CN107528859A - The defence method and equipment of a kind of ddos attack - Google Patents
The defence method and equipment of a kind of ddos attack Download PDFInfo
- Publication number
- CN107528859A CN107528859A CN201710908810.0A CN201710908810A CN107528859A CN 107528859 A CN107528859 A CN 107528859A CN 201710908810 A CN201710908810 A CN 201710908810A CN 107528859 A CN107528859 A CN 107528859A
- Authority
- CN
- China
- Prior art keywords
- behavior
- correlation
- user
- degree
- mrow
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/1458—Denial of Service
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
Abstract
The invention discloses a kind of defence method of ddos attack and equipment, distinguishes the degree of accuracy of broiler chicken user from customer group for improving, and then makes effective prevention policies.The defence method of ddos attack therein includes:It is determined that at least one behavior degree of correlation set of each user, wherein, the behavior degree of correlation between other kind of behavior, the behavior degree of correlation are used to indicate a kind of correlation degree of behavior respectively between any one behavior in other kind of behavior respectively for a kind of behavior of one behavior degree of correlation set including a user and server interaction;The multiple behavior degrees of correlation included according at least one behavior degree of correlation set determine at least one interval range, the corresponding interval range of a behavior degree of correlation set;In preset time period, however, it is determined that each behavior degree of correlation in all behavior degrees of correlation of the first user in interval range, is not then closing the IP address of the first user corresponding to behavior degree of correlation set where each behavior degree of correlation.
Description
Technical field
The present invention relates to technical field of network security, the defence method and equipment of more particularly to a kind of ddos attack.
Background technology
Distributed denial of service (Distributed Denial of Service, DDoS) attack is a kind of network attack
Mode, sent using special attack Software tool generally by the use of broiler chicken group as Attack Platform or to victim host and seem reasonable
Service request take the ample resources of server, so as to cause network congestion or server resource exhausts and causes server
Refusal service validated user.Broiler chicken, which may be considered, has suffered trojan horse, can be by the computer equipment of remote control.
Due to broiler chicken group's ddos attack, there is certain similitude in the behavior with normal users, cause conventional DDoS to defend
Method, such as the behavior of analysis checking attacker's protocol stack, watermarking algorithm etc. can not separate broiler chicken user from normal users
Come, so as to cause to protect the protection effect of algorithm undesirable, or even failure, huge economic loss is caused to service provider.
Therefore, broiler chicken user and normal users how are distinguished, broiler chicken user is timely and accurately extracted simultaneously from customer group
It is a very urgent and urgent thing that protection is timely carried out to it..
The content of the invention
The embodiment of the present invention provides a kind of defence method and equipment of ddos attack, is distinguished for improving from customer group
The degree of accuracy of broiler chicken user, and then make effective prevention policies.
In a first aspect, one embodiment of the invention provides a kind of defence method of ddos attack, the defence method includes:
It is determined that at least one behavior degree of correlation set of each user;Wherein, a behavior degree of correlation set includes
A kind of behavior of one user and server interaction behavior degree of correlation between other kind of behavior respectively, the behavior degree of correlation
For indicating a kind of correlation degree of the behavior respectively between any one behavior in other kind of behavior;
At least one section model is determined according to multiple behavior degrees of correlation that at least one behavior degree of correlation set includes
Enclose;Wherein, the corresponding interval range of a behavior degree of correlation set, the interval range are used for instruction user and the service
A kind of default fluctuation range of behavior behavior degree of correlation between other kind of behavior respectively of device interaction;
In preset time period, however, it is determined that each behavior degree of correlation in all behavior degrees of correlation of the first user does not exist
Where each behavior degree of correlation the internet of first user is then closed corresponding to behavior degree of correlation set in interval range
Protocol IP address.
Optionally, it is determined that at least one behavior degree of correlation set of each user, including:
Obtain at least one cybernetics control number with each user of the server interaction;Wherein, the behavior is special
Levy parameter and be used for instruction user and the behavior of the server interaction;
Every kind of cybernetics control number at least one cybernetics control number is normalized;
According to every kind of cybernetics control number after normalization, each user is determined at least by equation below
One behavior degree of correlation:
Wherein, cov (x, y) is the behavior degree of correlation between two kinds of behaviors, and x is a kind of value of cybernetics control number, and y is another
A kind of value of cybernetics control number,For the average value of x in preset time period,For the average value of y in preset time period, n is use
The quantity of the species of the behavior at family, wherein sxFor x standard deviation, syFor y standard deviation.
Optionally, the multiple behavior degrees of correlation included according at least one behavior degree of correlation set determine at least one
Interval range, including:
The behavior obtained successively in each behavior degree of correlation set at least one behavior degree of correlation set is related
The maximum and minimum value of degree;
The scope that the maximum in each behavior degree of correlation set and the minimum value are formed is defined as institute
State the interval range of each behavior degree of correlation set.
Optionally, the Internet protocol IP address of first user is closed, including:
If it is determined that each behavior degree of correlation in all behavior degrees of correlation of the first user is not in each behavior phase
Corresponding to behavior degree of correlation set where Guan Du in interval range, then determine to close according to the behavior degree of correlation of first user
Multiple durations of the IP address of first user, the corresponding duration of each behavior degree of correlation of first user;
First duration is determined according to the multiple duration, and with closing in first duration IP of first user
Location;
Wherein, each duration is determined by below equation:
Wherein, Time is the first duration, and e is constant, and n is the quantity of at least one behavior degree of correlation set, xiTo be described
I-th of behavior degree of correlation of first user and the difference of corresponding interval range, the difference be i-th behavior degree of correlation with it is described
The maximum of corresponding interval range or the difference of minimum value.
Optionally, the first duration is determined according to the multiple duration, including:
Any one duration in the multiple duration is defined as first duration;
Or, the most long duration in the multiple duration is defined as first duration.
Optionally, the defence method also includes:
In the preset time period, if each behavior degree of correlation in all behavior degrees of correlation of first user is equal
At least one behavioural characteristic of first user in interval range, is then being recorded corresponding to place behavior degree of correlation set
Parameter;
At least one behavior of first user is redefined according at least one cybernetics control number of record
The degree of correlation;
At least one behavior degree of correlation redefined is updated at least one behavior degree of correlation set.
Optionally, the cybernetics control number includes duration, user and the server that user accesses the server
The frequency of interactive default behavior and user input the frequency of information.
Second aspect, one embodiment of the invention provide a kind of defensive equipment of ddos attack, and the defensive equipment includes:
First determining module, for determining at least one behavior degree of correlation set of each user;Wherein, a row
It is related to include behavior of the user to a kind of behavior of server interaction respectively between other kind of behavior for degree of correlation set
Degree, the behavior degree of correlation are used to indicate a kind of behavior respectively between any one behavior in other kind of behavior
Correlation degree;
Second determining module, multiple behavior degrees of correlation for being included according at least one behavior degree of correlation set are true
Fixed at least one interval range;Wherein, the corresponding interval range of a behavior degree of correlation set, the interval range are used to refer to
Show a kind of default fluctuation model of behavior of user and server interaction behavior degree of correlation between other kind of behavior respectively
Enclose;
Module is closed, in preset time period, however, it is determined that each row in all behavior degrees of correlation of the first user
Corresponding to behavior degree of correlation set in interval range, then closed described not where each behavior degree of correlation for the degree of correlation
The Internet protocol IP address of first user.
Optionally, first determining module is specifically used for:
Obtain at least one cybernetics control number with each user of the server interaction;Wherein, the behavior is special
Levy parameter and be used for instruction user and the behavior of the server interaction;
Every kind of cybernetics control number at least one cybernetics control number is normalized;
According to every kind of cybernetics control number after normalization, each user is determined at least by equation below
One behavior degree of correlation:
Wherein, cov (x, y) is the behavior degree of correlation between two kinds of behaviors, and x is a kind of value of cybernetics control number, and y is another
A kind of value of cybernetics control number,For the average value of x in preset time period,For the average value of y in preset time period, n is use
The quantity of the species of the behavior at family, wherein sxFor x standard deviation, syFor y standard deviation.
Optionally, second determining module is specifically used for:
The behavior obtained successively in each behavior degree of correlation set at least one behavior degree of correlation set is related
The maximum and minimum value of degree;
The scope that the maximum in each behavior degree of correlation set and the minimum value are formed is defined as institute
State the interval range of each behavior degree of correlation set.
Optionally, the module of closing is specifically used for:
If it is determined that each behavior degree of correlation in all behavior degrees of correlation of the first user is not in each behavior phase
Corresponding to behavior degree of correlation set where Guan Du in interval range, then determine to close according to the behavior degree of correlation of first user
Multiple durations of the IP address of first user, the corresponding duration of each behavior degree of correlation of first user;
First duration is determined according to the multiple duration, and with closing in first duration IP of first user
Location;
Wherein, each duration is determined by below equation:
Wherein, Time is the first duration, and e is constant, and n is the quantity of at least one behavior degree of correlation set, xiTo be described
I-th of behavior degree of correlation of first user and the difference of corresponding interval range, the difference be i-th behavior degree of correlation with it is described
The maximum of corresponding interval range or the difference of minimum value.
Optionally, the module of closing is additionally operable to:
Any one duration in the multiple duration is defined as first duration;
Or, the most long duration in the multiple duration is defined as first duration.
Optionally, the defensive equipment also includes update module, and the update module is used for:
In the preset time period, if each behavior degree of correlation in all behavior degrees of correlation of first user is equal
At least one behavioural characteristic of first user in interval range, is then being recorded corresponding to place behavior degree of correlation set
Parameter;
At least one behavior of first user is redefined according at least one cybernetics control number of record
The degree of correlation;
At least one behavior degree of correlation redefined is updated at least one behavior degree of correlation set.
Optionally, the cybernetics control number includes duration, user and the server that user accesses the server
The frequency of interactive default behavior and user input the frequency of information.
The third aspect, one embodiment of the invention also provide a kind of computer installation, and the computer installation includes processor,
The processor is realized in the defence method provided such as first aspect when being used to perform the computer program stored in memory appoints
The step of one methods described.
Fourth aspect, one embodiment of the invention provide a kind of computer-readable recording medium, are stored thereon with computer
Program, method any one of the defence method provided such as first aspect is realized when the computer program is executed by processor
The step of.
The embodiments of the invention provide a kind of defence method of new ddos attack, by determining a user and server
The behavior degree of correlation between interactive a kind of behavior and other behaviors, and then determine a kind of behavior of the user and server interaction
The default fluctuation range of the behavior degree of correlation between other kind of behavior respectively, that is, the daily behavior custom of user, if
Certain behavior degree of correlation of user is in corresponding default fluctuation range, then it is considered that the usually behavioural habits of the user are exactly this
Sample.Therefore, if in preset time period, each behavior degree of correlation in all behavior degrees of correlation of the user is not in each row
To preset ripple scope corresponding to the degree of correlation, then it is considered that the behavior of the user and server interaction and usual behavioural habits are not
Together, i.e. the behavioural habits of the user are completely different from usual behavior, it is believed that are that disabled user utilizes the account of the user to clothes
Business device carries out ddos attack.Broiler chicken user is so assured that, that is, improves the accuracy rate for determining ddos attack, now can be with
Effective prevention policies are made, such as close the IP address of the user.
Brief description of the drawings
Fig. 1 is the flow chart of the defence method of ddos attack provided in an embodiment of the present invention;
Fig. 2 is a kind of structural representation of the defensive equipment of ddos attack provided in an embodiment of the present invention;
Fig. 3 is a kind of structural representation of computer installation provided in an embodiment of the present invention.
Embodiment
For the object, technical solutions and advantages of the present invention are more clearly understood, below in conjunction with the embodiment of the present invention
Accompanying drawing, the technical scheme in the embodiment of the present invention is clearly and completely described.
Because broiler chicken group and normal users have certain similitude or infected normal users, cause its transmission
Packet be not different with normal discharge, so as to cause in general defence method None- identified to go out ddos attack, and then can not
It is on the defensive in time for ddos attack
In consideration of it, the embodiments of the invention provide a kind of defence method of new ddos attack, the defence method passes through true
The behavior degree of correlation between a fixed user and a kind of behavior and other behaviors of server interaction, if certain behavior of user
The degree of correlation is in corresponding default fluctuation range, then it is considered that so the usually behavioural habits of the user are exactly.Therefore, if pre-
If in the period, each behavior degree of correlation in all behavior degrees of correlation of the user is not corresponding to each behavior degree of correlation
Default ripple scope, then it is considered that the user is different with usual behavioural habits from the behavior of server interaction, then the user
Broiler chicken may be infected into.Daily behavior i.e. according to user is accustomed to, and infected user, Ran Houzhen are distinguished from customer group
User is infected to these means are closed using IP, it is closed.
Technical scheme provided in an embodiment of the present invention is described in detail with reference to Figure of description.
Fig. 1 is referred to, one embodiment of the invention provides a kind of defence method of ddos attack, and the defence method can lead to
Any electronic equipment is crossed to perform.The flow of the defence method is described as follows:
S101:It is determined that at least one behavior degree of correlation set of each user, wherein, a behavior degree of correlation set includes
The behavior degree of correlation between other kind of behavior, the behavior degree of correlation are used for respectively for a kind of behavior of one user and server interaction
Indicate a kind of correlation degree of behavior respectively between any one behavior in other kind of behavior;
S102:The multiple behavior degrees of correlation included according at least one behavior degree of correlation set determine at least one section model
Enclose, wherein, the corresponding interval range of behavior degree of correlation set, interval range is used for instruction user and server interaction
A kind of default fluctuation range of the behavior behavior degree of correlation between other kind of behavior respectively;
S103:In preset time period, however, it is determined that each behavior degree of correlation in all behavior degrees of correlation of the first user
Not corresponding to behavior degree of correlation set where each behavior degree of correlation in interval range, then with closing the IP of the first user
Location.
