have sent responses to that attacked-party IP address, the attack alarm data may be sent to that IP address to serve as an alert. For example, suppose 100 honeypot servers are deployed in the monitoring system; when more than 50 of them are found to be sending traffic to the same attacked-party IP address, the attack is considered serious and an early warning can be issued to the asset owner of that IP address. The specific value of the preset attack count can of course be set independently by those skilled in the art.
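The following Python is an added example, not code from the patent or from Alibaba. It runs steps B1 to B4 of step 402 (partitioning into the attack and scan tables), steps D1 to D3 and E1 to E2 of step 403 (correlating the two tables into attack alarm data) and step F (deciding which attacked addresses deserve a warning) over a constructed set of honeypot traffic logs. The addresses and timestamps, the one-hour grouping window, the count threshold of 2 and the honeypot count threshold are assumptions chosen for the example; the MySQL tables are replaced by in-memory lists, and a group is measured by its number of distinct honeypot senders, which is the reading of "different sender addresses, same recipient address" in step B1 that the example adopts.

```python
"""Steps 402 (B1-B4), 403 (D1-D3, E1-E2) and F over constructed honeypot logs.

Added example; addresses, timestamps and thresholds are assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class TrafficLog:
    sender: str          # sender network address: the honeypot that sent the response
    recipient: str       # recipient network address: where the response went
    request_type: str    # e.g. "DNS" or "NTP"
    sent_at: datetime    # send request time


@dataclass(frozen=True)
class Alarm:
    attacker: str        # real address, taken from the scan log (E1)
    victim: str          # spoofed address, taken from the attack log (E1)
    request_type: str
    sent_at: datetime


def partition_logs(logs, window=timedelta(hours=1), count_threshold=2):
    """Step 402: logs with the same recipient whose send times lie within `window`
    form one group. More than `count_threshold` distinct honeypots answering the
    same address means a reflected flood at a spoofed victim (attack table);
    otherwise the recipient is a scanner using its real address (scan table)."""
    attack_table, scan_table = [], []
    by_recipient = defaultdict(list)
    for log in logs:
        by_recipient[log.recipient].append(log)
    for group in by_recipient.values():
        group.sort(key=lambda entry: entry.sent_at)
        cluster = []
        for entry in group:
            if cluster and entry.sent_at - cluster[0].sent_at > window:
                _classify(cluster, attack_table, scan_table, count_threshold)
                cluster = []
            cluster.append(entry)
        _classify(cluster, attack_table, scan_table, count_threshold)
    return attack_table, scan_table


def _classify(cluster, attack_table, scan_table, count_threshold):
    honeypots = {entry.sender for entry in cluster}
    (attack_table if len(honeypots) > count_threshold else scan_table).extend(cluster)


def correlate(attack_table, scan_table, time_threshold=timedelta(days=1)):
    """Step 403: pair attack logs with scan logs within `time_threshold` (D1), of
    the same request type (D2) and from the same honeypot (D3); the scan log's
    recipient is the attacker and the attack log's recipient the victim (E1, E2)."""
    alarms = set()
    for atk in attack_table:
        for scan in scan_table:
            if abs(atk.sent_at - scan.sent_at) > time_threshold:
                continue
            if atk.request_type != scan.request_type:
                continue
            if atk.sender != scan.sender:
                continue
            alarms.add(Alarm(scan.recipient, atk.recipient, atk.request_type, atk.sent_at))
    return sorted(alarms, key=lambda a: (a.sent_at, a.attacker, a.victim))


def victims_to_notify(attack_table, honeypot_threshold):
    """Step F: victims that more than `honeypot_threshold` distinct honeypots have
    answered, i.e. the attack is large enough to warn the address owner."""
    honeypots_per_victim = defaultdict(set)
    for atk in attack_table:
        honeypots_per_victim[atk.recipient].add(atk.sender)
    return sorted(v for v, hps in honeypots_per_victim.items() if len(hps) > honeypot_threshold)


# Constructed sample logs (not captured traffic).
T0 = datetime(2016, 5, 20, 10, 0)
HP = ("198.51.100.1", "198.51.100.2", "198.51.100.3")       # honeypot addresses
SAMPLE_LOGS = [
    # reflected DNS flood: three honeypots answer the spoofed victim within minutes
    TrafficLog(HP[0], "203.0.113.10", "DNS", T0 + timedelta(minutes=5)),
    TrafficLog(HP[1], "203.0.113.10", "DNS", T0 + timedelta(minutes=6)),
    TrafficLog(HP[2], "203.0.113.10", "DNS", T0 + timedelta(minutes=7)),
    # the attacker's earlier DNS probe of one honeypot from its real address
    TrafficLog(HP[0], "192.0.2.77", "DNS", T0 - timedelta(hours=2)),
    # an unrelated NTP probe of another honeypot
    TrafficLog(HP[1], "192.0.2.88", "NTP", T0 + timedelta(minutes=30)),
]


def analyse(logs=SAMPLE_LOGS, honeypot_threshold=2):
    attack_table, scan_table = partition_logs(logs)
    alarms = correlate(attack_table, scan_table)
    return attack_table, scan_table, alarms, victims_to_notify(attack_table, honeypot_threshold)


if __name__ == "__main__":
    attack_table, scan_table, alarms, victims = analyse()
    print(f"{len(attack_table)} attack logs, {len(scan_table)} scan logs")
    print("alarms:", alarms)
    print("notify asset owners of:", victims)
```

On the sample data the three DNS responses to 203.0.113.10 land in the attack table, the two probes in the scan table, and the only pairing that survives D1 to D3 links the scan from 192.0.2.77 (real address) to the flood against 203.0.113.10 (spoofed victim); the NTP probe of a different honeypot is rejected at D2. The correlation is quadratic in the table sizes, which is acceptable for logs fetched every 30 seconds but would need indexing by (sender, request_type) at larger volumes.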
Further, when the network traffic logs and the attack alarm data also include destination port information, the method may also include, after step 403:
Step G: generate attack defence information according to the destination port information.
In this embodiment the network traffic logs and the attack alarm data may also carry destination port information, for example port 56; the analysis server can then generate attack defence information from that port number so that the attacker's attack through that port can be blocked.
It can be seen that in the embodiments of the present application the network traffic logs saved by the honeypot servers can be analysed so as to monitor reflection-type DDoS attacks accurately as they happen, to determine the IP address of the attacker behind a reflection-type DDoS attack, and to issue a timely early warning to the asset owner of the attacked IP address, which improves the security of network data processing.
For the sake of brevity, the foregoing method embodiments are described as a series of combined actions, but those skilled in the art should understand that the present application is not limited by the described order of actions, since according to the present application some steps may be performed in another order or simultaneously. Those skilled in the art should also understand that the embodiments described in this specification are preferred embodiments, and that the actions and modules involved are not necessarily required by the present application.
Corresponding to the network data storage method embodiment provided above, and referring to Fig. 5, the present application also provides a honeypot server embodiment. In this embodiment the honeypot server may include:
a network response data obtaining module 501 for obtaining, according to a preset network protocol type, the network response data sent by the honeypot server in response to a data processing request;
a network traffic information extracting module 502 for extracting from the network response data the network traffic information corresponding to each request, where the network traffic information includes: sender network address, request type, recipient network address and send request time;
a saving module 503 for saving the sender network address, recipient network address, request type and send request time as a network traffic log.
The saving module 503 may specifically include:
a first saving submodule for saving the sender network address, recipient network address, request type and send request time related to one data processing request as one network traffic log; and a second saving submodule for storing each network traffic log corresponding to each data processing request on the local network server.
It can be seen that the honeypot servers deployed in different regions in this embodiment simulate real network servers, by installing and configuring a specified network server, and are exposed on the Internet. Once an attacker discovers a honeypot server by scanning, it adds the honeypot server to its attack list and attempts to launch a reflection-type DDoS attack through it. The honeypot server in this embodiment saves a network traffic log each time it sends network response data, so that every data processing request sent by an attacker and its response process are recorded, and the analysis server can subsequently analyse these network traffic logs to obtain related data such as the attacker's IP address, which improves the security of network data transmission.
Corresponding to the honeypot server monitoring method embodiment provided above, and referring to Fig. 6, the present application also provides a monitoring system embodiment. In this embodiment the monitoring system may include a monitoring device and multiple honeypot servers as shown in Fig. 5. The monitoring device 201 monitors the performance parameters of each honeypot server in the monitoring system, the performance parameters including: CPU occupancy, network traffic packet size, memory occupancy and/or disk input/output read-write state.
The honeypot server may further include an adjusting module 601 for adjusting the honeypot according to the anomaly information of a performance parameter when that performance parameter becomes abnormal.
It can be seen that the monitoring system of this embodiment monitors each independently deployed honeypot server and obtains its performance parameters, thereby ensuring the normal operation of each honeypot server; when a performance parameter becomes abnormal, the honeypot server can be adjusted accordingly, so that a honeypot server that experiences an anomaly can be repaired and can continue to store subsequent network data normally.
Corresponding to the network data analysis method embodiment provided above, and referring to Fig. 7, the present application also provides an embodiment of a honeypot-server-based network data analysis server. In this embodiment the analysis server is connected to the monitoring system shown in Fig. 7, and the network data analysis server may include:
an initial network traffic log obtaining module 701 for obtaining each initial network traffic log in turn from the multiple honeypot servers in the monitoring system;
an initial network traffic log dividing module 702 for dividing the initial network traffic logs into an attack record table and a scan record table based on the sender network address, recipient network address, request type and send request time in the initial network traffic logs, where the attack record table is used to store network traffic logs of the attack type and the scan record table is used to store network traffic logs of the scan type.
The initial network traffic log dividing module may specifically include:
a to-be-analysed log obtaining submodule for obtaining the network traffic logs to be analysed, namely those whose send request times differ by no more than a preset time threshold, whose sender network addresses differ and whose recipient network address is the same; a first judging submodule for judging whether the number of network traffic logs to be analysed exceeds a preset count threshold; a first determining submodule for determining, when the result of the first judging submodule is yes, the network traffic logs to be analysed whose number exceeds the preset count threshold to be attack logs; a first saving submodule for saving the attack logs determined by the first determining submodule to the attack record table; a second determining submodule for determining, when the result of the first judging submodule is no, the network traffic logs to be analysed whose number does not exceed the preset count threshold to be scan logs; and a second saving submodule for saving the scan logs determined by the second determining submodule to the scan record table.
an attack alarm data obtaining module 703 for obtaining the attacker network address and the attacked-party network address from the attack record table and the scan record table as attack alarm data.
The attack alarm data obtaining module 703 may specifically include:
a log extracting submodule for extracting, from the attack record table and the scan record table, the attack logs and scan logs that satisfy a preset attack feature; and a log analysing submodule for analysing the attack logs and scan logs to obtain the attacker network address and the attacked-party network address as attack alarm data.
The log extracting submodule may specifically be used for:
extracting, from the attack record table and the scan record table, the target network traffic logs that satisfy a preset attack time feature, attack type feature and attack address feature.
The log extracting submodule may specifically include:
a second judging submodule for judging whether the send request times in the attack network traffic log and the scan network traffic log satisfy a preset attack time threshold; a third judging submodule for judging, when the result of the second judging submodule is yes, whether the request types of the attack network traffic log and the scan network traffic log are the same; a fourth judging submodule for judging, when the result of the third judging submodule is yes, whether the sender network addresses in the attack network traffic log and the scan network traffic log are the same; and a third determining submodule for determining, when the result of the fourth judging submodule is yes, the corresponding scan network traffic log and attack network traffic log to be target network traffic logs.
The log analysing submodule may specifically include:
an address obtaining submodule for obtaining the recipient network address in the scan network traffic log as the attacker network address and the recipient network address in the attack network traffic log as the attacked-party network address; and a combining submodule for combining the attacker network address, attacked-party network address, send request time and request type into attack alarm data.
The analysis server may also include:
a first attack alarm data sending module 704 for sending the attack alarm data to a front-end display interface for display.
The analysis server may also include:
a judging module for judging, for the same attacked-party network address, whether more than a preset attack count of network servers in the monitoring system have initiated data processing requests to that attacked-party network address; and a second attack alarm data sending module for sending, when the result of the judging module is yes, the attack alarm data to the attacked-party network address as an alert.
When the network traffic logs and the attack alarm data also include destination port information, the analysis server may also include:
an attack defence information generating module for generating attack defence information according to the destination port information.
It can be seen that in the embodiments of the present application the network traffic logs saved by the honeypot servers can be analysed so as to monitor reflection-type DDoS attacks accurately as they happen, to determine the IP address of the attacker behind a reflection-type DDoS attack, and to issue a timely early warning to the asset owner of the attacked IP address, which improves the security of network data transmission and storage.
It should be noted that the embodiments in this specification are described progressively; each embodiment focuses on its differences from the other embodiments, and the same or similar parts of the embodiments may be referred to one another. Since the device embodiments are substantially similar to the method embodiments, they are described more briefly, and the relevant parts may be found in the description of the method embodiments.
Finally, it should also be noted that relational terms such as first and second are used herein only to distinguish one entity or operation from another, and do not necessarily require or imply any such actual relationship or order between these entities or operations. Moreover, the terms "comprising", "including" or any other variant thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or device comprising a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article or device. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of other identical elements in the process, method, article or device that comprises that element.
The network data analysis method and server provided by the present application have been described in detail above. Specific examples have been used herein to explain the principles and embodiments of the present application, and the description of the above embodiments is only intended to help understand the method and core idea of the present application. Meanwhile, those of ordinary skill in the art will, according to the idea of the present application, make changes in the specific embodiments and the scope of application. In summary, the content of this specification should not be construed as limiting the present application.

Claims (16)

  1. A network data analysis method, characterized in that the method comprises:
    obtaining initial network traffic logs, wherein the initial network traffic logs include: sender network address, recipient network address, request type and send request time;
    dividing the initial network traffic logs into an attack record table and a scan record table based on the sender network address, recipient network address, request type and send request time of the initial network traffic logs, wherein the attack record table is used to store network traffic logs belonging to the attack type and the scan record table is used to store network traffic logs belonging to the scan type;
    obtaining an attacker network address and an attacked-party network address from the attack record table and the scan record table as attack alarm data.
  2. The method according to claim 1, characterized in that dividing each initial network traffic log into the attack record table and the scan record table based on the sender network address, recipient network address, request type and send request time of the initial network traffic log comprises:
    obtaining the network traffic logs to be analysed, namely those whose send request times differ by no more than a preset time threshold, whose sender network addresses differ and whose recipient network address is the same;
    judging whether the number of network traffic logs to be analysed exceeds a preset count threshold; if so, determining the network traffic logs to be analysed whose number exceeds the preset count threshold to be attack logs, and saving the attack logs to the attack record table;
    if not, determining the network traffic logs to be analysed whose number does not exceed the preset count threshold to be scan logs, and saving the scan logs to the scan record table.
  3. The method according to claim 1, characterized in that obtaining the attacker network address and the attacked-party network address from the attack record table and the scan record table as attack alarm data comprises:
    extracting, from the attack record table and the scan record table, the attack logs and scan logs that satisfy a preset attack feature;
    analysing the attack logs and scan logs to obtain the attacker network address and the attacked-party network address as attack alarm data.
  4. The method according to claim 3, characterized in that extracting, from the attack record table and the scan record table, the target network traffic logs that satisfy a preset reflection attack feature comprises:
    extracting, from the attack record table and the scan record table, the target network traffic logs that satisfy a preset attack time feature, attack type feature and attack address feature.
  5. The method according to claim 4, characterized in that extracting, from the attack record table and the scan record table, the target network traffic logs that satisfy the preset attack time feature, attack type feature and attack address feature comprises:
    judging whether the send request times in the attack log and the scan log satisfy a preset attack time threshold;
    if so, judging whether the request types of the attack log and the scan log are the same;
    if so, judging whether the sender network addresses in the attack log and the scan log are the same;
    if so, determining the corresponding scan log and attack log to be target network traffic logs.
  6. The method according to claim 3, characterized in that the attack alarm data further includes a send request time and a request type, and analysing the attack logs and scan logs to obtain the attacker network address and the attacked-party network address as attack alarm data comprises:
    obtaining the recipient network address in the scan log as the attacker network address, and the recipient network address in the attack log as the attacked-party network address;
    combining the attacker network address, attacked-party network address, send request time and request type into attack alarm data.
  7. The method according to claim 1, characterized in that it further comprises:
    sending the attack alarm data to a front-end display interface for display.
  8. The method according to claim 1, characterized in that it further comprises:
    for the same attacked-party network address, judging whether more than a preset attack count of network servers have initiated data processing requests to the attacked-party network address; if so, sending the attack alarm data to the attacked-party network address as an alert.
  9. A network data analysis server, characterised by comprising:
    An initial-network-traffic-log acquisition module, for acquiring initial network traffic logs; wherein the initial network traffic logs comprise: a sender network address, a recipient network address, a request type and a send request time;
    An initial-network-traffic-log division module, for dividing the initial network traffic logs into an attack record table and a scan record table based on the sender network address, recipient network address, request type and send request time in the initial network traffic logs; wherein the attack record table is used to store network traffic logs belonging to the attack type, and the scan record table is used to store network traffic logs belonging to the scan type;
    An attack-alarm-data acquisition module, for obtaining, from the attack record table and the scan record table, the attacker network address and the attacked-party network address as attack alarm data.
  10. The server according to claim 9, characterised in that the initial-network-traffic-log division module comprises:
    A to-be-analysed-log acquisition submodule, for obtaining to-be-analysed network traffic logs whose send request times differ by no more than a preset time threshold, whose sender network addresses differ and whose recipient network addresses are identical;
    A first judging submodule, for judging whether the number of entries of the to-be-analysed network traffic logs is greater than a preset entry-count threshold;
    A first determining submodule, for determining, when the result of the first judging submodule is yes, the to-be-analysed network traffic logs exceeding the preset entry-count threshold as attack logs;
    A first saving submodule, for saving the attack logs determined by the first determining submodule to the attack record table;
    A second determining submodule, for determining, when the result of the first judging submodule is no, the to-be-analysed network traffic logs not exceeding the preset entry-count threshold as scan logs;
    A second saving submodule, for saving the scan logs determined by the second determining submodule to the scan record table.
  11. The server according to claim 10, characterised in that the attack-alarm-data acquisition module comprises:
    A log extraction submodule, for extracting, from the attack record table and the scan record table, attack logs and scan logs that meet a preset attack feature;
    A log analysis submodule, for analysing the attack logs and the scan logs to obtain the attacker network address and the attacked-party network address as attack alarm data.
  12. The server according to claim 11, characterised in that the log extraction submodule is specifically used for:
    Extracting, from the attack record table and the scan record table, target network traffic logs that meet a preset attack time feature, attack type feature and attack address feature.
  13. The server according to claim 12, characterised in that the log extraction submodule specifically comprises:
    A second judging submodule, for judging whether the send request times in the attack logs and the scan logs meet a preset attack time threshold;
    A third judging submodule, for judging, when the result of the second judging submodule is yes, whether the request types of the attack logs and the scan logs are identical;
    A fourth judging submodule, for judging, when the result of the third judging submodule is yes, whether the sender network addresses in the attack logs and the scan logs are identical;
    A third determining submodule, for determining, when the result of the fourth judging submodule is yes, the corresponding scan logs and attack logs as target network traffic logs.
  14. The server according to claim 11, characterised in that the log analysis submodule comprises:
    An address acquisition submodule, for obtaining the recipient network address in the scan logs as the attacker network address, and the recipient network address in the attack logs as the attacked-party network address;
    A combining submodule, for combining the attacker network address, the attacked-party network address, the send request time and the request type into attack alarm data.
  15. The server according to claim 9, characterised by further comprising:
    A first attack-alarm-data sending module, for sending the attack alarm data to a front-end display interface for display.
  16. The server according to claim 9, characterised by further comprising:
    A judging module, for judging, for the same attacked-party network address, whether more than a preset attack number of network servers have initiated data processing requests to the attacked-party network address;
    A second attack-alarm-data sending module, for sending, when the result of the judging module is yes, the attack alarm data to the attacked-party network address as an alert.
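The following Python script is an added worked example of the pipeline the claims describe, not code from the patent or its assignee. It implements the division step of claims 9 and 10 (group logs by identical recipient and differing senders within a time window, then split by an entry-count threshold into an attack table and a scan table), the three-stage correlation of claims 5 and 13 (time threshold, identical request type, identical sender), the alarm construction of claims 6 and 14 (attacker = recipient in the scan log, attacked party = recipient in the attack log), and the per-victim check of claims 8 and 16. All thresholds, the use of distinct senders as the entry count, the interpretation of "network servers" in claim 8 as the distinct attacker addresses in the alarm data, and the sample addresses and timestamps are assumptions made for this example; the log records are constructed.

```python
"""Log partitioning and correlation as described in the claims (added example)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class TrafficLog:
    """One initial network traffic log entry (the four fields named in claim 9)."""
    sender: str
    recipient: str
    request_type: str
    request_time: int  # seconds; constructed sample values below


def _classify_bucket(bucket, count_threshold, attack_table, scan_table):
    # Assumption: the "number of entries" of claim 10 is the number of distinct senders,
    # since the to-be-analysed logs are those whose sender addresses differ.
    if len({entry.sender for entry in bucket}) > count_threshold:
        attack_table.extend(bucket)
    else:
        scan_table.extend(bucket)


def partition_logs(logs, window, count_threshold):
    """Claims 9/10: split logs into an attack table and a scan table.

    Logs with the same recipient whose send request times fall within `window`
    seconds of the first entry of the group are analysed together.
    """
    attack_table, scan_table = [], []
    by_recipient = defaultdict(list)
    for log in logs:
        by_recipient[log.recipient].append(log)
    for group in by_recipient.values():
        group.sort(key=lambda entry: entry.request_time)
        bucket = []
        for entry in group:
            if bucket and entry.request_time - bucket[0].request_time > window:
                _classify_bucket(bucket, count_threshold, attack_table, scan_table)
                bucket = []
            bucket.append(entry)
        if bucket:
            _classify_bucket(bucket, count_threshold, attack_table, scan_table)
    return attack_table, scan_table


def extract_target_logs(attack_table, scan_table, time_threshold):
    """Claims 5/13: keep (scan, attack) pairs that pass all three checks in order."""
    pairs = []
    for attack in attack_table:
        for scan in scan_table:
            if abs(attack.request_time - scan.request_time) > time_threshold:
                continue  # attack time feature not met
            if attack.request_type != scan.request_type:
                continue  # attack type feature not met
            if attack.sender != scan.sender:
                continue  # attack address feature not met
            pairs.append((scan, attack))
    return pairs


def build_alarm_data(pairs):
    """Claims 6/14: attacker is the scan-log recipient, attacked party the attack-log recipient."""
    return [
        {
            "attacker": scan.recipient,
            "attacked": attack.recipient,
            "request_time": attack.request_time,
            "request_type": attack.request_type,
        }
        for scan, attack in pairs
    ]


def attacked_addresses_to_alert(alarms, attack_number):
    """Claims 8/16: attacked addresses contacted by more than `attack_number` distinct sources."""
    sources = defaultdict(set)
    for alarm in alarms:
        sources[alarm["attacked"]].add(alarm["attacker"])
    return sorted(addr for addr, srcs in sources.items() if len(srcs) > attack_number)


def sample_logs():
    """Constructed sample: four senders hit 10.0.0.5 in a burst; a few reach other hosts."""
    return [
        TrafficLog("198.51.100.1", "10.0.0.5", "query", 100),
        TrafficLog("198.51.100.2", "10.0.0.5", "query", 101),
        TrafficLog("198.51.100.3", "10.0.0.5", "query", 102),
        TrafficLog("198.51.100.4", "10.0.0.5", "query", 103),
        TrafficLog("198.51.100.1", "203.0.113.7", "query", 99),    # correlates with entry 1
        TrafficLog("198.51.100.2", "203.0.113.7", "other", 100),   # request type differs
        TrafficLog("198.51.100.3", "203.0.113.8", "query", 102),   # correlates with entry 3
        TrafficLog("198.51.100.4", "203.0.113.8", "query", 150),   # outside the time threshold
    ]


def run_pipeline(logs, window=10, count_threshold=3, time_threshold=5, attack_number=1):
    attack_table, scan_table = partition_logs(logs, window, count_threshold)
    alarms = build_alarm_data(extract_target_logs(attack_table, scan_table, time_threshold))
    return alarms, attacked_addresses_to_alert(alarms, attack_number)


if __name__ == "__main__":
    alarms, to_alert = run_pipeline(sample_logs())
    for alarm in alarms:
        print(alarm)
    print("alert:", to_alert)
```

With the constructed input, the burst against 10.0.0.5 lands in the attack table, the remaining entries in the scan table, and two (scan, attack) pairs survive the three checks, so the alarm data names 203.0.113.7 and 203.0.113.8 as attacker addresses for the attacked party 10.0.0.5; with `attack_number=1` that address is flagged for alerting.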
CN201610341755.7A 2016-05-20 2016-05-20 Network data analysis method and server Active CN107404465B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610341755.7A CN107404465B (en) 2016-05-20 2016-05-20 Network data analysis method and server

Publications (2)

Publication Number Publication Date
CN107404465A true CN107404465A (en) 2017-11-28
CN107404465B CN107404465B (en) 2020-08-04

Family

ID=60389376

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610341755.7A Active CN107404465B (en) 2016-05-20 2016-05-20 Network data analysis method and server

Country Status (1)

Country Link
CN (1) CN107404465B (en)

Cited By (24)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108512694A (en) * 2018-03-05 2018-09-07 北京信安世纪科技股份有限公司 A kind of method and device of server log analysis
CN108769071A (en) * 2018-07-02 2018-11-06 腾讯科技(深圳)有限公司 attack information processing method, device and internet of things honey pot system
CN109194680A (en) * 2018-09-27 2019-01-11 腾讯科技(深圳)有限公司 A kind of network attack identification method, device and equipment
CN109302426A (en) * 2018-11-30 2019-02-01 东软集团股份有限公司 Unknown loophole attack detection method, device, equipment and storage medium
CN109302390A (en) * 2018-09-21 2019-02-01 郑州云海信息技术有限公司 A kind of leak detection method and device
CN109347881A (en) * 2018-11-30 2019-02-15 东软集团股份有限公司 Network protection method, apparatus, equipment and storage medium based on network cheating
CN109696892A (en) * 2018-12-21 2019-04-30 上海瀚之友信息技术服务有限公司 A kind of Safety Automation System and its control method
CN110351229A (en) * 2018-04-04 2019-10-18 电信科学技术研究院有限公司 A kind of terminal UE management-control method and device
CN110784449A (en) * 2019-09-23 2020-02-11 太仓红码软件技术有限公司 Space arrangement-based network security system for distributed attack
CN111183612A (en) * 2017-12-27 2020-05-19 西门子股份公司 Network traffic sending method and device and hybrid honeypot system
CN111552621A (en) * 2020-04-27 2020-08-18 中国银行股份有限公司 Log information processing method and device and service equipment
CN111726342A (en) * 2020-06-08 2020-09-29 中国电信集团工会上海市委员会 Method and system for improving alarm output accuracy of honeypot system
CN112087532A (en) * 2020-08-28 2020-12-15 中国移动通信集团黑龙江有限公司 Information acquisition method, device, equipment and storage medium
CN112272932A (en) * 2018-03-26 2021-01-26 阿姆多克斯发展公司 System, method and computer program for automatically generating training data for analyzing a new configuration of a communication network
CN112532636A (en) * 2020-12-02 2021-03-19 赛尔网络有限公司 Malicious domain name detection method and device based on T-Pot honeypot and backbone network flow
CN113676497A (en) * 2021-10-22 2021-11-19 广州锦行网络科技有限公司 Data blocking method and device, electronic equipment and storage medium
CN113872802A (en) * 2021-09-17 2021-12-31 支付宝(杭州)信息技术有限公司 Method and device for detecting network element
CN113904853A (en) * 2021-10-13 2022-01-07 百度在线网络技术(北京)有限公司 Intrusion detection method and device for network system, electronic equipment and medium
CN114422163A (en) * 2021-11-26 2022-04-29 苏州浪潮智能科技有限公司 Intranet safety protection method, system, computer equipment and storage medium
CN114422202A (en) * 2021-12-28 2022-04-29 中国电信股份有限公司 IP classification method, system, device, electronic equipment and storage medium
CN114598504A (en) * 2022-02-21 2022-06-07 烽台科技(北京)有限公司 Risk assessment method and device, electronic equipment and readable storage medium
CN114598512A (en) * 2022-02-24 2022-06-07 烽台科技(北京)有限公司 Honeypot-based network security guarantee method and device and terminal equipment
CN115589335A (en) * 2022-11-25 2023-01-10 北京微步在线科技有限公司 Processing method and system for NTP distributed denial of service attack
TWI836279B (en) * 2021-07-16 2024-03-21 台達電子工業股份有限公司 Network data packet processing device and network data packet processing method

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101262351A (en) * 2008-05-13 2008-09-10 华中科技大学 A network tracking system
CN101610174A (en) * 2009-07-24 2009-12-23 深圳市永达电子股份有限公司 A kind of log correlation analysis system and method
CN103561004A (en) * 2013-10-22 2014-02-05 西安交通大学 Cooperative type active defense system based on honey nets
CN105049232A (en) * 2015-06-19 2015-11-11 成都艾尔普科技有限责任公司 Network information log audit system
US20160099964A1 (en) * 2014-10-01 2016-04-07 Ciena Corporation Systems and methods to detect and defend against distributed denial of service attacks

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
张凌: "Research on detection, response and tracing methods for distributed denial-of-service attacks", China Master's Theses Full-text Database *
汪北阳: "Research and implementation of a DDoS prevention model based on honeypot technology", China Master's Theses Full-text Database *

Cited By (40)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11736524B2 (en) 2017-12-27 2023-08-22 Siemens Aktiengesellschaft Network traffic sending method and apparatus, and hybrid honeypot system
CN111183612A (en) * 2017-12-27 2020-05-19 西门子股份公司 Network traffic sending method and device and hybrid honeypot system
CN111183612B (en) * 2017-12-27 2023-08-29 西门子股份公司 Network traffic sending method and device and mixed honey pot system
CN108512694A (en) * 2018-03-05 2018-09-07 北京信安世纪科技股份有限公司 A kind of method and device of server log analysis
CN112272932A (en) * 2018-03-26 2021-01-26 阿姆多克斯发展公司 System, method and computer program for automatically generating training data for analyzing a new configuration of a communication network
CN112272932B (en) * 2018-03-26 2023-09-05 阿姆多克斯发展公司 System, method and computer program for automatically generating training data for analyzing a new configuration of a communication network
CN110351229B (en) * 2018-04-04 2020-12-08 电信科学技术研究院有限公司 Terminal UE (user equipment) management and control method and device
CN110351229A (en) * 2018-04-04 2019-10-18 电信科学技术研究院有限公司 A kind of terminal UE management-control method and device
US11206541B2 (en) 2018-04-04 2021-12-21 Datang Mobile Communications Equipment Co., Ltd. Method and device for managing and controlling terminal UE
CN108769071A (en) * 2018-07-02 2018-11-06 腾讯科技(深圳)有限公司 attack information processing method, device and internet of things honey pot system
CN109302390A (en) * 2018-09-21 2019-02-01 郑州云海信息技术有限公司 A kind of leak detection method and device
CN109194680A (en) * 2018-09-27 2019-01-11 腾讯科技(深圳)有限公司 A kind of network attack identification method, device and equipment
CN109194680B (en) * 2018-09-27 2021-02-12 腾讯科技(深圳)有限公司 Network attack identification method, device and equipment
CN109347881A (en) * 2018-11-30 2019-02-15 东软集团股份有限公司 Network protection method, apparatus, equipment and storage medium based on network cheating
CN109302426A (en) * 2018-11-30 2019-02-01 东软集团股份有限公司 Unknown loophole attack detection method, device, equipment and storage medium
CN109302426B (en) * 2018-11-30 2021-04-13 东软集团股份有限公司 Unknown vulnerability attack detection method, device, equipment and storage medium
CN109696892A (en) * 2018-12-21 2019-04-30 上海瀚之友信息技术服务有限公司 A kind of Safety Automation System and its control method
CN110784449A (en) * 2019-09-23 2020-02-11 太仓红码软件技术有限公司 Space arrangement-based network security system for distributed attack
CN111552621A (en) * 2020-04-27 2020-08-18 中国银行股份有限公司 Log information processing method and device and service equipment
CN111552621B (en) * 2020-04-27 2023-09-01 中国银行股份有限公司 Log information processing method and device and service equipment
CN111726342A (en) * 2020-06-08 2020-09-29 中国电信集团工会上海市委员会 Method and system for improving alarm output accuracy of honeypot system
CN111726342B (en) * 2020-06-08 2022-08-02 中国电信集团工会上海市委员会 Method and system for improving alarm output accuracy of honeypot system
CN112087532A (en) * 2020-08-28 2020-12-15 中国移动通信集团黑龙江有限公司 Information acquisition method, device, equipment and storage medium
CN112087532B (en) * 2020-08-28 2023-04-07 中国移动通信集团黑龙江有限公司 Information acquisition method, device, equipment and storage medium
CN112532636A (en) * 2020-12-02 2021-03-19 赛尔网络有限公司 Malicious domain name detection method and device based on T-Pot honeypot and backbone network flow
TWI836279B (en) * 2021-07-16 2024-03-21 台達電子工業股份有限公司 Network data packet processing device and network data packet processing method
CN113872802A (en) * 2021-09-17 2021-12-31 支付宝(杭州)信息技术有限公司 Method and device for detecting network element
CN113872802B (en) * 2021-09-17 2024-01-19 支付宝(杭州)信息技术有限公司 Method and device for detecting network element
CN113904853A (en) * 2021-10-13 2022-01-07 百度在线网络技术(北京)有限公司 Intrusion detection method and device for network system, electronic equipment and medium
CN113904853B (en) * 2021-10-13 2024-05-14 百度在线网络技术(北京)有限公司 Intrusion detection method, device, electronic equipment and medium of network system
CN113676497A (en) * 2021-10-22 2021-11-19 广州锦行网络科技有限公司 Data blocking method and device, electronic equipment and storage medium
CN114422163B (en) * 2021-11-26 2023-07-21 苏州浪潮智能科技有限公司 Intranet safety protection method, system, computer equipment and storage medium
CN114422163A (en) * 2021-11-26 2022-04-29 苏州浪潮智能科技有限公司 Intranet safety protection method, system, computer equipment and storage medium
CN114422202A (en) * 2021-12-28 2022-04-29 中国电信股份有限公司 IP classification method, system, device, electronic equipment and storage medium
CN114598504A (en) * 2022-02-21 2022-06-07 烽台科技(北京)有限公司 Risk assessment method and device, electronic equipment and readable storage medium
CN114598504B (en) * 2022-02-21 2023-11-03 烽台科技(北京)有限公司 Risk assessment method and device, electronic equipment and readable storage medium
CN114598512B (en) * 2022-02-24 2024-02-06 烽台科技(北京)有限公司 Network security guarantee method and device based on honeypot and terminal equipment
CN114598512A (en) * 2022-02-24 2022-06-07 烽台科技(北京)有限公司 Honeypot-based network security guarantee method and device and terminal equipment
CN115589335A (en) * 2022-11-25 2023-01-10 北京微步在线科技有限公司 Processing method and system for NTP distributed denial of service attack
CN115589335B (en) * 2022-11-25 2023-04-21 北京微步在线科技有限公司 Processing method and system for NTP distributed denial of service attack

Also Published As

Publication number Publication date
CN107404465B (en) 2020-08-04

Similar Documents

Publication Publication Date Title
CN107404465A (en) Network data analysis method and server
Stiawan et al. Investigating brute force attack patterns in IoT network
Panjwani et al. An experimental evaluation to determine if port scans are precursors to an attack
AU2003229456B2 (en) Network bandwidth anomaly detector apparatus and method for detecting network attacks using correlation function
JP2009539271A (en) Computer network intrusion detection system and method
Gondim et al. Mirror saturation in amplified reflection Distributed Denial of Service: A case of study using SNMP, SSDP, NTP and DNS protocols
Chen et al. Optimal worm-scanning method using vulnerable-host distributions
CN111225002A (en) Network attack tracing method and device, electronic equipment and storage medium
Liu et al. Real-time diagnosis of network anomaly based on statistical traffic analysis
CN106790073B (en) Blocking method and device for malicious attack of Web server and firewall
Ezenwe et al. Mitigating denial of service attacks with load balancing
Furfaro et al. A simulation model for the analysis of DDOS amplification attacks
Guan Network forensics
Salim et al. Preventing ARP spoofing attacks through gratuitous decision packet
US20050240780A1 (en) Self-propagating program detector apparatus, method, signals and medium
Kiratsata et al. Behaviour analysis of open-source firewalls under security crisis
CN113596037B (en) APT attack detection method based on event relation directed graph in network full flow
Chang A proactive approach to detect IoT based flooding attacks by using software defined networks and manufacturer usage descriptions
Bhatia Detecting distributed denial-of-service attacks and flash events
Balogh et al. LAN security analysis and design
Vieira et al. Identifying attack signatures for the internet of things: an IP flow based approach
Sharma Honeypots in Network Security
Trapkickin Who is scanning the internet
Anbar et al. Statistical cross-relation approach for detecting TCP and UDP random and sequential network scanning (SCANS)
Abhijith et al. First Level Security System for Intrusion Detection and Prevention in LAN

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant