CN107528859A - DDoS attack defense method and device - Google Patents

DDoS attack defense method and device

Publication number
CN107528859A
Authority
CN
China
Legal status
Granted
Application number
CN201710908810.0A
Other languages
Chinese (zh)
Other versions
CN107528859B (en)
Inventor
刘文辉
陈裕涛
何坤
张磊
Current Assignee
Nsfocus Technologies Inc
Nsfocus Technologies Group Co Ltd
Original Assignee
NSFOCUS Information Technology Co Ltd
Beijing NSFocus Information Security Technology Co Ltd
Application filed by NSFOCUS Information Technology Co Ltd, Beijing NSFocus Information Security Technology Co Ltd
Priority to CN201710908810.0A
Publication of CN107528859A
Application granted
Publication of CN107528859B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1458 Denial of Service
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection

Abstract

The invention discloses a DDoS attack defense method and device for improving the accuracy with which bot users are distinguished from the user population, so that an effective protection policy can be applied. The DDoS attack defense method includes: determining at least one behavior correlation degree set for each user, where one behavior correlation degree set includes the behavior correlation degrees between one behavior of a user's interaction with a server and each of the other behaviors, and a behavior correlation degree indicates the degree of association between that behavior and any one of the other behaviors; determining at least one interval range from the behavior correlation degrees included in the at least one behavior correlation degree set, one behavior correlation degree set corresponding to one interval range; and, within a preset time period, if it is determined that none of the behavior correlation degrees of a first user falls within the interval range corresponding to the behavior correlation degree set to which it belongs, blocking the IP address of the first user.

Description

DDoS attack defense method and device
Technical field
The present invention relates to the technical field of network security, and in particular to a DDoS attack defense method and device.
Background
A distributed denial of service (Distributed Denial of Service, DDoS) attack is a form of network attack. It typically uses a group of bots as the attack platform, or uses special attack software to send seemingly legitimate service requests to the victim host, to occupy a large share of the server's resources. This causes network congestion or exhausts server resources, so that the server refuses service to legitimate users. A bot can be regarded as a computer device that has been infected with a Trojan and can be controlled remotely.
Because the behavior of a bot group in a DDoS attack has a certain similarity to the behavior of normal users, conventional DDoS defense methods, such as analyzing and verifying the behavior of the attacker's protocol stack or watermarking algorithms, cannot separate bot users from normal users. As a result the protection algorithm performs poorly or even fails, causing huge economic losses to the service provider.
Therefore, how to distinguish bot users from normal users, extract bot users from the user population promptly and accurately, and apply protection against them in time is a very urgent problem.
Summary of the invention
The embodiments of the present invention provide a DDoS attack defense method and device for improving the accuracy with which bot users are distinguished from the user population, so that an effective protection policy can be applied.
In a first aspect, an embodiment of the present invention provides a DDoS attack defense method, which includes:
determining at least one behavior correlation degree set for each user, where one behavior correlation degree set includes the behavior correlation degrees between one behavior of a user's interaction with a server and each of the other behaviors, and a behavior correlation degree indicates the degree of association between that behavior and any one of the other behaviors;
determining at least one interval range from the behavior correlation degrees included in the at least one behavior correlation degree set, where one behavior correlation degree set corresponds to one interval range, and the interval range indicates the preset fluctuation range of the behavior correlation degrees between one behavior of the user's interaction with the server and each of the other behaviors;
within a preset time period, if it is determined that none of the behavior correlation degrees of a first user falls within the interval range corresponding to the behavior correlation degree set to which it belongs, blocking the Internet Protocol (IP) address of the first user.
Optionally, determining at least one behavior correlation degree set for each user includes:
obtaining at least one behavior feature parameter of each user interacting with the server, where a behavior feature parameter indicates a behavior of the user's interaction with the server;
normalizing each of the at least one behavior feature parameter;
determining, from each normalized behavior feature parameter, at least one behavior correlation degree of each user by the following formula:
where cov(x, y) is the behavior correlation degree between two behaviors, x is the value of one behavior feature parameter, y is the value of another behavior feature parameter, is the average value of x in the preset time period, is the average value of y in the preset time period, n is the number of kinds of the user's behaviors, s_x is the standard deviation of x, and s_y is the standard deviation of y.
Optionally, determining at least one interval range from the behavior correlation degrees included in the at least one behavior correlation degree set includes:
obtaining, in turn, the maximum and minimum of the behavior correlation degrees in each of the at least one behavior correlation degree set;
taking the range formed by the maximum and the minimum in each behavior correlation degree set as the interval range of that behavior correlation degree set.
Optionally, blocking the Internet Protocol (IP) address of the first user includes:
if it is determined that none of the behavior correlation degrees of the first user falls within the interval range corresponding to the behavior correlation degree set to which it belongs, determining, from the behavior correlation degrees of the first user, multiple durations for blocking the IP address of the first user, each behavior correlation degree of the first user corresponding to one duration;
determining a first duration from the multiple durations, and blocking the IP address of the first user for the first duration;
where each duration is determined by the following formula:
where Time is the first duration, e is a constant, n is the number of the at least one behavior correlation degree set, and x_i is the difference between the i-th behavior correlation degree of the first user and the corresponding interval range, that difference being the difference between the i-th behavior correlation degree and the maximum or the minimum of the corresponding interval range.
Optionally, determining the first duration from the multiple durations includes:
taking any one of the multiple durations as the first duration;
or taking the longest of the multiple durations as the first duration.
Optionally, the defense method further includes:
within the preset time period, if every behavior correlation degree of the first user falls within the interval range corresponding to the behavior correlation degree set to which it belongs, recording at least one behavior feature parameter of the first user;
re-determining at least one behavior correlation degree of the first user from the recorded behavior feature parameters;
updating the re-determined behavior correlation degrees into the at least one behavior correlation degree set.
Optionally, the behavior feature parameters include the duration of the user's access to the server, the frequency of preset behaviors in the user's interaction with the server, and the frequency with which the user inputs information.
In a second aspect, an embodiment of the present invention provides a DDoS attack defense device, which includes:
a first determining module, configured to determine at least one behavior correlation degree set for each user, where one behavior correlation degree set includes the behavior correlation degrees between one behavior of a user's interaction with a server and each of the other behaviors, and a behavior correlation degree indicates the degree of association between that behavior and any one of the other behaviors;
a second determining module, configured to determine at least one interval range from the behavior correlation degrees included in the at least one behavior correlation degree set, where one behavior correlation degree set corresponds to one interval range, and the interval range indicates the preset fluctuation range of the behavior correlation degrees between one behavior of the user's interaction with the server and each of the other behaviors;
a blocking module, configured to block the Internet Protocol (IP) address of a first user if, within a preset time period, it is determined that none of the behavior correlation degrees of the first user falls within the interval range corresponding to the behavior correlation degree set to which it belongs.
Optionally, the first determining module is specifically configured to:
obtain at least one behavior feature parameter of each user interacting with the server, where a behavior feature parameter indicates a behavior of the user's interaction with the server;
normalize each of the at least one behavior feature parameter;
determine, from each normalized behavior feature parameter, at least one behavior correlation degree of each user by the following formula:
where cov(x, y) is the behavior correlation degree between two behaviors, x is the value of one behavior feature parameter, y is the value of another behavior feature parameter, is the average value of x in the preset time period, is the average value of y in the preset time period, n is the number of kinds of the user's behaviors, s_x is the standard deviation of x, and s_y is the standard deviation of y.
Optionally, the second determining module is specifically configured to:
obtain, in turn, the maximum and minimum of the behavior correlation degrees in each of the at least one behavior correlation degree set;
take the range formed by the maximum and the minimum in each behavior correlation degree set as the interval range of that behavior correlation degree set.
Optionally, the blocking module is specifically configured to:
if it is determined that none of the behavior correlation degrees of the first user falls within the interval range corresponding to the behavior correlation degree set to which it belongs, determine, from the behavior correlation degrees of the first user, multiple durations for blocking the IP address of the first user, each behavior correlation degree of the first user corresponding to one duration;
determine a first duration from the multiple durations, and block the IP address of the first user for the first duration;
where each duration is determined by the following formula:
where Time is the first duration, e is a constant, n is the number of the at least one behavior correlation degree set, and x_i is the difference between the i-th behavior correlation degree of the first user and the corresponding interval range, that difference being the difference between the i-th behavior correlation degree and the maximum or the minimum of the corresponding interval range.
Optionally, the blocking module is further configured to:
take any one of the multiple durations as the first duration;
or take the longest of the multiple durations as the first duration.
Optionally, the defense device further includes an update module, which is configured to:
within the preset time period, if every behavior correlation degree of the first user falls within the interval range corresponding to the behavior correlation degree set to which it belongs, record at least one behavior feature parameter of the first user;
re-determine at least one behavior correlation degree of the first user from the recorded behavior feature parameters;
update the re-determined behavior correlation degrees into the at least one behavior correlation degree set.
Optionally, the behavior feature parameters include the duration of the user's access to the server, the frequency of preset behaviors in the user's interaction with the server, and the frequency with which the user inputs information.
In a third aspect, an embodiment of the present invention further provides a computer apparatus that includes a processor. When executing a computer program stored in a memory, the processor implements the steps of any of the defense methods provided in the first aspect.
In a fourth aspect, an embodiment of the present invention provides a computer-readable storage medium on which a computer program is stored. When executed by a processor, the computer program implements the steps of any of the defense methods provided in the first aspect.
The embodiments of the present invention provide a new DDoS attack defense method. The method determines the behavior correlation degrees between one behavior of a user's interaction with the server and the other behaviors, and from them determines the preset fluctuation range of those behavior correlation degrees, that is, the user's everyday behavior habits. If a behavior correlation degree of the user lies within the corresponding preset fluctuation range, this can be taken to be how the user habitually behaves. Therefore, if within a preset time period none of the user's behavior correlation degrees lies within its corresponding preset fluctuation range, the user's interaction with the server can be considered different from the user's usual habits, i.e. completely different from usual behavior, and it can be concluded that an illegitimate user is using the user's account to carry out a DDoS attack on the server. Bot users can thus be identified, which improves the accuracy of determining a DDoS attack, and an effective protection policy, such as blocking the user's IP address, can then be applied.
Brief description of the drawings
Fig. 1 is a flow chart of the DDoS attack defense method provided by an embodiment of the present invention;
Fig. 2 is a schematic structural diagram of a DDoS attack defense device provided by an embodiment of the present invention;
Fig. 3 is a schematic structural diagram of a computer apparatus provided by an embodiment of the present invention.
Detailed description of the embodiments
To make the objects, technical solutions and advantages of the present invention clearer, the technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings.
Because a bot group has a certain similarity to normal users, or consists of infected normal users, the packets it sends are no different from normal traffic. Ordinary defense methods therefore cannot identify the DDoS attack and cannot defend against it in time.
In view of this, the embodiments of the present invention provide a new DDoS attack defense method. The method determines the behavior correlation degrees between one behavior of a user's interaction with the server and the other behaviors. If a behavior correlation degree of the user lies within the corresponding preset fluctuation range, this can be taken to be how the user habitually behaves. Therefore, if within a preset time period none of the user's behavior correlation degrees lies within its corresponding preset fluctuation range, the user's interaction with the server can be considered different from the user's usual habits, and the user may have been infected and turned into a bot. In other words, infected users are distinguished from the user population according to users' everyday behavior habits, and these infected users are then blocked by IP.
The technical solution provided by the embodiments of the present invention is described in detail below with reference to the drawings.
Referring to Fig. 1, an embodiment of the present invention provides a DDoS attack defense method, which can be performed by any electronic device. The flow of the defense method is as follows:
S101: Determine at least one behavior correlation degree set for each user, where one behavior correlation degree set includes the behavior correlation degrees between one behavior of a user's interaction with the server and each of the other behaviors, and a behavior correlation degree indicates the degree of association between that behavior and any one of the other behaviors;
S102: Determine at least one interval range from the behavior correlation degrees included in the at least one behavior correlation degree set, where one behavior correlation degree set corresponds to one interval range, and the interval range indicates the preset fluctuation range of the behavior correlation degrees between one behavior of the user's interaction with the server and each of the other behaviors;
S103: Within a preset time period, if it is determined that none of the behavior correlation degrees of a first user falls within the interval range corresponding to the behavior correlation degree set to which it belongs, block the IP address of the first user.
The behavior correlation degree is the degree of association between two behaviors of a user's interaction with the server. It can be understood as the degree of association between one behavior of the user's interaction with the server and any one of the other behaviors. The behaviors of a user's interaction with the server differ with the application the server supports. For example, if the server supports a chess and card game, the behaviors may include the user inputting chat messages, the user playing a card, or the user switching rooms. If the server supports a role-playing game (Role-playing game, RPG), the behaviors may include selecting a hero, the speed of releasing skills, and so on.
The behavior correlation degree is introduced below using a server that supports a chess and card game as an example. Suppose a user plays a chess and card game. The behaviors of this user's interaction with the server may include inputting chat messages, switching rooms and playing cards. If the user inputs chat messages at a high frequency, the user is probably enjoying the game, is likely to play more cards, and is less likely to switch rooms. The behavior correlation degrees of this user can therefore be considered to include the degree of association between inputting chat messages and switching rooms, the degree of association between inputting chat messages and playing cards, and the degree of association between playing cards and switching rooms.
Because one behavior of a user's interaction with the server has a degree of association with each of several other behaviors, the embodiment of the present invention groups the behavior correlation degrees between one behavior of a user's interaction with the server and each of the other behaviors into one set, the behavior correlation degree set. In general, for the same application supported by the server, a user's habits in interacting with the server change little. That is, the behavior correlation degrees between any one behavior of the user's interaction with the server and the other behaviors change little, so the fluctuation range of the maximum or minimum in the corresponding behavior correlation degree set is small. In the embodiment of the present invention, the fluctuation range corresponding to a behavior correlation degree set is also called the interval range. The interval range can indicate the preset fluctuation range of the behavior correlation degrees between one behavior of the user's interaction with the server and each of the other behaviors. If, over a period of time, every behavior correlation degree between each behavior of a user's interaction with the server and the other behaviors lies within the corresponding interval range, i.e. the user's behavior correlation degrees lie within the preset fluctuation range, the user's behaviors can be considered normal: this is simply how the user habitually accesses the server. Conversely, if within a certain time none of the user's behavior correlation degrees lies within the corresponding interval range, the user's interaction with the server differs from the user's usual habits and the user may have been infected. So once it is detected that none of the user's behavior correlation degrees lies within the corresponding preset fluctuation range, the server may be under a DDoS attack, and defense against the DDoS attack can begin.
The DDoS attack defense method provided by the embodiment of the present invention compares a user's current behavior correlation degrees with the same user's earlier behavior correlation degrees, and judges from the comparison whether the user is carrying out a DDoS attack on the server, so that DDoS attacks are defended against in time.
The embodiment of the present invention can determine each behavior correlation degree of a legitimate user over a period of time, and thereby determine at least one behavior correlation degree set, each of which corresponds to one interval range. The embodiment can obtain at least one behavior feature parameter of each user interacting with the server and determine each behavior correlation degree from the obtained behavior feature parameters. A behavior feature parameter can indicate a behavior of the user's interaction with the server, and one user corresponds to at least one behavior feature parameter. For example, if the server supports a chess and card game, the behaviors of the user's interaction with the server can include the user playing a card or making a move, the user switching rooms, the user inputting chat messages, and so on. The behavior feature parameters can include the duration of the user's access to the server, the frequency of preset behaviors in the user's interaction with the server, and the frequency with which the user inputs information. The preset behaviors can be set according to the kind of application the server supports. For example, if the server supports a chess and card game, the preset behaviors can include the user playing a card or making a move, the user switching rooms, and so on.
How the embodiment of the present invention obtains at least one behavior feature parameter of a user is described below.
The behavior of a user's interaction with the server depends on the time of day. For example, if the server supports a game application, a user may interact with the server more often and show more behaviors in the evening, and interact less often and show fewer behaviors in the morning. If the behavior correlation degree between each pair of the user's behaviors were determined from the behaviors observed in only one particular time period, accuracy would clearly be low.
In view of this, the embodiment of the present invention can obtain at least one behavior feature parameter of at least one user interacting with the server according to the correlation between user behavior and time, and determine the behavior correlation degree between each pair of behaviors from the obtained behavior feature parameters. In a possible implementation, the embodiment obtains at least one behavior feature parameter of at least one user interacting with the server within a preset time period T. The preset time period is a period set in advance that, as far as possible, includes at least one occurrence of each of the behaviors with which at least one user interacts with the server in each part of the day. For example, users generally interact with the server more often and show more behaviors in the evening, and interact less often and show fewer behaviors in the morning, or may not interact with the server at all in the morning. The preset time period T can therefore be 1 day, as long as it includes, as far as possible, at least one occurrence of each of the behaviors in each part of the day, so as to avoid time-related errors as far as possible. The preset time period T can of course take other values, which are not enumerated here. In a specific implementation, the embodiment can use traffic mirroring: the data flow produced by the user's interaction with the server is mirrored to obtain the data flow sent to the server. This data flow generally includes the user's Internet Protocol (IP) address, the duration of the user's access to the server, the number of preset behaviors in the user's interaction with the server, and the number of times the user inputs information. The embodiment can use the obtained number of preset behaviors and number of information inputs as behavior feature parameters directly, or convert them into the corresponding frequencies and use those as behavior feature parameters.
The number of behaviors in a user's interaction with the server differs between the periods within the preset time period. For example, users generally interact with the server more often and show more behaviors in the evening, and interact less often and show fewer behaviors in the morning, or may not interact with the server at all in the morning. If the behavior feature parameters of the user's interaction with the server were obtained over the whole preset time period, the data flow to be obtained would be large and the computation needed to extract the behavior feature parameters from it would also be large, increasing the burden on the electronic device.
In view of this, the embodiment of the present invention can divide the preset time period into multiple periods, for example a period from 11 a.m. to 1 p.m., a noon period, an afternoon period, a morning period and an evening period, choose some of these periods, and obtain the behavior feature parameters of at least one user interacting with the server only within the chosen periods. For example, users generally interact with the server more often in the noon period and the evening period, so the behaviors of the user's interaction with the server are also more numerous then. The behavior correlation degree between each pair of a user's behaviors can therefore be determined from the user's interaction with the server in these two periods. Only the data flow sent to the server in the noon period and the evening period then needs to be obtained, so the computation needed to extract the behavior feature parameters is smaller and the burden on the electronic device is reduced. The division of the preset time period given here is only an example. How many periods it is divided into, and the length of each period, can be set according to the actual situation, and the embodiment of the present invention places no restriction on this.
After obtaining the at least one behavior feature parameter, the embodiment of the present invention can determine at least one behavior correlation degree of the user. Specifically, each behavior feature parameter can be normalized so that all of them are brought into the same frame of reference and no behavior feature parameter distorts another. Then, from the normalized behavior feature parameters, at least one behavior correlation degree of each user is determined by formula (1).
$$\operatorname{cov}(x, y) = \frac{\sum_{i=1}^{n} \left( \frac{x_i - \bar{x}}{s_x} \right) \left( \frac{y_i - \bar{y}}{s_y} \right)}{n - 1} \tag{1}$$
In formula (1), cov(x, y) is the behavior correlation degree between two kinds of behavior, and n is the number of kinds of behavior of the user. For example, if the behaviors of the user's interaction with the server are the user accessing the server, preset behaviors of interacting with the server such as playing cards and switching rooms, and the user inputting information, then there are 4 kinds of behavior and n is 4. x is the value of one behavior feature parameter and y is the value of another. For example, if one behavior of a user is playing cards and another is switching rooms, and the user plays cards at 10 times/minute and switches rooms at 3 times/hour, then x is 10 times/minute and y is 3 times/hour. $\bar{x}$ is the average of x in the preset time period, $\bar{y}$ is the average of y in the preset time period, $s_x$ is the standard deviation of x, and $s_y$ is the standard deviation of y.
Formula (1) gives the behavior correlation degree between any two behaviors of a user. Using formula (1), the embodiment of the present invention can determine the behavior correlation degree between the user's first kind of behavior and each of the other kinds of behavior, and so on, until it has determined the behavior correlation degree between every one of the user's behaviors and each of the other kinds of behavior.
After determining, for every behavior of each user, its behavior correlation degree with each of the other kinds of behavior, the embodiment of the present invention can group the results by kind of behavior into at least one behavior correlation degree set for each user, and then determine the interval range corresponding to each behavior correlation degree set from the multiple behavior correlation degrees that the set contains.
For one behavior correlation degree set, the embodiment of the present invention can obtain the maximum and minimum of the behavior correlation degrees in the set, that is, the maximum and minimum of the behavior correlation degrees between one behavior of the user and each of the other kinds of behavior. The range formed by the maximum and the minimum can be defined as the interval range of the behavior correlation degree set. A user's habits usually change little, so the maximum and minimum can be taken as approximate end values of the interval range. But a user's habits are not fixed, and even the maximum and minimum fluctuate. Taking this into account, one end value of the interval range in the embodiment of the present invention can be the sum of the maximum and the standard deviation of the maximum, and the other end value can be the difference between the minimum and the standard deviation of the minimum. The standard deviation characterizes the error of a behavior correlation degree. The standard deviation of the maximum can be calculated by formula (2).
Here σ is the standard deviation, S is the value of the first behavior feature parameter, μ is the average of S in the preset time period, and N is the number of kinds of behavior of the user.
By traversing every behavior correlation degree set in this way, the embodiment of the present invention determines the interval range corresponding to each set, that is, at least one interval range. Each interval range represents one behavioral habit of the user's interaction with the server, so the at least one interval range describes the user's habits of interacting with the server. If the user is infected and used to launch a DDoS attack on the server, the infected user's interaction habits will differ from those of the normal user; that is, some or all of the user's behavior correlation degrees may fall outside the corresponding interval ranges. Therefore the embodiment of the present invention can, within the preset time period, monitor all behavior correlation degrees of any user to determine whether the user is an illegitimate user, that is, whether the server is under DDoS attack, and so defend against the DDoS attack in time. How the embodiment of the present invention defends against a DDoS attack is described below, taking one user as an example.
All behavior correlation degrees of the first user are monitored. For each of them, it is checked whether it lies within the interval range corresponding to the behavior correlation degree set it belongs to. If it does, the first user's behavior can be considered probably normal. If it does not, the first user's behavior can be considered probably abnormal, and the first user may be infected. Therefore, if the embodiment of the present invention detects that every behavior correlation degree of the first user lies outside the interval range corresponding to the set it belongs to, or that one or more preset behavior correlation degrees of the first user lie outside the interval ranges corresponding to the sets they belong to, it can conclude that the first user's interaction with the server is abnormal and that the user is probably infected. The IP address of the infected user can then be blocked to forbid the first user from accessing the server, which achieves the purpose of defending against the DDoS attack.
The embodiment of the present invention can block the first user's IP address for a first duration. The first duration can be determined from some or all of the first user's behavior correlation degrees and the interval ranges corresponding to the behavior correlation degree sets they belong to. A duration can be obtained for any one of the first user's behavior correlation degrees, calculated by formula (3).
$$Time = Te^{\sum_{i=1}^{n} x_i} \tag{3}$$
In formula (3), Time is the duration, e is a constant, namely the base of the natural logarithm, n is the number of behavior correlation degree sets, and $x_i$ is the difference between the i-th behavior correlation degree of the first user and the corresponding interval range, that is, the difference between the i-th behavior correlation degree and the maximum or minimum of the corresponding interval range. For example, if the i-th behavior correlation degree of the first user is less than the minimum of the corresponding interval range, the difference is the absolute value of the difference between the i-th behavior correlation degree and that minimum. If the i-th behavior correlation degree of the first user is greater than the maximum of the corresponding interval range, the difference is the difference between the i-th behavior correlation degree and that maximum.
Formula (3) yields a duration for each of the first user's behavior correlation degrees, that is, multiple durations. The first duration can be any one of these durations. Alternatively, it can be the longest of them, so that the illegitimate user's IP address stays blocked as long as possible and the DDoS attack is defended against thoroughly.
Calculating the durations for all of the first user's behavior correlation degrees involves considerable computation and may burden the electronic device. In a possible implementation, the embodiment of the present invention therefore calculates the durations only for some of the behavior correlation degrees, to reduce the burden on the electronic device. These can be preset behavior correlation degrees. For example, if the behavior correlation degree between the first and second kinds of behavior of the first user largely characterizes the first user's behavioral habits, the preset behavior correlation degree can be that one. As another example, if the behavior correlation degree between the first and second kinds of behavior, together with the behavior correlation degree between the third and fourth kinds of behavior, largely characterizes the first user's behavioral habits, the preset behavior correlation degrees can be those two.
If, within the preset time period, the embodiment of the present invention determines that every behavior correlation degree of the first user lies within the interval range corresponding to the set it belongs to, the first user is a legitimate user and is not infected. Because a user's habits of interacting with the server may change, the first user's behavior feature parameters can be recorded at this point, the first user's behavior correlation degrees redetermined from the recorded parameters, and the redetermined behavior correlation degrees written into the behavior correlation degree sets. This redetermines the first user's habits of interacting with the server, so that subsequent detection of illegitimate users takes the first user's updated behavior correlation degree sets as its baseline, which improves detection accuracy.
The embodiments of the present invention provide a new method of defending against DDoS attacks: determine the behavior correlation degree between each behavior of a user's interaction with the server and the other behaviors, and from these determine the user's usual habits of interacting with the server. If, within the preset time period, every behavior correlation degree of the user lies outside the preset fluctuation range corresponding to it, the user's interaction with the server differs from the usual habits and the user may be infected. The method thus accounts for DDoS attacks launched from normal users after they are infected, which improves the accuracy of identifying a DDoS attack; the user's IP address can then be blocked to defend against the DDoS attack in time.
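The method described above, as an added Python example that is not code from the patent: it computes formula (1) for every pair of behavior features, builds each set's interval range, checks a monitored window against those ranges and derives a block time from formula (3). The feature names, the sample series, the 60-second base time T, taking n as the number of samples per series, and using the spread of each set as the interval margin are assumptions made for the example.

```python
import math
from itertools import permutations
from statistics import mean, pstdev, stdev

BASE_BLOCK_SECONDS = 60.0  # assumption: T in formula (3) is a base blocking time


def normalize(series):
    """Min-max scale one feature series to [0, 1]; a constant series becomes zeros."""
    lo, hi = min(series), max(series)
    if hi == lo:
        return [0.0] * len(series)
    return [(v - lo) / (hi - lo) for v in series]


def correlation(xs, ys):
    """Formula (1): sum of products of standardized deviations, divided by n - 1."""
    sx, sy = stdev(xs), stdev(ys)
    if sx == 0 or sy == 0:
        # Edge case: a constant series (a client that never types, or acts at a
        # fixed rate) has no defined correlation. Choice made here: report 0.0.
        return 0.0
    mx, my = mean(xs), mean(ys)
    total = sum(((x - mx) / sx) * ((y - my) / sy) for x, y in zip(xs, ys))
    return total / (len(xs) - 1)


def correlation_sets(window):
    """For each behavior, its correlation with every other behavior in this window."""
    norm = {name: normalize(series) for name, series in window.items()}
    sets = {name: {} for name in norm}
    for a, b in permutations(norm, 2):
        sets[a][b] = correlation(norm[a], norm[b])
    return sets


def build_profile(baseline):
    """One interval range per correlation set: [min - sigma, max + sigma]."""
    profile = {}
    for name, corr in correlation_sets(baseline).items():
        values = list(corr.values())
        sigma = pstdev(values)  # assumption: spread of the set is used as the margin
        profile[name] = (min(values) - sigma, max(values) + sigma)
    return profile


def excess(value, interval):
    """Distance by which a correlation lies outside its interval (0.0 if inside)."""
    lo, hi = interval
    if value < lo:
        return lo - value
    if value > hi:
        return value - hi
    return 0.0


def evaluate(profile, window, monitored=None, base=BASE_BLOCK_SECONDS):
    """Return (blocked, seconds). Block only if every monitored correlation is out of range."""
    current = correlation_sets(window)
    pairs = monitored or [(a, b) for a in profile for b in current[a]]
    per_set = {}
    for a, b in pairs:
        per_set.setdefault(a, []).append(excess(current[a][b], profile[a]))
    if not all(x > 0 for xs in per_set.values() for x in xs):
        return False, 0.0
    # Formula (3) evaluated per set; the longest duration is used as the block time.
    return True, max(base * math.exp(sum(xs)) for xs in per_set.values())


# Constructed samples: six observation slots per feature for one user.
BASELINE = {
    "access_minutes": [30, 45, 60, 40, 55, 35],
    "play_per_min": [8, 11, 15, 10, 13, 9],
    "input_per_min": [4, 6, 9, 6, 8, 5],
}
# Constructed infected client: actions no longer track session length, no typing.
FLOOD = {
    "access_minutes": [2, 9, 3, 8, 4, 7],
    "play_per_min": [300, 120, 280, 150, 260, 170],
    "input_per_min": [0, 0, 0, 0, 0, 0],
}
# Constructed partial deviation: only the input feature changes.
MIXED = {**BASELINE, "input_per_min": [0, 0, 0, 0, 0, 0]}

if __name__ == "__main__":
    profile = build_profile(BASELINE)
    for label, window in (("baseline", BASELINE), ("flood", FLOOD), ("mixed", MIXED)):
        print(label, evaluate(profile, window))
```

The `MIXED` window is not blocked under the all-correlations rule but is blocked when `monitored` is restricted to the access/input pair, which is the "preset behavior correlation degrees" variant in the text.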
The device provided by the embodiment of the present invention is described below with reference to the accompanying drawings.
Referring to Fig. 2, based on the same inventive concept, an embodiment of the present invention provides a DDoS attack defense device comprising a first determining module 201, a second determining module 202 and a blocking module 203. The first determining module 201 is used to determine at least one behavior correlation degree set of each user; one behavior correlation degree set contains the behavior correlation degrees between one behavior of a user's interaction with the server and each of the other kinds of behavior, and a behavior correlation degree indicates the degree of association between one behavior and any one of the other kinds of behavior. The second determining module 202 can be used to determine at least one interval range from the multiple behavior correlation degrees contained in the at least one behavior correlation degree set; each behavior correlation degree set corresponds to one interval range, which indicates the preset fluctuation range of the behavior correlation degrees between one behavior of the user's interaction with the server and each of the other kinds of behavior. The blocking module 203 can be used to block the IP address of the first user if, within the preset time period, it is determined that every behavior correlation degree of the first user lies outside the interval range corresponding to the behavior correlation degree set it belongs to.
Optionally, the first determining module 201 can specifically be used to:
obtain at least one behavior feature parameter of each user interacting with the server, where a behavior feature parameter indicates a behavior of the user's interaction with the server;
normalize each of the at least one behavior feature parameter;
determine, from the normalized behavior feature parameters, at least one behavior correlation degree of each user by the following formula:
$$\operatorname{cov}(x, y) = \frac{\sum_{i=1}^{n} \left( \frac{x_i - \bar{x}}{s_x} \right) \left( \frac{y_i - \bar{y}}{s_y} \right)}{n - 1}$$
where cov(x, y) is the behavior correlation degree between two kinds of behavior, x is the value of one behavior feature parameter, y is the value of another behavior feature parameter, $\bar{x}$ is the average of x in the preset time period, $\bar{y}$ is the average of y in the preset time period, n is the number of kinds of behavior of the user, $s_x$ is the standard deviation of x, and $s_y$ is the standard deviation of y.
Optionally, the second determining module 202 can specifically be used to:
obtain, in turn, the maximum and minimum of the behavior correlation degrees in each behavior correlation degree set of the at least one behavior correlation degree set;
define the range formed by the maximum and the minimum in each behavior correlation degree set as the interval range of that set.
Optionally, the blocking module 203 can specifically be used to:
if it is determined that every behavior correlation degree of the first user lies outside the interval range corresponding to the behavior correlation degree set it belongs to, determine from the first user's behavior correlation degrees multiple durations for blocking the first user's IP address, each behavior correlation degree of the first user corresponding to one duration;
determine the first duration from the multiple durations, and block the first user's IP address for the first duration;
where each duration is determined by the following formula:
$$Time = Te^{\sum_{i=1}^{n} x_i}$$
where Time is the first duration, e is a constant, n is the number of behavior correlation degree sets, and $x_i$ is the difference between the i-th behavior correlation degree of the first user and the corresponding interval range, that is, the difference between the i-th behavior correlation degree and the maximum or minimum of the corresponding interval range.
Optionally, the blocking module 203 can also be used to:
define any one of the multiple durations as the first duration;
or define the longest of the multiple durations as the first duration.
Optionally, the defense device also includes an update module 204, which can be used to:
within the preset time period, if every behavior correlation degree of the first user lies within the interval range corresponding to the behavior correlation degree set it belongs to, record at least one behavior feature parameter of the first user;
redetermine at least one behavior correlation degree of the first user from the recorded behavior feature parameters;
update the at least one behavior correlation degree set with the redetermined behavior correlation degrees.
Optionally, the behavior feature parameters include the duration for which the user accesses the server, the frequency of the preset behaviors of the user's interaction with the server, and the frequency with which the user inputs information.
The device can be used to perform the method provided by the embodiment shown in Fig. 1. For the functions that each functional module of the device can implement, refer to the description of the embodiment shown in Fig. 1; they are not repeated here.
Referring to Fig. 3, an embodiment of the present invention also provides a computer apparatus comprising a processor 301 which, when executing a computer program stored in a memory, implements the steps of the DDoS attack defense method shown in Fig. 1 provided by the embodiment of the present invention.
Optionally, the processor 301 may specifically be a central processing unit, an application-specific integrated circuit (ASIC), one or more integrated circuits for controlling program execution, a hardware circuit developed using a field-programmable gate array (FPGA), or a baseband processor.
Optionally, the processor 301 may include at least one processing core.
Optionally, the computer apparatus also includes a memory 302, which may include read-only memory (ROM), random access memory (RAM) and disk storage. The memory 302 stores the data the processor 301 needs when running. There may be one or more memories 302. The memory 302 is shown in Fig. 3, but it should be understood that it is not an essential functional module and is therefore drawn with a dashed line in Fig. 3.
It is apparent to those skilled in the art that, for convenience and brevity of description, only the above division of functional modules is used as an example. In practice, the functions can be assigned to different functional modules as needed, that is, the internal structure of the device can be divided into different functional modules to perform all or part of the functions described above. For the specific working processes of the systems, devices and units described above, refer to the corresponding processes in the foregoing method embodiments; they are not repeated here.
In the several embodiments provided by the present invention, it should be understood that the disclosed devices and methods can be implemented in other ways. For example, the device embodiments described above are only illustrative: the division into modules or units is only a division by logical function, and other divisions are possible in an actual implementation; for example, multiple units or components can be combined or integrated into another system, or some features can be omitted or not performed. In addition, the couplings, direct couplings or communication connections shown or discussed can be indirect couplings or communication connections through interfaces, devices or units, and can be electrical, mechanical or of other forms.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; they can be located in one place or distributed over multiple network elements. Some or all of the units can be selected according to actual needs to achieve the purpose of the scheme of the embodiment.
In addition, the functional units in the embodiments of the present application can be integrated in one processing unit, each unit can exist physically on its own, or two or more units can be integrated in one unit. The integrated unit can be implemented in the form of hardware or in the form of a software functional unit.
If the integrated unit is implemented in the form of a software functional unit and is sold or used as an independent product, it can be stored in a computer-readable storage medium. Based on this understanding, the technical scheme of the present application in essence, or the part that contributes to the prior art, or all or part of the technical scheme, can be embodied in the form of a software product. The computer software product is stored in a storage medium and includes instructions that cause a computer device (which can be a personal computer, a server, a network device or the like) or a processor to perform all or part of the steps of the methods described in the embodiments of the present application. The storage medium includes any medium that can store program code, such as a USB flash drive (Universal Serial Bus flash disk), a removable hard disk, read-only memory (ROM), random access memory (RAM), a magnetic disk or an optical disc.
Obviously, those skilled in the art can make various changes and modifications to the present invention without departing from its spirit and scope. If these changes and modifications fall within the scope of the claims of the present invention and their technical equivalents, the present invention is intended to include them as well.

Claims (16)

  1. A method of defending against a distributed denial of service (DDoS) attack, characterized by comprising:
    determining at least one behavior correlation degree set of each user; wherein one behavior correlation degree set comprises the behavior correlation degrees between one behavior of a user's interaction with a server and each of the other kinds of behavior, and the behavior correlation degree indicates the degree of association between the one behavior and any one of the other kinds of behavior;
    determining at least one interval range according to the multiple behavior correlation degrees comprised in the at least one behavior correlation degree set; wherein one behavior correlation degree set corresponds to one interval range, and the interval range indicates a preset fluctuation range of the behavior correlation degrees between one behavior of the user's interaction with the server and each of the other kinds of behavior;
    within a preset time period, if it is determined that each behavior correlation degree among all behavior correlation degrees of a first user is not within the interval range corresponding to the behavior correlation degree set to which that behavior correlation degree belongs, blocking the Internet Protocol (IP) address of the first user.
  2. The defense method of claim 1, characterized in that determining at least one behavior correlation degree set of each user comprises:
    obtaining at least one behavior feature parameter of each user interacting with the server; wherein the behavior feature parameter indicates a behavior of the user's interaction with the server;
    normalizing each behavior feature parameter of the at least one behavior feature parameter;
    determining, according to each normalized behavior feature parameter, at least one behavior correlation degree of each user by the following formula:
    $$\operatorname{cov}(x, y) = \frac{\sum_{i=1}^{n} \left( \frac{x_i - \bar{x}}{s_x} \right) \left( \frac{y_i - \bar{y}}{s_y} \right)}{n - 1}$$
    wherein cov(x, y) is the behavior correlation degree between two kinds of behavior, x is the value of one behavior feature parameter, y is the value of another behavior feature parameter, $\bar{x}$ is the average of x in the preset time period, $\bar{y}$ is the average of y in the preset time period, n is the number of kinds of behavior of the user, $s_x$ is the standard deviation of x, and $s_y$ is the standard deviation of y.
  3. The defense method of claim 1, characterized in that determining at least one interval range according to the multiple behavior correlation degrees comprised in the at least one behavior correlation degree set comprises:
    obtaining, in turn, the maximum and minimum of the behavior correlation degrees in each behavior correlation degree set of the at least one behavior correlation degree set;
    defining the range formed by the sum of the maximum and the standard deviation, together with the minimum and the standard deviation, in each behavior correlation degree set as the interval range of that behavior correlation degree set.
  4. The defense method of any one of claims 1-3, characterized in that blocking the Internet Protocol (IP) address of the first user comprises:
    if it is determined that each behavior correlation degree among all behavior correlation degrees of the first user is not within the interval range corresponding to the behavior correlation degree set to which that behavior correlation degree belongs, determining, according to the behavior correlation degrees of the first user, multiple durations for blocking the IP address of the first user, each behavior correlation degree of the first user corresponding to one duration;
    determining a first duration according to the multiple durations, and blocking the IP address of the first user for the first duration;
    wherein each duration is determined by the following formula:
    $$Time = Te^{\sum_{i=1}^{n} x_i}$$
    wherein Time is the first duration, e is a constant, n is the number of the at least one behavior correlation degree set, and $x_i$ is the difference between the i-th behavior correlation degree of the first user and the corresponding interval range, the difference being the difference between the i-th behavior correlation degree and the maximum or minimum of the corresponding interval range.
  5. The defense method of claim 4, characterized in that determining the first duration according to the multiple durations comprises:
    defining any one of the multiple durations as the first duration;
    or defining the longest of the multiple durations as the first duration.
  6. The defense method of claim 4 or 5, characterized in that the defense method further comprises:
    within the preset time period, if each behavior correlation degree among all behavior correlation degrees of the first user is within the interval range corresponding to the behavior correlation degree set to which it belongs, recording at least one behavior feature parameter of the first user;
    redetermining at least one behavior correlation degree of the first user according to the recorded at least one behavior feature parameter;
    updating the at least one behavior correlation degree set with the redetermined at least one behavior correlation degree.
  7. The defense method of claim 6, characterized in that the behavior feature parameters comprise the duration for which the user accesses the server, the frequency of the preset behaviors of the user's interaction with the server, and the frequency with which the user inputs information.
  8. A device for defending against a distributed denial of service (DDoS) attack, characterized by comprising:
    a first determining module, for determining at least one behavior correlation degree set of each user; wherein one behavior correlation degree set comprises the behavior correlation degrees between one behavior of a user's interaction with a server and each of the other kinds of behavior, and the behavior correlation degree indicates the degree of association between the one behavior and any one of the other kinds of behavior;
    a second determining module, for determining at least one interval range according to the multiple behavior correlation degrees comprised in the at least one behavior correlation degree set; wherein one behavior correlation degree set corresponds to one interval range, and the interval range indicates a preset fluctuation range of the behavior correlation degrees between one behavior of the user's interaction with the server and each of the other kinds of behavior;
    a blocking module, for blocking the Internet Protocol (IP) address of a first user if, within a preset time period, it is determined that each behavior correlation degree among all behavior correlation degrees of the first user is not within the interval range corresponding to the behavior correlation degree set to which that behavior correlation degree belongs.
  9. The defense device of claim 8, characterized in that the first determining module is specifically used for:
    obtaining at least one behavior feature parameter of each user interacting with the server; wherein the behavior feature parameter indicates a behavior of the user's interaction with the server;
    normalizing each behavior feature parameter of the at least one behavior feature parameter;
    determining, according to each normalized behavior feature parameter, at least one behavior correlation degree of each user by the following formula:
    $$\operatorname{cov}(x, y) = \frac{\sum_{i=1}^{n} \left( \frac{x_i - \bar{x}}{s_x} \right) \left( \frac{y_i - \bar{y}}{s_y} \right)}{n - 1}$$
    wherein cov(x, y) is the behavior correlation degree between two kinds of behavior, x is the value of one behavior feature parameter, y is the value of another behavior feature parameter, $\bar{x}$ is the average of x in the preset time period, $\bar{y}$ is the average of y in the preset time period, n is the number of kinds of behavior of the user, $s_x$ is the standard deviation of x, and $s_y$ is the standard deviation of y.
  10. The defensive equipment as claimed in claim 8, characterized in that the second determining module is specifically configured to:
    obtain, in turn, the maximum and the minimum of the behavior degrees of correlation in each behavior degree of correlation set of the at least one behavior degree of correlation set;
    define the range formed by the maximum and the minimum in each behavior degree of correlation set as the interval range of that behavior degree of correlation set.
  11. The defensive equipment as claimed in any one of claims 8-10, characterized in that the blocking module is specifically configured to:
    if it is determined that each behavior degree of correlation among all behavior degrees of correlation of the first user is not within the interval range corresponding to the behavior degree of correlation set in which that behavior degree of correlation is located, determine, according to the behavior degrees of correlation of the first user, multiple durations for blocking the IP address of the first user, each behavior degree of correlation of the first user corresponding to one duration;
    determine a first duration according to the multiple durations, and block the IP address of the first user for the first duration;
    wherein each duration is determined by the following formula:
    $$\mathrm{Time} = T e^{\sum_{i=1}^{n} x_i}$$
    wherein Time is the first duration, e is a constant, n is the number of the at least one behavior degree of correlation set, and $x_i$ is the difference between the i-th behavior degree of correlation of the first user and the corresponding interval range, that difference being the difference between the i-th behavior degree of correlation and the maximum or the minimum of the corresponding interval range.
  12. The defensive equipment as claimed in claim 11, characterized in that the blocking module is further configured to:
    define any one duration among the multiple durations as the first duration;
    or define the longest duration among the multiple durations as the first duration.
  13. The defensive equipment as claimed in claim 11 or 12, characterized in that the defensive equipment further includes an update module, the update module being configured to:
    within the preset time period, if each behavior degree of correlation among all behavior degrees of correlation of the first user is within the interval range corresponding to the behavior degree of correlation set in which it is located, record at least one behavioral characteristic parameter of the first user;
    redetermine at least one behavior degree of correlation of the first user according to the recorded at least one behavioral characteristic parameter;
    update the redetermined at least one behavior degree of correlation into the at least one behavior degree of correlation set.
  14. The defensive equipment as claimed in claim 13, characterized in that the behavioral characteristic parameters include the duration of the user's access to the server, the frequency of the user's preset behavior of interacting with the server, and the frequency with which the user inputs information.
  15. A computer device, characterized in that the device includes a processor, the processor being configured to implement the steps of the method as claimed in any one of claims 1-7 when executing a computer program stored in a memory.
  16. A computer-readable storage medium on which a computer program is stored, characterized in that the computer program, when executed by a processor, implements the steps of the method as claimed in any one of claims 1-7.
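The correlation formula, the min/max interval ranges and the exponential blocking duration of claims 8-12, worked through in Python as an added example (not code from the patent). Assumptions: n is taken as the number of paired samples in the window, x_i is the distance to the nearest interval bound, T is a base duration of 60 seconds because the claim leaves T undefined, the function names are hypothetical, and the sample series are constructed.

```python
import math
from itertools import combinations
from statistics import mean, stdev

def correlation(x, y):
    """Claim 9 formula; n is taken as the number of paired samples (assumption)."""
    sx, sy = stdev(x), stdev(y)
    if sx == 0 or sy == 0:
        return 0.0  # assumption: a constant series is treated as uncorrelated
    mx, my = mean(x), mean(y)
    return sum((a - mx) / sx * (b - my) / sy for a, b in zip(x, y)) / (len(x) - 1)

def user_correlations(params):
    """{behavior: samples} -> {(behavior_a, behavior_b): degree of correlation}."""
    return {(a, b): correlation(params[a], params[b])
            for a, b in combinations(sorted(params), 2)}

def interval_ranges(users):
    """Claim 10: each pair's interval is (min, max) over the recorded users."""
    sets = {}
    for params in users:
        for pair, c in user_correlations(params).items():
            sets.setdefault(pair, []).append(c)
    return {pair: (min(v), max(v)) for pair, v in sets.items()}

def excess(c, lo, hi):
    """Distance of c beyond the nearest bound of [lo, hi]; 0.0 when inside."""
    return lo - c if c < lo else c - hi if c > hi else 0.0

def block_duration(params, ranges, T=60.0):
    """Claims 8 and 11: None unless every correlation is out of range,
    otherwise T * e^(sum of x_i). T (seconds) is an assumed base duration."""
    xs = [excess(c, *ranges[p]) for p, c in user_correlations(params).items()]
    if any(x == 0.0 for x in xs):
        return None
    return T * math.exp(sum(xs))

# Constructed samples over one window: act = preset-action frequency,
# dur = access duration in seconds, inp = information-input frequency.
BASELINE = [
    {"act": [1, 2, 3], "dur": [30, 60, 90], "inp": [1, 3, 2]},
    {"act": [1, 2, 3], "dur": [30, 90, 60], "inp": [1, 2, 3]},
]
BOT = {"act": [3, 2, 1], "dur": [30, 60, 90], "inp": [1, 2, 3]}
MIXED = {"act": [1, 2, 3], "dur": [90, 60, 30], "inp": [1, 3, 2]}

if __name__ == "__main__":
    ranges = interval_ranges(BASELINE)
    print(ranges, block_duration(BOT, ranges), block_duration(MIXED, ranges))
```

The `MIXED` user has one correlation inside its interval, so the "each behavior degree of correlation is out of range" condition of claim 8 is not met and no block is issued.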
CN201710908810.0A 2017-09-29 2017-09-29 Defense method and device for DDoS attack Active CN107528859B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710908810.0A CN107528859B (en) 2017-09-29 2017-09-29 Defense method and device for DDoS attack

Publications (2)

Publication Number Publication Date
CN107528859A true CN107528859A (en) 2017-12-29
CN107528859B CN107528859B (en) 2020-07-10

Family

ID=60683953

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710908810.0A Active CN107528859B (en) 2017-09-29 2017-09-29 Defense method and device for DDoS attack

Country Status (1)

Country Link
CN (1) CN107528859B (en)

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20150049659A1 (en) * 2007-06-26 2015-02-19 Blackberry Limited System and method for conserving power for a wireless device while maintaining a connection to a network
CN103916365A (en) * 2012-12-31 2014-07-09 西门子公司 Method and apparatus for exporting and verifying network behavioral characteristics of malicious code
US20140283085A1 (en) * 2013-03-14 2014-09-18 TechGuard Security, L.L.C. Internet protocol threat prevention
CN104519031A (en) * 2013-09-30 2015-04-15 西门子公司 Method and device for detecting malicious network behaviors
CN103944919A (en) * 2014-05-06 2014-07-23 浙江大学城市学院 Wireless multi-step attack mode excavation method for WLAN
CN105208040A (en) * 2015-10-12 2015-12-30 北京神州绿盟信息安全科技股份有限公司 Network attack detection method and device

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111241543A (en) * 2020-01-07 2020-06-05 中国搜索信息科技股份有限公司 Method and system for intelligently resisting DDoS attack by application layer
CN112003873A (en) * 2020-08-31 2020-11-27 成都安恒信息技术有限公司 HTTP (hyper text transport protocol) traffic defense method and system for resisting DDoS (distributed denial of service) attack
CN112003873B (en) * 2020-08-31 2022-04-19 成都安恒信息技术有限公司 HTTP (hyper text transport protocol) traffic defense method and system for resisting DDoS (distributed denial of service) attack

Also Published As

Publication number Publication date
CN107528859B (en) 2020-07-10

Similar Documents

Publication Publication Date Title
US8370389B1 (en) Techniques for authenticating users of massive multiplayer online role playing games using adaptive authentication
Cox, Jr Game theory and risk analysis
CN104836781B (en) Distinguish the method and device for accessing user identity
Wu et al. On modeling and simulation of game theory-based defense mechanisms against DoS and DDoS attacks
CN107465648A (en) The recognition methods of warping apparatus and device
CN109078333B (en) Method and device for matching game friends
CN107465651A (en) Network attack detecting method and device
US20140157415A1 (en) Information security analysis using game theory and simulation
CN106302534B (en) A kind of method and system of detection and processing illegal user
CN107666473A (en) The method and controller of a kind of attack detecting
CN105897674A (en) DDoS attack protection method applied to CDN server group and system
CN110213208A (en) A kind of method and apparatus and storage medium of processing request
CN107517200B (en) Malicious crawler defense strategy selection method for Web server
CN110381041B (en) Distributed denial of service attack situation detection method and device
Liu et al. A decentralized cloud firewall framework with resources provisioning cost optimization
CN109589607A (en) A kind of game anti-cheating method and game anti-cheating system based on block chain
CN106850687A (en) Method and apparatus for detecting network attack
CN106850509A (en) Method for network access control and device
CN107395553A (en) A kind of detection method and device of network attack
CN107528859A (en) The defence method and equipment of a kind of ddos attack
CN108632634A (en) A kind of providing method and device of direct broadcast service
Boumkheld et al. Honeypot type selection games for smart grid networks
Rashidi et al. Android fine-grained permission control system with real-time expert recommendations
CN110365637A (en) Internetbank login detecting method, device, electronic equipment and storage medium
Abulaish et al. Socialbots: Impacts, threat-dimensions, and defense challenges

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CP01 Change in the name or title of a patent holder

Address after: 100089 Beijing city Haidian District Road No. 4 North wa Yitai three storey building

Patentee after: NSFOCUS Technologies Group Co.,Ltd.

Patentee after: NSFOCUS TECHNOLOGIES Inc.

Address before: 100089 Beijing city Haidian District Road No. 4 North wa Yitai three storey building

Patentee before: NSFOCUS INFORMATION TECHNOLOGY Co.,Ltd.

Patentee before: NSFOCUS TECHNOLOGIES Inc.