The behavior degree of correlation refers to the correlation degree between user and two behaviors of server interaction, it can be understood as user
A kind of behavior with server interaction correlation degree between any one behavior in other kind of behavior respectively.Certainly, take
The application that business device is supported is different, and the behavior of user and server interaction is also different.For example, what if server was supported
Using being chess and card games, then the behavior of user and server interaction comes in handy the behavior of family input chat message, user
The behavior played a card or user switch the behavior in room.If the application that server is supported is RPG (Role-
Playing game, RPG), then the behavior of user and server interaction may have the behavior of selection hero, discharge the speed of technical ability
Behavior of degree etc..
Below the behavior degree of correlation is introduced so that the application of server support is object for appreciation chess and card games as an example.A for example, user
Play chess and card games, then the behavior of this user and server interaction come in handy family input chat message behavior, use
The behavior that the behavior in family switching room, user play a card, if the frequency that user inputs chat message is higher, then the user may
Have a wonderful time, the number played a card may be more, and the possibility for switching room is just smaller.So it is considered that the row that user includes
There is user to input the associated degree of the behavior of chat message and the behavior in user's switching room, user's input chat for the degree of correlation
The associated degree of the behavior of information and behavior that user plays a card, the behavior that user plays a card and user switch the phase of the behavior in room
Correlation degree.
Because user and a kind of behavior of server interaction are real all in the presence of associated degree, the present invention with a variety of behaviors respectively
Applying example can be by a kind of behavior of a user and server interaction behavior degree of correlation division between other kind of behavior respectively
For a set, i.e. behavior degree of correlation set.Generally, the same application supported for server, a user
It is little with the behavioural habits change of server interaction, that is, any one behavior of the user and server interaction and other kinds
The change of the behavior degree of correlation between behavior is little, i.e., the maximum or the ripple of minimum value that corresponding behavior degree of correlation set includes
Dynamic scope is smaller.Fluctuation range corresponding to behavior degree of correlation set is also referred to as interval range, section model in the embodiment of the present invention
Enclose and can serve to indicate that a kind of the pre- of behavior of user and server interaction behavior degree of correlation between other kind of behavior respectively
If fluctuation range.If each behavior in a period of time in a variety of behaviors of a user and server interaction respectively with its
He plants each behavior degree of correlation of behavior in corresponding interval range, i.e., multiple behavior degrees of correlation of the user are in default ripple
In dynamic scope, it is believed that multiple behaviors of the user are normal, and the behavioural habits that the user accesses the server are exactly such as
This.If on the contrary, each degree of correlation in multiple behavior degrees of correlation of the user within certain time is not in corresponding area
Between in the range of, that is, the user is different from the behavior of server interaction and the usually behavioural habits of the user, then the user
It may be infected, therefore once detect each degree of correlation in multiple behavior degrees of correlation of the user not corresponding default
Fluctuation, then be probably that server receives ddos attack, now can is on the defensive to ddos attack.
The defence method for the ddos attack that the embodiment of the present invention is provided is exactly by by multiple behavior phases of a user
Whether Guan Du judges this user to server compared with multiple behavior degrees of correlation before the user, according to comparative result
Ddos attack is carried out, with timely defending DDoS (Distributed Denial of Service) attacks.
The embodiment of the present invention can determine each behavior degree of correlation of the validated user within a period of time, so that it is determined that at least
One behavior degree of correlation set, the corresponding interval range of each behavior degree of correlation set.The embodiment of the present invention can obtain with
At least one cybernetics control number of each user of server interaction, determined according at least one cybernetics control number of acquisition
Each behavior degree of correlation.Cybernetics control number can serve to indicate that the behavior of user and server interaction, and a user corresponds to extremely
A kind of few cybernetics control number.For example, if the application that server is supported is chess and card games, then user hands over server
Mutual behavior can go out the behavior of one card or next step chess including user, user switches the behavior in room, user's input is chatted
Behavior of its information etc..Cybernetics control number can include the pre- of the duration of user access server, user and server interaction
If the frequency of behavior and user input the frequency of information.The default behavior of user and server interaction in the embodiment of the present invention can
It is correspondingly arranged with the species for the application supported according to server, if for example, the application that server is supported is swum for chess category
Play, then default behavior can include user and go out the behavior of one card or next step chess, the behavior in user's switching room etc..
At least one the cybernetics control number how embodiment of the present invention obtains user is described below.
Because the behavior of user and server interaction has time response, if for example, the application that server is supported is
Game class application, then the number that possible user interacts with server at night is more, and behavior is also more, may be in the morning
The number interacted with server is less, and behavior is also less.If by obtaining a user and service in certain time period
The behavior of device interaction determines the behavior degree of correlation between the behavior two-by-two of the user, it is clear that accuracy rate is relatively low.
In consideration of it, the embodiment of the present invention can be obtained with server interaction extremely according to user behavior and the correlation of time
At least one cybernetics control number of a few user, and behavior two-by-two is determined by least one cybernetics control number of acquisition
Between the behavior degree of correlation.In possible embodiment, the embodiment of the present invention can be obtained in preset time period T and server
At least one cybernetics control number of interactive at least one user.Wherein, preset time period can be one set in advance
Period, at least occur once in the various actions of each period and server interaction including at least one user as far as possible.
For example, generally, user and the number that server interacts are more at night, and behavior is also more, in the morning user and server
The number interacted is less, and behavior is also less, also may not interacted with server in morning user.So preset time period
T can be 1 day, as long as at least one user can be included in the various actions of each period and server interaction at least as far as possible
Occur once, to avoid the error come due to time-bands as far as possible.Certainly, preset time period T can also be that other are possible
Value, just differ one schematically illustrates here.In the specific implementation, the embodiment of the present invention can be by the way of traffic mirroring, i.e., to user
With server interaction caused by data flow carry out the mode of mirror image and obtain and flow to the data flow of server, the data flow is generally wrapped
Internet protocol (Internet Protocol, IP) address, the user access server duration of user is included, user hands over server
The number of mutual default behavior and user input the number of information.The embodiment of the present invention can be by acquired user and server
The number of interactive default behavior and user input the number of information as cybernetics control number, can also be by acquired user
The number that information is inputted with the number of the default behavior of server interaction and user is converted into corresponding frequency as behavioural characteristic
Parameter.
Because the quantity of the behavior of user and server interaction in the different periods in preset time period is poor
It is different.For example, generally, user and the number that server interacts are more at night, and behavior is also more, user and service in the morning
The number that device interacts is less, and behavior is also less, also may not interacted with server in morning user.If that obtain
At least one cybernetics control number of the interior user with server interaction of preset time period, it is clear that obtain the data for flowing to server
It is also larger to flow the amount of calculation of larger at least one cybernetics control number in extraction data flow, adds the burden of electronic equipment.
