CN108334774A - A kind of method, first server and the second server of detection attack - Google Patents
- Publication number: CN108334774A (application CN201810068435.8A)
- Authority: CN (China)
- Prior art keywords: detected, server, address, accessing, threshold value
- Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/567—Computer malware detection or handling, e.g. anti-virus arrangements using dedicated hardware
Abstract
An embodiment of the present invention provides a method of detecting an attack, a first server and a second server. The first server obtains historical request data for access to an object to be detected and, from that historical request data and a prediction model, determines the traffic baseline of the object to be detected, the traffic baseline being the normal number of times any single IP address accesses the object to be detected within a detection cycle. It then determines a detection threshold from the traffic baseline of the object to be detected and the fluctuation range of that baseline, and sends the detection threshold to the second server corresponding to the object to be detected, so that the second server performs attack detection on the object according to the detection threshold. Because the first server derives the detection threshold of the object to be detected from historical request data, and the second server performs attack detection using the threshold determined by the first server rather than a manually set one, the precision of the threshold setting is improved and with it the accuracy of attack detection.
Description
Technical field
Embodiments of the present invention relate to the field of network security, and in particular to a method of detecting an attack, a first server and a second server.
Background technology
With the development of the Internet, malicious network attacks are becoming more and more numerous, and attack patterns such as CC (Challenge Collapsar) attacks and traffic flooding attacks emerge one after another. The mainstream defence against CC attacks at present is for a person to set a threshold by experience and to block the source when the number of accesses to the protected object within a unit of time exceeds that threshold. As the business keeps growing and changing, the objects that need protecting also keep changing and increasing, and the business changes and growth are often not known to the security staff, so the threshold set by the security staff tends to deviate significantly.
Invention content
Embodiments of the present invention provide a method of detecting an attack, a first server and a second server, in order to solve the problem in existing attack detection methods that a manually set detection threshold deviates significantly.
An embodiment of the present invention provides a method of detecting an attack, comprising:
a first server obtaining historical request data for access to an object to be detected;
the first server inputting the historical request data for access to the object to be detected into a prediction model;
the first server outputting, by prediction of the prediction model, the traffic baseline of the object to be detected, the traffic baseline being the normal number of times any single Internet Protocol (IP) address accesses the object to be detected within a detection cycle;
the first server determining a detection threshold according to the traffic baseline of the object to be detected and the fluctuation range of the traffic baseline;
the first server sending the detection threshold to the second server corresponding to the object to be detected, so that the second server performs attack detection on the object to be detected according to the detection threshold.
Optionally, before the first server obtains the historical request data for access to the object to be detected, the method further comprises:
the first server obtaining the requests for access to each object within the detection cycle;
for any one object, the first server counting, from the requests for access to that object, the number of times the object was accessed within the detection cycle;
when the relationship between the number of times the object was accessed and the historical number of times the object was accessed meets a preset condition, or the number of times the object was accessed exceeds a preset threshold, determining that object to be an object to be detected.
An embodiment of the present invention provides a method of detecting an attack, comprising:
a second server obtaining the requests for access to an object to be detected within a detection cycle;
the second server determining, from the requests, the Internet Protocol (IP) addresses accessing the object to be detected;
for any one IP address accessing the object to be detected, the second server, upon determining that the number of accesses by that IP address within the detection cycle exceeds a detection threshold, determining that IP address to be an attack address, the detection threshold having been determined by a first server from the historical request data for access to the object to be detected and a prediction model and sent to the second server.
Optionally, the request comprises at least application layer data and network layer data, and the second server determining the IP address accessing the object to be detected from the request comprises:
the second server parsing the application layer data and, when it determines that the application layer data contains the IP address accessing the object to be detected, taking the IP address from the application layer data as the IP address accessing the object to be detected;
otherwise, the second server parsing the network layer data to determine the IP address accessing the object to be detected.
Optionally, after the second server determines that the number of accesses by the IP address accessing the object to be detected within the detection cycle exceeds the detection threshold and determines that IP address to be an attack address, the method further comprises:
when the second server determines that the IP address accessing the object to be detected is present in a preset blacklist, or determines that the IP address is one used by a single user and its number of accesses within the detection cycle exceeds the detection threshold by at least one order of magnitude, blocking the IP address accessing the object to be detected;
otherwise, the second server performing secondary verification on the IP address accessing the object to be detected.
An embodiment of the present invention provides a first server, comprising:
a first acquisition module for obtaining historical request data for access to an object to be detected;
a first processing module for inputting the historical request data for access to the object to be detected into a prediction model; outputting, by prediction of the prediction model, the traffic baseline of the object to be detected, the traffic baseline being the normal number of times any single Internet Protocol (IP) address accesses the object to be detected within a detection cycle; determining a detection threshold according to the traffic baseline of the object to be detected and the fluctuation range of the traffic baseline; and sending the detection threshold to the second server corresponding to the object to be detected, so that the second server performs attack detection on the object to be detected according to the detection threshold.
Optionally, the first acquisition module is further configured to:
before obtaining the historical request data for access to the object to be detected, obtain the requests for access to each object within the detection cycle;
and the first processing module is further configured to:
for any one object, count, from the requests for access to that object, the number of times the object was accessed within the detection cycle; and when the relationship between the number of times the object was accessed and the historical number of times it was accessed meets a preset condition, or the number of times the object was accessed exceeds a preset threshold, determine that object to be an object to be detected.
An embodiment of the present invention provides a second server, comprising:
a second acquisition module for obtaining the requests for access to an object to be detected within a detection cycle;
a second processing module for determining, from the requests, the Internet Protocol (IP) addresses accessing the object to be detected; and, for any one IP address accessing the object to be detected, upon determining that the number of accesses by that IP address within the detection cycle exceeds a detection threshold, determining that IP address to be an attack address, the detection threshold having been determined by a first server from the historical request data for access to the object to be detected and a prediction model and sent to the second server.
Optionally, the request comprises at least application layer data and network layer data, and the second processing module is specifically configured to:
parse the application layer data and, when it determines that the application layer data contains the IP address accessing the object to be detected, take the IP address from the application layer data as the IP address accessing the object to be detected; otherwise, parse the network layer data to determine the IP address accessing the object to be detected.
Optionally, the second processing module is further configured to:
after determining that the number of accesses by the IP address accessing the object to be detected within the detection cycle exceeds the detection threshold and determining that IP address to be an attack address,
when it determines that the IP address accessing the object to be detected is present in a preset blacklist, or determines that the IP address is one used by a single user and its number of accesses within the detection cycle exceeds the detection threshold by at least one order of magnitude, block the IP address accessing the object to be detected;
otherwise, perform secondary verification on the IP address accessing the object to be detected.
An embodiment of the present invention provides a computing device, comprising:
a memory for storing program instructions;
a processor for calling the program instructions stored in the memory and executing any of the methods described above according to the obtained program.
An embodiment of the present invention provides a computer-readable storage medium storing computer-executable instructions, the computer-executable instructions being for causing a computer to execute the method described in any of the above embodiments.
In summary, an embodiment of the present invention provides a method of detecting an attack, a first server and a second server, comprising: a first server obtaining historical request data for access to an object to be detected; the first server inputting the historical request data for access to the object to be detected into a prediction model; the first server outputting, by prediction of the prediction model, the traffic baseline of the object to be detected, the traffic baseline being the normal number of times any single Internet Protocol (IP) address accesses the object to be detected within a detection cycle; the first server determining a detection threshold according to the traffic baseline of the object to be detected and the fluctuation range of the traffic baseline; and the first server sending the detection threshold to the second server corresponding to the object to be detected, so that the second server performs attack detection on the object to be detected according to the detection threshold. Because the first server determines the detection threshold of the object to be detected from the historical request data for access to the object and a prediction model and then sends it to the corresponding second server, the second server can perform attack detection on the object according to that threshold without a person first setting the detection threshold by experience. This, on the one hand, improves the precision of the threshold setting and reduces labour cost and, on the other hand, improves the accuracy of attack detection.
Description of the drawings
To describe the technical solutions of the embodiments of the present invention more clearly, the drawings needed in the description of the embodiments are briefly introduced below. Clearly, the drawings described below are only some embodiments of the invention, and a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic diagram of a system architecture to which an embodiment of the present invention is applicable;
Fig. 2 is a flow diagram of a method of detecting an attack provided by an embodiment of the present invention;
Fig. 3 is a flow diagram of a method of determining an object to be detected provided by an embodiment of the present invention;
Fig. 4 is a flow diagram of a method of detecting an attack provided by an embodiment of the present invention;
Fig. 5 is a flow diagram of a method of determining the IP address accessing an object to be detected provided by an embodiment of the present invention;
Fig. 6 is a structural schematic diagram of a first server provided by an embodiment of the present invention;
Fig. 7 is a structural schematic diagram of a second server provided by an embodiment of the present invention.
Specific implementation mode
To make the purpose, technical solution and advantageous effects of the present invention clearer, the present invention is described in further detail below with reference to the drawings and embodiments. It should be understood that the specific embodiments described here are only used to explain the present invention and are not intended to limit it.
Fig. 1 illustrates a system architecture to which an embodiment of the present invention is applicable. As shown in Fig. 1, the architecture comprises a first server 101 and a second server 102, connected by wired or wireless means. The first server 101 obtains the requests for access to each object within a detection cycle, determines the objects to be detected from among those objects according to the obtained requests, determines a detection threshold from the historical request data of each object to be detected and a prediction model, and sends the detection threshold to the second server corresponding to that object. There may be one or more second servers 102, and a single second server 102 may host one object to be detected or several. After receiving a detection threshold, the second server 102 stores it together with the information of the corresponding object to be detected. Once it has obtained the requests for access to the object to be detected within a detection cycle, it determines the attack addresses according to the obtained requests and the detection threshold.
Based on the system architecture shown in Fig. 1, and as shown in Fig. 2, a method of detecting an attack provided by an embodiment of the present invention, whose flow can be executed by the first server, comprises the following steps:
Step S201: the first server obtains historical request data for access to an object to be detected.
Step S202: the first server inputs the historical request data for access to the object to be detected into a prediction model.
Step S203: the first server outputs, by prediction of the prediction model, the traffic baseline of the object to be detected, the traffic baseline being the normal number of times any single Internet Protocol (IP) address accesses the object to be detected within a detection cycle.
Step S204: the first server determines a detection threshold according to the traffic baseline of the object to be detected and the fluctuation range of the traffic baseline.
Step S205: the first server sends the detection threshold to the second server corresponding to the object to be detected, so that the second server performs attack detection on the object to be detected according to the detection threshold.
Specifically, in step S201 the object to be detected may be a server, an Internet Protocol (IP) address, a uniform resource locator (URL), and so on. The historical request data for access to the object to be detected includes the source IP address, the accessed IP address, the accessed URL, the access duration, the size of the request packet, and so on.
In steps S202 and S203 the prediction model may be a machine learning model. The historical request data for access to the object to be detected is fed into the prediction model as training samples, and the prediction model then predicts and outputs the traffic baseline of the object to be detected. To improve prediction precision, the historical request data may be preprocessed in advance, for example by formatting it, matching it against historical traffic baselines, and cleaning it to remove noise and abnormally deviating data. Since objects to be detected are not all accessed in the same way every day, for example some objects are accessed more often on non-working days and activity days and relatively less often on working days, the historical request data for access to the object to be detected may be classified into working days, non-working days and activity days, and a traffic baseline predicted separately for each class, so as to improve the precision of the traffic baseline prediction.
In step S204 the fluctuation range of the traffic baseline may be determined from an abnormal-fluctuation value, the variance of the historical request data, and so on. The detection threshold is generated from the traffic baseline of the object to be detected and the fluctuation range of that baseline according to a set distribution proportion.
In step S205 the first server may update the detection threshold periodically and send the updated threshold to the second server. Because the first server determines the detection threshold of the object to be detected from the historical request data for access to the object and a prediction model and then sends it to the corresponding second server, the second server can perform attack detection on the object according to that threshold without a person first setting the detection threshold by experience. This, on the one hand, improves the precision of the threshold setting and reduces labour cost and, on the other hand, improves the accuracy of attack detection.
Optionally, before the first server obtains the historical request data for access to an object to be detected, the objects to be detected must first be determined from among all objects. An embodiment of the present invention provides a method of determining an object to be detected which, as shown in Fig. 3, comprises the following steps:
Step S301: the first server obtains the requests for access to each object within the detection cycle.
Step S302: for any one object, the first server counts, from the requests for access to that object, the number of times the object was accessed within the detection cycle.
Step S303: when the relationship between the number of times the object was accessed and the historical number of times the object was accessed meets a preset condition, or the number of times the object was accessed exceeds a preset threshold, the first server determines that object to be an object to be detected.
Specifically, the preset threshold is set according to the particular case. The relationship between an object's access count and its historical access count meeting the preset condition may mean that the difference between the object's access count and its historical access count exceeds a set value. For example, if an object was accessed 1000 times in the detection cycle, its historical access count for a detection cycle is 700, and the set value is 100, the difference between the object's access count and its historical access count exceeds the set value, so the object is determined to be an object to be detected. The relationship meeting the preset condition may also mean that the object's access count exceeds its historical access count by one or more orders of magnitude. For example, if an object was accessed 1000 times in the detection cycle and its historical access count for a detection cycle is 100, the object's access count exceeds its historical access count by one order of magnitude, so the object is determined to be an object to be detected.
In a specific implementation the object may be a server, an IP address, a URL, and so on. The following description takes a URL as an example. Suppose the detection cycle is 1 s and the first server obtains the requests for access to a first URL, a second URL and a third URL within that 1 s, where the first URL is www.A.com/test1/test2.html, the second URL is www.A.com/test.html and the third URL is www.C.com/test3/test4.html. The first URL is accessed 500 times in the 1 s, the second URL 700 times and the third URL 800 times. The first URL is then split, giving the level-one URL www.A.com, the level-two URL www.A.com/test1 and the level-three URL www.A.com/test1/test2.html. Likewise the second URL is split into the level-one URL www.A.com and the level-two URL www.A.com/test.html, and the third URL into the level-one URL www.C.com, the level-two URL www.C.com/test3 and the level-three URL www.C.com/test3/test4.html. The access count of each of these URLs at every level is then counted separately; the statistical results are shown in Table 1:
Table 1
The preset threshold for level-one URLs is set to 1000, that for level-two URLs to 700 and that for level-three URLs to 600. The historical access counts corresponding to each URL in Table 1 are set as shown in Table 2:
Table 2
For any one URL, it is first determined whether the URL's access count exceeds the preset threshold; if so, the URL is determined to be a URL to be detected; otherwise it is further determined whether the URL's access count exceeds its historical access count by one order of magnitude, and if so the URL is determined to be a URL to be detected. Judging according to Tables 1 and 2, the level-two URL www.C.com/test3 and the level-three URLs www.C.com/test3/test4.html and www.A.com/test1/test2.html are the URLs to be detected. The access count of each object is determined from the requests for access to each object within the detection cycle, and the objects to be detected are then determined from among all objects according to the relationship between each object's access count and its historical access count and the relationship between its access count and the preset threshold. This achieves real-time determination and detection of objects to be detected without manual configuration of the detected objects.
Optionally, after the second server receives the detection threshold sent by the first server, the method of performing attack detection according to the detection threshold, as shown in Fig. 4, comprises the following steps:
Step S401: the second server obtains the requests for access to the object to be detected within the detection cycle.
Step S402: the second server determines, from the requests, the IP addresses accessing the object to be detected.
Step S403: for any one IP address accessing the object to be detected, when the second server determines that the number of accesses by that IP address within the detection cycle exceeds the detection threshold, it determines that IP address to be an attack address.
In a specific implementation, the detection threshold is determined by the first server from the historical request data for access to the object to be detected and a prediction model and sent to the second server. Before judging whether the number of accesses by an IP address accessing the object to be detected within the detection cycle exceeds the detection threshold, the second server may first check whether that IP address is in a preset blacklist; if so, the IP address can be determined to be an attack address directly; otherwise it further judges whether the number of accesses by the IP address within the detection cycle exceeds the detection threshold and, if so, determines the IP address to be an attack address and saves it to the preset blacklist.
Optionally, a request for access to the object to be detected comprises at least application layer data and network layer data, and the IP address accessing the object to be detected may be the IP address parsed from the network layer data or the IP address parsed from the application layer data. When an attacker uses a proxy, a redirect or a content delivery network (CDN), the IP address parsed from the network layer data is not the attacker's source address, so an embodiment of the present invention provides the following preferred method of determining the IP address accessing the object to be detected, which, as shown in Fig. 5, comprises the following steps:
Step S501: the second server parses the application layer data.
Step S502: when the second server determines that the application layer data contains the IP address accessing the object to be detected, it takes the IP address from the application layer data as the IP address accessing the object to be detected.
Step S503: otherwise, the second server parses the network layer data to determine the IP address accessing the object to be detected.
In a specific implementation the second server first judges whether the application layer data contains the corresponding field added when the request is redirected through a CDN network; if it does, the IP address accessing the object to be detected is extracted from that field. Otherwise it judges whether the application layer data contains an X-Forwarded-For field; if it does, the IP address accessing the object to be detected is extracted from the X-Forwarded-For field; otherwise the network layer data is parsed to determine the IP address accessing the object to be detected. Because the IP address accessing the object to be detected is determined by parsing the application layer data, the source IP address attacking the object to be detected can be determined accurately, so that defensive measures can be taken effectively against the attack address.
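Steps S501 to S503 as an added example, not code from the patent: a small parser for the application-layer (HTTP) header block, then the lookup order the text describes (CDN-added field, then X-Forwarded-For, then the network-layer source). The patent does not name the CDN field, so the header names in CDN_CLIENT_IP_HEADERS are an assumption, the sample request is constructed, and the optional trusted_proxies check is an addition of this example because those header fields can be written by any client.

```python
"""Added example (not the patent's own code): determining the IP address
accessing an object to be detected following steps S501 to S503. Header
names for the CDN field and all sample requests are constructed."""
import ipaddress
from dataclasses import dataclass, field

# The patent only speaks of "the field added when going through a CDN";
# these names are an assumption standing in for that field.
CDN_CLIENT_IP_HEADERS = ("True-Client-IP", "CF-Connecting-IP")


@dataclass(frozen=True)
class Request:
    src_ip: str                                   # network-layer source
    headers: dict = field(default_factory=dict)   # application-layer headers


def parse_http_headers(raw):
    """Parse the header block of a raw HTTP request (bytes) into a dict.
    The request line is skipped and a blank line ends the block; when a
    header name repeats, the first occurrence is kept."""
    headers = {}
    for line in raw.decode("latin-1").split("\r\n")[1:]:
        if not line:
            break
        name, sep, value = line.partition(":")
        name = name.strip()
        if sep and name.lower() not in (k.lower() for k in headers):
            headers[name] = value.strip()
    return headers


def _valid_ip(text):
    """True when `text` is a syntactically valid IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(text.strip())
        return True
    except ValueError:
        return False


def client_ip(req, trusted_proxies=None):
    """Return (ip, source) with source 'cdn', 'x-forwarded-for' or
    'network'. Application-layer fields are consulted first, as in the
    patent; `trusted_proxies` is an added safeguard: when given, those
    fields are honoured only if the network-layer source is a listed
    proxy or CDN address, since any client can set them."""
    hdrs = {k.lower(): v for k, v in req.headers.items()}
    trusted = trusted_proxies is None or req.src_ip in trusted_proxies
    if trusted:
        for name in CDN_CLIENT_IP_HEADERS:
            value = hdrs.get(name.lower(), "")
            if _valid_ip(value):
                return value.strip(), "cdn"
        xff = hdrs.get("x-forwarded-for", "")
        if xff:
            # X-Forwarded-For lists the original client first; each proxy
            # appends the address it received the request from.
            first = xff.split(",")[0]
            if _valid_ip(first):
                return first.strip(), "x-forwarded-for"
    return req.src_ip, "network"


def resolve_raw(raw, src_ip, trusted_proxies=None):
    """Parse a raw request's headers, then resolve the accessing IP."""
    return client_ip(Request(src_ip, parse_http_headers(raw)), trusted_proxies)


# Constructed sample request as it would arrive from a CDN edge node
# whose network-layer address is 10.0.0.2.
RAW_VIA_CDN = (
    b"GET /test1/test2.html HTTP/1.1\r\n"
    b"Host: www.A.com\r\n"
    b"CF-Connecting-IP: 203.0.113.10\r\n"
    b"X-Forwarded-For: 203.0.113.10, 10.0.0.2\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    print(resolve_raw(RAW_VIA_CDN, "10.0.0.2"))
```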
Optionally, after the second server has determined the attack addresses among the IP addresses accessing the object to be detected, it takes different defensive measures for different detection results, specifically:
when the second server determines that the IP address accessing the object to be detected is present in a preset blacklist, or determines that the IP address is one used by a single user and its number of accesses within the detection cycle exceeds the detection threshold by at least one order of magnitude, it blocks the IP address accessing the object to be detected; otherwise the second server performs secondary verification on the IP address accessing the object to be detected. In a specific implementation, the number of accesses within the detection cycle exceeding the detection threshold by at least one order of magnitude means that the number of accesses within the detection cycle exceeds ten times, a hundred times, a thousand times, etc. the detection threshold; for example, the detection threshold is 100 and the number of accesses in the detection cycle is 1000 or 10000. When it is determined that the IP address accessing the object to be detected is not one used by a single user, for example the IP address is the egress address of a mobile network or a carrier cell, secondary verification is still required on the IP address even if its number of accesses within the detection cycle exceeds the detection threshold by at least one order of magnitude. Methods of secondary verification include, but are not limited to, popping up a verification-code input window on the web page, jumping to a verification page for verification, and obtaining client-side information for verification.
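The first server's threshold derivation (steps S204 and S205) and the second server's detection and defence decision (steps S401 to S403 plus the rule above), as one added example that is not part of the patent. The patent leaves the prediction model open, so a mean of past cycles stands in for it here and the sample standard deviation stands in for the fluctuation range; the history, the requests and the blacklist are constructed, using documentation address ranges.

```python
"""Added example (not the patent's own code): threshold derivation on
the first server and per-cycle detection plus defence decision on the
second server. The prediction model is a constructed stand-in."""
import math
import statistics
from collections import Counter
from dataclasses import dataclass


# ---- first server: traffic baseline -> detection threshold ----

def predict_baseline(history_per_cycle):
    """Stand-in prediction model (assumption; the patent allows e.g. a
    machine-learning model): the normal per-IP access count for a cycle
    is taken as the mean over past cycles."""
    return statistics.fmean(history_per_cycle)


def fluctuation_range(history_per_cycle):
    """Fluctuation range of the baseline, taken here as the sample
    standard deviation (the patent names the variance or an
    abnormal-fluctuation value among the possible choices)."""
    return statistics.stdev(history_per_cycle)


def detection_threshold(history_per_cycle, proportion=3.0):
    """Step S204: threshold = baseline + proportion * fluctuation, where
    `proportion` stands in for the 'set distribution proportion'."""
    base = predict_baseline(history_per_cycle)
    return math.ceil(base + proportion * fluctuation_range(history_per_cycle))


# ---- second server: attack detection and defence ----

@dataclass(frozen=True)
class Verdict:
    ip: str
    count: int
    action: str   # "allow", "block" (shield) or "verify" (secondary verification)


def detect(source_ips, threshold, blacklist=frozenset(), shared_ips=frozenset()):
    """Steps S401 to S403 and the defence rule. `source_ips` are the
    accessing addresses of one object's requests in one detection cycle.
    A blacklisted address is an attack address outright and is blocked.
    An address over the threshold is an attack address: blocked when it
    is a single-user address at least an order of magnitude (10x) over
    the threshold, otherwise sent to secondary verification. `shared_ips`
    lists addresses known to serve many users (mobile-network or carrier
    egress), which always go to secondary verification instead."""
    verdicts = []
    for ip, n in sorted(Counter(source_ips).items()):
        if ip in blacklist:
            action = "block"
        elif n <= threshold:
            action = "allow"
        elif ip not in shared_ips and n >= 10 * threshold:
            action = "block"
        else:
            action = "verify"
        verdicts.append(Verdict(ip, n, action))
    return verdicts


# Constructed history: normal per-IP access counts over five past cycles
# (mean 100, sample standard deviation about 7.9 -> threshold 124).
HISTORY = [90, 110, 100, 95, 105]
# Constructed requests for one cycle, as a list of accessing addresses.
SAMPLE_IPS = (
    ["203.0.113.5"] * 1500        # single user, >= 10x threshold -> block
    + ["198.51.100.7"] * 200      # over threshold but under 10x -> verify
    + ["192.0.2.9"] * 50          # within the threshold -> allow
    + ["198.51.100.200"] * 3      # blacklisted -> block regardless of count
    + ["203.0.113.77"] * 2000     # carrier egress address -> verify
)
BLACKLIST = frozenset({"198.51.100.200"})
SHARED_IPS = frozenset({"203.0.113.77"})

if __name__ == "__main__":
    threshold = detection_threshold(HISTORY)
    print("detection threshold:", threshold)
    for v in detect(SAMPLE_IPS, threshold, BLACKLIST, SHARED_IPS):
        print(f"{v.ip:16} {v.count:5d}  {v.action}")
```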
Based on the same technical idea, an embodiment of the present invention further provides a first server which, as shown in Fig. 6, includes:
a first acquisition module 601, configured to obtain historical request data for accessing an object to be detected;
a first processing module 602, configured to input the historical request data for accessing the object to be detected into a prediction model; output, by prediction with the prediction model, the traffic baseline of the object to be detected, the traffic baseline being the normal number of accesses to the object to be detected by any one Internet Protocol (IP) address within a detection cycle; determine a detection threshold according to the traffic baseline of the object to be detected and the fluctuation range of the traffic baseline; and send the detection threshold to the second server corresponding to the object to be detected, so that the second server performs attack detection on the object to be detected according to the detection threshold.
Optionally, the first acquisition module 601 is further configured to:
before obtaining the historical request data for accessing the object to be detected, obtain the requests for accessing each object within the detection cycle;
and the first processing module 602 is further configured to:
for any one object, count, according to the requests for accessing that object, the number of times the object is accessed within the detection cycle; and when the relationship between the accessed count of the object and the historical accessed count of the object meets a preset condition, or the accessed count of the object exceeds a predetermined threshold, determine the object to be an object to be detected.
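To make the first server's side of the scheme concrete (object selection, baseline, fluctuation range and threshold), the following Python sketch is an added illustration and is not code from the patent. It assumes, since the patent fixes none of them, the mean of recent per-IP normal access counts as the prediction model, the largest absolute deviation from the baseline as the fluctuation range, a threshold of baseline plus k times the fluctuation range, and a growth ratio over the historical mean as the "preset condition" of the optional object selection; all data are constructed.

```python
"""First-server side of the scheme (added illustration, not the patent's code).

Assumed, because the patent fixes none of them: the prediction model is the mean
of the per-IP normal access counts over recent cycles, the fluctuation range is the
largest absolute deviation of those counts from the baseline, the detection
threshold is baseline + k * fluctuation range, and the 'preset condition' for
selecting objects is a growth ratio over the historical mean. All sample data
below are constructed.
"""
from __future__ import annotations

import math
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class ThresholdMessage:
    """What the first server sends to an object's second server."""
    obj: str            # object to be detected, e.g. a hostname
    baseline: float     # normal per-IP access count in one detection cycle
    fluctuation: float  # fluctuation range of the baseline
    threshold: int      # detection threshold the second server will apply


def select_objects_to_detect(cycle_counts, history_counts,
                             growth_ratio=3.0, absolute_threshold=100_000):
    """Choose which objects are worth detecting this cycle.

    An object is selected when its accessed count this cycle is at least
    growth_ratio times its historical mean (assumed preset condition), or when
    the count exceeds an absolute predetermined threshold.
    """
    selected = []
    for obj, count in cycle_counts.items():
        history = history_counts.get(obj, [])
        grown = bool(history) and count >= growth_ratio * mean(history)
        if grown or count > absolute_threshold:
            selected.append(obj)
    return selected


def predict_baseline(per_ip_history, window=5):
    """Stand-in prediction model: mean normal per-IP access count over the
    last `window` cycles of historical request data."""
    recent = per_ip_history[-window:]
    if not recent:
        raise ValueError("no historical request data for this object")
    return mean(recent)


def fluctuation_range(per_ip_history, baseline, window=5):
    """Largest absolute deviation of recent normal counts from the baseline."""
    return max(abs(v - baseline) for v in per_ip_history[-window:])


def detection_threshold(baseline, fluctuation, k=2.0):
    """Threshold = baseline + k * fluctuation range, rounded up so that normal
    traffic anywhere inside the fluctuation band is never flagged."""
    return math.ceil(baseline + k * fluctuation)


def first_server_cycle(cycle_counts, object_history, per_ip_history, k=2.0):
    """One detection cycle of the first server: pick the objects to detect, derive
    baseline, fluctuation range and threshold for each, and return the messages
    that would be sent to each object's second server."""
    messages = {}
    for obj in select_objects_to_detect(cycle_counts, object_history):
        history = per_ip_history[obj]
        baseline = predict_baseline(history)
        fluct = fluctuation_range(history, baseline)
        messages[obj] = ThresholdMessage(obj, baseline, fluct,
                                         detection_threshold(baseline, fluct, k))
    return messages


# Constructed sample data: accessed counts per object this cycle, accessed counts
# in past cycles, and the normal per-IP access count observed in past cycles.
CYCLE_COUNTS = {"shop.example": 9_000, "blog.example": 1_100, "api.example": 250_000}
OBJECT_HISTORY = {
    "shop.example": [2_000, 2_100, 1_900],        # 9000 is over 3x the mean: selected
    "blog.example": [1_000, 1_050, 1_150],        # ordinary growth: not selected
    "api.example": [200_000, 210_000, 190_000],   # above the absolute threshold
}
PER_IP_HISTORY = {
    "shop.example": [90, 100, 110, 100, 100],           # baseline 100, range 10
    "blog.example": [20, 22, 18, 20, 20],
    "api.example": [1_000, 1_200, 800, 1_000, 1_000],   # baseline 1000, range 200
}

if __name__ == "__main__":
    for msg in first_server_cycle(CYCLE_COUNTS, OBJECT_HISTORY, PER_IP_HISTORY).values():
        print(msg)
```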
Based on the same technical idea, an embodiment of the present invention further provides a second server which, as shown in Fig. 7, includes:
a second acquisition module 701, configured to obtain the requests for accessing an object to be detected within a detection cycle;
a second processing module 702, configured to determine, according to the requests, the Internet Protocol (IP) addresses accessing the object to be detected; and, for any one IP address accessing the object to be detected, when it is determined that the number of accesses to the object to be detected by that IP address within the detection cycle exceeds a detection threshold, determine that IP address to be an attack address, where the detection threshold is determined by a first server according to the historical request data for accessing the object to be detected and a prediction model, and is sent to the second server.
Optionally, the requests include at least application layer data and network layer data, and the second processing module 702 is specifically configured to:
parse the application layer data, and when it is determined that the application layer data contains an IP address accessing the object to be detected, take the IP address accessing the object to be detected found in the application layer data as the IP address accessing the object to be detected; otherwise, parse the network layer data to determine the IP address accessing the object to be detected.
Optionally, the second processing module 702 is further configured to:
when it is determined that the IP address accessing the object to be detected is present in a preset blacklist, or that the IP address accessing the object to be detected is an IP address used by a single user and its number of accesses within the detection cycle exceeds the detection threshold by at least one order of magnitude, block the IP address accessing the object to be detected;
otherwise, perform secondary verification on the IP address accessing the object to be detected.
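The second server's side, covering both the attack-address determination and the defense decision described above (blacklist, single-user address an order of magnitude over the threshold, otherwise secondary verification), as an added Python illustration that is not the patent's code. Assumed, because the patent leaves them open: each request is a dict with the parsed application-layer data (HTTP headers) and the network-layer source address, the application-layer client IP is the first entry of an X-Forwarded-For header, "one order of magnitude" means at least ten times the threshold, and shared egress addresses (mobile-network or carrier egress) are looked up in a constructed set; all requests are constructed.

```python
"""Second-server side of the scheme (added illustration, not the patent's code).

Assumed, because the patent leaves them open: a request is a dict with "object"
(what it accesses), "net" (network-layer source IP) and "app" (parsed application
layer data, here HTTP headers); the application-layer client IP is the first entry
of an X-Forwarded-For header; "one order of magnitude" means at least ten times
the threshold; and addresses used by many users (mobile-network or carrier egress)
are looked up in a constructed set. All requests below are constructed.
"""
from __future__ import annotations

import ipaddress
from collections import Counter

BLOCK = "block"
SECONDARY_VERIFICATION = "secondary_verification"


def extract_ip(request):
    """Prefer the client IP carried in the application-layer data and fall back
    to the network-layer source address when none is present or valid. The header
    is only meaningful when a trusted proxy set it, so anything that does not
    parse as an address is ignored rather than trusted."""
    headers = request.get("app") or {}
    # X-Forwarded-For is "client, proxy1, proxy2": the first entry is the client.
    candidate = headers.get("X-Forwarded-For", "").split(",")[0].strip()
    if candidate:
        try:
            return str(ipaddress.ip_address(candidate))
        except ValueError:
            pass  # malformed value: use the network layer instead
    return str(ipaddress.ip_address(request["net"]))


def count_accesses(requests, obj):
    """Per-IP access counts for one object within the detection cycle."""
    return Counter(extract_ip(r) for r in requests if r.get("object") == obj)


def detect_attack_addresses(counts, threshold):
    """Every IP whose access count exceeds the detection threshold received
    from the first server is an attack address."""
    return {ip: n for ip, n in counts.items() if n > threshold}


def decide_defense(ip, count, threshold, blacklist, shared_egress):
    """Block when the address is blacklisted, or when it is used by a single
    user and is at least an order of magnitude over the threshold; otherwise
    send it to secondary verification (e.g. a verification code)."""
    single_user = ip not in shared_egress
    if ip in blacklist or (single_user and count >= 10 * threshold):
        return BLOCK
    return SECONDARY_VERIFICATION


def second_server_cycle(requests, obj, threshold,
                        blacklist=frozenset(), shared_egress=frozenset()):
    """One detection cycle: map each attack address to the defense applied."""
    attackers = detect_attack_addresses(count_accesses(requests, obj), threshold)
    return {ip: decide_defense(ip, n, threshold, blacklist, shared_egress)
            for ip, n in attackers.items()}


def make_requests(obj, n, net, xff=None):
    """Build n constructed requests for obj from one source."""
    app = {"X-Forwarded-For": xff} if xff else {}
    return [{"object": obj, "net": net, "app": app} for _ in range(n)]


OBJ = "shop.example"
THRESHOLD = 120                              # as received from the first server
BLACKLIST = frozenset({"203.0.113.77"})
SHARED_EGRESS = frozenset({"192.0.2.9"})     # e.g. a mobile-network egress address
SAMPLE_REQUESTS = (
    make_requests(OBJ, 5, "203.0.113.10")                        # ordinary user
    + make_requests(OBJ, 150, "203.0.113.5")                     # over threshold
    + make_requests(OBJ, 1200, "10.0.0.2", xff="198.51.100.7")   # via proxy, 10x
    + make_requests(OBJ, 1200, "192.0.2.9")                      # shared egress, 10x
    + make_requests(OBJ, 130, "203.0.113.77")                    # blacklisted
    + make_requests(OBJ, 3, "10.0.0.2", xff="not-an-ip")         # bad header
    + make_requests("other.example", 500, "203.0.113.5")         # another object
)

if __name__ == "__main__":
    for ip, action in second_server_cycle(SAMPLE_REQUESTS, OBJ, THRESHOLD,
                                          BLACKLIST, SHARED_EGRESS).items():
        print(ip, action)
```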
An embodiment of the present invention provides a computing device, which may specifically be a desktop computer, a portable computer, a smartphone, a tablet computer, a personal digital assistant (PDA), or the like. The computing device may include a central processing unit (CPU), memory, input/output devices and so on; the input devices may include a keyboard, a mouse, a touch screen and the like, and the output devices may include display devices such as a liquid crystal display (LCD) or a cathode-ray tube (CRT).
The memory may include read-only memory (ROM) and random access memory (RAM), and provides the processor with the program instructions and data stored in the memory. In embodiments of the present invention, the memory may be used to store the program instructions of the attack detection method;
and the processor is configured to call the program instructions stored in the memory and execute the attack detection method according to the obtained program.
An embodiment of the present invention provides a computer-readable storage medium storing computer-executable instructions, the computer-executable instructions being used to cause a computer to execute the attack detection method.
Those skilled in the art will understand that the embodiments of the present invention may be provided as a method or a computer program product. Therefore, the present invention may take the form of a complete hardware embodiment, a complete software embodiment, or an embodiment combining software and hardware aspects. Moreover, the present invention may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical memory, etc.) containing computer-usable program code.
The present invention is described with reference to flowcharts and/or block diagrams of the method, device (system) and computer program product according to embodiments of the present invention. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, a special-purpose computer, an embedded processor or other programmable data processing device to produce a machine, so that the instructions executed by the processor of the computer or other programmable data processing device produce a device for realising the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to work in a particular manner, so that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction device, the instruction device realising the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, so that a series of operational steps are executed on the computer or other programmable device to produce computer-implemented processing, whereby the instructions executed on the computer or other programmable device provide steps for realising the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
Although preferred embodiments of the present invention have been described, those skilled in the art, once they know the basic inventive concept, may make additional changes and modifications to these embodiments. Therefore, the following claims are intended to be interpreted as including the preferred embodiments and all changes and modifications that fall within the scope of the present invention.
Obviously, those skilled in the art can make various changes and modifications to the present invention without departing from the spirit and scope of the invention. Thus, if these modifications and variations of the present invention fall within the scope of the claims of the present invention and their technical equivalents, the present invention is also intended to include them.
Claims (12)
1. An attack detection method, characterised in that it comprises:
a first server obtaining historical request data for accessing an object to be detected;
the first server inputting the historical request data for accessing the object to be detected into a prediction model;
the first server outputting, by prediction with the prediction model, the traffic baseline of the object to be detected, the traffic baseline being the normal number of accesses to the object to be detected by any one Internet Protocol (IP) address within a detection cycle;
the first server determining a detection threshold according to the traffic baseline of the object to be detected and the fluctuation range of the traffic baseline; and
the first server sending the detection threshold to a second server corresponding to the object to be detected, so that the second server performs attack detection on the object to be detected according to the detection threshold.
2. The method according to claim 1, characterised in that, before the first server obtains the historical request data for accessing the object to be detected, the method further comprises:
the first server obtaining the requests for accessing each object within the detection cycle;
for any one object, the first server counting, according to the requests for accessing that object, the number of times the object is accessed within the detection cycle; and
when the relationship between the accessed count of the object and the historical accessed count of the object meets a preset condition, or the accessed count of the object exceeds a predetermined threshold, determining the object to be an object to be detected.
3. An attack detection method, characterised in that it comprises:
a second server obtaining the requests for accessing an object to be detected within a detection cycle;
the second server determining, according to the requests, the Internet Protocol (IP) addresses accessing the object to be detected; and
for any one IP address accessing the object to be detected, the second server, when determining that the number of accesses to the object to be detected by that IP address within the detection cycle exceeds a detection threshold, determining that IP address to be an attack address, wherein the detection threshold is determined by a first server according to the historical request data for accessing the object to be detected and a prediction model and is sent to the second server.
4. The method according to claim 3, characterised in that the requests include at least application layer data and network layer data; and
the second server determining, according to the requests, the IP addresses accessing the object to be detected comprises:
the second server parsing the application layer data, and when determining that the application layer data contains an IP address accessing the object to be detected, taking the IP address accessing the object to be detected found in the application layer data as the IP address accessing the object to be detected;
otherwise, the second server parsing the network layer data to determine the IP address accessing the object to be detected.
5. The method according to claim 3, characterised in that, after the second server determines that the number of accesses to the object to be detected by the IP address within the detection cycle exceeds the detection threshold and determines the IP address accessing the object to be detected to be an attack address, the method further comprises:
when the second server determines that the IP address accessing the object to be detected is present in a preset blacklist, or that the IP address accessing the object to be detected is an IP address used by a single user and its number of accesses within the detection cycle exceeds the detection threshold by at least one order of magnitude, blocking the IP address accessing the object to be detected;
otherwise, the second server performing secondary verification on the IP address accessing the object to be detected.
6. A first server, characterised in that it comprises:
a first acquisition module, configured to obtain historical request data for accessing an object to be detected; and
a first processing module, configured to input the historical request data for accessing the object to be detected into a prediction model; output, by prediction with the prediction model, the traffic baseline of the object to be detected, the traffic baseline being the normal number of accesses to the object to be detected by any one Internet Protocol (IP) address within a detection cycle; determine a detection threshold according to the traffic baseline of the object to be detected and the fluctuation range of the traffic baseline; and send the detection threshold to a second server corresponding to the object to be detected, so that the second server performs attack detection on the object to be detected according to the detection threshold.
7. The first server according to claim 6, characterised in that the first acquisition module is further configured to:
before obtaining the historical request data for accessing the object to be detected, obtain the requests for accessing each object within the detection cycle; and
the first processing module is further configured to:
for any one object, count, according to the requests for accessing that object, the number of times the object is accessed within the detection cycle; and when the relationship between the accessed count of the object and the historical accessed count of the object meets a preset condition, or the accessed count of the object exceeds a predetermined threshold, determine the object to be an object to be detected.
8. A second server, characterised in that it comprises:
a second acquisition module, configured to obtain the requests for accessing an object to be detected within a detection cycle; and
a second processing module, configured to determine, according to the requests, the Internet Protocol (IP) addresses accessing the object to be detected; and, for any one IP address accessing the object to be detected, when determining that the number of accesses to the object to be detected by that IP address within the detection cycle exceeds a detection threshold, determine that IP address to be an attack address, wherein the detection threshold is determined by a first server according to the historical request data for accessing the object to be detected and a prediction model and is sent to the second server.
9. The second server according to claim 8, characterised in that the requests include at least application layer data and network layer data; and
the second processing module is specifically configured to:
parse the application layer data, and when determining that the application layer data contains an IP address accessing the object to be detected, take the IP address accessing the object to be detected found in the application layer data as the IP address accessing the object to be detected; otherwise, parse the network layer data to determine the IP address accessing the object to be detected.
10. The second server according to claim 8, characterised in that the second processing module is further configured to:
when determining that the IP address accessing the object to be detected is present in a preset blacklist, or that the IP address accessing the object to be detected is an IP address used by a single user and its number of accesses within the detection cycle exceeds the detection threshold by at least one order of magnitude, block the IP address accessing the object to be detected;
otherwise, perform secondary verification on the IP address accessing the object to be detected.
11. A computing device, characterised in that it comprises:
a memory, configured to store program instructions; and
a processor, configured to call the program instructions stored in the memory and execute, according to the obtained program, the method according to any one of claims 1 to 2 or claims 3 to 5.
12. A computer-readable storage medium, characterised in that the computer-readable storage medium stores computer-executable instructions, the computer-executable instructions being used to cause a computer to execute the method according to any one of claims 1 to 2 or claims 3 to 5.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810068435.8A CN108334774A (en) | 2018-01-24 | 2018-01-24 | A kind of method, first server and the second server of detection attack |
Publications (1)
Publication Number | Publication Date |
---|---|
CN108334774A true CN108334774A (en) | 2018-07-27 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | |
Application publication date: 20180727