CN107454039B - Network attack detection system, method and computer readable storage medium - Google Patents

Publication number: CN107454039B
Application number: CN201610373881.0A
Authority: CN (China)
Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis)
Other languages: Chinese (zh)
Other versions: CN107454039A (en)
Inventors: 闫国旗, 都海峰
Current assignee: Guangzhou Huadu Jingdong Smart City Digital Technology Co., Ltd. (the listed assignee may be inaccurate)
Original assignees: Beijing Jingdong Century Trading Co Ltd; Beijing Jingdong Shangke Information Technology Co Ltd
Prior art keywords: unit, data, counting, network request, network

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1458 Denial of Service

Abstract

The invention discloses a network attack detection system and a network attack detection method. The system comprises: a network data acquisition unit configured to receive network request data from an external data source; a data dispatching unit connected to the network data acquisition unit and configured to dispatch the network request data; at least one counting unit connected to the data dispatching unit and configured to count the network request data received from the data dispatching unit in a specified time period based on different network request parameters or combinations of network request parameters and to generate a blocking rule; and a blocking management unit connected to the at least one counting unit and configured to receive the generated blocking rules from the at least one counting unit, respectively, and to determine whether to apply the received blocking rules, wherein the data dispatching unit dispatches that part of the network request data which does not correspond to a blocked source IP address to the at least one counting unit by load balancing based on the combination of the source IP address and the destination IP address in the network request data.

Description

Network attack detection system, method and computer readable storage medium
Technical Field
The present invention relates to the field of network security, and in particular, to a network attack detection system and a method for detecting a network attack by the network attack detection system.
Background
With the rapid development of the internet, network security has become an increasingly significant problem, and hackers make many companies pay disastrous costs by stealing data or mounting replay attacks. DDOS attacks have been the most common attack against IT companies in recent years, especially large internet companies, for which the volume of attacks has exceeded what a single hardware firewall can absorb. To address this issue, and at the same time to reduce the cost of attack detection, many internet companies have begun to offload processing to, for example, x86 real-time analysis clusters, where the Storm real-time stream processing framework is one of the more heavily used frameworks.
Although the hardware firewalls commonly adopted today can identify and resist a certain degree of DDOS attack, more detailed attack data cannot be seen because of the limited storage capacity of the device itself. In addition, although a hardware firewall has the advantage of hardware acceleration, its processing capacity still becomes a bottleneck in a large data center.
Disclosure of Invention
In order to solve the above problems in the prior art, the present invention provides a network attack detection system and a method for detecting a network attack.
According to one aspect of the invention, a network attack detection system is provided. The system comprises: a network data acquisition unit configured to receive network request data from an external data source; a data dispatching unit connected to the network data acquisition unit and configured to dispatch the network request data; at least one counting unit connected to the data dispatching unit and configured to count the network request data received from the data dispatching unit in a specified time period based on different network request parameters or combinations of network request parameters and to generate a blocking rule; and a blocking management unit connected to the at least one counting unit and configured to receive the generated blocking rules from the at least one counting unit, respectively, and to determine whether to apply the received blocking rules, wherein the data dispatching unit dispatches that part of the network request data which does not correspond to a blocked source IP address to the at least one counting unit by load balancing based on the combination of the source IP address and the destination IP address in the network request data.
Preferably, the system further comprises: a configuration management unit configured to pull configuration information updates from a configuration server and correspondingly send the obtained configuration information updates to the data dispatching unit, the at least one counting unit and/or the blocking management unit.
Preferably, the system further comprises: an interception counting unit connected to the data dispatching unit and configured to count the network request data received from the data dispatching unit, wherein the data dispatching unit is configured to dispatch that part of the network request data which corresponds to a blocked source IP address to the interception counting unit.
Preferably, when the at least one counting unit includes a counting unit that counts based on a combination of network request parameters, the system further includes: a secondary counting unit connected to the counting unit for counting based on the combination of the network request parameters, configured to acquire a counting result from the connected counting unit, and perform secondary counting using the acquired counting result based on one of the network request parameters in the combination of the network request parameters, and generate a blocking rule, and the blocking management unit is further configured to receive the generated blocking rule from the secondary counting unit, and determine whether to apply the received blocking rule.
Preferably, the system further comprises: a data output unit configured to receive the counting results from the at least one counting unit, respectively, and write the received counting results into a database.
Preferably, the network request data comprises at least one of a request URL, a source IP address and/or a destination IP address, wherein the request URL comprises a host portion, a path portion and an attribute portion.
Preferably, the network request parameter comprises at least one of: a host portion of the request URL, a path portion of the request URL, an attribute portion of the request URL, a source IP address, and/or a destination IP address.
Preferably, the specified time period is a time period having a specified duration that ends at a unit time previous to the current time.
According to another aspect of the present invention, there is provided a method of detecting a network attack by a network attack detection system. The network attack detection system comprises a network data acquisition unit, a data dispatching unit, at least one counting unit and a blocking management unit. The method comprises the following steps: the network data acquisition unit receives network request data from an external data source; the data dispatching unit dispatches that part of the network request data which does not correspond to a blocked source IP address to the at least one counting unit by performing load balancing based on the combination of the source IP address and the destination IP address in the network request data; the at least one counting unit counts the network request data received from the data dispatching unit in a specified time period based on different network request parameters or combinations of network request parameters, and generates a blocking rule; and the blocking management unit receives the generated blocking rules from the at least one counting unit, respectively, and determines whether to apply the received blocking rules.
Preferably, the system further comprises a configuration management unit, and the method further comprises: the configuration management unit pulls configuration information updates from a configuration server and correspondingly sends the obtained configuration information updates to the data dispatching unit, the at least one counting unit and/or the blocking management unit.
Preferably, the system further comprises an interception counting unit, and the method further comprises: the data dispatching unit dispatches that part of the network request data which corresponds to a blocked source IP address to the interception counting unit; the interception counting unit counts the network request data received from the data dispatching unit.
Preferably, when the at least one counting unit includes a counting unit that counts based on a combination of network request parameters, the system further includes a secondary counting unit, and the method further includes: the secondary counting unit acquires a counting result from the connected counting unit, performs secondary counting by using the acquired counting result based on one of the network request parameters in the combination of the network request parameters, and generates a blocking rule; the blocking management unit receives the generated blocking rule from the secondary counting unit and determines whether to apply the received blocking rule.
Preferably, the system further comprises a data output unit, and the method further comprises: the data output unit receives the counting results from the at least one counting unit, respectively, and writes the received counting results into a database.
Preferably, the network request data comprises at least one of a request URL, a source IP address and/or a destination IP address, wherein the request URL comprises a host portion, a path portion and an attribute portion.
Preferably, the network request parameter comprises at least one of: a host portion of the request URL, a path portion of the request URL, an attribute portion of the request URL, a source IP address, and/or a destination IP address.
According to another aspect of the present invention, there is provided a network attack detection system, including: a memory; and a processor coupled to the memory, the processor configured to perform the method of detecting a cyber attack as described above based on instructions stored in the memory.
According to another aspect of the present invention, there is provided a computer-readable storage medium storing computer instructions which, when executed by a processor, implement the method of detecting a network attack as described above.
By using the network attack detection system and the method for detecting a network attack provided by the invention, when a website is under DDOS attack or is being maliciously flooded by a user, the network attack threat can be warned of early and in multiple dimensions by means of the algorithm, so that the attack is intercepted at the entrance of the website and the normal operation of the back-end service servers is protected.
Drawings
FIG. 1 shows a block diagram of a network attack detection system according to one embodiment of the invention;
FIG. 2 illustrates a flow diagram of a method of detecting a network attack by a network attack detection system according to one embodiment of the invention;
FIG. 3 illustrates a schematic diagram of a sliding window in accordance with a particular embodiment of the present invention;
fig. 4 shows a schematic diagram of a counter memory structure in a counting unit according to a specific embodiment of the present invention.
Detailed Description
It is noted that in the following description of the embodiments of the invention, portions of the disclosure may be described with respect to particular frameworks (e.g., the Storm framework, an open source real-time streaming framework) for convenience, but it is to be understood that embodiments of the invention are not limited to these particular frameworks. The term "load balancing" as used in the present invention includes front-end forwarding that spreads access pressure across back-end traffic servers. It is to be understood that this explanation of the term is given for convenience in describing the technical solution of the present invention and is not intended to limit that solution.
The present invention is described in detail below with reference to the attached drawings.
First, fig. 1 shows a block diagram of a network attack detection system 100 according to an embodiment of the present invention. The network attack detection system 100 includes a network data acquisition unit 110, a data dispatching unit 120, at least one counting unit 130 (only 3 counting units 130 are shown in fig. 1; the number is not limited here), and a blocking management unit 140.
In one embodiment, the network data acquisition unit 110 is configured to receive network request data from an external data source. Preferably, the network data acquisition unit 110 continuously pulls the latest network access data from the data source (e.g. a message queue) and passes it on to the data dispatching unit.
The network request data includes at least one of a request URL, a source IP address, and/or a destination IP address, wherein the request URL includes a host portion (Host), a path portion (Path), and an attribute portion (Param). For example, for the URL http://search.jd.com/Book/Search?keyword=cpu, the host portion is search.jd.com, the path portion is /Book/Search, and the attribute portion is keyword=cpu.
In one embodiment, the data dispatching unit 120 is connected to the network data acquisition unit 110 and configured to dispatch network request data. The received network request data comprises data corresponding to blocked source IP addresses and data corresponding to unblocked source IP addresses. Data from a blocked source IP address no longer affects the back end, because blocking has already been applied to it, so it need not be considered again when detecting attacks; only data from unblocked source IP addresses needs to be considered. Specifically, the data dispatching unit 120 dispatches that part of the network request data which does not correspond to a blocked source IP address to the at least one counting unit by performing load balancing based on the combination of the source IP address and the destination IP address in the network request data.
Of course, data for source IP addresses that have already been blocked may still be counted, which can be used to verify the interception rate of the system. Specifically, the system may further include an interception counting unit connected to the data dispatching unit and configured to count the network request data received from the data dispatching unit, wherein the data dispatching unit is configured to dispatch that part of the network request data which corresponds to a blocked source IP address to the interception counting unit.
Load distribution through the data dispatching unit matters because, in one topology of the system framework, the data processing units (such as the counting units, the blocking management unit, and the like) and the data acquisition units (such as the network data acquisition unit) may run on different servers or JVMs in a distributed manner. When data is dispatched to the data processing units, load distribution must therefore be performed according to key values defined on the data stream, and for this purpose an additional data dispatching unit is defined in the topology. The data dispatching unit distributes data using the combination of the source IP address and the destination IP address as the key. Because the number of distinct (source IP address, destination IP address) key values is large, distributing on this combined key lets the data dispatching unit balance load at a finer granularity, which increases distribution efficiency and flexibility.
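The following is an added illustration, not code from the patent or from the applicant, of the dispatching step just described: requests from already-blocked sources are diverted to the interception counter, and all other requests are partitioned to counting units by a hash of the (source IP, destination IP) pair. The sample records, the SHA-256 hash and the unit count are assumptions chosen for the example; the patent only requires that the key be the combined source and destination address.

```python
import hashlib
from typing import Iterable, List, Tuple

# Constructed sample records (not from the patent). Each record carries the
# three fields the patent names: request URL, source IP and destination IP.
SAMPLE_REQUESTS = [
    {"src": "198.51.100.7", "dst": "192.0.2.10", "url": "http://search.example.test/Book/Search?keyword=cpu"},
    {"src": "198.51.100.7", "dst": "192.0.2.10", "url": "http://search.example.test/Book/Search?keyword=ssd"},
    {"src": "198.51.100.8", "dst": "192.0.2.10", "url": "http://search.example.test/Book/List"},
    {"src": "198.51.100.9", "dst": "192.0.2.11", "url": "http://www.example.test/"},
    {"src": "203.0.113.5", "dst": "192.0.2.10", "url": "http://search.example.test/Book/Search?keyword=cpu"},
]


def partition_key(src_ip: str, dst_ip: str) -> str:
    """The dispatch key the patent describes: the (source IP, destination IP) pair."""
    return f"{src_ip}|{dst_ip}"


def choose_counting_unit(src_ip: str, dst_ip: str, n_units: int) -> int:
    """Map the key to a counting-unit index. SHA-256 is an assumption; any stable
    hash works. What matters is that one (src, dst) pair always reaches the same
    unit, so its counts are never split across units."""
    digest = hashlib.sha256(partition_key(src_ip, dst_ip).encode()).digest()
    return int.from_bytes(digest[:8], "big") % n_units


def dispatch(requests: Iterable[dict], blocked_sources: set, n_units: int) -> Tuple[List[List[dict]], List[dict]]:
    """Split requests into one batch per counting unit; requests from sources that
    are already blocked go to the interception counter instead."""
    batches: List[List[dict]] = [[] for _ in range(n_units)]
    intercepted: List[dict] = []
    for req in requests:
        if req["src"] in blocked_sources:
            intercepted.append(req)  # only counted to verify the interception rate
            continue
        batches[choose_counting_unit(req["src"], req["dst"], n_units)].append(req)
    return batches, intercepted


if __name__ == "__main__":
    batches, intercepted = dispatch(SAMPLE_REQUESTS, {"203.0.113.5"}, 3)
    for i, batch in enumerate(batches):
        print(f"counting unit {i}: {[r['src'] + '->' + r['dst'] for r in batch]}")
    print("intercepted:", [r["src"] for r in intercepted])
```

A hash of the pair rather than of the source address alone is what gives the finer partitioning the description refers to; it also means a single source that hits many destinations is spread over several units, so per-source totals must be combined downstream if that dimension is needed.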
In one embodiment, at least one counting unit 130 is connected to the data dispatching unit 120, configured to count network request data received from the data dispatching unit 120 within a specified time period based on different network request parameters or combinations of network request parameters, and generate a blocking rule. Specifically, each counting unit 130 counts for different network request parameters or network request parameter combinations, the network request parameters including at least one of: a host portion of the request URL, a path portion of the request URL, an attribute portion of the request URL, a source IP address, and/or a destination IP address. For example, each counting unit 130 may count the three dimensions of the source IP address, the host part, and the path part independently, and generate a counting result and a blocking rule in each time period.
Preferably, in one embodiment, when the count of the counting unit 130 is cleared after a time period elapses, the counting unit 130 restarts counting data in the next time period.
Preferably, in another embodiment, the specified time period is a time period of a specified duration ending at a unit time previous to the current time. Specifically, for this case, the counting unit 130 may count with a sliding time window corresponding to a specified time period terminating at a unit time before the current time, and as the time window slides, the counting unit 130 may count up the count data in the latest one time period at any time and generate the blocking rule based thereon. This scheme will be described in detail below with reference to specific embodiments.
Preferably, in the process of generating the blocking rule, the counting unit 130 may compare a counting result for a specific value of the network request parameter with a specified threshold value and generate the blocking rule based thereon.
For example, when the network request parameter is the destination IP address, the corresponding counting unit 130 counts the destination IP addresses of the network request data received within the specified time period; when the count for one destination IP address exceeds a specified threshold, the counting unit 130 counts the source IP addresses of the network request data for that destination IP address within the time period and adds the one or more source IP addresses with the highest counts (the number may also be pre-specified) to the blocking rule.
For another example, when the network request parameter is a source IP address, the corresponding counting unit 130 counts the source IP address corresponding to the network request data received in a specified time period, and when the count for one source IP address exceeds a specified threshold, the counting unit adds the source IP address to the blocking rule.
Preferably, the counting unit 130 may assign penalty coefficients to the source IP addresses added to the blocking rule, with source IP addresses that have higher counts receiving higher penalty coefficients. For example, the penalty coefficient may correspond to a blocking duration, so that a source IP address with a higher count is blocked for longer. As another example, the penalty coefficient may correspond to a request rejection rate, so that a source IP address with a higher count has a higher share of its requests rejected.
In one embodiment, the blocking management unit 140 is connected to the at least one counting unit 130, and configured to receive the generated blocking rules from the at least one counting unit 130, respectively, and determine whether to apply the received blocking rules.
The blocking rules generated by the at least one counting unit 130 are all transmitted to the blocking management unit, which determines whether to issue them to, for example, an interception server for application. One reason for this is that each blocking rule has a validity period, during which it is unnecessary to block the same source IP address again; doing so would reduce the efficiency of the interception server. Furthermore, if a particular source IP address has been identified as not attacking the back end (i.e., the source IP address is on the white list), the blocking management unit 140 will not issue the blocking rule for that source IP address to the server.
In one embodiment, the system 100 further comprises a configuration management unit. The configuration management unit is configured to pull configuration information updates from a configuration server and correspondingly send the obtained configuration information updates to the data dispatching unit, the at least one counting unit and/or the blocking management unit.
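The two decisions described above, suppressing a rule that is still within its validity period and dropping rules for white-listed sources, are shown in the following added example, which is not code from the patent. The rule format, the base duration and the way the penalty coefficient lengthens the block are assumptions of this example; the description only says that a higher coefficient corresponds to a longer blocking duration.

```python
from typing import Dict, Tuple


class BlockingManager:
    """Receives blocking rules from the counting units and decides whether each
    one is issued to the interception server."""

    def __init__(self, whitelist, base_duration: float):
        self.whitelist = set(whitelist)
        self.base_duration = base_duration
        self.active: Dict[str, float] = {}  # src_ip -> expiry time (seconds)

    def block_duration(self, penalty: float) -> float:
        # Assumed mapping from the penalty coefficient (0..1) to a duration:
        # a higher coefficient yields a longer block, as the description requires.
        return self.base_duration * (1.0 + penalty)

    def consider(self, rule: dict, now: float) -> Tuple[bool, str]:
        """Return (issued, reason) for one rule of the form
        {"src_ip": ..., "penalty": ...} received at time `now`."""
        ip = rule["src_ip"]
        if ip in self.whitelist:
            return False, "whitelisted"
        expiry = self.active.get(ip)
        if expiry is not None and expiry > now:
            return False, "already blocked"  # previous rule still valid
        self.active[ip] = now + self.block_duration(rule.get("penalty", 0.0))
        return True, "issued"

    def purge_expired(self, now: float) -> int:
        """Forget blocks whose validity period has ended; returns how many."""
        expired = [ip for ip, exp in self.active.items() if exp <= now]
        for ip in expired:
            del self.active[ip]
        return len(expired)


def run_sample():
    """Constructed sequence of rules (not patent data) arriving at the manager."""
    mgr = BlockingManager(whitelist={"203.0.113.5"}, base_duration=60.0)
    decisions = [
        mgr.consider({"src_ip": "198.51.100.7", "penalty": 0.5}, now=0.0),    # new: issued, expires at 90
        mgr.consider({"src_ip": "198.51.100.7", "penalty": 0.5}, now=30.0),   # still valid: suppressed
        mgr.consider({"src_ip": "203.0.113.5", "penalty": 0.9}, now=30.0),    # white-listed: dropped
        mgr.consider({"src_ip": "198.51.100.7", "penalty": 0.5}, now=90.0),   # expired: issued again
    ]
    return mgr, decisions


if __name__ == "__main__":
    mgr, decisions = run_sample()
    for d in decisions:
        print(d)
    print("active blocks:", mgr.active)
```

Keeping the expiry table in the manager rather than in each counting unit is what lets several counting units, each reporting the same source address from a different dimension, produce a single issued rule.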
In one embodiment, when the at least one counting unit 130 includes a counting unit 130 that counts based on a combination of network request parameters, the system further includes a secondary counting unit. The secondary counting unit is connected to the counting unit 130 for counting based on the combination of the network request parameters, and is configured to acquire a counting result from the connected counting unit 130, perform secondary counting using the acquired counting result based on one of the network request parameters in the combination of the network request parameters, and generate a blocking rule.
For example, if a certain counting unit 130 counts based on two network request parameters of the host part and the path part of the URL, i.e., counts for any combination of the host part and the path part, the system 100 may further include a secondary counting unit for the host part, which acquires its counting result from the counting unit 130 and sums, for any particular value of the host part, the counting results for the combination of the host part particular value and any path part particular value as the counting result for the host part particular value. When the specific values for the respective host parts are summed up separately, a result of counting based on the host parts is obtained.
Counting on a combination of parameters has a finer granularity. In one embodiment, its granularity n_g12 can be expressed as n_g12 = n_g1 × n_g2 / N, where n_g1 is the granularity of counting on the host part alone, n_g2 is the granularity of counting on the path part alone, and N is the total amount of data in the specified time period (so n_g12 is smaller than either n_g1 or n_g2).
By adopting the configuration of the secondary counting unit instead of independently setting one counting unit 130 for each parameter in the combination of the network request parameters, the data transmission amount between the nodes can be reduced, thereby improving the resource utilization efficiency.
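The secondary counting step, collapsing the (host, path) results of one counting unit onto the host part, is shown in the following added example, which is not code from the patent; the counts are constructed sample values and the threshold is an assumption. The function is written for any position of the combination, so the same routine also yields the path-only result.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed counting results (not patent data) produced by a counting unit
# keyed on the (host, path) combination for one time period.
COMBINATION_COUNTS: Dict[Tuple[str, str], int] = {
    ("search.example.test", "/Book/Search"): 120,
    ("search.example.test", "/Book/List"): 30,
    ("www.example.test", "/"): 50,
    ("www.example.test", "/Book/List"): 5,
}


def secondary_count(combo_counts: Dict[Tuple[str, ...], int], keep_index: int) -> Dict[str, int]:
    """Collapse counts keyed on a parameter combination onto the single parameter
    at position keep_index, summing over all values of the other parameters.
    keep_index=0 gives the host-only result, keep_index=1 the path-only result."""
    totals: Dict[str, int] = defaultdict(int)
    for key, count in combo_counts.items():
        totals[key[keep_index]] += count
    return dict(totals)


def over_threshold(counts: Dict[str, int], threshold: int) -> List[str]:
    """Values of the parameter whose count in the period exceeds the threshold;
    these are the candidates for which a blocking rule is then generated."""
    return sorted(value for value, count in counts.items() if count > threshold)


if __name__ == "__main__":
    host_totals = secondary_count(COMBINATION_COUNTS, keep_index=0)
    path_totals = secondary_count(COMBINATION_COUNTS, keep_index=1)
    print("per host:", host_totals)
    print("per path:", path_totals)
    print("hosts over threshold:", over_threshold(host_totals, 100))
```

The input to the secondary unit is the combination unit's result table, which has one entry per distinct (host, path) pair, rather than the raw request stream; that is the reduction in data transmitted between nodes that the description refers to.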
Preferably, the blocking management unit 140 is further configured to receive the generated blocking rule from the secondary counting unit and determine whether to apply the received blocking rule.
In one embodiment, the system 100 further comprises a data output unit. The data output unit is configured to receive the counting results from the at least one counting unit, respectively, and write the received counting results into a database.
Next, see fig. 2. Fig. 2 shows a flow diagram of a method 200 of detecting a network attack by a network attack detection system according to one embodiment of the invention. The network attack detection system comprises a network data acquisition unit, a data dispatching unit, at least one counting unit and a blocking management unit. The method 200 begins with step S210, in which the network data acquisition unit receives network request data from an external data source. Next, in step S220, the data dispatching unit dispatches that part of the network request data which does not correspond to a blocked source IP address to the at least one counting unit by performing load balancing based on the combination of the source IP address and the destination IP address in the network request data. Next, in step S230, the at least one counting unit counts the network request data received from the data dispatching unit in a specified time period based on different network request parameters or combinations of network request parameters, and generates a blocking rule. Finally, in step S240, the blocking management unit receives the generated blocking rules from the at least one counting unit, respectively, and determines whether to apply the received blocking rules.
Preferably, the system further comprises a configuration management unit, and the method further comprises: the configuration management unit pulls configuration information updates from a configuration server and correspondingly sends the obtained configuration information updates to the data dispatching unit, the at least one counting unit and/or the blocking management unit.
Preferably, the system further comprises an interception counting unit, and the method further comprises: the data dispatching unit dispatches that part of the network request data which corresponds to a blocked source IP address to the interception counting unit; the interception counting unit counts the network request data received from the data dispatching unit.
Preferably, when the at least one counting unit includes a counting unit that counts based on a combination of network request parameters, the system further includes a secondary counting unit, and the method further includes: the secondary counting unit acquires a counting result from the connected counting unit, performs secondary counting by using the acquired counting result based on one of the network request parameters in the combination of the network request parameters, and generates a blocking rule; the blocking management unit receives the generated blocking rule from the secondary counting unit and determines whether to apply the received blocking rule.
Preferably, the system further comprises a data output unit, and the method further comprises: the data output unit receives the counting results from the at least one counting unit, respectively, and writes the received counting results into a database.
Preferably, the network request data comprises at least one of a request URL, a source IP address and/or a destination IP address, wherein the request URL comprises a host portion, a path portion and an attribute portion.
Preferably, the network request parameter comprises at least one of: a host portion of the request URL, a path portion of the request URL, an attribute portion of the request URL, a source IP address, and/or a destination IP address.
Preferably, the method 200 is performed by the system 100 shown in FIG. 1. The various detailed descriptions and illustrations above with respect to the system 100 in fig. 1 are equally applicable to the steps of the method 200, and are not repeated here.
Next, the algorithm used in the counting unit 130 that counts using a sliding window and the memory structure corresponding to the algorithm used will be described in detail for a specific embodiment.
Specifically, each counting unit 130 needs to maintain an access counter. For a count-based detection algorithm, sampling only the data of a single second cannot correctly and effectively identify an attacking IP. At the same time, because the sampling timeline keeps moving forward, the data window keeps moving with it; this continuously moving data window is called a "sliding window", and the counter inside each counting unit 130 has the characteristics of a sliding window. In particular, in Java a sliding window may be implemented using nested maps.
FIG. 3 illustrates a schematic diagram of a sliding window, in accordance with a particular embodiment of the present invention. The upper part of fig. 3 shows a number of points in time of the time axis, which are indicated by long integer times. Below this, the time window is continuously sliding along the timeline as time progresses, forming sliding time windows (1-10) for a number of different time instants.
Specifically, the memory structure of the counter of the counting unit corresponding to the sliding time window may adopt a two-dimensional storage manner. In particular, fig. 4 shows a schematic diagram of a counter memory structure in a counting unit according to a specific embodiment of the present invention. Fig. 4 corresponds to the case where the combination of the host portion (host) and the path portion (path) based on the URL is counted. As can be seen from the left figure, for each specific combination of host and path, a sliding window counter is stored, and a list of source IP access counts per second (e.g., long integer time points 1456475226 and 1456475227) during the sliding window is stored in the sliding window counter (see the right figure). Each list includes the respective source IP address and its corresponding number of accesses.
Adding the stored access times for the respective instants of the source IP addresses within the list of sliding time windows yields the total access times of the source IP address during the sliding time window. When the dynamically configured threshold is crossed for the total access count within a sliding window, a containment rule may be generated for it.
Specifically, the access situation of a Host/Path may be analyzed with the following algorithm to generate a blocking rule:
first, sort the source IP addresses corresponding to the Host/Path in descending order of access count (quick sort, insertion sort and other sorting algorithms are all applicable);
then, according to the configuration, take the first N IPs with the highest access volume as the objects of the blocking penalty (whitelisted IPs excepted). The specific algorithm is: compute the sum of the access counts of the first N IPs; then, for each of the first N IPs in turn, compute (access count of the IP) / (sum of the access counts of the first N IPs) to obtain the penalty coefficient of that source IP, so that a source IP with a larger access volume receives a higher penalty coefficient.
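The sliding window counter of FIG. 4 and the Host/Path penalty algorithm above, carried through as an added example. This is illustrative code written for this page, not the patent's implementation; it uses Python nested dicts in place of the nested Java maps the description mentions. The window length, threshold, top-N value, whitelist, host/path and the request stream are all constructed assumptions:

```python
from collections import defaultdict
from typing import Dict, FrozenSet, List, Tuple

WINDOW_SECONDS = 10        # assumed sliding window length, in seconds
THRESHOLD = 30             # assumed (dynamically configured) per-IP threshold
TOP_N = 3                  # assumed number of heaviest IPs to penalise
WHITELIST = frozenset({"10.0.0.5"})   # assumed whitelist, never penalised

Key = Tuple[str, str]      # (host, path) combination being counted


class SlidingWindowCounter:
    """Nested maps, as in FIG. 4: (host, path) -> second -> source IP -> count."""

    def __init__(self) -> None:
        self._buckets: Dict[Key, Dict[int, Dict[str, int]]] = defaultdict(
            lambda: defaultdict(lambda: defaultdict(int)))

    def record(self, ts: int, host: str, path: str, src_ip: str) -> None:
        """Count one request in the per-second list of its Host/Path."""
        self._buckets[(host, path)][ts][src_ip] += 1

    def expire(self, now: int) -> None:
        """Drop per-second lists that have slid out of the window."""
        oldest = now - WINDOW_SECONDS
        for per_second in self._buckets.values():
            for sec in [s for s in per_second if s < oldest]:
                del per_second[sec]

    def totals(self, key: Key, now: int) -> Dict[str, int]:
        """Per-IP sum over the window [now - WINDOW_SECONDS, now - 1].
        The window ends at the second before the current one, so the
        still-filling current second never distorts the count."""
        per_second = self._buckets.get(key, {})
        total: Dict[str, int] = defaultdict(int)
        for sec in range(now - WINDOW_SECONDS, now):
            for ip, n in per_second.get(sec, {}).items():
                total[ip] += n
        return dict(total)


def blocking_rules(counter: SlidingWindowCounter, key: Key, now: int,
                   threshold: int = THRESHOLD, top_n: int = TOP_N,
                   whitelist: FrozenSet[str] = WHITELIST
                   ) -> List[Tuple[str, int, float]]:
    """(src_ip, count, penalty coefficient) for the IPs to block on this Host/Path.
    Combining the threshold check with the top-N ranking is an assumption."""
    ranked = sorted(counter.totals(key, now).items(),
                    key=lambda kv: kv[1], reverse=True)        # 1. descending by count
    chosen = [(ip, n) for ip, n in ranked
              if n > threshold and ip not in whitelist][:top_n]  # 2. top N, minus whitelist
    denom = sum(n for _, n in chosen)
    # coefficient = own count / sum of the top-N counts: heavier sources score higher
    return [(ip, n, n / denom) for ip, n in chosen] if denom else []


def build_sample_counter() -> Tuple[SlidingWindowCounter, int]:
    """Constructed traffic, not real data: 12 consecutive seconds of requests
    to one Host/Path. The first second lies outside the window and the last
    is the still-open current second, so neither may be counted."""
    base, now = 1456475226, 1456475237
    per_second_rate = {"203.0.113.7": 6, "198.51.100.9": 4,
                       "10.0.0.5": 5, "192.0.2.10": 1}
    counter = SlidingWindowCounter()
    for sec in range(base, now + 1):
        for ip, rate in per_second_rate.items():
            for _ in range(rate):
                counter.record(sec, "shop.example.com", "/login", ip)
    counter.record(now - 1, "shop.example.com", "/search", "203.0.113.7")  # separate key
    counter.expire(now)
    return counter, now


if __name__ == "__main__":
    counter, now = build_sample_counter()
    key = ("shop.example.com", "/login")
    print(counter.totals(key, now))
    for ip, n, coeff in blocking_rules(counter, key, now):
        print(f"block {ip}: {n} requests in window, penalty coefficient {coeff:.2f}")
```

The window deliberately ends at the second before the current one (the "unit time preceding the current time" of claims 7 and 14), so the still-filling current second cannot push a source under or over the threshold; `expire` must be called as time advances or the inner maps grow without bound. The penalty coefficients are relative shares of the top-N traffic, so a single heavy source always scores 1.0 whatever its absolute count; the absolute threshold check is what keeps a lone low-volume source from being penalised.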
It should be understood, however, that the algorithm employed in the counting unit that counts with a sliding window, and the memory structure corresponding to that algorithm, are merely exemplary and are not intended to limit the present invention; other counting schemes that use a sliding window are also applicable.
Although the present invention has been described in conjunction with the preferred embodiments thereof, it will be understood by those skilled in the art that various changes, substitutions and alterations can be made herein without departing from the spirit and scope of the invention. Accordingly, the present invention should not be limited by the above-described embodiments, but should be defined by the appended claims and their equivalents.

Claims (16)

1. A cyber attack detection system comprising:
a network data acquisition unit configured to receive network request data from an external data source;
a data dispatching unit connected to the network data acquisition unit and configured to dispatch the network request data;
at least one counting unit connected to the data dispatching unit and configured to count, within a specified time period, the network request data received from the data dispatching unit based on a combination of network request parameters, and to generate a blocking rule;
a secondary counting unit connected to the at least one counting unit that counts based on the combination of network request parameters, configured to acquire counting results from the connected at least one counting unit, perform secondary counting using the acquired counting results based on one of the network request parameters in the combination of network request parameters, and generate a blocking rule; and
a blocking management unit connected to the at least one counting unit and the secondary counting unit, configured to receive the generated blocking rules from the at least one counting unit and the secondary counting unit, respectively, and to determine whether to apply the received blocking rules,
wherein the data dispatching unit is configured to dispatch the network request data that does not correspond to a blocked source IP address to the at least one counting unit by performing load balancing based on the combination of the source IP address and the destination IP address in the network request data.
2. The system of claim 1, further comprising:
a configuration management unit configured to pull configuration information updates from a configuration server and send the obtained configuration information updates to the data dispatching unit, the at least one counting unit and/or the blocking management unit, as appropriate.
3. The system of claim 1, further comprising:
an interception counting unit connected to the data dispatching unit and configured to count network request data received from the data dispatching unit,
wherein the data dispatching unit is configured to dispatch the network request data that corresponds to a blocked source IP address to the interception counting unit.
4. The system of claim 1, further comprising:
a data output unit configured to receive the counting results from each of the at least one counting unit and write the received counting results into a database.
5. The system of any of claims 1-4, wherein the network request data includes at least one of a request URL, a source IP address, and/or a destination IP address, wherein the request URL includes a host portion, a path portion, and an attribute portion.
6. The system of claim 5, wherein the network request parameter comprises at least one of: a host portion of the request URL, a path portion of the request URL, an attribute portion of the request URL, a source IP address, and/or a destination IP address.
7. The system of any of claims 1-4, wherein the specified time period is a time period of specified duration that ends at the unit time immediately preceding the current time.
8. A method for detecting network attacks with a network attack detection system, wherein the network attack detection system comprises a network data acquisition unit, a data dispatching unit, at least one counting unit, a secondary counting unit and a blocking management unit, and the method comprises:
the network data acquisition unit receives network request data from an external data source;
the data dispatching unit dispatches the network request data that does not correspond to a blocked source IP address to the at least one counting unit by performing load balancing based on the combination of the source IP address and the destination IP address in the network request data;
the at least one counting unit counts, within a specified time period, the network request data received from the data dispatching unit based on the combination of network request parameters and generates a blocking rule;
the secondary counting unit acquires counting results from the connected at least one counting unit, performs secondary counting using the acquired counting results based on one of the network request parameters in the combination of network request parameters, and generates a blocking rule; and
the blocking management unit receives the generated blocking rules from the at least one counting unit and the secondary counting unit, respectively, and determines whether to apply the received blocking rules.
9. The method of claim 8, wherein the system further comprises a configuration management unit, and the method further comprises:
the configuration management unit pulls configuration information updates from a configuration server and sends the obtained configuration information updates to the data dispatching unit, the at least one counting unit and/or the blocking management unit, as appropriate.
10. The method of claim 8, wherein the system further comprises an interception counting unit, and the method further comprises:
the data dispatching unit dispatches the network request data that corresponds to a blocked source IP address to the interception counting unit; and
the interception counting unit counts the network request data received from the data dispatching unit.
11. The method of claim 8, wherein the system further comprises a data output unit, and the method further comprises:
the data output unit receives the counting results from each of the at least one counting unit and writes the received counting results into a database.
12. The method of any of claims 8-11, wherein the network request data comprises at least one of a request URL, a source IP address, and/or a destination IP address, wherein the request URL comprises a host portion, a path portion, and an attribute portion.
13. The method of claim 12, wherein the network request parameter comprises at least one of: a host portion of the request URL, a path portion of the request URL, an attribute portion of the request URL, a source IP address, and/or a destination IP address.
14. The method of any of claims 8-11, wherein the specified time period is a time period of specified duration that ends at the unit time immediately preceding the current time.
15. A cyber attack detection system comprising:
a memory; and
a processor coupled to the memory, the processor configured to perform the method of detecting cyber attacks according to any one of claims 8 to 14 based on instructions stored in the memory.
16. A computer-readable storage medium storing computer instructions which, when executed by a processor, implement a method of detecting a network attack as claimed in any one of claims 8 to 14.
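Claims 1 and 8 describe the dispatching and secondary counting stages. The following added example (illustrative code for this page, not the patent's implementation) shows why load balancing on the (source IP, destination IP) combination keeps every source's requests to a given destination on one counting unit, and why a secondary count over a single parameter is still needed. The unit count, the use of SHA-256 for the dispatch hash, the addresses, host and paths are constructed assumptions:

```python
import hashlib
from collections import Counter
from typing import Dict, Iterable, List, Optional, Set, Tuple

Request = Tuple[str, str, str, str]   # (src_ip, dst_ip, host, path)
N_UNITS = 4                           # assumed number of counting units
HOST, PATH, SRC_IP = 0, 1, 2          # positions in a counting unit's key


def unit_for(src_ip: str, dst_ip: str, n_units: int) -> int:
    """Load balancing on the (source IP, destination IP) combination.
    A digest is used instead of hash(): str hashing is salted per process,
    so hash() would re-shuffle the assignment after every restart."""
    digest = hashlib.sha256(f"{src_ip}|{dst_ip}".encode()).digest()
    return int.from_bytes(digest[:8], "big") % n_units


class Dispatcher:
    """Data dispatching unit plus its counting and interception counting units."""

    def __init__(self, n_units: int, blocked: Iterable[str]) -> None:
        # counting unit i: (host, path, src_ip) -> count within the period
        self.units: List[Counter] = [Counter() for _ in range(n_units)]
        self.intercepted: Counter = Counter()   # blocked src_ip -> count
        self.blocked: Set[str] = set(blocked)

    def dispatch(self, req: Request) -> Optional[int]:
        """Route one request; returns the counting unit index, or None when
        the source is already blocked and the request went to interception."""
        src, dst, host, path = req
        if src in self.blocked:
            self.intercepted[src] += 1
            return None
        idx = unit_for(src, dst, len(self.units))
        self.units[idx][(host, path, src)] += 1
        return idx


def secondary_count(units: List[Counter], param: int) -> Counter:
    """Secondary counting unit: fold every unit's (host, path, src_ip) counts
    onto one parameter of the combination (HOST, PATH or SRC_IP)."""
    agg: Counter = Counter()
    for unit in units:
        for key, n in unit.items():
            agg[key[param]] += n
    return agg


def sample_requests() -> List[Request]:
    """Constructed traffic, not real data: one source spreads 40 requests
    over 40 paths of the same host, a normal client sends 3 logins, and an
    already-blocked source sends 5 more."""
    reqs: List[Request] = [("203.0.113.7", "198.51.100.1", "shop.example.com", f"/p/{i}")
                           for i in range(40)]
    reqs += [("192.0.2.10", "198.51.100.1", "shop.example.com", "/login")] * 3
    reqs += [("203.0.113.99", "198.51.100.1", "shop.example.com", "/login")] * 5
    return reqs


def run_sample() -> Tuple[Dispatcher, Dict[str, Set[int]]]:
    """Dispatch the sample and record which units each source landed on."""
    d = Dispatcher(N_UNITS, blocked={"203.0.113.99"})
    placements: Dict[str, Set[int]] = {}
    for req in sample_requests():
        idx = d.dispatch(req)
        if idx is not None:
            placements.setdefault(req[0], set()).add(idx)
    return d, placements


if __name__ == "__main__":
    d, placements = run_sample()
    print("units per source:", placements)
    print("per host:", secondary_count(d.units, HOST))
    print("per source IP:", secondary_count(d.units, SRC_IP))
    print("intercepted:", d.intercepted)
```

Hashing on (source, destination) means a counting unit's per-source tallies for a destination are complete without any cross-unit merge, which is what lets it generate per-IP blocking rules locally. The price is that one Host/Path attacked from many sources is scattered across units, and a source that spreads its requests over many paths never builds a large count for any single (host, path) combination; the secondary count over one parameter (host or source IP here) collapses both cases. Requests from an already-blocked source go to the interception counter only, so they neither inflate the counting units nor re-trigger rule generation.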

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610373881.0A CN107454039B (en) 2016-05-31 2016-05-31 Network attack detection system, method and computer readable storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201610373881.0A CN107454039B (en) 2016-05-31 2016-05-31 Network attack detection system, method and computer readable storage medium

Publications (2)

Publication Number Publication Date
CN107454039A CN107454039A (en) 2017-12-08
CN107454039B true CN107454039B (en) 2020-05-01

Family

ID=60485002

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610373881.0A Active CN107454039B (en) 2016-05-31 2016-05-31 Network attack detection system, method and computer readable storage medium

Country Status (1)

Country Link
CN (1) CN107454039B (en)

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108667505A (en) * 2018-04-20 2018-10-16 广州亿航智能技术有限公司 The data processing method and computer readable storage medium of UAV Communication link
CN109194612B (en) * 2018-07-26 2021-05-18 北京计算机技术及应用研究所 Network attack detection method based on deep belief network and SVM
CN109547416A (en) * 2018-10-30 2019-03-29 扬州凤凰网络安全设备制造有限责任公司 Physical level security server
CN111241543B (en) * 2020-01-07 2021-03-02 中国搜索信息科技股份有限公司 Method and system for intelligently resisting DDoS attack by application layer
CN111741021B (en) * 2020-08-03 2020-11-24 北京翼鸥教育科技有限公司 Detection and protection system for CC attack access service cluster
CN113810358A (en) * 2021-02-05 2021-12-17 京东科技控股股份有限公司 Access limiting method, device, computer equipment and storage medium
CN114389856A (en) * 2021-12-23 2022-04-22 南京理工大学 Network attack detection system

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103916389A (en) * 2014-03-19 2014-07-09 汉柏科技有限公司 Method for preventing HttpFlood attack and firewall
CN104137513A (en) * 2012-09-17 2014-11-05 华为技术有限公司 Protection method and device against attacks
CN104243209A (en) * 2014-09-10 2014-12-24 赛尔网络有限公司 IP address content provider label coverage statistics method

Family Cites Families (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1527543A (en) * 2003-03-06 2004-09-08 华为技术有限公司 Network access controlling method based on virtual LAN
CN100403726C (en) * 2003-12-01 2008-07-16 华为技术有限公司 Method for realizing IPv6 message flow sorting
US10015140B2 (en) * 2005-02-03 2018-07-03 International Business Machines Corporation Identifying additional firewall rules that may be needed
CN102932380B (en) * 2012-11-30 2016-06-29 网宿科技股份有限公司 The distributed preventing malicious attack method and system of content-based distribution network
CN103152284B (en) * 2013-03-18 2016-06-01 神州数码网络(北京)有限公司 A kind of router multipath exports method and the router of intelligent load equilibrium
CN104125313B (en) * 2014-07-11 2017-12-08 广州华多网络科技有限公司 Network voting method and apparatus
CN105471882A (en) * 2015-12-08 2016-04-06 中国电子科技集团公司第三十研究所 Behavior characteristics-based network attack detection method and device

Also Published As

Publication number Publication date
CN107454039A (en) 2017-12-08

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20221019

Address after: Room 431E, 4/F, Transportation Bureau Building, No. 95, Yingbin Avenue, Huacheng Street, Huadu District, Guangzhou, Guangdong 510800

Patentee after: Guangzhou Huadu Jingdong Smart City Digital Technology Co.,Ltd.

Address before: 100080 Haidian District, Beijing, 65 Xing Shu Kou Road, 11C, west section of the western part of the building, 1-4 stories West 1-4 story.

Patentee before: BEIJING JINGDONG SHANGKE INFORMATION TECHNOLOGY Co.,Ltd.

Patentee before: BEIJING JINGDONG CENTURY TRADING Co.,Ltd.