In consideration of it, preset time period can be divided into multiple periods by the embodiment of the present invention, such as it is divided into the period of the day from 11 a.m. to 1 p.m
It is section, period at noon, afternoon hours, period in morning, middle out of this multiple periods to choose some periods the period in the evening, only obtain
At least one cybernetics control number of interior at least one user with server interaction of some periods.For example, generally at noon when
Section, user and the number of server interaction more the period in the evening, then the behavior of user and server interaction is also more.Therefore can
To determine the row between the behavior two-by-two of the user by the behavior of a user and server interaction in the two periods
For the degree of correlation.So only need acquisition period at noon, to flow to the data flow of server the period in the evening, carried from the data flow of acquisition
Take the amount of calculation of at least one cybernetics control number just smaller, the burden of electronic equipment can be mitigated.It is right in the embodiment of the present invention
The division of preset time period is only citing, and as several periods are divided into, the duration of each period can be according to actual feelings
Condition is set, and the embodiment of the present invention is not restricted to this.
The embodiment of the present invention obtains at least one cybernetics control number can determine at least one behavior of user afterwards
The degree of correlation, every kind of cybernetics control number at least one cybernetics control number can be specifically normalized, will
At least one cybernetics control number is uniformly arrived under same referential, and so every kind of cybernetics control number is joined with other behavioural characteristics
Number does not influence each other.Then according to every kind of cybernetics control number after normalization, each user is determined at least by formula (1)
One behavior degree of correlation.
In formula (1), cov (x, y) is the behavior degree of correlation between two kinds of behaviors, and n is at least one behavior of user
Species quantity, the behavior of user and server interaction has user access server, user and server interaction to preset behavior,
Such as play a card and switch room, user input information, then the behavior of user and server interaction include 4 kinds, n is exactly 4.X is
A kind of value of cybernetics control number, y is the value of another cybernetics control number, for example, a kind of behavior of a user is to play a card,
Another behavior is switching room, and the frequency played a card of the user is 10 beats/min, switch the frequency in room for 3 times/when, that
X be 10 beats/min, y be 3 times/when.For the average value of x in preset time period,For the average value of y in preset time period,
Wherein sxFor x standard deviation, syFor y standard deviation.
The behavior degree of correlation between any two behavior of a user can be calculated by formula (1).It is of the invention real
The first behavior of user behavior phase with every kind of behavior of other kind of behavior respectively can be determined by formula (1) by applying example
Guan Du, the like, the embodiment of the present invention can determine any one behavior in all behaviors of user respectively with other kinds
Behavior degree of correlation of every kind of behavior in behavior etc..
The embodiment of the present invention determine any one behavior in all behaviors of each user respectively with other kind of behavior
In every kind of behavior the behavior degree of correlation after, can be according to the species of behavior, it is determined that at least one behavior phase of each user
Guan Du gathers, and then included according to each behavior degree of correlation set at least one behavior degree of correlation set of each user
Multiple behavior degrees of correlation determine interval range corresponding to each behavior degree of correlation set.
For a behavior degree of correlation set, the embodiment of the present invention can obtain behavior degree of correlation set include it is multiple
The maximum and minimum value of the behavior degree of correlation, that is, a certain behavior behavior phase between other kind of behavior respectively of user
Guan Du maximum and minimum value, the scope that the maximum of acquisition and minimum value are formed can be defined as behavior degree of correlation collection
The interval range of conjunction.As a rule, the custom conversion amplitude of user is smaller, and therefore, the embodiment of the present invention can be by acquisition most
Approximate two end values as interval range of big value and minimum value.But the custom of user is not unalterable, even
Maximum and minimum value are also to have fluctuation.Under the circumstances, an end of the interval range in the embodiment of the present invention
Value can be the standard deviation sum of maximum and maximum, another end value can be minimum value and minimum value standard deviation it
Difference.Standard deviation can be used for the error for characterizing a behavior degree of correlation.Wherein, the standard deviation of maximum can pass through formula (2)
Calculate gained.
Wherein, σ is standard deviation, and S is the value of the first cybernetics control number, and μ is the average value of S in preset time period, and N is use
The quantity of the species of the behavior at family.
The embodiment of the present invention according to the method described above, travels through each behavior degree of correlation at least one behavior degree of correlation set
Set is assured that interval range corresponding to each behavior degree of correlation set, i.e., at least one interval range.Each section model
A kind of behavioural habits of user and server interaction can be represented by enclosing, then can determine the user from least one interval range
With the behavioural habits of server interaction, if the user is infected, then it is used for carrying out ddos attack to server, then felt
The behavioural habits that user after dye gives the behavioural habits of server interaction and the normal users can difference, i.e. user
Each behavior degree of correlation in the part or all of behavior degree of correlation may not be in corresponding interval range.Therefore, the present invention is real
Applying example in preset time period, can monitor all behavior degrees of correlation of any one user to determine whether the user is illegal
Whether user, i.e. server are by ddos attack, with timely defending DDoS (Distributed Denial of Service) attacks.This is introduced by taking a user as an example below
Inventive embodiments how defending DDoS (Distributed Denial of Service) attacks.
All behavior degrees of correlation of the first user are monitored, for any one behavior degree of correlation in all behavior degrees of correlation
It is detected whether in interval range corresponding to behavior degree of correlation set where the behavior degree of correlation, if in corresponding section model
Enclose, then it is considered that the behavior of the first user is probably normal.If not in corresponding interval range, then can recognize
The behavior for the first user is probably abnormal, and the first user is possible to be infected.Therefore, if the embodiment of the present invention
Monitor each behavior degree of correlation not behavior where each behavior degree of correlation in all behavior degrees of correlation of the first user
Corresponding to degree of correlation set in interval range.Or first user all behavior degrees of correlation in default one or more
The behavior degree of correlation is not corresponding to behavior degree of correlation set where each behavior degree of correlation in interval range, then it is considered that
The behavior of one user and server interaction occurs abnormal, it is likely that infected, then can now to close infection user's
IP address, to forbid the first user access server, reach the purpose of defending DDoS (Distributed Denial of Service) attacks.
The embodiment of the present invention can close the IP address of the first user in the first duration.Wherein the first duration can basis
It is every in the part or all of behavior degree of correlation and the part or all of behavior degree of correlation in all behavior degrees of correlation of first user
Interval range determines corresponding to behavior degree of correlation set where the individual behavior degree of correlation.In all behavior degrees of correlation of first user
Any one behavior degree of correlation can obtain a duration, for any one behavior degree of correlation, can be counted by formula (3)
Calculation obtains a duration.
In formula (3), Time is duration, and e is constant, that is, the logarithm of the natural truth of a matter, n are that at least one behavior is related
Spend the quantity of set, xiFor i-th of the behavior degree of correlation and the difference of corresponding interval range of the first user, the difference is i-th
The behavior degree of correlation and the maximum of corresponding interval range or the difference of minimum value.If for example, i-th of behavior phase of the first user
Guan Du is less than the minimum value of corresponding interval range, then the difference is exactly i-th of behavior degree of correlation of the first user and corresponding area
Between scope minimum value difference absolute value.If i-th of behavior degree of correlation of the first user is more than corresponding interval range
Maximum, then the difference is exactly difference of i-th of behavior degree of correlation with the maximum of corresponding interval range of the first user.
