CN107979560A - An application attack defense method based on multiple detection - Google Patents

An application attack defense method based on multiple detection

Info

Publication number: CN107979560A
Authority: CN (China)
Prior art keywords: access, attack, stream, attribute, information
Legal status: Pending
Application number: CN201610920994.8A
Other languages: Chinese (zh)
Inventors: 单联强, 刘丰, 夏旸, 王硕, 张之武, 张继业
Current assignee: Beijing Institute of Computer Technology and Applications
Original assignee: Beijing Institute of Computer Technology and Applications
Priority date: 2016-10-21
Filing date: 2016-10-21
Publication date: 2018-05-01

2016-10-21: Application filed by Beijing Institute of Computer Technology and Applications
2016-10-21: Priority to CN201610920994.8A
2018-05-01: Publication of CN107979560A
Legal status: Pending

Classifications

    • H04L63/1441 Countermeasures against malicious traffic (H Electricity → H04 Electric communication technique → H04L Transmission of digital information, e.g. telegraphic communication → H04L63/00 Network architectures or network communication protocols for network security → H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic)
    • H04L63/1416 Event detection, e.g. attack signature detection (H Electricity → H04 Electric communication technique → H04L Transmission of digital information, e.g. telegraphic communication → H04L63/00 Network architectures or network communication protocols for network security → H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic → H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic)

Abstract

The invention discloses an application attack defense method based on multiple detection, comprising: building a flow index table, adding normal application access flow information to the flow index table, and setting an expiry time; establishing a behavior feature library that stores the access attributes corresponding to each access type; matching the received application access traffic against an attack signature library; checking the flow index table for existing flow access information; extracting the access attributes of the corresponding access type from the traffic and computing a similarity against the behavior feature library; judging whether the similarity result reaches a security threshold and, if it does not, treating the traffic as attack traffic; otherwise judging it as normal traffic, adding the attribute information of this access type to the behavior feature library, raising the security threshold, and adding the access flow information to the flow index table. By combining static matching with dynamic analysis, the application attack defense method based on multiple detection of the invention effectively raises the level of defense.

Description

An application attack defense method based on multiple detection
Technical field
The invention belongs to the technical field of network security, and more particularly relates to an application attack defense method based on multiple detection.
Background technology
With the rapid development of network technology, network security problems have become increasingly prominent, and more and more application-layer attacks cause serious damage to networks. This places higher demands on the attack defense capability of network security products.
Existing attack defense technology achieves some effect, but as attack techniques continue to develop, attack behavior becomes more and more concealed and difficult to identify. Current attack means against application systems mainly include SQL injection, cross-site scripting, XDOS and the like. These attacks exploit vulnerabilities of the application system, and by transforming the attack parameters they can derive many attack variants, which increases the difficulty of application attack defense.
Summary of the invention
The object of the invention is to provide an application attack defense method based on multiple detection, so as to solve the above problems of the prior art.
The application attack defense method based on multiple detection of the invention comprises: building a flow index table, adding normal application access flow information to the flow index table, and setting an expiry time, where application access traffic within the expiry time is considered normal traffic and, once the expiry time is reached, the flow information in the flow index table expires; establishing a behavior feature library, which stores the access attributes corresponding to each access type; matching the received application access traffic against an attack signature library, and if an attack signature is matched, treating the access as an attack access and discarding the traffic, or if no attack signature is matched, proceeding to the next step; checking the flow index table for flow access information, and if flow access information exists, treating the access as a normal access, otherwise performing behavior analysis on the access traffic; extracting the access attributes of the corresponding access type from the traffic and computing a similarity against the behavior feature library; judging whether the similarity result reaches a security threshold, and if it does not reach the security threshold, treating the traffic as attack traffic; otherwise judging it as normal traffic, adding the attribute information of this access type to the behavior feature library, raising the security threshold, and adding the access flow information to the flow index table.
In an embodiment of the application attack defense method based on multiple detection according to the invention, the access attributes include: subject, object, time, parameter and statistical attributes.
In an embodiment of the application attack defense method based on multiple detection according to the invention, extracting the access attributes of the corresponding access type from the traffic includes: extracting the subject, object, time, parameter and statistical attributes; computing the similarity of the subject, object, time, parameter and statistical attributes to the behavior attribute feature information already present in the behavior feature library; and obtaining a feature value by weighted calculation, the similarity result being this feature value.
In an embodiment of the application attack defense method based on multiple detection according to the invention, the magnitude of the feature value is positively correlated with the number of entries of that access type in the feature library.
In an embodiment of the application attack defense method based on multiple detection according to the invention, it is judged whether the feature value is less than the initial behavior security threshold; if it is less than the security threshold, the access is considered attack traffic; if it is greater than the security threshold, it is considered normal traffic, the attribute information of this access type is added to the behavior feature library, the security threshold is raised but not beyond a limit value, the application access flow information is added to the flow index table, the validity period is set, and the method prepares to receive application access traffic again.
In summary, the application attack defense method based on multiple detection of the invention combines static matching with dynamic analysis and effectively raises the level of defense.
Brief description of the drawings
Fig. 1 shows the flow chart of the application attack defense method based on multiple detection of the invention;
Fig. 2 shows the principle schematic of the application attack defense method based on multiple detection of the invention.
Embodiments
To make the purpose, content and advantages of the invention clearer, the embodiments of the invention are described in further detail below with reference to the drawings and examples.
Fig. 1 shows the flow chart of the application attack defense method based on multiple detection of the invention. As shown in Fig. 1, the method comprises:
Building a flow index table, adding normal application access flow information to the flow index table, and setting an expiry time. Application access traffic within the expiry time is considered normal traffic; once the expiry time is reached, the flow information in the flow index table expires, the expired flow information is deleted, and the application access must pass behavior analysis again.
Establishing a behavior feature library, which stores the access attributes corresponding to each access type; the access attributes include: subject, object, time, parameter and statistical attributes;
Matching the received application access traffic against an attack signature library. If an attack signature is matched, the access is treated as an attack access and the traffic is discarded; if no attack signature is matched, the access proceeds to the next step, behavior auditing;
Checking the flow index table for flow access information. If flow access information exists, this shows that the access is within the validity period and is a normal access; otherwise, behavior analysis is performed on the access traffic;
Extracting the access attributes of the corresponding access type from the traffic: subject, object, time, parameter and statistical attributes. For each attribute, the similarity to the behavior attribute feature information already present in the behavior feature library is computed, and the feature value of the access is obtained by weighting; the magnitude of the feature value is positively correlated with the number of entries of that access type in the feature library;
Determining whether the feature value is less than the initial behavior security threshold. If it is less than the security threshold, the access is considered attack traffic; if it is greater than the security threshold, it is considered normal traffic. At the same time, the attribute information of the access is added to the behavior feature library, the security threshold is raised (not beyond the limit value), the application access flow information is added to the flow index table, and the validity period is set; the method then returns to the step above and receives application access traffic again.
Fig. 2 shows the principle schematic of the application attack defense method based on multiple detection of the invention. As shown in Fig. 2, the method combines static feature matching with dynamic behavior analysis to achieve effective defense against application-layer attacks and application-layer DDOS attacks.
As shown in Fig. 2, application-layer protection that combines static feature matching with dynamic behavior analysis is equivalent to an attack detection means that combines a "blacklist" with a "whitelist".
First, the method matches the received application access traffic against the attack signature library, filtering out known application attacks by means of a preset intrusion feature library; this step is called static defense.
Second, behavior analysis is performed on the network traffic that static feature matching alone is insufficient to identify, in order to find illegitimate application accesses and thereby resist unknown application attacks.
Behavior analysis of application access is based on learning from application accesses: the attributes of normal application accesses are learned and recorded. In the behavior feature library these attributes span multiple dimensions: subject attribute, object attribute, time attribute, parameter attribute and statistical attribute. A multi-dimensional behavior feature library is built by learning, and behavior analysis of application accesses is performed according to it.
Example scenario: access to an application system is normally carried out by certain fixed client machines during normal working hours; if an access from a different location is observed in the middle of the night, it can be suspected to be an attack. If a page's parameter is normally a number and an access uses special characters as the parameter, that access is likely to be an attack. If several such suspicions all hold, then under the specific usage scenario the behavior can be determined to be an application attack.
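The detection pipeline of Fig. 1 (signature matching, flow index table with an expiry time, behavior analysis against a learned feature library with a bounded adaptive threshold) together with the example scenario just described (a night-time access from an unfamiliar client, special characters where a numeric parameter is expected), as an added Python example that is not the patent's own implementation. The attribute weights, the n/(n+1) scaling used to realize the stated positive correlation between feature value and library size, the signature strings, the threshold values and every sample access are constructed assumptions for this example; the patent names the attributes but gives no formulas or values.

```python
from dataclasses import dataclass

# Constructed attack-signature library for the static-defense step (illustrative strings).
ATTACK_SIGNATURES = ("' or 1=1", "<script>", "union select", "../")

# Weights for the weighted feature value; the patent names the attributes but no weights (assumed).
WEIGHTS = {"subject": 0.3, "object": 0.1, "time": 0.2, "param": 0.3, "stat": 0.1}


@dataclass
class Access:
    subject: str  # requesting client (subject attribute)
    obj: str      # requested resource, also used as the access type (object attribute)
    hour: int     # hour of day, 0-23 (time attribute)
    param: str    # request parameter value (parameter attribute)
    rate: int     # requests per minute seen from this subject (statistical attribute)


def param_class(value: str) -> str:
    """Coarse parameter shape: numeric, alphanumeric, or containing special characters."""
    if value.isdigit():
        return "numeric"
    return "alnum" if value.isalnum() else "special"


def attribute_similarity(a: Access, b: Access) -> float:
    """Weighted similarity in [0, 1] between access a and one learned normal access b."""
    dh = abs(a.hour - b.hour)
    sims = {
        "subject": 1.0 if a.subject == b.subject else 0.0,
        "object": 1.0 if a.obj == b.obj else 0.0,
        "time": 1.0 - min(dh, 24 - dh) / 12.0,  # circular hour-of-day distance
        "param": 1.0 if param_class(a.param) == param_class(b.param) else 0.0,
        "stat": 1.0 - min(abs(a.rate - b.rate) / max(b.rate, 1), 1.0),
    }
    return sum(WEIGHTS[k] * sims[k] for k in WEIGHTS)


class MultiDetector:
    def __init__(self, normal_accesses, threshold=0.5, limit=0.9, step=0.05, ttl=300.0):
        self.threshold = threshold  # initial behaviour security threshold
        self.limit = limit          # the threshold is raised no further than this
        self.step = step            # how much each accepted access raises the threshold
        self.ttl = ttl              # flow index table expiry time, in seconds
        self.flow_index = {}        # (subject, object) -> expiry timestamp
        self.features = {}          # access type -> learned normal accesses
        for a in normal_accesses:   # learning phase: record normal access attributes
            self.features.setdefault(a.obj, []).append(a)

    def feature_value(self, a: Access) -> float:
        known = self.features.get(a.obj, [])
        if not known:
            return 0.0
        best = max(attribute_similarity(a, k) for k in known)
        # Scale by the number of samples of this type so the value grows with the library
        # (the positive correlation the patent states); the n/(n+1) form is an assumption.
        n = len(known)
        return best * n / (n + 1)

    def inspect(self, a: Access, now: float) -> str:
        # Step 1: static defence, attack signature library matching.
        if any(sig in a.param.lower() for sig in ATTACK_SIGNATURES):
            return "drop:signature"
        # Step 2: flow index table lookup; an unexpired entry is a known normal flow.
        key = (a.subject, a.obj)
        expiry = self.flow_index.get(key)
        if expiry is not None:
            if now < expiry:
                return "allow:flow-index"
            del self.flow_index[key]  # expired: the flow must pass behaviour analysis again
        # Step 3: dynamic behaviour analysis against the behaviour feature library.
        if self.feature_value(a) < self.threshold:
            return "drop:behaviour"
        # Normal traffic: learn it, raise the threshold (bounded), index the flow with a TTL.
        self.features.setdefault(a.obj, []).append(a)
        self.threshold = min(self.threshold + self.step, self.limit)
        self.flow_index[key] = now + self.ttl
        return "allow:behaviour"


# Constructed learning set: office clients fetching /report with numeric ids in working hours.
NORMAL = [
    Access("10.0.0.5", "/report", 10, "1024", 3),
    Access("10.0.0.5", "/report", 14, "2048", 4),
    Access("10.0.0.7", "/report", 9, "512", 2),
]


def demo():
    """Run constructed accesses through the detector; returns the verdicts in order."""
    d = MultiDetector(NORMAL)
    usual = Access("10.0.0.5", "/report", 11, "4096", 3)
    return [
        d.inspect(usual, now=0.0),    # passes behaviour analysis and is indexed
        d.inspect(usual, now=100.0),  # hit in the flow index table within the TTL
        d.inspect(usual, now=400.0),  # TTL expired: re-analysed and re-indexed
        d.inspect(Access("203.0.113.9", "/report", 3, "ab%27", 40), now=0.0),  # night, new client, special chars
        d.inspect(Access("10.0.0.5", "/report", 11, "1' or 1=1", 3), now=0.0),  # known signature
    ]


if __name__ == "__main__":
    print(demo())
```

The order of the three checks matters for cost and for the whitelist/blacklist reading in Fig. 2: the signature match is the cheap blacklist, the flow index table is the whitelist that lets already-vetted flows skip the similarity computation until their TTL lapses, and only traffic that clears both reaches the weighted attribute comparison. Raising the threshold after each accepted access but capping it at `limit` is what keeps the learned "normal" from drifting so tight that ordinary variation in a parameter or arrival hour starts being dropped.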
The application attack defense method based on multiple detection of the invention uses a multiple detection method that combines static matching with dynamic analysis. It can self-learn in a concrete application scenario and realize automatic customization of the behavior features to the specific usage scenario, so it can defend against attack traffic more effectively and raises the level of defense.
The above is only the preferred embodiment of the invention. It should be noted that a person of ordinary skill in the art may make improvements and modifications without departing from the technical principles of the invention, and such improvements and modifications should also be regarded as within the protection scope of the invention.

Claims (5)

1. An application attack defense method based on multiple detection, characterized in that it comprises:
building a flow index table, adding normal application access flow information to the flow index table, and setting an expiry time, where application access traffic within the expiry time is considered normal traffic and, once the expiry time is reached, the flow information in the flow index table expires;
establishing a behavior feature library, which stores the access attributes corresponding to each access type;
matching the received application access traffic against an attack signature library; if an attack signature is matched, treating the access as an attack access and discarding the traffic; if no attack signature is matched, proceeding to the next step;
checking the flow index table for flow access information; if flow access information exists, treating the access as a normal access; otherwise performing behavior analysis on the access traffic;
extracting the access attributes of the corresponding access type from the traffic and computing a similarity against the behavior feature library;
judging whether the similarity result reaches a security threshold; if it does not reach the security threshold, treating the traffic as attack traffic; otherwise judging it as normal traffic, adding the attribute information of this access type to the behavior feature library, raising the security threshold, and adding the access flow information to the flow index table.
2. The application attack defense method based on multiple detection as claimed in claim 1, characterized in that the access attributes include: subject, object, time, parameter and statistical attributes.
3. The application attack defense method based on multiple detection as claimed in claim 2, characterized in that extracting the access attributes of the corresponding access type from the traffic includes: extracting the subject, object, time, parameter and statistical attributes; computing the similarity of the subject, object, time, parameter and statistical attributes to the behavior attribute feature information already present in the behavior feature library; and obtaining a feature value by weighted calculation;
the similarity result being this feature value.
4. The application attack defense method based on multiple detection as claimed in claim 3, characterized in that the magnitude of the feature value is positively correlated with the number of entries of that access type in the feature library.
5. The application attack defense method based on multiple detection as claimed in claim 3, characterized in that it is judged whether the feature value is less than the initial behavior security threshold; if it is less than the security threshold, the access is considered attack traffic; if it is greater than the security threshold, it is considered normal traffic, the attribute information of this access type is added to the behavior feature library, the security threshold is raised but not beyond a limit value, the application access flow information is added to the flow index table, the validity period is set, and the method prepares to receive application access traffic again.

Priority Applications (1)

Application Number: CN201610920994.8A | Publication: CN107979560A (en) | Priority Date: 2016-10-21 | Filing Date: 2016-10-21 | Title: An application attack defense method based on multiple detection

Applications Claiming Priority (1)

Application Number: CN201610920994.8A | Publication: CN107979560A (en) | Priority Date: 2016-10-21 | Filing Date: 2016-10-21 | Title: An application attack defense method based on multiple detection

Publications (1)

Publication Number: CN107979560A (en) | Publication Date: 2018-05-01

Family

ID=62004444

Family Applications (1)

Application Number: CN201610920994.8A | Status: Pending | Publication: CN107979560A (en) | Priority Date: 2016-10-21 | Filing Date: 2016-10-21 | Title: An application attack defense method based on multiple detection

Country Status (1)

Country: CN | Link: CN107979560A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109743282A (en) * 2018-11-21 2019-05-10 北京奇安信科技有限公司 A kind of high-risk security risk recognition methods and device based on industry control agreement
WO2021057225A1 (en) * 2019-09-24 2021-04-01 国网河北省电力有限公司信息通信分公司 Protection method based on abnormal traffic of grid information system

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20110072516A1 (en) * 2009-09-23 2011-03-24 Cohen Matthew L Prevention of distributed denial of service attacks
CN102739679A (en) * 2012-06-29 2012-10-17 东南大学 URL(Uniform Resource Locator) classification-based phishing website detection method
CN103442018A (en) * 2013-09-17 2013-12-11 网宿科技股份有限公司 Dynamic defense method and system for CC (Challenge Collapsar) attack
CN105956472A (en) * 2016-05-12 2016-09-21 宝利九章(北京)数据技术有限公司 Method and system for identifying whether webpage includes malicious content or not


Legal Events

Code | Title | Description
PB01 | Publication | Application publication date: 2018-05-01
SE01 | Entry into force of request for substantive examination |
RJ01 | Rejection of invention patent application after publication |