CN108111472A - Attack signature detection method and device - Google Patents
- Publication number: CN108111472A
- Application number: CN201611061771.7A
- Authority: CN (China)
- Legal status: Pending (as listed by Google Patents; the status is an assumption and not a legal conclusion)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
Abstract
Embodiments of the present invention provide an attack signature detection method and device. The method includes the following steps: obtaining multiple first access requests sent to the target website within a preset time range, where each first access request carries at least one first attribute feature, and the at least one first attribute feature is one or a combination of several of Accept, Cookie, Referer and User-Agent; counting the number of occurrences of the first attribute feature in the multiple first access requests; and determining, according to the number of occurrences of the first attribute feature, that the first attribute feature is an attack signature. With the present invention, the attack signatures currently present can be determined in time while the website is being accessed in real time, which improves the efficiency of attack signature detection.
Description
Technical field
The present invention relates to the field of communication technology, and in particular to an attack signature detection method and device.
Background
CC (Challenge Collapsar) attacks are an attack method against network services. The principle of a CC attack is that the attacker controls a number of hosts to access the target website continuously and at high frequency, exhausting server resources until the server goes down and crashes, thereby achieving denial of service so that the attacked target website cannot provide service normally. In existing technical solutions, an attack signature library is generated and requests to access the target website are matched against it one by one in order to intercept attack requests. The attack signatures in existing attack signature libraries have to be determined by analysts who analyse attack requests one by one. However, if every attack requires manual intervention, labour costs are high, and if attack requests against the target website are not handled in time, server resources can still be exhausted so that the target website cannot be opened normally.
Summary of the invention
Embodiments of the present invention provide an attack signature detection method and device that can determine in time the attack signatures currently present while the website is being accessed in real time, improving the efficiency of attack signature detection.
A first aspect of the embodiments of the present invention provides an attack signature detection method, including:
obtaining multiple first access requests sent to the target website within a preset time range, where each first access request carries at least one first attribute feature, and the at least one first attribute feature is one or a combination of several of Accept, Cookie, Referer and User-Agent;
counting the number of occurrences of the first attribute feature in the multiple first access requests;
determining, according to the number of occurrences of the first attribute feature, that the first attribute feature is an attack signature.
A second aspect of the embodiments of the present invention provides an attack signature detection device, including:
a request acquisition module, configured to obtain multiple first access requests sent to the target website within a preset time range, where each first access request carries at least one first attribute feature, and the at least one first attribute feature is one or a combination of several of Accept, Cookie, Referer and User-Agent;
a count statistics module, configured to count the number of occurrences of the first attribute feature in the multiple first access requests;
a feature determination module, configured to determine, according to the number of occurrences of the first attribute feature, that the first attribute feature is an attack signature.
In embodiments of the present invention, multiple first access requests sent to the target website within a preset time range, each including at least one first attribute feature, are obtained; the number of occurrences of each first attribute feature in the multiple first access requests is counted; and the first attribute feature is determined to be an attack signature according to its number of occurrences. By counting the occurrences of the first attribute features in the first access requests in order to determine attack signatures, the attack signatures currently present can be determined in time while the website is being accessed in real time, which improves the efficiency of attack signature detection.
Brief description of the drawings
To explain the technical solutions of the embodiments of the present invention or of the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow diagram of an attack signature detection method provided by an embodiment of the present invention;
Fig. 2 is a flow diagram of another attack signature detection method provided by an embodiment of the present invention;
Fig. 3 is a structure diagram of an attack signature detection device provided by an embodiment of the present invention;
Fig. 4 is a structure diagram of another attack signature detection device provided by an embodiment of the present invention;
Fig. 5 is a structure diagram of another attack signature detection device provided by an embodiment of the present invention.
Detailed description
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings in the embodiments of the present invention. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
It should be noted that the terms used in the embodiments of the present invention are only for the purpose of describing specific embodiments and are not intended to limit the invention. The singular forms "a", "said" and "the" used in the embodiments of the present invention and the appended claims are also intended to include plural forms, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" used herein refers to and includes any or all possible combinations of one or more of the associated listed items. In addition, the terms "first", "second", "third", "fourth" and the like in the specification, the claims and the drawings are used to distinguish different objects rather than to describe a particular order. Furthermore, the terms "include" and "have" and any variations of them are intended to cover non-exclusive inclusion. For example, a process, method, system, product or device that contains a series of steps or units is not limited to the listed steps or units, but optionally also includes steps or units that are not listed, or optionally also includes other steps or units inherent to the process, method, product or device.
The attack signature detection method provided by embodiments of the present invention can be applied to the scenario of accessing a target website. For example: multiple first access requests sent to the target website within a preset time range are obtained, where each first access request carries at least one first attribute feature, and the at least one first attribute feature is one or a combination of several of Accept, Cookie, Referer and User-Agent; the number of occurrences of the first attribute feature in the multiple first access requests is counted; and the first attribute feature is determined to be an attack signature according to its number of occurrences. By counting the occurrences of the first attribute features in the first access requests in order to determine attack signatures, the attack signatures currently present can be determined in time while the website is being accessed in real time, which improves the efficiency of attack signature detection.
The attack signature detection device involved in embodiments of the present invention may be a background device that has storage and communication functions and can provide services such as detecting attack signatures, or it may be an attack signature detection module embedded in such a background device. The user terminal involved in embodiments of the present invention may be any device with storage and communication functions, such as a tablet computer, mobile phone, e-reader, personal computer (PC), laptop, in-vehicle device, network TV or wearable device.
Refer to Fig. 1, a flow diagram of an attack signature detection method provided by an embodiment of the present invention. As shown in Fig. 1, the method of this embodiment may include the following steps S101 to S103.
S101: Obtain multiple first access requests sent to the target website within a preset time range.
Specifically, the attack signature detection device obtains multiple first access requests sent to the target website within the preset time range. The preset time range is set by the attack signature detection device itself, and the target website is any website that can be accessed by users, for example an enterprise website, personal website, commercial website, government website or education website. Users can access the target website through a web browser.
Further, the at least one first attribute feature is one or a combination of several of Accept, Cookie, Referer and User-Agent. For example, the first access request may be a Hypertext Transfer Protocol (HTTP) request, and the first attribute feature is carried in the header fields of the HTTP request. Accept indicates the data types supported by the user terminal that sends the first access request; Cookie indicates the text file stored in the user terminal that sends the first access request; Referer indicates the uniform resource locator (URL) used by the user terminal to send the first access request; and User-Agent indicates the system environment of the user terminal that sends the first access request, where the system environment includes the operating system and version in use, the central processing unit (CPU) type, browser version, browser language, browser plug-ins and so on.
Optionally, in this embodiment the attack signature detection device obtains the first access requests within a preset time range; alternatively, the attack signature detection device may obtain a preset number of first access requests. Embodiments of the present invention do not limit this.
Optionally, the attack signature detection device may perform the step of obtaining multiple first access requests within the preset time range while it monitors the first access requests to the target website, which makes it possible to monitor any access request to the target website in real time.
S102: Count the number of occurrences of the first attribute feature in the multiple first access requests.
Specifically, the attack signature detection device counts, for each first attribute feature of the at least one first attribute feature, its number of occurrences in the multiple first access requests. Take "User-Agent" as the first attribute feature. Suppose there are 1000 requests in the preset time range. Since User-Agent indicates the system environment of the user terminal that sends the first access request, suppose the information corresponding to User-Agent in the 1000 requests is of four kinds: QQ search engine, Baidu search engine, Sogou search engine and 360 search engine. The attack signature detection device counts the number of times the information corresponding to each User-Agent occurs in the 1000 requests, for example the number of times the Baidu search engine occurs in the 1000 requests and the number of times the QQ search engine occurs in the 1000 requests.
S103: Determine, according to the number of occurrences of the first attribute feature, that the first attribute feature is an attack signature.
Specifically, the attack signature detection device determines that the first attribute feature is an attack signature according to the number of occurrences of the first attribute feature. In one feasible scheme, the attack signature detection device sets a threshold representing the maximum number of occurrences and uses it to judge whether the first attribute feature is an attack signature. In another feasible scheme, the attack signature detection device sets a threshold representing the maximum occurrence probability and uses it to judge whether the first attribute feature is an attack signature. It is understood that the occurrence probability of the first attribute feature in the preset time range is the number of times the first attribute feature occurs in the preset time range divided by the number of first access requests in the preset time range.
In embodiments of the present invention, multiple first access requests sent to the target website within a preset time range, each including at least one first attribute feature, are obtained; the number of occurrences of each first attribute feature in the multiple first access requests is counted; and the first attribute feature is determined to be an attack signature according to its number of occurrences. By counting the occurrences of the first attribute features in the first access requests in order to determine attack signatures, the attack signatures currently present can be determined in time while the website is being accessed in real time, which improves the efficiency of attack signature detection.
Refer to Fig. 2, a flow diagram of another attack signature detection method provided by an embodiment of the present invention. As shown in Fig. 2, the method of this embodiment may include the following steps S201 to S212.
S201: Count the number of access requests sent to the target website within a unit time range.
Specifically, the attack signature detection device counts the number of access requests sent to the target website within the unit time range. The unit time range can be defined in advance by the attack signature detection device, for example within 1 hour or within 20 minutes. Each time the attack signature detection device detects an access request to the target website within the unit time range, it adds 1 to the number of access requests, and in this way obtains the number of access requests sent to the target website within the unit time.
S202: Judge whether the number of access requests is greater than the access count threshold.
Specifically, the attack signature detection device judges whether the number of access requests is greater than the access count threshold. The access count threshold is defined in advance by the attack signature detection device, for example 1000 or 2000. If the number of access requests is greater than the access count threshold, step S203 is performed; if the number of access requests is less than or equal to the access count threshold, step S201 continues to be performed.
Optionally, the access count threshold can be set according to the number of accesses that the server corresponding to the target website can bear within the unit time range. For example, the access count threshold is less than the number of accesses the server can bear within the unit time range.
S203: Obtain multiple first access requests sent to the target website within a preset time range.
Specifically, if the number of access requests within the unit time range is greater than the access count threshold, the attack signature detection device obtains multiple first access requests sent to the target website within the preset time range. The preset time range is set by the attack signature detection device itself, and the target website is any website that can be accessed by users, for example an enterprise website, personal website, commercial website, government website or education website. Users can access the target website through a web browser.
Further, the at least one first attribute feature is one or a combination of several of Accept, Cookie, Referer and User-Agent. For example, the first access request may be an HTTP request, and the first attribute feature is carried in the header fields of the HTTP request. Accept indicates the data types supported by the user terminal that sends the first access request; Cookie indicates the text file stored in the user terminal that sends the first access request; Referer indicates the uniform resource locator (URL) used by the user terminal to send the first access request; and User-Agent indicates the system environment of the user terminal that sends the first access request. The system environment includes the operating system and version in use, the CPU type, browser version, browser language, browser plug-ins and so on.
Optionally, in this embodiment the attack signature detection device obtains the first access requests within a preset time range; alternatively, the attack signature detection device may obtain a preset number of first access requests. Embodiments of the present invention do not limit this.
It should be noted that the preset time range and the unit time range may be the same time range or different time ranges; for example, the preset time range may be shorter than the unit time range, or longer than it. As an example, suppose the preset time range and the unit time range are both the one-hour range starting from a first moment; then, when the attack signature detection device detects that the number of access requests within this hour exceeds the access count threshold, it obtains all access requests within this hour. As another example, suppose the preset time range is 2 hours and the unit time range is 1 hour; if the number of access requests within the 1 hour ending at a second moment is detected to exceed the access count threshold, all access requests within the 2 hours ending at the second moment are obtained.
S204: Count the number of occurrences of the first attribute feature in the multiple first access requests.
Specifically, the attack signature detection device counts, for each first attribute feature of the at least one first attribute feature, its number of occurrences in the multiple first access requests. Take "User-Agent" as the first attribute feature. Suppose there are 1000 requests in the preset time range. Since User-Agent indicates the system environment of the user terminal that sends the first access request, suppose the information corresponding to User-Agent in the 1000 requests is of four kinds: QQ search engine, Baidu search engine, Sogou search engine and 360 search engine. The attack signature detection device counts the number of times the information corresponding to each User-Agent occurs in the 1000 requests, for example the number of times the Baidu search engine occurs in the 1000 requests and the number of times the QQ search engine occurs in the 1000 requests.
S205: Detect whether the number of occurrences of the first attribute feature is greater than the occurrence count threshold.
Specifically, the attack signature detection device detects whether the number of occurrences of the first attribute feature is greater than the occurrence count threshold. The occurrence count threshold is defined in advance by the attack signature detection device and can be set to different values for different preset time ranges. If the number of occurrences of the first attribute feature is greater than the occurrence count threshold, step S206 is performed; if it is not greater than the occurrence count threshold, step S207 is performed.
S206: If so, determine that the first attribute feature is an attack signature.
Specifically, if the number of occurrences of the first attribute feature is greater than the occurrence count threshold, the first attribute feature is determined to be an attack signature.
S207: If not, determine that the first attribute feature is not an attack signature.
Specifically, if the number of occurrences of the first attribute feature is not greater than the occurrence count threshold, the first attribute feature is determined not to be an attack signature.
S208: If the first attribute feature is determined to be an attack signature, add the first attribute feature to the attack signature library.
Specifically, if the first attribute feature is determined to be an attack signature, the attack signature detection device adds the first attribute feature to the attack signature library. The attack signature library contains multiple attack signatures used for checking access requests.
Optionally, the attack signature detection device can modify attack signatures in the attack signature library, delete attack signatures, add attack signatures and so on, so that the attack signatures stored in the library become more complete, which improves the effectiveness of attack signature detection.
S209: Receive a second access request sent to the target website, and obtain at least one second attribute feature carried in the second access request.
Specifically, after the first attribute feature has been added to the attack signature library, the attack signature detection device receives a second access request sent to the target website and obtains at least one second attribute feature carried in the second access request. It is understood that the second access request, like the first access request, is a request to access the target website. Further, the at least one second attribute feature is one or a combination of several of Accept, Cookie, Referer and User-Agent.
S210: Match the second attribute feature against the attack signature library.
Specifically, the attack signature detection device matches the second attribute feature against the attack signature library; that is, each attack signature in the library is matched with the second attribute feature to determine whether the second attribute feature is an attack signature.
S211: If the attack signature library contains a first attribute feature that matches the second attribute feature, determine that the second access request is an attack access request, and perform anti-attack processing on the second access request.
Specifically, if the attack signature detection device finds in the attack signature library a first attribute feature that matches the second attribute feature, it determines that the second attribute feature is an attack signature and therefore that the second access request is an attack access request. It is understood that in step S208 the first attribute features determined to be attack signatures are added to the attack signature library, so the first attribute feature matched with the second attribute feature here is an attribute feature that has been confirmed to be an attack signature.
In one feasible scheme, the anti-attack processing can include sending a verification code to the user terminal that sent the second access request. After the attack signature detection device receives the same verification code fed back by the user terminal, the second access request can be sent to the server corresponding to the target website. If the attack signature detection device does not receive a verification code from the user terminal, or receives a verification code different from the one it sent, it continues by sending another verification code to the user terminal or discards the second access request.
In one feasible scheme, the anti-attack processing can include sending a verification algorithm to the user terminal that sent the second access request. If the user terminal feeds back a verification result to the attack signature detection device by means of the verification algorithm, then once the attack signature detection device has checked that the result is correct, the second access request can be sent to the server corresponding to the target website. If the user terminal does not feed back a verification result to the attack signature detection device, or the attack signature detection device finds the result to be wrong, the second access request is discarded.
In one feasible scheme, the anti-attack processing can include discarding the second access request. After the attack signature detection device determines that the second access request is an attack access request, it discards the second access request directly.
In one feasible scheme, the anti-attack processing can include disconnecting the connection with the user terminal that sent the second access request, for example dropping the Transmission Control Protocol (TCP) connection of the second access request.
The above are examples of anti-attack processing; embodiments of the present invention are not limited to these ways.
S212: If the attack signature library contains no first attribute feature that matches the second attribute feature, send the second access request to the server corresponding to the target website.
Specifically, if the attack signature library contains no first attribute feature that matches the second attribute feature, the attack signature detection device sends the second access request to the server corresponding to the target website, so that the server processes the second access request and responds to it.
In embodiments of the present invention, multiple first access requests sent to the target website within a preset time range, each including at least one first attribute feature, are obtained; the number of occurrences of each first attribute feature in the multiple first access requests is counted; and the first attribute feature is determined to be an attack signature according to its number of occurrences. By counting the occurrences of the first attribute features in the first access requests in order to determine attack signatures, the attack signatures currently present can be determined in time while the website is being accessed in real time, which improves the efficiency of attack signature detection.
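The flow of steps S201 to S212, together with the two threshold options described under S103, as an added Python example that is not part of the patent text. The class and function names, the threshold values and the sample traffic are assumptions constructed for illustration, and header names are compared case-insensitively.

```python
from collections import Counter, deque

# Header fields the patent names as attribute features (lower-cased for matching).
FEATURE_HEADERS = ("accept", "cookie", "referer", "user-agent")


def features_of(headers):
    """Return the (header, value) attribute features carried by one request."""
    lowered = {k.lower(): v for k, v in headers.items()}
    return [(h, lowered[h]) for h in FEATURE_HEADERS if h in lowered]


def find_attack_signatures(requests, max_count=None, max_ratio=None):
    """S102-S103: count each feature over the window and apply a threshold.

    max_count is the occurrence-count threshold; max_ratio is the threshold on
    occurrence probability (count / number of requests in the window).
    """
    counts = Counter(f for headers in requests for f in features_of(headers))
    total = len(requests)
    flagged = set()
    for feature, n in counts.items():
        over_count = max_count is not None and n > max_count
        over_ratio = max_ratio is not None and total and n / total > max_ratio
        if over_count or over_ratio:
            flagged.add(feature)
    return flagged


class SignatureDetector:
    """S201-S212 for one site. All thresholds are assumed example values."""

    def __init__(self, unit_window, access_threshold, preset_window, max_count):
        self.unit_window = unit_window            # seconds, S201
        self.access_threshold = access_threshold  # requests per unit window, S202
        self.preset_window = preset_window        # seconds, S203
        self.max_count = max_count                # occurrence threshold, S205
        self.library = set()                      # attack signature library, S208
        self.recent = deque()                     # (timestamp, headers) pairs

    def handle(self, ts, headers):
        """Process one request; return 'protect' (S211) or 'forward' (S212)."""
        # S209-S210: match this request against signatures learned so far.
        matched = any(f in self.library for f in features_of(headers))
        # Keep only requests that can still fall inside either window.
        self.recent.append((ts, headers))
        horizon = ts - max(self.unit_window, self.preset_window)
        while self.recent and self.recent[0][0] <= horizon:
            self.recent.popleft()
        # S201-S202: request volume in the unit window ending now.
        in_unit = sum(1 for t, _ in self.recent if t > ts - self.unit_window)
        if in_unit > self.access_threshold:
            # S203-S208: count features over the preset window, store the hits.
            window = [h for t, h in self.recent if t > ts - self.preset_window]
            self.library |= find_attack_signatures(window, max_count=self.max_count)
        return "protect" if matched else "forward"


def constructed_traffic():
    """Constructed sample: 25 flood requests and 5 browser requests in 10 s."""
    traffic = []
    for i in range(30):
        if i % 6 == 5:  # every sixth request is an ordinary visitor
            headers = {"User-Agent": f"ExampleBrowser/{i}", "Accept": "text/html",
                       "Referer": "https://site.example/"}
        else:
            headers = {"User-Agent": "flood-client/1.0", "Accept": "*/*"}
        traffic.append((i / 3.0, headers))
    return traffic


def run_demo():
    det = SignatureDetector(unit_window=10, access_threshold=20,
                            preset_window=10, max_count=15)
    decisions = [det.handle(ts, h) for ts, h in constructed_traffic()]
    return det, decisions


if __name__ == "__main__":
    det, decisions = run_demo()
    print(sorted(det.library))
    print(decisions.count("protect"), "of", len(decisions), "requests challenged")
```

In the constructed traffic the value `Accept: */*` is flagged alongside the flood User-Agent. A value that many legitimate clients also send crosses a pure count threshold in the same way, so the thresholds have to be set against normal traffic for the site.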
The attack signature detection device provided by embodiments of the present invention is described in detail below with reference to Figs. 3 to 5. It should be noted that the attack signature detection device shown in Figs. 3 to 5 is used to perform the methods of the embodiments shown in Fig. 1 and Fig. 2 of the present invention. For ease of description, only the parts relevant to the embodiments of the present invention are shown; for specific technical details that are not disclosed, refer to the embodiments shown in Fig. 1 and Fig. 2 of the present invention.
Refer to Fig. 3, a structure diagram of an attack signature detection device provided by an embodiment of the present invention. As shown in Fig. 3, the attack signature detection device 1 of this embodiment may include a request acquisition module 11, a count statistics module 12 and a feature determination module 13.
The request acquisition module 11 is configured to obtain multiple first access requests sent to the target website within a preset time range, where each first access request carries at least one first attribute feature, and the at least one first attribute feature is one or a combination of several of Accept, Cookie, Referer and User-Agent.
Specifically, the request acquisition module 11 obtains multiple first access requests sent to the target website within the preset time range. The preset time range is set by the attack signature detection device 2 itself, and the target website is any website that can be accessed by users, for example an enterprise website, personal website, commercial website, government website or education website. Users can access the target website through a web browser.
Further, the at least one first attribute feature is one or a combination of several of Accept, Cookie, Referer and User-Agent. For example, the first access request may be an HTTP request, and the first attribute feature is carried in the header fields of the HTTP request. Accept indicates the data types supported by the user terminal that sends the first access request; Cookie indicates the text file stored in the user terminal that sends the first access request; Referer indicates the uniform resource locator (URL) used by the user terminal to send the first access request; and User-Agent indicates the system environment of the user terminal that sends the first access request, where the system environment includes the operating system and version in use, the CPU type, browser version, browser language, browser plug-ins and so on.
Optionally, in this embodiment the request acquisition module 11 obtains the first access requests within a preset time range; alternatively, the request acquisition module 11 may obtain a preset number of first access requests. Embodiments of the present invention do not limit this.
Optionally, the attack signature detection device 1 may perform the step of obtaining multiple first access requests within the preset time range while it monitors the first access requests to the target website, which makes it possible to monitor any access request to the target website in real time.
The number statistical module 12 is configured to count the occurrence number of the first attributive character in the multiple first access requests.
Specifically, the number statistical module 12 counts the occurrence number, in the multiple first access requests, of each first attributive character of the at least one first attributive character. Take "User-Agent" as the first attributive character and assume that there are 1000 requests in the preset time range. Since User-Agent indicates the system environment of the user terminal that sends the first access request, assume that the information corresponding to User-Agent in the 1000 requests is of four kinds: QQ search engine, Baidu search engine, Sogou search engine and 360 search engine. The number statistical module 12 counts the number of times the information corresponding to each User-Agent occurs in the 1000 requests, for example the number of times the Baidu search engine occurs in the 1000 requests and the number of times the QQ search engine occurs in the 1000 requests.
The characteristic determination module 13 is configured to determine, according to the occurrence number of the first attributive character, that the first attributive character is an attack signature.
Specifically, the characteristic determination module 13 determines that the first attributive character is an attack signature according to the occurrence number of the first attributive character. In one feasible scheme, the attack signature detection device 1 may set a threshold representing the maximum occurrence number and use it to judge whether the first attributive character is an attack signature. Alternatively, in another feasible scheme, the attack signature detection device 1 may set a threshold representing the maximum occurrence probability and use it to judge whether the first attributive character is an attack signature. It can be understood that the occurrence probability of the first attributive character in the preset time range is the number of times the first attributive character occurs in the preset time range divided by the quantity of first access requests in the preset time range.
In the embodiment of the present invention, multiple first access requests, each including at least one first attributive character, sent to the targeted website within a preset time range are obtained. The occurrence number of each first attributive character in the multiple first access requests is counted, and the first attributive character is determined to be an attack signature according to its occurrence number. By counting the occurrence number of the first attributive character in the first access requests to determine the attack signature, the attack signature that currently exists can be determined promptly while the website is being accessed in real time, which improves the detection efficiency of attack signatures.
Refer to Fig. 4, which is a structural diagram of another attack signature detection device provided by an embodiment of the present invention. As shown in Fig. 4, the attack signature detection device 1 of the embodiment of the present invention may include: an acquisition request module 11, a number statistical module 12, a characteristic determination module 13, a quantity statistics module 14, a feature increase module 15, a request receiving module 16, a characteristic matching module 17, an attack processing module 18 and a request sending module 19.
The quantity statistics module 14 is configured to count the quantity of access requests sent to the targeted website within a unit time range.
Specifically, the quantity statistics module 14 counts the quantity of access requests sent to the targeted website within the unit time range. The unit time range can be predefined by the attack signature detection device 1, for example within 1 hour, within 20 minutes, etc. Each time the attack signature detection device 1 detects an access request to the targeted website within the unit time range, it adds 1 to the quantity of access requests, and thereby obtains the quantity of access requests sent to the targeted website within the unit time.
The acquisition request module 11 is configured to obtain multiple first access requests sent to the targeted website within a preset time range if the quantity of the access requests is more than an access number threshold.
Specifically, if the quantity of access requests in the unit time range is more than the access number threshold, the acquisition request module 11 obtains multiple first access requests sent to the targeted website within the preset time range. The preset time range is a setting defined by the attack signature detection device 1, and the targeted website is any website that can receive user access, for example an enterprise website, a personal website, a business website, a government website or an educational website. A user can access the targeted website through a web browser.
Further, the at least one first attributive character is one or a combination of several of Accept, Cookie, Referer and User-Agent. For example, the first access request may be an HTTP request, and the first attributive character is carried in the header fields of the HTTP request. Accept indicates the data types supported by the user terminal that sends the first access request; Cookie indicates the text file stored in the user terminal that sends the first access request; Referer indicates the uniform resource locator (URL) used by the user terminal to send the first access request; User-Agent indicates the system environment of the user terminal that sends the first access request. The system environment includes the operating system in use and its version, CPU type, browser version, browser language, browser plug-ins and so on.
Optionally, in the embodiment of the present invention the acquisition request module 11 obtains the first access requests within a preset time range; alternatively, the acquisition request module 11 may obtain a preset quantity of first access requests. The embodiment of the present invention does not limit this.
It should be noted that the preset time range and the unit time range may be the same time range or different time ranges; for example, the preset time range may be less than the unit time range, or the preset time range may be more than the unit time range. As an example, assume that the preset time range and the unit time range are both the one-hour range starting from a first moment; when it is detected that the quantity of access requests in this one-hour range is more than the access number threshold, all access requests in the one-hour range are obtained. As another example, assume that the preset time range is 2 hours and the unit time range is 1 hour; if it is detected that the quantity of access requests in the 1-hour range ending at a second moment is more than the access number threshold, all access requests in the 2-hour range ending at the second moment are obtained.
Optionally, the access number threshold can be set according to the number of accesses that the server corresponding to the targeted website can bear within the unit time range.
The number statistical module 12 is configured to count the occurrence number of the first attributive character in the multiple first access requests.
Specifically, the number statistical module 12 counts the occurrence number, in the multiple first access requests, of each first attributive character of the at least one first attributive character. Take "User-Agent" as the first attributive character and assume that there are 1000 requests in the preset time range. Since User-Agent indicates the system environment of the user terminal that sends the first access request, assume that the information corresponding to User-Agent in the 1000 requests is of four kinds: QQ search engine, Baidu search engine, Sogou search engine and 360 search engine. The number statistical module 12 counts the number of times the information corresponding to each User-Agent occurs in the 1000 requests, for example the number of times the Baidu search engine occurs in the 1000 requests and the number of times the QQ search engine occurs in the 1000 requests.
The characteristic determination module 13 is configured to determine, according to the occurrence number of the first attributive character, that the first attributive character is an attack signature.
The characteristic determination module includes a detection unit 131 and a determination unit 132.
The detection unit 131 is configured to detect whether the occurrence number of the first attributive character is more than an occurrence number threshold.
Specifically, the detection unit 131 detects whether the occurrence number of the first attributive character is more than the occurrence number threshold. The occurrence number threshold is predefined by the attack signature detection device 1, and can be set to different values for different preset time ranges. If the occurrence number of the first attributive character is more than the occurrence number threshold, the determination unit 132 is invoked; if the occurrence number of the first attributive character is not more than the occurrence number threshold, it is determined that the first attributive character is not an attack signature.
The determination unit 132 is configured to determine that the first attributive character is an attack signature if the detection unit detects that the occurrence number of the first attributive character is more than the occurrence number threshold.
Specifically, if the occurrence number of the first attributive character is more than the occurrence number threshold, the determination unit 132 determines that the first attributive character is an attack signature.
It can be understood that if the occurrence number of the first attributive character is not more than the occurrence number threshold, it is determined that the first attributive character is not an attack signature.
The feature increase module 15 is configured to add the first attributive character to an intrusion feature database if it is determined that the first attributive character is an attack signature.
Specifically, if it is determined that the first attributive character is an attack signature, the feature increase module 15 adds the first attributive character to the intrusion feature database. The intrusion feature database contains multiple attack signatures used for checking access requests.
Optionally, the attack signature detection device 1 can modify attack signatures in the intrusion feature database, delete attack signatures, add attack signatures and so on, so that the attack signatures stored in the intrusion feature database are more complete and the detection of attack signatures is more effective.
The request receiving module 16 is configured to receive a second access request sent to the targeted website, and to obtain at least one second attributive character carried in the second access request.
Specifically, after the first attributive character has been added to the intrusion feature database, the request receiving module 16 receives the second access request sent to the targeted website and obtains the at least one second attributive character carried in the second access request. It can be understood that the second access request, like the first access request, is a request to access the targeted website. Further, the at least one second attributive character is one or a combination of several of Accept, Cookie, Referer and User-Agent.
The characteristic matching module 17 is configured to match the second attributive character using the intrusion feature database.
Specifically, the characteristic matching module 17 matches the second attributive character using the intrusion feature database; each attack signature in the intrusion feature database is matched against the second attributive character to determine whether the second attributive character is an attack signature.
The attack processing module 18 is configured to determine that the second access request is an attack access request, and to perform attack protection processing on the second access request, if the first attributive character matching the second attributive character exists in the intrusion feature database.
Specifically, if the first attributive character matching the second attributive character exists in the intrusion feature database, the attack processing module 18 determines that the second attributive character is an attack signature, and then determines that the second access request is an attack access request. It can be understood that, because the feature increase module 15 adds to the intrusion feature database the first attributive characters that have been determined to be attack signatures, the first attributive character matched with the second attributive character here is an attributive character that has been determined to be an attack signature.
In one feasible scheme, the attack protection processing can include the processing mode of sending a verification code to the user terminal that sends the second access request. After the identical verification code fed back by the user terminal is received, the second access request can be sent to the server corresponding to the targeted website. If no verification code fed back by the user terminal is received, or a verification code different from the one sent is received, another verification code continues to be sent to the user terminal, or the second access request is discarded.
In one feasible scheme, the attack protection processing can include the processing mode of sending a verification algorithm to the user terminal that sends the second access request. If the user terminal can feed back a verification result to the attack signature detection device 1 by means of the verification algorithm, then after the attack signature detection device 1 checks that the result is correct, the second access request can be sent to the server corresponding to the targeted website. If the user terminal does not feed back a verification result to the attack signature detection device 1, or the attack signature detection device 1 finds the result to be wrong, the second access request is discarded.
In one feasible scheme, the attack protection processing can include the processing mode of discarding the second access request. After the attack processing module 18 determines that the second access request is an attack access request, the second access request is discarded directly.
In one feasible scheme, the attack protection processing can include the processing mode of disconnecting the connection with the user terminal that sends the second access request, for example dropping the TCP connection of the second access request.
The above are examples of attack protection processing; the embodiment of the present invention is not limited to these ways.
The request sending module 19 is configured to send the second access request to the server corresponding to the targeted website if the first attributive character matching the second attributive character does not exist in the intrusion feature database.
Specifically, if the first attributive character matching the second attributive character does not exist in the intrusion feature database, the request sending module 19 sends the second access request to the server corresponding to the targeted website, so that the server processes the second access request and responds to it.
In the embodiment of the present invention, multiple first access requests, each including at least one first attributive character, sent to the targeted website within a preset time range are obtained; the occurrence number of each first attributive character in the multiple first access requests is counted, and the first attributive character is determined to be an attack signature according to its occurrence number. By counting the occurrence number of the first attributive character in the first access requests to determine the attack signature, the attack signature that currently exists can be determined promptly while the website is being accessed in real time, which improves the detection efficiency of attack signatures.
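The flow of the Fig. 4 embodiment (volume check, per-header counting, occurrence threshold, intrusion feature database, matching of a second request) can be followed in the sketch below, which is an added example and not code from the patent. The class and function names, the header combinations in `FEATURE_SETS`, the threshold values and all header values are assumptions, and the traffic is constructed.

```python
from collections import Counter
from dataclasses import dataclass, field

# Header combinations treated as one attributive character (assumed choice;
# the patent allows one or a combination of Accept, Cookie, Referer, User-Agent).
FEATURE_SETS = (("User-Agent",), ("Referer",), ("User-Agent", "Accept"))


def features(headers):
    """Yield one hashable feature per header combination fully present."""
    for names in FEATURE_SETS:
        if all(n in headers for n in names):
            yield tuple((n, headers[n]) for n in names)


@dataclass
class Detector:
    unit_window: float         # unit time range, seconds
    access_threshold: int      # access number threshold
    preset_window: float       # preset time range, seconds
    occurrence_threshold: int  # occurrence number threshold
    feature_db: set = field(default_factory=set)  # intrusion feature database

    def learn(self, log, now):
        """Modules 14, 11, 12, 13, 15: `log` is a list of (timestamp, headers).

        Returns the features newly judged to be attack signatures, with counts.
        """
        volume = sum(1 for ts, _ in log if now - self.unit_window < ts <= now)
        if volume <= self.access_threshold:
            return {}                      # traffic is normal, nothing sampled
        counts = Counter()
        for ts, headers in log:
            if now - self.preset_window < ts <= now:
                counts.update(features(headers))
        hits = {f: n for f, n in counts.items()
                if n > self.occurrence_threshold}
        self.feature_db.update(hits)       # adds the keys (the features)
        return hits

    def handle(self, headers):
        """Modules 16 to 19: match a second access request against the database."""
        for f in features(headers):
            if f in self.feature_db:
                return "protect"           # verification code, drop or disconnect
        return "forward"                   # pass to the website's server


def build_log():
    """Constructed traffic: 1000 requests within one hour."""
    browsers = ["ExampleBrowser/1.0", "ExampleBrowser/2.0", "SampleAgent/5.1"]
    log = []
    for i in range(300):                   # ordinary visitors, varied headers
        log.append((i * 12.0, {
            "User-Agent": browsers[i % 3],
            "Accept": "text/html",
            "Referer": f"https://site.example/page{i % 50}",
        }))
    for i in range(700):                   # flood: identical headers every time
        log.append((3000.0 + i * 0.5, {
            "User-Agent": "flood-client/0.1",
            "Accept": "*/*",
            "Referer": "https://site.example/",
        }))
    return log


if __name__ == "__main__":
    d = Detector(unit_window=3600, access_threshold=800,
                 preset_window=3600, occurrence_threshold=500)
    for feature, n in d.learn(build_log(), now=3600.0).items():
        print(n, feature)
    print(d.handle({"User-Agent": "ExampleBrowser/2.0",
                    "Referer": "https://site.example/"}))
```

The last call returns "protect" for an ordinary browser whose Referer happens to equal the flood's Referer, so a raw count threshold on a single header also catches legitimate visitors. That is a reason to prefer the verification-code response over discarding when a single-header feature matches.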
Refer to Fig. 5, which is a structural diagram of another attack signature detection device provided by an embodiment of the present invention. As shown in Fig. 5, the attack signature detection device 1000 may include: at least one processor 1001, such as a CPU, at least one network interface 1004, a user interface 1003, a memory 1005, and at least one communication bus 1002. The communication bus 1002 is used to realize connection and communication between these components. The user interface 1003 may include a display screen (Display) and a keyboard (Keyboard); optionally, the user interface 1003 may also include a standard wired interface and a wireless interface. The network interface 1004 may optionally include a standard wired interface and a wireless interface (such as a WI-FI interface). The memory 1005 may be a high-speed RAM memory, or a non-volatile memory, for example at least one magnetic disk storage. The memory 1005 may optionally also be at least one storage device located remotely from the aforementioned processor 1001. As shown in Fig. 5, the memory 1005, as a computer storage medium, may include an operating system, a network communication module, a user interface module and an attack signature detection device application program.
In the attack signature detection device 1000 shown in Fig. 5, the user interface 1003 is mainly used to provide an input interface for the user and to receive information set by the user, such as the occurrence number threshold, the preset time range, the unit time range and the access number threshold. The processor 1001 can be used to call the attack signature detection device application program stored in the memory 1005 and specifically perform the following operations:
Obtain multiple first access requests sent to the targeted website within a preset time range, where each first access request carries at least one first attributive character and the at least one first attributive character is one or a combination of several of Accept, Cookie, Referer and User-Agent.
Count the occurrence number of the first attributive character in the multiple first access requests.
Determine that the first attributive character is an attack signature according to the occurrence number of the first attributive character.
In a possible embodiment, before obtaining the multiple first access requests sent to the targeted website within the preset time range, the processor 1001 also performs:
Count the quantity of access requests sent to the targeted website within a unit time range.
If the quantity of the access requests is more than the access number threshold, perform the step of obtaining the multiple first access requests sent to the targeted website within the preset time range.
In a possible embodiment, when determining that the first attributive character is an attack signature according to the occurrence number of the first attributive character, the processor 1001 specifically performs:
Detect whether the occurrence number of the first attributive character is more than the occurrence number threshold.
If so, determine that the first attributive character is an attack signature.
In a possible embodiment, the processor 1001 also performs:
If it is determined that the first attributive character is an attack signature, add the first attributive character to the intrusion feature database.
In a possible embodiment, the processor 1001 also performs:
Receive a second access request sent to the targeted website, and obtain at least one second attributive character carried in the second access request.
Match the second attributive character using the intrusion feature database.
If the first attributive character matching the second attributive character exists in the intrusion feature database, determine that the second access request is an attack access request, and perform attack protection processing on the second access request.
If the first attributive character matching the second attributive character does not exist in the intrusion feature database, send the second access request to the server corresponding to the targeted website.
In a possible embodiment, the attack protection processing includes any one of: the processing mode of sending a verification code to the user terminal that sends the second access request, the processing mode of discarding the second access request, and the processing mode of disconnecting the connection with the user terminal that sends the second access request.
It should be noted that the steps performed by the processor 1001 described in the embodiment of the present invention can be implemented according to the method in the method embodiment shown in Fig. 1 or Fig. 2 above, and details are not repeated here.
The modules or units described in the embodiment of the present invention can be realized by a general-purpose integrated circuit, such as a CPU (Central Processing Unit), or by an ASIC (Application Specific Integrated Circuit).
The steps in the method of the embodiment of the present invention can be reordered, merged and deleted according to actual needs.
The modules or units in the terminal of the embodiment of the present invention can be combined, divided and deleted according to actual needs.
One of ordinary skill in the art will appreciate that all or part of the flow in the above embodiment methods can be completed by a computer program instructing the relevant hardware. The program can be stored in a computer-readable storage medium, and when executed it may include the flow of the embodiments of each of the above methods. The storage medium can be a magnetic disk, an optical disc, a read-only memory (Read-Only Memory, ROM), a random access memory (Random Access Memory, RAM), etc.
The above disclosure is only the preferred embodiments of the present invention and certainly cannot limit the scope of rights of the present invention; equivalent variations made according to the claims of the present invention therefore still fall within the scope of the present invention.
Claims (12)
1. An attack signature detection method, characterized by comprising:
obtaining multiple first access requests sent to the targeted website within a preset time range, the first access request carrying at least one first attributive character, the at least one first attributive character being one or a combination of several of Accept, Cookie, Referer and User-Agent;
counting the occurrence number of the first attributive character in the multiple first access requests;
determining that the first attributive character is an attack signature according to the occurrence number of the first attributive character.
2. The method according to claim 1, characterized in that, before the obtaining of multiple first access requests sent to the targeted website within the preset time range, the method further comprises:
counting the quantity of access requests sent to the targeted website within a unit time range;
if the quantity of the access requests is more than an access number threshold, performing the step of obtaining multiple first access requests sent to the targeted website within the preset time range.
3. The method according to claim 1, characterized in that the determining that the first attributive character is an attack signature according to the occurrence number of the first attributive character comprises:
detecting whether the occurrence number of the first attributive character is more than an occurrence number threshold;
if so, determining that the first attributive character is an attack signature.
4. The method according to any one of claims 1-3, characterized by further comprising:
if it is determined that the first attributive character is an attack signature, adding the first attributive character to an intrusion feature database.
5. The method according to claim 4, characterized by further comprising:
receiving a second access request sent to the targeted website, and obtaining at least one second attributive character carried in the second access request;
matching the second attributive character using the intrusion feature database;
if the first attributive character matching the second attributive character exists in the intrusion feature database, determining that the second access request is an attack access request, and performing attack protection processing on the second access request;
if the first attributive character matching the second attributive character does not exist in the intrusion feature database, sending the second access request to the server corresponding to the targeted website.
6. The method according to claim 5, characterized in that the attack protection processing includes any one of: the processing mode of sending a verification code to the user terminal that sends the second access request, the processing mode of discarding the second access request, and the processing mode of disconnecting the connection with the user terminal that sends the second access request.
7. An attack signature detection device, characterized by comprising:
an acquisition request module, configured to obtain multiple first access requests sent to the targeted website within a preset time range, the first access request carrying at least one first attributive character, the at least one first attributive character being one or a combination of several of Accept, Cookie, Referer and User-Agent;
a number statistical module, configured to count the occurrence number of the first attributive character in the multiple first access requests;
a characteristic determination module, configured to determine that the first attributive character is an attack signature according to the occurrence number of the first attributive character.
8. The device according to claim 7, characterized in that the device further comprises:
a quantity statistics module, configured to count the quantity of access requests sent to the targeted website within a unit time range;
the acquisition request module being specifically configured to obtain multiple first access requests sent to the targeted website within the preset time range if the quantity of the access requests is more than an access number threshold.
9. The device according to claim 7, characterized in that the characteristic determination module comprises:
a detection unit, configured to detect whether the occurrence number of the first attributive character is more than an occurrence number threshold;
a determination unit, configured to determine that the first attributive character is an attack signature if the detection unit detects that the occurrence number of the first attributive character is more than the occurrence number threshold.
10. The device according to any one of claims 7-9, characterized in that the device further comprises:
a feature increase module, configured to add the first attributive character to an intrusion feature database if it is determined that the first attributive character is an attack signature.
11. The device according to claim 10, characterized in that the device further comprises:
a request receiving module, configured to receive a second access request sent to the targeted website, and to obtain at least one second attributive character carried in the second access request;
a characteristic matching module, configured to match the second attributive character using the intrusion feature database;
an attack processing module, configured to determine that the second access request is an attack access request, and to perform attack protection processing on the second access request, if the first attributive character matching the second attributive character exists in the intrusion feature database;
a request sending module, configured to send the second access request to the server corresponding to the targeted website if the first attributive character matching the second attributive character does not exist in the intrusion feature database.
12. The device according to claim 11, characterized in that the attack protection processing includes any one of: the processing mode of sending a verification code to the user terminal that sends the second access request, the processing mode of discarding the second access request, and the processing mode of disconnecting the connection with the user terminal that sends the second access request.
Priority Applications (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201611061771.7A CN108111472A (en) | 2016-11-24 | 2016-11-24 | A kind of attack signature detection method and device |
PCT/CN2017/107784 WO2018095192A1 (en) | 2016-11-23 | 2017-10-26 | Method and system for website attack detection and prevention |
US16/296,065 US10715546B2 (en) | 2016-11-23 | 2019-03-07 | Website attack detection and protection method and system |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201611061771.7A CN108111472A (en) | 2016-11-24 | 2016-11-24 | A kind of attack signature detection method and device |
Publications (1)
Publication Number | Publication Date |
---|---|
CN108111472A true CN108111472A (en) | 2018-06-01 |
Family
ID=62205385
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201611061771.7A Pending CN108111472A (en) | 2016-11-23 | 2016-11-24 | A kind of attack signature detection method and device |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN108111472A (en) |
Cited By (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN108600145A (en) * | 2017-12-25 | 2018-09-28 | 北京神州绿盟信息安全科技股份有限公司 | A kind of method and device of determining ddos attack equipment |
CN109561090A (en) * | 2018-11-30 | 2019-04-02 | 杭州安恒信息技术股份有限公司 | A kind of web intelligence defence method, device, equipment and readable storage medium storing program for executing |
CN111198900A (en) * | 2019-12-31 | 2020-05-26 | 成都烽创科技有限公司 | Data caching method and device for industrial control network, terminal equipment and medium |
CN113783848A (en) * | 2021-08-25 | 2021-12-10 | 张惠冰 | Network active defense method and device based on deceptive artificial intelligence |
CN114640525A (en) * | 2022-03-21 | 2022-06-17 | 北京从云科技有限公司 | Method, device and equipment for protecting DDoS attack for WEB service |
CN115102781A (en) * | 2022-07-14 | 2022-09-23 | 中国电信股份有限公司 | Network attack processing method, device, electronic equipment and medium |
CN116708013A (en) * | 2023-07-25 | 2023-09-05 | 深圳市锐速云计算有限公司 | DDoS protection method and device |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1725705A (en) * | 2005-05-09 | 2006-01-25 | 杭州华为三康技术有限公司 | Method for detecting flow attacking message characteristic of network equipment |
US20140047508A1 (en) * | 2004-11-10 | 2014-02-13 | Mlb Advanced Media, L.P. | Multiple user login detection and response system |
CN103701794A (en) * | 2013-12-20 | 2014-04-02 | 北京奇虎科技有限公司 | Identification method and device for denial of service attack |
CN104009983A (en) * | 2014-05-14 | 2014-08-27 | 杭州安恒信息技术有限公司 | Detection method and system for CC attack |
CN104065644A (en) * | 2014-05-28 | 2014-09-24 | 北京知道创宇信息技术有限公司 | Method and apparatus for recognizing CC attacks based on log analysis |
CN105939328A (en) * | 2016-01-27 | 2016-09-14 | 杭州迪普科技有限公司 | Method and device for updating network attack feature library |
- 2016-11-24 CN CN201611061771.7A patent/CN108111472A/en active Pending
Patent Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20140047508A1 (en) * | 2004-11-10 | 2014-02-13 | Mlb Advanced Media, L.P. | Multiple user login detection and response system |
CN1725705A (en) * | 2005-05-09 | 2006-01-25 | 杭州华为三康技术有限公司 | Method for detecting flow attacking message characteristic of network equipment |
CN103701794A (en) * | 2013-12-20 | 2014-04-02 | 北京奇虎科技有限公司 | Identification method and device for denial of service attack |
CN104009983A (en) * | 2014-05-14 | 2014-08-27 | 杭州安恒信息技术有限公司 | Detection method and system for CC attack |
CN104065644A (en) * | 2014-05-28 | 2014-09-24 | 北京知道创宇信息技术有限公司 | Method and apparatus for recognizing CC attacks based on log analysis |
CN105939328A (en) * | 2016-01-27 | 2016-09-14 | 杭州迪普科技有限公司 | Method and device for updating network attack feature library |
Cited By (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN108600145A (en) * | 2017-12-25 | 2018-09-28 | 北京神州绿盟信息安全科技股份有限公司 | A kind of method and device of determining ddos attack equipment |
CN108600145B (en) * | 2017-12-25 | 2020-12-25 | 北京神州绿盟信息安全科技股份有限公司 | Method and device for determining DDoS attack equipment |
CN109561090A (en) * | 2018-11-30 | 2019-04-02 | 杭州安恒信息技术股份有限公司 | A kind of web intelligence defence method, device, equipment and readable storage medium storing program for executing |
CN109561090B (en) * | 2018-11-30 | 2022-04-26 | 杭州安恒信息技术股份有限公司 | Web intelligent defense method, device, equipment and readable storage medium |
CN111198900A (en) * | 2019-12-31 | 2020-05-26 | 成都烽创科技有限公司 | Data caching method and device for industrial control network, terminal equipment and medium |
CN111198900B (en) * | 2019-12-31 | 2023-06-09 | 成都烽创科技有限公司 | Data caching method and device for industrial control network, terminal equipment and medium |
CN113783848A (en) * | 2021-08-25 | 2021-12-10 | 张惠冰 | Network active defense method and device based on deceptive artificial intelligence |
CN114640525A (en) * | 2022-03-21 | 2022-06-17 | 北京从云科技有限公司 | Method, device and equipment for protecting DDoS attack for WEB service |
CN115102781A (en) * | 2022-07-14 | 2022-09-23 | 中国电信股份有限公司 | Network attack processing method, device, electronic equipment and medium |
CN115102781B (en) * | 2022-07-14 | 2024-01-09 | 中国电信股份有限公司 | Network attack processing method, device, electronic equipment and medium |
CN116708013A (en) * | 2023-07-25 | 2023-09-05 | 深圳市锐速云计算有限公司 | DDoS protection method and device |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN108111472A (en) | A kind of attack signature detection method and device | |
US11176573B2 (en) | Authenticating users for accurate online audience measurement | |
CN107465651B (en) | Network attack detection method and device | |
US10657249B2 (en) | Identifying fraudulent activities and the perpetrators thereof | |
WO2018095192A1 (en) | Method and system for website attack detection and prevention | |
JP6609047B2 (en) | Method and device for application information risk management | |
US10902327B1 (en) | System and method for device identification and uniqueness | |
EP1934923A2 (en) | System and method for detecting fraudulent transactions | |
CN106453216A (en) | Malicious website interception method, malicious website interception device and client | |
CN105404631B (en) | Picture identification method and device | |
CN106789939A (en) | A kind of detection method for phishing site and device | |
CN109547426B (en) | Service response method and server | |
CN111949803A (en) | Method, device and equipment for detecting network abnormal user based on knowledge graph | |
CN108090351A (en) | For handling the method and apparatus of request message | |
CN110581835B (en) | Vulnerability detection method and device and terminal equipment | |
CN109446801A (en) | Detect method, apparatus, server and the storage medium of simulator access | |
WO2019181979A1 (en) | Vulnerability checking system, distribution server, vulnerability checking method, and program | |
CN106850349B (en) | Feature information extraction method and device | |
He et al. | Mobile app identification for encrypted network flows by traffic correlation | |
JP5197681B2 (en) | Login seal management system and management server | |
CN107332856B (en) | Address information detection method and device, storage medium and electronic device | |
Ham et al. | Big Data Preprocessing Mechanism for Analytics of Mobile Web Log. | |
CN114006776B (en) | Sensitive information leakage detection method and device | |
CN114513331B (en) | Mining Trojan detection method, device and equipment based on application layer communication protocol | |
CN113709136A (en) | Access request verification method and device |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
RJ01 | Rejection of invention patent application after publication | ||
Application publication date: 20180601 |