Each behavior degree of correlation is obtained with all behavior degrees of correlation of the first user by formula (3) to correspond to respectively
Duration, i.e., multiple durations.First duration can be defined as any one duration in this multiple duration.Or first duration
The most long duration that can also be defined as in multiple durations, can be thorough with the time long point for closing the IP of disabled user as far as possible
Defending DDoS (Distributed Denial of Service) attacks.
The electronic equipment of the embodiment of the present invention calculates multiple durations corresponding to all behavior degrees of correlation of the first user, calculates
Amount is obviously larger, and the burden of electronic equipment may be heavier.Accordingly, it is possible to embodiment in, the embodiment of the present invention can only count
It is multiple durations corresponding to the degree of correlation to calculate branch in the middle part of all behavior degrees of correlation, to mitigate the burden of electronic equipment.Wherein, part
The behavior degree of correlation can be the default behavior degree of correlation, for example, the behavior of the first behavior of the first user and second of behavior
The degree of correlation can substantially characterize the behavioural habits of the first user, then now the default behavior degree of correlation can be the first user
The behavior degree of correlation of the first behavior and second of behavior.In another example the first behavior of the first user and second of behavior
The behavior degree of correlation of the third behavior and the 4th kind of behavior that the behavior degree of correlation combines the first user just can substantially characterize first
The behavioural habits of user, then now the default behavior degree of correlation can be the first behavior and second of behavior of the first user
The behavior degree of correlation, and the behavior degree of correlation of the third behavior and the 4th kind of behavior of the first user.
If in preset time period, the embodiment of the present invention is if it is determined that each in all behavior degrees of correlation of the first user
The behavior degree of correlation is corresponding to place behavior degree of correlation set in interval range, that is, the first user is validated user, and
It is not infected.So behavioural habits of a user and server interaction may change, now can record the
At least one cybernetics control number of one user, to redefine the first user by least one cybernetics control number of record
At least one behavior degree of correlation, redefine at least one behavior degree of correlation renewal arrives at least one behavior degree of correlation collection
Close, that is, redefine the behavioural habits of the first user and server interaction, the detection can subsequently to disabled user is more
At least one behavior degree of correlation collection of the first user after new is combined into standard, to improve the degree of accuracy of detection.
The embodiments of the invention provide a kind of defence method of new ddos attack, by determining a user and server
The behavior degree of correlation between interactive a kind of behavior and other behaviors, and then determine behavior of the user usually with server interaction
Custom.Therefore, if in preset time period, each behavior degree of correlation in all behavior degrees of correlation of the user is not each
Ripple scope is preset corresponding to the behavior degree of correlation, then it is considered that the behavior of the user and server interaction and usual behavioural habits
It is different, then the user may be infected.It can be considered to carry out ddos attack after normal users are infected, improve determination
The accuracy rate of ddos attack, the IP address of the user can be now closed, with timely defending DDoS (Distributed Denial of Service) attacks.
Equipment provided in an embodiment of the present invention is introduced below in conjunction with the accompanying drawings.
Fig. 2 is referred to, based on same inventive concept, one embodiment of the invention provides a kind of defensive equipment of ddos attack,
The defensive equipment includes the first determining module 201, the second determining module 202 and closes module 203.Wherein, the first determining module
201 are determined at least one behavior degree of correlation set of each user, and a behavior degree of correlation set includes a use
The behavior degree of correlation between other kind of behavior, the behavior degree of correlation are used to indicate one respectively for a kind of behavior of family and server interaction
Kind of the behavior correlation degree between any one behavior in other kind of behavior respectively.Second determining module 202 can be used for
The multiple behavior degrees of correlation included according at least one behavior degree of correlation set determine at least one interval range, a behavior phase
The corresponding interval range of Guan Du set, interval range be used for a kind of behavior of instruction user and server interaction respectively with other
The default fluctuation range of the behavior degree of correlation between kind behavior.Module 203 is closed to can be used in preset time period, however, it is determined that
Each behavior degree of correlation in all behavior degrees of correlation of first user not behavior degree of correlation where each behavior degree of correlation
Corresponding to set in interval range, then the IP address of the first user is closed.
Optionally, the first determining module 201 specifically can be used for:
At least one cybernetics control number with each user of server interaction is obtained, wherein, cybernetics control number is used
In instruction user and the behavior of server interaction;
Every kind of cybernetics control number at least one cybernetics control number is normalized;
According to every kind of cybernetics control number after normalization, at least one behavior of each user is determined by equation below
The degree of correlation:
Wherein, cov (x, y) is the behavior degree of correlation between two kinds of behaviors, and x is a kind of value of cybernetics control number, and y is another
A kind of value of cybernetics control number,For the average value of x in preset time period,For the average value of y in preset time period, n is use
The quantity of the species of the behavior at family, wherein sxFor x standard deviation, syFor y standard deviation.
Optionally, the second determining module 202 specifically can be used for:
The behavior degree of correlation in each behavior degree of correlation set at least one behavior degree of correlation set is obtained successively
Maximum and minimum value;
The scope that maximum in each behavior degree of correlation set and minimum value are formed is defined as each behavior degree of correlation
The interval range of set.
Optionally, module 203 is closed specifically to can be used for:
If it is determined that each behavior degree of correlation in all behavior degrees of correlation of the first user is not in each behavior degree of correlation
Corresponding to place behavior degree of correlation set in interval range, then determined to close the first user according to the behavior degree of correlation of the first user
IP address multiple durations, the corresponding duration of each behavior degree of correlation of the first user;
The first duration is determined according to multiple durations, and the IP address of the first user is closed in the first duration;
Wherein, each duration is determined by below equation:
Wherein, Time is the first duration, and e is constant, and n is the quantity of at least one behavior degree of correlation set, xiTo be described
I-th of behavior degree of correlation of first user and the difference of corresponding interval range, difference are i-th of behavior degree of correlation and corresponding section
The maximum of scope or the difference of minimum value.
Optionally, module 203 is closed to can be also used for:
Any one duration in multiple durations is defined as the first duration;
Or, the most long duration in multiple durations is defined as the first duration.
Optionally, the defensive equipment also includes update module 204, and update module 204 can be used for:
In preset time period, if each behavior degree of correlation in all behavior degrees of correlation of the first user is being expert at
In interval range, then to record at least one cybernetics control number of the first user corresponding to degree of correlation set;
At least one behavior degree of correlation of the first user is redefined according at least one cybernetics control number of record;
At least one behavior degree of correlation redefined is updated at least one behavior degree of correlation set.
Optionally, cybernetics control number includes duration, user and the server interaction that user accesses the server
Default behavior frequency and user input information frequency.
The equipment can be used for performing the method that the embodiment shown in Fig. 1 is provided.Therefore, for each function of the equipment
Function that module can be realized etc. refers to the description of the embodiment shown in Fig. 1, seldom repeats.
Fig. 3 is referred to, one embodiment of the invention also provides a kind of computer installation, and the computer installation includes processor
301, processor 301 is provided in an embodiment of the present invention such as Fig. 1 institutes for being realized when performing the computer program stored in memory
The step of defence method of the ddos attack shown.
Optionally, processor 301 can be specifically central processing unit, ASIC (English:
Application Specific Integrated Circuit, referred to as:ASIC), can be that one or more is used to control journey
The integrated circuit that sequence performs, can be using field programmable gate array (English:Field Programmable Gate
Array, referred to as:FPGA) the hardware circuit of exploitation, can be BBP.
Optionally, processor 301 can include at least one processing core.
Optionally, the computer installation also includes memory 302, and memory 302 can include read-only storage (English:
Read Only Memory, referred to as:ROM), random access memory (English:Random Access Memory, referred to as:RAM)
And magnetic disk storage.Memory 302 is used to store data required when processor 301 is run.The quantity of memory 302 is one
It is or multiple.Wherein, memory 302 is shown in the lump in figure 3, but it is understood that memory 302 is not essential function mould
Block, thus it is shown in broken lines in figure 3.
It is apparent to those skilled in the art that for convenience and simplicity of description, only with above-mentioned each function
The division progress of module, can be as needed and by above-mentioned function distribution by different function moulds for example, in practical application
Block is completed, i.e., the internal structure of device is divided into different functional modules, to complete all or part of work(described above
Energy.The specific work process of the system, apparatus, and unit of foregoing description, it may be referred to corresponding in preceding method embodiment
Journey, it will not be repeated here.
In several embodiments provided by the present invention, it should be understood that disclosed apparatus and method, it can be passed through
Its mode is realized.For example, device embodiment described above is only schematical, for example, the module or unit
Division, only a kind of division of logic function, can there is other dividing mode, such as multiple units or component when actually realizing
Another system can be combined or be desirably integrated into, or some features can be ignored, or do not perform.It is another, it is shown or
The mutual coupling discussed or direct-coupling or communication connection can be the indirect couplings by some interfaces, device or unit
Close or communicate to connect, can be electrical, mechanical or other forms.
The unit illustrated as separating component can be or may not be physically separate, show as unit
The part shown can be or may not be physical location, you can with positioned at a place, or can also be distributed to multiple
On NE.Some or all of unit therein can be selected to realize the mesh of this embodiment scheme according to the actual needs
's.
In addition, each functional unit in each embodiment of the application can be integrated in a processing unit, can also
That unit is individually physically present, can also two or more units it is integrated in a unit.Above-mentioned integrated list
Member can both be realized in the form of hardware, can also be realized in the form of SFU software functional unit.
If the integrated unit is realized in the form of SFU software functional unit and is used as independent production marketing or use
When, it can be stored in a computer read/write memory medium.Based on such understanding, the technical scheme of the application is substantially
The part to be contributed in other words to prior art or all or part of the technical scheme can be in the form of software products
Embody, the computer software product is stored in a storage medium, including some instructions are causing a computer
It is each that equipment (can be personal computer, server, or network equipment etc.) or processor (processor) perform the application
The all or part of step of embodiment methods described.And foregoing storage medium includes:General serial bus USB
(Universal Serial Bus flash disk), mobile hard disk, read-only storage (Read-Only Memory, ROM),
Random access memory (Random Access Memory, RAM), magnetic disc or CD etc. are various can be with store program codes
Medium.
Obviously, those skilled in the art can carry out the essence of various changes and modification without departing from the present invention to the present invention
God and scope.So, if these modifications and variations of the present invention belong to the scope of the claims in the present invention and its equivalent technologies
Within, then the present invention is also intended to comprising including these changes and modification.
Claims (16)
- A kind of 1. defence method of distributed denial of service ddos attack, it is characterised in that including:It is determined that at least one behavior degree of correlation set of each user;Wherein, a behavior degree of correlation set includes one The behavior degree of correlation between other kind of behavior, the behavior degree of correlation are used for respectively for a kind of behavior of user and server interaction Indicate a kind of correlation degree of the behavior respectively between any one behavior in other kind of behavior;At least one interval range is determined according to multiple behavior degrees of correlation that at least one behavior degree of correlation set includes;Its In, the corresponding interval range of a behavior degree of correlation set, the interval range is used for instruction user and handed over the server A kind of default fluctuation range of mutual behavior behavior degree of correlation between other kind of behavior respectively;In preset time period, however, it is determined that each behavior degree of correlation in all behavior degrees of correlation of the first user is not described Where each behavior degree of correlation the Internet protocol of first user is then closed corresponding to behavior degree of correlation set in interval range IP address.
- 2. defence method as claimed in claim 1, it is characterised in that it is determined that at least one behavior degree of correlation collection of each user Close, including:Obtain at least one cybernetics control number with each user of the server interaction;Wherein, the behavioural characteristic ginseng Number is used for instruction user and the behavior of the server interaction;Every kind of cybernetics control number at least one cybernetics control number is normalized;According to every kind of cybernetics control number after normalization, determine that each user's is at least one by equation below The behavior degree of correlation:<mrow> <mi>cov</mi> <mrow> <mo>(</mo> <mi>x</mi> <mo>,</mo> <mi>y</mi> <mo>)</mo> </mrow> <mo>=</mo> <mfrac> <mrow> <munderover> <mo>&Sigma;</mo> <mrow> <mi>i</mi> <mo>=</mo> <mn>1</mn> </mrow> <mi>n</mi> </munderover> <mrow> <mo>(</mo> <mfrac> <mrow> <msub> <mi>x</mi> <mi>i</mi> </msub> <mo>-</mo> <mover> <mi>x</mi> <mo>&OverBar;</mo> </mover> </mrow> <msub> <mi>s</mi> <mi>x</mi> </msub> </mfrac> <mo>)</mo> </mrow> <mrow> <mo>(</mo> <mfrac> <mrow> <msub> <mi>y</mi> <mi>i</mi> </msub> <mo>-</mo> <mover> <mi>y</mi> <mo>&OverBar;</mo> </mover> </mrow> <msub> <mi>s</mi> <mi>y</mi> </msub> </mfrac> <mo>)</mo> </mrow> </mrow> <mrow> <mi>n</mi> <mo>-</mo> <mn>1</mn> </mrow> </mfrac> </mrow>Wherein, cov (x, y) is the behavior degree of correlation between two kinds of behaviors, and x is a kind of value of cybernetics control number, and y is another kind The value of cybernetics control number,For the average value of x in preset time period,For the average value of y in preset time period, n is user's The quantity of the species of behavior, wherein sxFor x standard deviation, syFor y standard deviation.
- 3. defence method as claimed in claim 1, it is characterised in that included according at least one behavior degree of correlation set Multiple behavior degrees of correlation determine at least one interval range, including:The behavior degree of correlation in each behavior degree of correlation set at least one behavior degree of correlation set is obtained successively Maximum and minimum value;By the maximum in each behavior degree of correlation set and standard deviation sum and the minimum value and standard deviation it It is defined as the interval range of each behavior degree of correlation set with the scope of formation.
- 4. the defence method as described in claim 1-3 is any, it is characterised in that close the Internet protocol IP of first user Address, including:If it is determined that each behavior degree of correlation in all behavior degrees of correlation of the first user is not in each behavior degree of correlation Corresponding to place behavior degree of correlation set in interval range, then according to closing the determination of the behavior degree of correlation of first user Multiple durations of the IP address of first user, the corresponding duration of each behavior degree of correlation of first user;First duration is determined according to the multiple duration, and the IP address of first user is closed in first duration;Wherein, each duration is determined by below equation:<mrow> <mi>T</mi> <mi>i</mi> <mi>m</mi> <mi>e</mi> <mo>=</mo> <msup> <mi>Te</mi> <mrow> <munderover> <mo>&Sigma;</mo> <mrow> <mi>i</mi> <mo>=</mo> <mn>1</mn> </mrow> <mi>n</mi> </munderover> <msub> <mi>x</mi> <mi>i</mi> </msub> </mrow> </msup> </mrow>Wherein, Time is the first duration, and e is constant, and n is the quantity of at least one behavior degree of correlation set, xiUsed for described first I-th of behavior degree of correlation at family and the difference of corresponding interval range, the difference are i-th of behavior degree of correlation and the corresponding area Between the maximum of scope or the difference of minimum value.
- 5. defence method as claimed in claim 4, it is characterised in that the first duration is determined according to the multiple duration, including:Any one duration in the multiple duration is defined as first duration;Or, the most long duration in the multiple duration is defined as first duration.
- 6. the defence method as described in claim 4 or 5, it is characterised in that the defence method also includes:In the preset time period, if each behavior degree of correlation in all behavior degrees of correlation of first user is in institute At least one behavioural characteristic ginseng of first user in interval range, is then being recorded corresponding to behavior degree of correlation set Number;At least one behavior that first user is redefined according at least one cybernetics control number of record is related Degree;At least one behavior degree of correlation redefined is updated at least one behavior degree of correlation set.
- 7. defence method as claimed in claim 6, it is characterised in that the cybernetics control number includes user and accesses the clothes The duration of business device, user input the frequency of information with the frequency of the default behavior of the server interaction and user.
- A kind of 8. defensive equipment of distributed denial of service ddos attack, it is characterised in that including:First determining module, for determining at least one behavior degree of correlation set of each user;Wherein, a behavior phase Guan Du set includes a kind of behavior of a user and server interaction behavior degree of correlation between other kind of behavior respectively, institute The behavior degree of correlation is stated to be used to indicate a kind of pass of the behavior respectively between any one behavior in other kind of behavior Connection degree;Second determining module, multiple behavior degrees of correlation for being included according at least one behavior degree of correlation set determine to A few interval range;Wherein, the corresponding interval range of a behavior degree of correlation set, the interval range are used to indicate to use A kind of default fluctuation range of behavior of family and server interaction behavior degree of correlation between other kind of behavior respectively;Module is closed, in preset time period, however, it is determined that each behavior phase in all behavior degrees of correlation of the first user Pass degree corresponding to behavior degree of correlation set in interval range, then closes described first not where each behavior degree of correlation The Internet protocol IP address of user.
- 9. defensive equipment as claimed in claim 8, it is characterised in that first determining module is specifically used for:Obtain at least one cybernetics control number with each user of the server interaction;Wherein, the behavioural characteristic ginseng Number is used for instruction user and the behavior of the server interaction;Every kind of cybernetics control number at least one cybernetics control number is normalized;According to every kind of cybernetics control number after normalization, determine that each user's is at least one by equation below The behavior degree of correlation:<mrow> <mi>cov</mi> <mrow> <mo>(</mo> <mi>x</mi> <mo>,</mo> <mi>y</mi> <mo>)</mo> </mrow> <mo>=</mo> <mfrac> <mrow> <munderover> <mo>&Sigma;</mo> <mrow> <mi>i</mi> <mo>=</mo> <mn>1</mn> </mrow> <mi>n</mi> </munderover> <mrow> <mo>(</mo> <mfrac> <mrow> <msub> <mi>x</mi> <mi>i</mi> </msub> <mo>-</mo> <mover> <mi>x</mi> <mo>&OverBar;</mo> </mover> </mrow> <msub> <mi>s</mi> <mi>x</mi> </msub> </mfrac> <mo>)</mo> </mrow> <mrow> <mo>(</mo> <mfrac> <mrow> <msub> <mi>y</mi> <mi>i</mi> </msub> <mo>-</mo> <mover> <mi>y</mi> <mo>&OverBar;</mo> </mover> </mrow> <msub> <mi>s</mi> <mi>y</mi> </msub> </mfrac> <mo>)</mo> </mrow> </mrow> <mrow> <mi>n</mi> <mo>-</mo> <mn>1</mn> </mrow> </mfrac> </mrow>Wherein, cov (x, y) is the behavior degree of correlation between two kinds of behaviors, and x is a kind of value of cybernetics control number, and y is another kind The value of cybernetics control number,For the average value of x in preset time period,For the average value of y in preset time period, n is user's The quantity of the species of behavior, wherein sxFor x standard deviation, syFor y standard deviation.
- 10. defensive equipment as claimed in claim 8, it is characterised in that second determining module is specifically used for:The behavior degree of correlation in each behavior degree of correlation set at least one behavior degree of correlation set is obtained successively Maximum and minimum value;The scope that the maximum in each behavior degree of correlation set and the minimum value are formed is defined as described every The interval range of individual behavior degree of correlation set.
- 11. the defensive equipment as described in claim 8-10 is any, it is characterised in that the module of closing is specifically used for:If it is determined that each behavior degree of correlation in all behavior degrees of correlation of the first user is not in each behavior degree of correlation Corresponding to place behavior degree of correlation set in interval range, then according to closing the determination of the behavior degree of correlation of first user Multiple durations of the IP address of first user, the corresponding duration of each behavior degree of correlation of first user;First duration is determined according to the multiple duration, and the IP address of first user is closed in first duration;Wherein, each duration is determined by below equation:<mrow> <mi>T</mi> <mi>i</mi> <mi>m</mi> <mi>e</mi> <mo>=</mo> <msup> <mi>Te</mi> <mrow> <munderover> <mo>&Sigma;</mo> <mrow> <mi>i</mi> <mo>=</mo> <mn>1</mn> </mrow> <mi>n</mi> </munderover> <msub> <mi>x</mi> <mi>i</mi> </msub> </mrow> </msup> </mrow>Wherein, Time is the first duration, and e is constant, and n is the quantity of at least one behavior degree of correlation set, xiUsed for described first I-th of behavior degree of correlation at family and the difference of corresponding interval range, the difference are i-th of behavior degree of correlation and the corresponding area Between the maximum of scope or the difference of minimum value.
- 12. defensive equipment as claimed in claim 11, it is characterised in that the module of closing is additionally operable to:Any one duration in the multiple duration is defined as first duration;Or, the most long duration in the multiple duration is defined as first duration.
- 13. the defensive equipment as described in claim 11 or 12, it is characterised in that the defensive equipment also includes update module, The update module is used for:In the preset time period, if each behavior degree of correlation in all behavior degrees of correlation of first user is in institute At least one behavioural characteristic ginseng of first user in interval range, is then being recorded corresponding to behavior degree of correlation set Number;At least one behavior that first user is redefined according at least one cybernetics control number of record is related Degree;At least one behavior degree of correlation redefined is updated at least one behavior degree of correlation set.
- 14. defensive equipment as claimed in claim 13, it is characterised in that the cybernetics control number is included described in user's access The duration of server, user input the frequency of information with the frequency of the default behavior of the server interaction and user.
- 15. a kind of computer installation, it is characterised in that described device includes processor, and the processor is used to perform memory Realized during the computer program of middle storage as any one of claim 1-7 the step of method.
- 16. a kind of computer-readable recording medium, is stored thereon with computer program, it is characterised in that:The computer program Realized when being executed by processor as any one of claim 1-7 the step of method.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710908810.0A CN107528859B (en) | 2017-09-29 | 2017-09-29 | Defense method and device for DDoS attack |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710908810.0A CN107528859B (en) | 2017-09-29 | 2017-09-29 | Defense method and device for DDoS attack |
Publications (2)
Publication Number | Publication Date |
---|---|
CN107528859A true CN107528859A (en) | 2017-12-29 |
CN107528859B CN107528859B (en) | 2020-07-10 |
Family
ID=60683953
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201710908810.0A Active CN107528859B (en) | 2017-09-29 | 2017-09-29 | Defense method and device for DDoS attack |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN107528859B (en) |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111241543A (en) * | 2020-01-07 | 2020-06-05 | 中国搜索信息科技股份有限公司 | Method and system for intelligently resisting DDoS attack by application layer |
CN112003873A (en) * | 2020-08-31 | 2020-11-27 | 成都安恒信息技术有限公司 | HTTP (hyper text transport protocol) traffic defense method and system for resisting DDoS (distributed denial of service) attack |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103916365A (en) * | 2012-12-31 | 2014-07-09 | 西门子公司 | Method and apparatus for exporting and verifying network behavioral characteristics of malicious code |
CN103944919A (en) * | 2014-05-06 | 2014-07-23 | 浙江大学城市学院 | Wireless multi-step attack mode excavation method for WLAN |
US20140283085A1 (en) * | 2013-03-14 | 2014-09-18 | TechGuard Security, L.L.C. | Internet protocol threat prevention |
US20150049659A1 (en) * | 2007-06-26 | 2015-02-19 | Blackberry Limited | System and method for conserving power for a wireless device while maintaining a connection to a network |
CN104519031A (en) * | 2013-09-30 | 2015-04-15 | 西门子公司 | Method and device for detecting malicious network behaviors |
CN105208040A (en) * | 2015-10-12 | 2015-12-30 | 北京神州绿盟信息安全科技股份有限公司 | Network attack detection method and device |
-
2017
- 2017-09-29 CN CN201710908810.0A patent/CN107528859B/en active Active
Patent Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20150049659A1 (en) * | 2007-06-26 | 2015-02-19 | Blackberry Limited | System and method for conserving power for a wireless device while maintaining a connection to a network |
CN103916365A (en) * | 2012-12-31 | 2014-07-09 | 西门子公司 | Method and apparatus for exporting and verifying network behavioral characteristics of malicious code |
US20140283085A1 (en) * | 2013-03-14 | 2014-09-18 | TechGuard Security, L.L.C. | Internet protocol threat prevention |
CN104519031A (en) * | 2013-09-30 | 2015-04-15 | 西门子公司 | Method and device for detecting malicious network behaviors |
CN103944919A (en) * | 2014-05-06 | 2014-07-23 | 浙江大学城市学院 | Wireless multi-step attack mode excavation method for WLAN |
CN105208040A (en) * | 2015-10-12 | 2015-12-30 | 北京神州绿盟信息安全科技股份有限公司 | Network attack detection method and device |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111241543A (en) * | 2020-01-07 | 2020-06-05 | 中国搜索信息科技股份有限公司 | Method and system for intelligently resisting DDoS attack by application layer |
CN112003873A (en) * | 2020-08-31 | 2020-11-27 | 成都安恒信息技术有限公司 | HTTP (hyper text transport protocol) traffic defense method and system for resisting DDoS (distributed denial of service) attack |
CN112003873B (en) * | 2020-08-31 | 2022-04-19 | 成都安恒信息技术有限公司 | HTTP (hyper text transport protocol) traffic defense method and system for resisting DDoS (distributed denial of service) attack |
Also Published As
Publication number | Publication date |
---|---|
CN107528859B (en) | 2020-07-10 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US8370389B1 (en) | Techniques for authenticating users of massive multiplayer online role playing games using adaptive authentication | |
Cox, Jr | Game theory and risk analysis | |
CN104836781B (en) | Distinguish the method and device for accessing user identity | |
Wu et al. | On modeling and simulation of game theory-based defense mechanisms against DoS and DDoS attacks | |
CN107465648A (en) | The recognition methods of warping apparatus and device | |
CN109078333B (en) | Method and device for matching game friends | |
CN107465651A (en) | Network attack detecting method and device | |
US20140157415A1 (en) | Information security analysis using game theory and simulation | |
CN106302534B (en) | A kind of method and system of detection and processing illegal user | |
CN107666473A (en) | The method and controller of a kind of attack detecting | |
CN105897674A (en) | DDoS attack protection method applied to CDN server group and system | |
CN110213208A (en) | A kind of method and apparatus and storage medium of processing request | |
CN107517200B (en) | Malicious crawler defense strategy selection method for Web server | |
CN110381041B (en) | Distributed denial of service attack situation detection method and device | |
Liu et al. | A decentralized cloud firewall framework with resources provisioning cost optimization | |
CN109589607A (en) | A kind of game anti-cheating method and game anti-cheating system based on block chain | |
CN106850687A (en) | Method and apparatus for detecting network attack | |
CN106850509A (en) | Method for network access control and device | |
CN107395553A (en) | A kind of detection method and device of network attack | |
CN107528859A (en) | The defence method and equipment of a kind of ddos attack | |
CN108632634A (en) | A kind of providing method and device of direct broadcast service | |
Boumkheld et al. | Honeypot type selection games for smart grid networks | |
Rashidi et al. | Android fine-grained permission control system with real-time expert recommendations | |
CN110365637A (en) | Internetbank login detecting method, device, electronic equipment and storage medium | |
Abulaish et al. | Socialbots: Impacts, threat-dimensions, and defense challenges |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant | ||
CP01 | Change in the name or title of a patent holder |
Address after: 100089 Beijing city Haidian District Road No. 4 North wa Yitai three storey building Patentee after: NSFOCUS Technologies Group Co.,Ltd. Patentee after: NSFOCUS TECHNOLOGIES Inc. Address before: 100089 Beijing city Haidian District Road No. 4 North wa Yitai three storey building Patentee before: NSFOCUS INFORMATION TECHNOLOGY Co.,Ltd. Patentee before: NSFOCUS TECHNOLOGIES Inc. |
|
CP01 | Change in the name or title of a patent holder |