CN108334774A - A kind of method, first server and the second server of detection attack - Google Patents

Info

Publication number: CN108334774A
Authority: CN (China)
Prior art keywords: detected, server, address, accessing, threshold value
Legal status: Pending
Application number: CN201810068435.8A
Other languages: Chinese (zh)
Inventors: 朱浩然, 杨阳, 陈舟, 黄自力
Current assignee: China Unionpay Co Ltd
Original assignee: China Unionpay Co Ltd
Application filed by China Unionpay Co Ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/567 Computer malware detection or handling, e.g. anti-virus arrangements using dedicated hardware

Abstract

An embodiment of the present invention provides a method of detecting attacks, a first server and a second server. The first server obtains historical request data for access to an object to be detected and, from that historical request data and a prediction model, determines a traffic baseline for the object; the traffic baseline is the normal number of times any single IP address accesses the object to be detected within a detection cycle. The first server then determines a detection threshold from the traffic baseline and its fluctuation range, and sends the detection threshold to the second server corresponding to the object to be detected, so that the second server performs attack detection on the object according to that threshold. Because the first server derives the detection threshold from historical request data, and the second server detects attacks using that derived threshold rather than a manually set one, the precision of the threshold setting is improved and with it the accuracy of attack detection.

Description

A kind of method, first server and the second server of detection attack
Technical field
Embodiments of the present invention relate to the technical field of network security, and in particular to a method of detecting attacks, a first server and a second server.
Background technology
With the development of the Internet, malicious network attacks are also increasing, and attack patterns such as CC (Challenge Collapsar) attacks and traffic flooding attacks emerge one after another. At present the mainstream defence against CC attacks is for an operator to set a threshold manually, based on experience, and to block when the number of accesses to the protected object within a unit of time exceeds that threshold. As the business continuously grows and changes, the objects that need protection also change and grow, and these changes are often not known to the security staff, so the thresholds set by the security staff deviate greatly from the appropriate values.
Summary of the invention
Embodiments of the present invention provide a method of detecting attacks, a first server and a second server, to solve the problem in existing attack detection methods that manually set detection thresholds deviate greatly.
An embodiment of the present invention provides a method of detecting attacks, including:
a first server obtains historical request data for access to an object to be detected;
the first server inputs the historical request data for access to the object to be detected into a prediction model;
the first server outputs, by prediction with the prediction model, a traffic baseline of the object to be detected, the traffic baseline being the normal number of times any one Internet Protocol (IP) address accesses the object to be detected within a detection cycle;
the first server determines a detection threshold according to the traffic baseline of the object to be detected and the fluctuation range of the traffic baseline;
the first server sends the detection threshold to the second server corresponding to the object to be detected, so that the second server performs attack detection on the object to be detected according to the detection threshold.
Optionally, before the first server obtains the historical request data for access to the object to be detected, the method further includes:
the first server obtains the requests that access each object within the detection cycle;
for any one object, the first server counts, according to the requests that access the object, the number of times the object is accessed within the detection cycle;
when the relationship between the number of times the object is accessed and the historical number of times the object is accessed meets a preset condition, or the number of times the object is accessed exceeds a preset threshold, the first server determines the object to be an object to be detected.
An embodiment of the present invention provides a method of detecting attacks, including:
a second server obtains the requests that access an object to be detected within a detection cycle;
the second server determines, according to the requests, the Internet Protocol (IP) addresses that access the object to be detected;
for any one IP address that accesses the object to be detected, when the second server determines that the number of times that IP address accesses the object to be detected within the detection cycle exceeds a detection threshold, it determines that IP address to be an attack address; the detection threshold is determined by a first server according to historical request data for access to the object to be detected and a prediction model, and is sent to the second server.
Optionally, the requests include at least application layer data and network layer data;
the second server determining, according to the requests, the IP addresses that access the object to be detected includes:
the second server parses the application layer data and, when it determines that the application layer data contains an IP address that accesses the object to be detected, determines the IP address that accesses the object to be detected in the application layer data to be the IP address that accesses the object to be detected;
otherwise, the second server parses the network layer data to determine the IP address that accesses the object to be detected.
Optionally, after the second server determines that the number of times an IP address accessing the object to be detected does so within the detection cycle exceeds the detection threshold, and determines that IP address to be an attack address, the method further includes:
when the second server determines that the IP address accessing the object to be detected is present in a preset blacklist, or
determines that the IP address accessing the object to be detected is an IP address used by a single user and its number of accesses within the detection cycle exceeds the detection threshold by at least one order of magnitude, the second server blocks the IP address accessing the object to be detected;
otherwise, the second server performs secondary verification on the IP address accessing the object to be detected.
An embodiment of the present invention provides a first server, including:
a first acquisition module, for obtaining historical request data for access to an object to be detected;
a first processing module, for inputting the historical request data for access to the object to be detected into a prediction model; outputting, by prediction with the prediction model, the traffic baseline of the object to be detected, the traffic baseline being the normal number of times any one Internet Protocol (IP) address accesses the object to be detected within a detection cycle; determining a detection threshold according to the traffic baseline of the object to be detected and the fluctuation range of the traffic baseline; and sending the detection threshold to the second server corresponding to the object to be detected, so that the second server performs attack detection on the object to be detected according to the detection threshold.
Optionally, the first acquisition module is further configured to:
before obtaining the historical request data for access to the object to be detected, obtain the requests that access each object within the detection cycle;
the first processing module is further configured to:
for any one object, count, according to the requests that access the object, the number of times the object is accessed within the detection cycle; and when the relationship between the number of times the object is accessed and the historical number of times the object is accessed meets a preset condition, or the number of times the object is accessed exceeds a preset threshold, determine the object to be an object to be detected.
An embodiment of the present invention provides a second server, including:
a second acquisition module, for obtaining the requests that access an object to be detected within a detection cycle;
a second processing module, for determining, according to the requests, the Internet Protocol (IP) addresses that access the object to be detected; and, for any one IP address that accesses the object to be detected, when it determines that the number of times that IP address accesses the object to be detected within the detection cycle exceeds a detection threshold, determining that IP address to be an attack address, where the detection threshold is determined by a first server according to historical request data for access to the object to be detected and a prediction model and is sent to the second server.
Optionally, the requests include at least application layer data and network layer data;
the second processing module is specifically configured to:
parse the application layer data and, when it determines that the application layer data contains an IP address that accesses the object to be detected, determine the IP address that accesses the object to be detected in the application layer data to be the IP address that accesses the object to be detected; otherwise, parse the network layer data to determine the IP address that accesses the object to be detected.
Optionally, the second processing module is further configured to:
after determining that the number of times an IP address accessing the object to be detected does so within the detection cycle exceeds the detection threshold, and determining that IP address to be an attack address,
when it determines that the IP address accessing the object to be detected is present in a preset blacklist, or
determines that the IP address accessing the object to be detected is an IP address used by a single user and its number of accesses within the detection cycle exceeds the detection threshold by at least one order of magnitude, block the IP address accessing the object to be detected;
otherwise, perform secondary verification on the IP address accessing the object to be detected.
An embodiment of the present invention provides a computing device, including:
a memory, for storing program instructions;
a processor, for calling the program instructions stored in the memory and executing any one of the methods described above according to the obtained program.
An embodiment of the present invention provides a computer-readable storage medium storing computer-executable instructions, the computer-executable instructions being for causing a computer to execute the method described in any one of the above embodiments.
In summary, an embodiment of the present invention provides a method of detecting attacks, a first server and a second server, including: the first server obtains historical request data for access to an object to be detected; the first server inputs that historical request data into a prediction model; the first server outputs, by prediction with the prediction model, the traffic baseline of the object to be detected, the traffic baseline being the normal number of times any one IP address accesses the object to be detected within a detection cycle; the first server determines a detection threshold according to the traffic baseline of the object to be detected and the fluctuation range of the traffic baseline; and the first server sends the detection threshold to the second server corresponding to the object to be detected, so that the second server performs attack detection on the object to be detected according to the detection threshold. Because the first server determines the detection threshold of the object to be detected from the historical request data and the prediction model and then sends it to the corresponding second server, the second server can perform attack detection according to that threshold without a detection threshold having been set manually from experience. This on the one hand improves the precision of the threshold setting and reduces labour cost, and on the other hand improves the accuracy of attack detection.
Description of the drawings
To describe the technical solutions in the embodiments of the present invention more clearly, the drawings needed in the description of the embodiments are briefly introduced below. Obviously, the drawings in the following description are only some embodiments of the present invention; a person of ordinary skill in the art can obtain other drawings from these drawings without creative effort.
Fig. 1 is a schematic diagram of a system architecture to which an embodiment of the present invention is applicable;
Fig. 2 is a schematic flow diagram of a method of detecting attacks provided by an embodiment of the present invention;
Fig. 3 is a schematic flow diagram of a method of determining an object to be detected provided by an embodiment of the present invention;
Fig. 4 is a schematic flow diagram of a method of detecting attacks provided by an embodiment of the present invention;
Fig. 5 is a schematic flow diagram of a method of determining the IP address accessing an object to be detected provided by an embodiment of the present invention;
Fig. 6 is a schematic structural diagram of a first server provided by an embodiment of the present invention;
Fig. 7 is a schematic structural diagram of a second server provided by an embodiment of the present invention.
Detailed description of the embodiments
In order to make the purpose, technical solution and advantages of the present invention clearer, the present invention is described in further detail below with reference to the drawings and embodiments. It should be understood that the specific embodiments described here are only used to explain the present invention and are not intended to limit it.
Fig. 1 illustrates a system architecture to which an embodiment of the present invention is applicable. As shown in Fig. 1, the system architecture includes a first server 101 and a second server 102, connected by wired or wireless means. The first server 101 obtains the requests that access each object within a detection cycle, then determines the objects to be detected from among those objects according to the obtained requests. It determines a detection threshold according to the historical request data of the object to be detected and a prediction model, and sends the detection threshold to the second server corresponding to the object to be detected. There may be one or more second servers 102, and a single second server 102 may host one object to be detected or several. After receiving a detection threshold, the second server 102 stores it together with the information of the corresponding object to be detected. After obtaining the requests that access the object to be detected within a detection cycle, it determines the attack addresses according to the obtained requests and the detection threshold.
Based on the system architecture shown in Fig. 1, Fig. 2 shows a method of detecting attacks provided by an embodiment of the present invention. The flow of this method can be executed by the first server and includes the following steps:
Step S201: the first server obtains historical request data for access to an object to be detected.
Step S202: the first server inputs the historical request data for access to the object to be detected into a prediction model.
Step S203: the first server outputs, by prediction with the prediction model, the traffic baseline of the object to be detected, the traffic baseline being the normal number of times any one Internet Protocol (IP) address accesses the object to be detected within a detection cycle.
Step S204: the first server determines a detection threshold according to the traffic baseline of the object to be detected and the fluctuation range of the traffic baseline.
Step S205: the first server sends the detection threshold to the second server corresponding to the object to be detected, so that the second server performs attack detection on the object to be detected according to the detection threshold.
Specifically, in step S201, the object to be detected can be a server, an Internet Protocol (IP) address, a Uniform Resource Locator (URL) and so on. The historical request data for access to the object to be detected includes the source IP address, the IP address accessed, the URL accessed, the access duration, the size of the request packet and so on.
In steps S202 and S203, the prediction model can be a machine learning model. The historical request data for access to the object to be detected is input into the prediction model as training samples, and the prediction model then outputs the predicted traffic baseline of the object to be detected. To improve the prediction precision, the historical request data can be pre-processed in advance, for example by formatting it, matching it against the historical traffic baseline, and cleaning it to remove garbage data and abnormally deviating data. Since objects to be detected are not all accessed in the same pattern (for example, some are accessed more on non-working days and event days and relatively less on working days), the historical request data can be classified by working day, non-working day and event day, and a traffic baseline predicted separately for each type, which improves the prediction precision of the traffic baseline.
In step S204, the fluctuation range of the traffic baseline can be determined from the abnormal fluctuation value, the variance of the historical request data, and so on. The traffic baseline of the object to be detected and its fluctuation range are combined in a set distribution proportion to generate the detection threshold.
In step S205, the first server can update the detection threshold periodically and send the updated threshold to the second server. Because the first server determines the detection threshold of the object to be detected from the historical request data and the prediction model and then sends it to the corresponding second server, the second server can perform attack detection according to that threshold without a threshold having been set manually from experience. This on the one hand improves the precision of the threshold setting and reduces labour cost, and on the other hand improves the accuracy of attack detection.
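The following is an added example (not the patent's own code) of steps S201 to S204: deriving a per-IP detection threshold from constructed historical request records, with the baseline predicted separately per day type as the text suggests. Because the patent leaves the prediction model open, a simple stand-in is assumed: baseline = mean per-IP access count over historical detection cycles of that day type, fluctuation range = population standard deviation of those counts, threshold = baseline plus a configurable proportion of that range; the day-type rule, the garbage filter and all sample data are likewise assumptions.

```python
"""Per-IP detection threshold from historical request data (example code,
not the patent's implementation). Day types, the stand-in predictor and all
sample records below are constructed for illustration."""
from collections import Counter, defaultdict
from datetime import datetime, timezone
from statistics import mean, pstdev

# Constructed: dates treated as event ("active") days, e.g. a promotion.
ACTIVE_DAYS = {"2018-01-01"}


def ts(year, month, day, hour=0, minute=0, second=0) -> datetime:
    """UTC timestamp helper so cycle boundaries do not depend on local time."""
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def day_type(when: datetime) -> str:
    """Classify a request time as workday, nonworkday or active day,
    mirroring the patent's suggestion to predict a baseline per type."""
    if when.strftime("%Y-%m-%d") in ACTIVE_DAYS:
        return "active"
    return "nonworkday" if when.weekday() >= 5 else "workday"


def per_ip_counts(records, cycle_seconds):
    """Group historical records into detection cycles of cycle_seconds and
    count accesses per source IP in each cycle.
    Returns {day_type: [per-IP count, per-IP count, ...]}."""
    cycles = defaultdict(Counter)          # (day type, cycle index) -> Counter(ip)
    for rec in records:
        when = rec["time"]
        idx = int(when.timestamp()) // cycle_seconds
        cycles[(day_type(when), idx)][rec["src_ip"]] += 1
    samples = defaultdict(list)
    for (dtype, _idx), counter in cycles.items():
        samples[dtype].extend(counter.values())
    return samples


def clean(counts, max_value):
    """Pre-processing from step S202: drop garbage (non-positive) values and
    abnormally deviating values above max_value before training."""
    return [c for c in counts if 0 < c <= max_value]


def baseline_and_threshold(counts, proportion=3.0):
    """Stand-in predictor: baseline = mean normal per-IP count,
    fluctuation range = population standard deviation,
    detection threshold = baseline + proportion * fluctuation range
    (the 'set distribution proportion' of step S204)."""
    if not counts:
        raise ValueError("no historical samples for this day type")
    baseline = mean(counts)
    fluctuation = pstdev(counts)
    return baseline, fluctuation, baseline + proportion * fluctuation


def thresholds_by_day_type(records, cycle_seconds=60, proportion=3.0,
                           max_value=10_000):
    """Steps S201-S204 for one object: one (baseline, range, threshold)
    per day type, ready to be sent to the second server in step S205."""
    samples = per_ip_counts(records, cycle_seconds)
    return {dtype: baseline_and_threshold(clean(counts, max_value), proportion)
            for dtype, counts in samples.items()}


def _visits(day, minute, seconds, ip):
    """Build constructed records for one IP at the given seconds of a minute."""
    return [{"time": ts(*day, 10, minute, s), "src_ip": ip} for s in seconds]


# Constructed historical request data for one object (URL), source IPs only.
SAMPLE_RECORDS = (
    _visits((2018, 1, 8), 0, (1, 20, 40), "203.0.113.5")            # Monday, cycle 0: 3 hits
    + _visits((2018, 1, 8), 0, (5, 10, 15, 25, 30), "203.0.113.6")  # Monday, cycle 0: 5 hits
    + _visits((2018, 1, 8), 1, (2, 4, 6, 8), "203.0.113.5")         # Monday, cycle 1: 4 hits
    + _visits((2018, 1, 6), 0, (3, 9), "203.0.113.5")               # Saturday: 2 hits
    + _visits((2018, 1, 6), 0, (12, 18), "203.0.113.7")             # Saturday: 2 hits
    + _visits((2018, 1, 1), 0, range(10), "203.0.113.8")            # event day: 10 hits
)


def demo():
    return thresholds_by_day_type(SAMPLE_RECORDS)


if __name__ == "__main__":
    for dtype, (base, fluct, thr) in demo().items():
        print(f"{dtype:10s} baseline={base:.2f} range={fluct:.2f} threshold={thr:.2f}")
```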
Optionally, before the first server obtains the historical request data for access to an object to be detected, it first needs to determine the objects to be detected from among all objects. An embodiment of the present invention provides a method of determining the object to be detected which, as shown in Fig. 3, includes the following steps:
Step S301: the first server obtains the requests that access each object within the detection cycle.
Step S302: for any one object, the first server counts, according to the requests that access the object, the number of times the object is accessed within the detection cycle.
Step S303: when the relationship between the number of times the object is accessed and the historical number of times the object is accessed meets a preset condition, or the number of times the object is accessed exceeds a preset threshold, the object is determined to be an object to be detected.
Specifically, the preset threshold is set according to the particular situation. The relationship between the number of times an object is accessed and its historical number of accesses meeting the preset condition can mean that the difference between the two exceeds a set value. For example, if the object is accessed 1000 times in the detection cycle, its historical number of accesses in a detection cycle is 700 and the set value is 100, the difference between the two exceeds the set value and the object is determined to be an object to be detected. The relationship meeting the preset condition can also mean that the number of accesses exceeds the historical number of accesses by one or more orders of magnitude. For example, if the object is accessed 1000 times in the detection cycle and its historical number of accesses in a detection cycle is 100, the number of accesses exceeds the historical number by one order of magnitude, and the object is determined to be an object to be detected.
In a specific implementation, an object can be a server, an IP address, a URL and so on. The following description takes URLs as an example. Suppose the detection cycle is set to 1 s and the first server obtains requests that access a first URL, a second URL and a third URL within that 1 s, where the first URL is www.A.com/test1/test2.html, the second URL is www.A.com/test.html and the third URL is www.C.com/test3/test4.html. The first URL is accessed 500 times in the 1 s, the second URL 700 times and the third URL 800 times. The first URL is then split into a level-one URL www.A.com, a level-two URL www.A.com/test1 and a level-three URL www.A.com/test1/test2.html. Likewise the second URL is split into a level-one URL www.A.com and a level-two URL www.A.com/test.html, and the third URL into a level-one URL www.C.com, a level-two URL www.C.com/test3 and a level-three URL www.C.com/test3/test4.html. The number of accesses of each of these URLs at each level is then counted separately; the statistical result is as shown in Table 1:
Table 1
The preset threshold corresponding to level-one URLs is set to 1000, that corresponding to level-two URLs to 700 and that corresponding to level-three URLs to 600. The historical numbers of accesses corresponding to each URL in Table 1 are set as shown in Table 2:
Table 2
For any one URL, it is first judged whether the URL's number of accesses exceeds the preset threshold; if so, the URL is determined to be a URL to be detected; otherwise it is further judged whether the URL's number of accesses exceeds its historical number of accesses by an order of magnitude, and if so, the URL is determined to be a URL to be detected. Judging from Tables 1 and 2, the level-two URL www.C.com/test3, the level-three URL www.C.com/test3/test4.html and the level-three URL www.A.com/test1/test2.html are URLs to be detected. The number of accesses of each object is determined from the requests that access each object within the detection cycle, and the objects to be detected are then determined from among all objects according to the relationship between each object's number of accesses and its historical number of accesses, and the relationship between its number of accesses and the preset threshold. This realizes real-time determination and detection of objects to be detected without manual configuration of the detected objects.
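An added example (not the patent's own code) of the URL splitting and selection procedure just described, using the page's URLs, access counts and preset thresholds. Table 1 and Table 2 are not reproduced on the page, so two things are this example's assumptions: a request to a URL counts as an access to every prefix of it (so the level-one host www.A.com accumulates 1200 accesses and also crosses its threshold here), and the historical counts in HISTORY are constructed so that www.A.com/test1/test2.html is picked up by the order-of-magnitude rule, as in the text.

```python
"""Select URLs to be detected from one detection cycle (example code, not the
patent's implementation). Uses the URLs, access counts and preset thresholds
from the patent's example; the per-level aggregation and the historical
counts (Table 2 is not reproduced on the page) are this example's assumptions."""
from collections import Counter

# From the page's example: full URL -> accesses in the 1 s detection cycle.
CYCLE_ACCESSES = {
    "www.A.com/test1/test2.html": 500,
    "www.A.com/test.html": 700,
    "www.C.com/test3/test4.html": 800,
}
# Preset threshold per URL level (page values).
PRESET_THRESHOLD = {1: 1000, 2: 700, 3: 600}
# Constructed stand-in for Table 2: historical accesses per URL prefix.
HISTORY = {
    "www.A.com": 1100,
    "www.A.com/test1": 450,
    "www.A.com/test1/test2.html": 40,
    "www.A.com/test.html": 650,
    "www.C.com": 750,
    "www.C.com/test3": 750,
    "www.C.com/test3/test4.html": 750,
}


def split_levels(url: str) -> list:
    """'www.A.com/test1/test2.html' ->
    ['www.A.com', 'www.A.com/test1', 'www.A.com/test1/test2.html']"""
    parts = url.strip("/").split("/")
    return ["/".join(parts[:i + 1]) for i in range(len(parts))]


def level_of(prefix: str) -> int:
    """Level one is the host; each further path element adds one level."""
    return prefix.count("/") + 1


def count_levels(accesses: dict) -> Counter:
    """Assumption: a request to a URL counts as an access to every prefix of
    it, so a host's level-one count is the sum over all its paths."""
    totals = Counter()
    for url, n in accesses.items():
        for prefix in split_levels(url):
            totals[prefix] += n
    return totals


def exceeds_by_magnitude(count, history, orders=1):
    """Preset condition, variant 2: count is at least `orders` orders of
    magnitude above the historical count, e.g. 1000 vs 100."""
    return history > 0 and count >= history * 10 ** orders


def exceeds_by_difference(count, history, setting=100):
    """Preset condition, variant 1: count minus history exceeds a set
    value, e.g. 1000 - 700 > 100."""
    return count - history > setting


def select_to_detect(accesses, history, preset=PRESET_THRESHOLD,
                     condition=exceeds_by_magnitude):
    """Steps S302-S303: {prefix: reason} for every URL level whose count
    exceeds its preset threshold, or whose relation to its historical count
    meets the chosen preset condition."""
    selected = {}
    for prefix, count in count_levels(accesses).items():
        threshold = preset.get(level_of(prefix))
        if threshold is not None and count > threshold:
            selected[prefix] = "preset threshold"
        elif prefix in history and condition(count, history[prefix]):
            selected[prefix] = "history"
    return selected


def demo():
    return select_to_detect(CYCLE_ACCESSES, HISTORY)


if __name__ == "__main__":
    for prefix, reason in demo().items():
        print(f"level-{level_of(prefix)} {prefix}: to be detected ({reason})")
```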
Optionally, after the second server receives the detection threshold sent by the first server, the method of performing attack detection according to the detection threshold specifically includes the following steps, as shown in Fig. 4:
Step S401: the second server obtains the requests that access the object to be detected within the detection cycle.
Step S402: the second server determines, according to the requests, the IP addresses that access the object to be detected.
Step S403: for any one IP address that accesses the object to be detected, when the second server determines that the number of times that IP address accesses the object to be detected within the detection cycle exceeds the detection threshold, it determines that IP address to be an attack address.
In a specific implementation, the detection threshold is determined by the first server according to the historical request data for access to the object to be detected and the prediction model, and is sent to the second server. Before judging whether the number of times an IP address accessing the object to be detected does so within the detection cycle exceeds the detection threshold, the second server can also first judge whether that IP address is present in a preset blacklist; if so, it can directly determine the IP address to be an attack address. Otherwise it further judges whether the IP address's number of accesses within the detection cycle exceeds the detection threshold, and if so, determines the IP address to be an attack address and saves it to the preset blacklist.
Optionally, the requests that access the object to be detected include at least application layer data and network layer data, and the IP address accessing the object to be detected can be the IP address parsed from the network layer data or the IP address parsed from the application layer data. When an attacker has used a proxy or a redirect, or passes through a content delivery network (CDN), the IP address parsed from the network layer data is not the attacker's source address. An embodiment of the present invention therefore provides the following preferred method of determining the IP address accessing the object to be detected, which, as shown in Fig. 5, includes the following steps:
Step S501: the second server parses the application layer data.
Step S502: when the second server determines that the application layer data contains an IP address that accesses the object to be detected, it determines the IP address that accesses the object to be detected in the application layer data to be the IP address accessing the object to be detected.
Step S503: otherwise, the second server parses the network layer data to determine the IP address accessing the object to be detected.
In a specific implementation, the second server first judges whether the application layer data contains the corresponding field added when the request is redirected through the CDN network; if so, it extracts the IP address accessing the object to be detected from that field. Otherwise it judges whether the application layer data contains an X-Forwarded-For field; if so, it extracts the IP address accessing the object to be detected from the X-Forwarded-For field; otherwise it parses the network layer data to determine the IP address accessing the object to be detected. Because the IP address accessing the object to be detected is determined by parsing the application layer data, the source IP address of an attack on the object to be detected can be determined accurately, so that corresponding defensive measures can be taken effectively against the attack address.
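An added example (not the patent's own code) of steps S501 to S503 as refined above: look for the CDN-added field, then X-Forwarded-For, then fall back to the network-layer address. The CDN header name (x-real-ip), the trusted proxy ranges and the sample requests are assumptions; the trust gate, which accepts application-layer addresses only from requests that arrived through our own proxy or CDN nodes and takes the right-most untrusted X-Forwarded-For hop, is an added check, since the header is otherwise client-controlled.

```python
"""Determine the source IP address of a request to the object under detection
(example code, not the patent's implementation). Follows steps S501-S503:
CDN-added header, then X-Forwarded-For, then the network-layer peer address.
The CDN header name, the trusted proxy ranges and the sample requests are
constructed assumptions."""
import ipaddress

# Constructed: address ranges of our own CDN / reverse-proxy nodes. Only
# requests arriving from these peers may carry trustworthy client-IP headers.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def parse_headers(raw: bytes) -> dict:
    """Parse the header block of an HTTP/1.x request (the application layer
    data). Names are lower-cased; repeated headers are joined with commas,
    which is how X-Forwarded-For chains are conventionally combined."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = {}
    for line in head.split("\r\n")[1:]:      # skip the request line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        key, value = name.strip().lower(), value.strip()
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return headers


def _valid_ip(text: str):
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def _is_trusted(ip) -> bool:
    return any(ip in net for net in TRUSTED_PROXIES)


def source_ip(raw_request: bytes, network_layer_ip: str,
              cdn_header: str = "x-real-ip"):
    """Return (ip, origin). origin is 'cdn', 'x-forwarded-for' or 'network'
    and records which layer supplied the address, for logging."""
    peer = ipaddress.ip_address(network_layer_ip)
    if not _is_trusted(peer):
        # Any client can write X-Forwarded-For itself; if the request did not
        # come through our proxy layer the network-layer address is the source.
        return str(peer), "network"
    headers = parse_headers(raw_request)
    # S501/S502: field added by the CDN when it relays the request.
    ip = _valid_ip(headers.get(cdn_header, ""))
    if ip is not None:
        return str(ip), "cdn"
    # X-Forwarded-For lists client, proxy1, proxy2, ... Walk the chain from
    # the right (nearest our own peer) and take the first hop that is not one
    # of our proxies: that is the address the outermost trusted proxy saw.
    chain = [_valid_ip(h) for h in headers.get("x-forwarded-for", "").split(",")]
    for hop in reversed(chain):
        if hop is not None and not _is_trusted(hop):
            return str(hop), "x-forwarded-for"
    # S503: nothing usable in the application layer, fall back.
    return str(peer), "network"


# Constructed sample requests, as captured by the second server.
REQ_VIA_CDN = (b"GET /test1/test2.html HTTP/1.1\r\nHost: www.A.com\r\n"
               b"X-Real-IP: 203.0.113.7\r\n"
               b"X-Forwarded-For: 203.0.113.7, 10.1.2.3\r\n\r\n")
REQ_VIA_PROXY = (b"GET /test.html HTTP/1.1\r\nHost: www.A.com\r\n"
                 b"X-Forwarded-For: 198.51.100.5, 10.1.2.3\r\n\r\n")
REQ_DIRECT_SPOOFED = (b"GET /test.html HTTP/1.1\r\nHost: www.A.com\r\n"
                      b"X-Forwarded-For: 203.0.113.250\r\n\r\n")
REQ_BAD_HEADER = (b"GET /test.html HTTP/1.1\r\nHost: www.A.com\r\n"
                  b"X-Forwarded-For: unknown\r\n\r\n")


def demo():
    return {
        "cdn": source_ip(REQ_VIA_CDN, "10.9.9.9"),
        "proxy": source_ip(REQ_VIA_PROXY, "10.9.9.9"),
        "direct": source_ip(REQ_DIRECT_SPOOFED, "192.0.2.44"),
        "bad": source_ip(REQ_BAD_HEADER, "10.9.9.9"),
    }


if __name__ == "__main__":
    for name, (ip, origin) in demo().items():
        print(f"{name:7s} -> {ip} (from {origin})")
```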
Optionally, after determining an attack address among the IP addresses accessing the object to be detected, the second server takes different defence schemes for different detection results, specifically:
When the second server determines that the IP address accessing the object to be detected is present in the preset blacklist, or determines that the IP address accessing the object to be detected is an address used by a single user and its number of accesses within the detection cycle exceeds the detection threshold by at least one order of magnitude, it blocks the IP address accessing the object to be detected; otherwise, the second server performs secondary verification on the IP address accessing the object to be detected. In a specific implementation, exceeding the detection threshold by at least one order of magnitude means that the number of accesses within the detection cycle exceeds ten times, a hundred times or a thousand times the detection threshold, and so on; for example, the detection threshold is 100 and the number of accesses in the detection cycle is 1000 or 10000. When the IP address accessing the object to be detected is determined not to be an address used by a single user, for example an IP address corresponding to a mobile network or a carrier network egress, secondary verification of the IP address is still required even if its number of accesses within the detection cycle exceeds the detection threshold by at least one order of magnitude. Methods of secondary verification include, but are not limited to, popping up a CAPTCHA input window on the web page, jumping to a verification page for verification, and collecting client-side information for verification.
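An added example (not the patent's own code) that runs steps S401 to S403 together with the defence selection just described over one detection cycle of constructed traffic. The set of shared carrier or NAT egress addresses, the threshold of 100 and the sample traffic are assumptions; the response rule tests blacklist membership as it stood at the start of the cycle, since step S403 adds every newly detected address to the blacklist and secondary verification would otherwise never apply.

```python
"""Second-server detection (S401-S403) and response selection (example code,
not the patent's implementation). Shared-egress addresses, the threshold
and all sample traffic are constructed."""
from collections import Counter


class SecondServer:
    def __init__(self, threshold: int, blacklist=(), shared_egress=(), magnitude=1):
        self.threshold = threshold          # received from the first server (S205)
        self.blacklist = set(blacklist)     # preset blacklist
        # Constructed knowledge: addresses known to be mobile-network or
        # carrier egress points, i.e. not "used by a single user".
        self.shared_egress = set(shared_egress)
        self.magnitude = magnitude          # orders of magnitude needed to block

    def update_threshold(self, threshold: int):
        """The first server re-sends the threshold periodically (S205)."""
        self.threshold = threshold

    def detect(self, source_ips) -> dict:
        """S402/S403 over one detection cycle. source_ips is the list of
        source addresses determined for every request in the cycle.
        Returns {attack ip: (count, was_already_blacklisted)} and saves
        newly detected attack addresses to the blacklist."""
        counts = Counter(source_ips)
        known = frozenset(self.blacklist)     # membership at cycle start
        attackers = {}
        for ip, count in counts.items():
            if ip in known:                   # blacklist short-cut from the text
                attackers[ip] = (count, True)
            elif count > self.threshold:      # S403
                attackers[ip] = (count, False)
                self.blacklist.add(ip)
        return attackers

    def respond(self, ip: str, count: int, was_blacklisted: bool) -> str:
        """Defence selection: 'block' when the address was blacklisted, or is a
        single-user address whose count is at least `magnitude` orders of
        magnitude above the threshold; otherwise 'verify' (secondary
        verification such as a CAPTCHA or verification page)."""
        single_user = ip not in self.shared_egress
        far_over = count >= self.threshold * 10 ** self.magnitude
        if was_blacklisted or (single_user and far_over):
            return "block"
        return "verify"

    def run_cycle(self, source_ips) -> dict:
        """One detection cycle: {attack ip: action}."""
        return {ip: self.respond(ip, count, was_bl)
                for ip, (count, was_bl) in self.detect(source_ips).items()}


# Constructed traffic for one detection cycle (threshold 100 from the first server).
SAMPLE_CYCLE = (
    ["203.0.113.10"] * 150      # single user, over threshold but under 10x
    + ["203.0.113.11"] * 1200   # single user, at least 10x the threshold
    + ["198.51.100.1"] * 2500   # carrier egress, many users behind it
    + ["192.0.2.99"] * 3        # already blacklisted, few hits
    + ["203.0.113.12"] * 50     # normal client
)


def demo():
    server = SecondServer(threshold=100, blacklist={"192.0.2.99"},
                          shared_egress={"198.51.100.1"})
    actions = server.run_cycle(SAMPLE_CYCLE)
    return server, actions


if __name__ == "__main__":
    server, actions = demo()
    for ip, action in actions.items():
        print(f"{ip:15s} {action}")
    print("blacklist now:", sorted(server.blacklist))
```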
In summary, embodiments of the present invention provide an attack detection method, a first server and a second server. The method comprises: the first server obtains historical request data for accessing an object to be detected; the first server inputs the historical request data for accessing the object to be detected into a prediction model; the first server predicts and outputs, through the prediction model, the flow baseline of the object to be detected, the flow baseline being the normal number of times any one Internet Protocol (IP) address accesses the object to be detected within a detection cycle; the first server determines a detection threshold from the flow baseline of the object to be detected and the fluctuation range of that flow baseline; and the first server sends the detection threshold to the second server corresponding to the object to be detected, so that the second server performs attack detection on the object to be detected according to the detection threshold. Because the first server determines the detection threshold of the object to be detected from the historical request data and the prediction model and then sends it to the corresponding second server, the second server can perform attack detection according to that threshold without a detection threshold first having to be set manually from experience. This, on the one hand, improves the precision with which the detection threshold is set and reduces labour cost, and, on the other hand, improves the accuracy of attack detection.
Based on the same technical idea, an embodiment of the present invention further provides a first server, as shown in Fig. 6, comprising:

a first acquisition module 601, configured to obtain the historical request data for accessing the object to be detected;

a first processing module 602, configured to input the historical request data for accessing the object to be detected into the prediction model; predict and output, through the prediction model, the flow baseline of the object to be detected, the flow baseline being the normal number of times any one Internet Protocol (IP) address accesses the object to be detected within the detection cycle; determine the detection threshold from the flow baseline of the object to be detected and the fluctuation range of the flow baseline; and send the detection threshold to the second server corresponding to the object to be detected, so that the second server performs attack detection on the object to be detected according to the detection threshold.

Optionally, the first acquisition module 601 is further configured to:

before obtaining the historical request data for accessing the object to be detected, obtain the requests for accessing each object within the detection cycle;

and the first processing module 602 is further configured to:

for any one object, count, from the requests for accessing that object, the number of times the object is accessed within the detection cycle; and, when the relationship between the accessed count of the object and the object's historical accessed count satisfies a preset condition, or the accessed count of the object exceeds a predetermined threshold, determine the object to be an object to be detected.
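The first-server procedure summarised above and restated for the first acquisition and first processing modules (object selection, baseline prediction, threshold computation), as one added example; this is not code from the patent. The patent specifies neither the prediction model nor how the fluctuation range or the "preset condition" are computed, so the exponentially weighted moving average, the k-standard-deviation fluctuation range, the ratio test and all sample numbers are assumptions.

```python
"""First-server side: pick the objects that warrant detection, predict each
object's flow baseline from historical request data, and turn baseline plus
fluctuation range into the detection threshold sent to the second server.

Added example; not code from the patent.  Assumptions not in the original:
the prediction model is an exponentially weighted moving average (EWMA) over
the per-cycle normal per-IP access counts of past cycles (the description only
says "prediction model"); the fluctuation range is k sample standard
deviations of that history; the "preset condition" for selecting an object is
that its accessed count in the current cycle reaches `ratio` times its
historical mean; the sample data at the bottom is constructed.
"""
import statistics
from collections import Counter


def count_per_object(requests):
    """Accessed count of each object in the cycle; requests are (object, ip) pairs."""
    return Counter(obj for obj, _ip in requests)


def select_objects(current_counts, history_counts, ratio=3.0, absolute=10_000):
    """Objects to be detected: accessed count >= ratio x historical mean (preset
    condition), or accessed count > `absolute` (predetermined threshold)."""
    chosen = []
    for obj, n in current_counts.items():
        hist = history_counts.get(obj, [])
        mean = statistics.fmean(hist) if hist else 0.0
        if n > absolute or (mean > 0 and n >= ratio * mean):
            chosen.append(obj)
    return sorted(chosen)


def predict_baseline(per_ip_history, alpha=0.3):
    """EWMA of the normal per-IP access count over past cycles (stand-in prediction model)."""
    values = iter(per_ip_history)
    level = float(next(values))
    for x in values:
        level = alpha * x + (1 - alpha) * level
    return level


def fluctuation_range(per_ip_history, k=2.0):
    """k sample standard deviations of the history; zero when there is too little history."""
    if len(per_ip_history) < 2:
        return 0.0
    return k * statistics.stdev(per_ip_history)


def detection_threshold(per_ip_history, alpha=0.3, k=2.0):
    """Threshold = baseline + fluctuation range, rounded to a whole access count."""
    return int(round(predict_baseline(per_ip_history, alpha)
                     + fluctuation_range(per_ip_history, k)))


def thresholds_for(objects, per_ip_histories):
    """The per-object message the first server sends to the second server."""
    return {obj: detection_threshold(per_ip_histories[obj]) for obj in objects}


# --- constructed sample data ---
SAMPLE_CURRENT = {"login": 31_000, "search": 5_000, "about": 200, "promo": 900}
SAMPLE_HISTORY_COUNTS = {
    "login": [9_000, 10_000, 11_000],   # 31 000 > 10 000 absolute -> selected
    "search": [4_800, 5_200],           # neither condition          -> skipped
    "about": [210, 190],                # neither condition          -> skipped
    "promo": [200, 300],                # 900 >= 3 x 250             -> selected
}
# normal per-IP access count of the selected objects, one value per past cycle
SAMPLE_PER_IP_HISTORY = {
    "login": [80, 90, 85, 95, 100, 90, 88, 92],
    "promo": [5, 6, 5, 7],
}


def sample_run():
    objects = select_objects(SAMPLE_CURRENT, SAMPLE_HISTORY_COUNTS)
    return thresholds_for(objects, SAMPLE_PER_IP_HISTORY)


if __name__ == "__main__":
    print(sample_run())
```

Any real prediction model (seasonal ARIMA, a regression over time-of-day features, a learned model) slots into `predict_baseline`; the rest of the pipeline only needs a baseline and a fluctuation range per object, which is the interface the claims describe.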
Based on the same technical idea, an embodiment of the present invention further provides a second server, as shown in Fig. 7, comprising:

a second acquisition module 701, configured to obtain the requests for accessing the object to be detected within the detection cycle;

a second processing module 702, configured to determine, from the requests, the Internet Protocol (IP) addresses accessing the object to be detected; and, for any one IP address accessing the object to be detected, when it is determined that the number of times that IP address accesses the object to be detected within the detection cycle exceeds the detection threshold, determine that IP address to be an attack address, the detection threshold having been determined by the first server from the historical request data for accessing the object to be detected and the prediction model and sent to the second server.

Optionally, the requests comprise at least application-layer data and network-layer data;

and the second processing module 702 is specifically configured to:

parse the application-layer data and, when it is determined that the application-layer data contains an IP address accessing the object to be detected, take the IP address contained in the application-layer data as the IP address accessing the object to be detected; otherwise, parse the network-layer data to determine the IP address accessing the object to be detected.

Optionally, the second processing module 702 is further configured to:

when it is determined that the IP address accessing the object to be detected is present in a preset blacklist, or

when it is determined that the IP address accessing the object to be detected is one used by a single user and its access count within the detection cycle exceeds the detection threshold by at least one order of magnitude, block the IP address accessing the object to be detected;

otherwise, perform secondary verification on the IP address accessing the object to be detected.
An embodiment of the present invention provides a computing device, which may specifically be a desktop computer, a portable computer, a smartphone, a tablet computer, a personal digital assistant (PDA) or the like. The computing device may comprise a central processing unit (CPU), memory and input/output devices; the input devices may comprise a keyboard, a mouse, a touch screen and the like, and the output devices may comprise display devices such as a liquid crystal display (LCD) or a cathode-ray tube (CRT).

The memory may comprise read-only memory (ROM) and random-access memory (RAM), and provides the processor with the program instructions and data stored in the memory. In embodiments of the present invention, the memory may be used to store the program instructions of the attack detection method;

and the processor is configured to call the program instructions stored in the memory and execute the attack detection method according to the obtained program.

An embodiment of the present invention provides a computer-readable storage medium storing computer-executable instructions, the computer-executable instructions being configured to cause a computer to execute the attack detection method.
Those skilled in the art will appreciate that embodiments of the present invention may be provided as a method or as a computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Moreover, the present invention may take the form of a computer program product implemented on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM and optical storage) containing computer-usable program code.

The present invention is described with reference to flowcharts and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the present invention. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general-purpose computer, a special-purpose computer, an embedded processor or other programmable data-processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data-processing device produce means for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.

These computer program instructions may also be stored in a computer-readable memory capable of directing a computer or other programmable data-processing device to operate in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means that implement the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.

These computer program instructions may also be loaded onto a computer or other programmable data-processing device, such that a series of operational steps are performed on the computer or other programmable device to produce a computer-implemented process, whereby the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.

Although preferred embodiments of the present invention have been described, those skilled in the art may make additional changes and modifications to these embodiments once they know the basic inventive concept. Therefore, the appended claims are intended to be interpreted as including the preferred embodiments and all changes and modifications that fall within the scope of the present invention.

Obviously, those skilled in the art can make various changes and modifications to the present invention without departing from its spirit and scope. Thus, if these modifications and variations of the present invention fall within the scope of the claims of the present invention and their technical equivalents, the present invention is also intended to include them.

Claims (12)

1. An attack detection method, characterised by comprising:
a first server obtaining historical request data for accessing an object to be detected;
the first server inputting the historical request data for accessing the object to be detected into a prediction model;
the first server predicting and outputting, through the prediction model, a flow baseline of the object to be detected, the flow baseline being the normal number of times any one Internet Protocol (IP) address accesses the object to be detected within a detection cycle;
the first server determining a detection threshold from the flow baseline of the object to be detected and a fluctuation range of the flow baseline; and
the first server sending the detection threshold to a second server corresponding to the object to be detected, so that the second server performs attack detection on the object to be detected according to the detection threshold.
2. The method according to claim 1, characterised in that, before the first server obtains the historical request data for accessing the object to be detected, the method further comprises:
the first server obtaining the requests for accessing each object within the detection cycle;
for any one object, the first server counting, from the requests for accessing that object, the number of times the object is accessed within the detection cycle; and
when the relationship between the accessed count of the object and the object's historical accessed count satisfies a preset condition, or the accessed count of the object exceeds a predetermined threshold, determining the object to be an object to be detected.
3. An attack detection method, characterised by comprising:
a second server obtaining requests for accessing an object to be detected within a detection cycle;
the second server determining, from the requests, the Internet Protocol (IP) addresses accessing the object to be detected; and
for any one IP address accessing the object to be detected, the second server, on determining that the number of times that IP address accesses the object to be detected within the detection cycle exceeds a detection threshold, determining that IP address to be an attack address, the detection threshold having been determined by a first server from historical request data for accessing the object to be detected and a prediction model and sent to the second server.
4. The method according to claim 3, characterised in that the requests comprise at least application-layer data and network-layer data; and
the second server determining, from the requests, the IP addresses accessing the object to be detected comprises:
the second server parsing the application-layer data and, on determining that the application-layer data contains an IP address accessing the object to be detected, taking the IP address contained in the application-layer data as the IP address accessing the object to be detected;
otherwise, the second server parsing the network-layer data to determine the IP address accessing the object to be detected.
5. The method according to claim 3, characterised in that, after the second server, on determining that the number of times the IP address accessing the object to be detected accesses it within the detection cycle exceeds the detection threshold, determines that IP address to be an attack address, the method further comprises:
the second server, on determining that the IP address accessing the object to be detected is present in a preset blacklist, or
on determining that the IP address accessing the object to be detected is one used by a single user and its access count within the detection cycle exceeds the detection threshold by at least one order of magnitude, blocking the IP address accessing the object to be detected;
otherwise, the second server performing secondary verification on the IP address accessing the object to be detected.
6. A first server, characterised by comprising:
a first acquisition module, configured to obtain historical request data for accessing an object to be detected; and
a first processing module, configured to input the historical request data for accessing the object to be detected into a prediction model; predict and output, through the prediction model, a flow baseline of the object to be detected, the flow baseline being the normal number of times any one Internet Protocol (IP) address accesses the object to be detected within a detection cycle; determine a detection threshold from the flow baseline of the object to be detected and a fluctuation range of the flow baseline; and send the detection threshold to a second server corresponding to the object to be detected, so that the second server performs attack detection on the object to be detected according to the detection threshold.
7. The first server according to claim 6, characterised in that the first acquisition module is further configured to:
before obtaining the historical request data for accessing the object to be detected, obtain the requests for accessing each object within the detection cycle;
and the first processing module is further configured to:
for any one object, count, from the requests for accessing that object, the number of times the object is accessed within the detection cycle; and, when the relationship between the accessed count of the object and the object's historical accessed count satisfies a preset condition, or the accessed count of the object exceeds a predetermined threshold, determine the object to be an object to be detected.
8. A second server, characterised by comprising:
a second acquisition module, configured to obtain requests for accessing an object to be detected within a detection cycle; and
a second processing module, configured to determine, from the requests, the Internet Protocol (IP) addresses accessing the object to be detected; and, for any one IP address accessing the object to be detected, on determining that the number of times that IP address accesses the object to be detected within the detection cycle exceeds a detection threshold, determine that IP address to be an attack address, the detection threshold having been determined by a first server from historical request data for accessing the object to be detected and a prediction model and sent to the second server.
9. The second server according to claim 8, characterised in that the requests comprise at least application-layer data and network-layer data; and
the second processing module is specifically configured to:
parse the application-layer data and, on determining that the application-layer data contains an IP address accessing the object to be detected, take the IP address contained in the application-layer data as the IP address accessing the object to be detected; otherwise, parse the network-layer data to determine the IP address accessing the object to be detected.
10. The second server according to claim 8, characterised in that the second processing module is further configured to:
on determining that the IP address accessing the object to be detected is present in a preset blacklist, or
on determining that the IP address accessing the object to be detected is one used by a single user and its access count within the detection cycle exceeds the detection threshold by at least one order of magnitude, block the IP address accessing the object to be detected;
otherwise, perform secondary verification on the IP address accessing the object to be detected.
11. A computing device, characterised by comprising:
a memory, configured to store program instructions; and
a processor, configured to call the program instructions stored in the memory and execute, according to the obtained program, the method according to any one of claims 1 to 2 or claims 3 to 5.
12. A computer-readable storage medium, characterised in that the computer-readable storage medium stores computer-executable instructions, the computer-executable instructions being configured to cause a computer to execute the method according to any one of claims 1 to 2 or claims 3 to 5.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810068435.8A CN108334774A (en) 2018-01-24 2018-01-24 A kind of method, first server and the second server of detection attack

Publications (1)

Publication Number Publication Date
CN108334774A true CN108334774A (en) 2018-07-27

Family

ID=62925516

Citations (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050111367A1 (en) * 2003-11-26 2005-05-26 Hung-Hsiang Jonathan Chao Distributed architecture for statistical overload control against distributed denial of service attacks
CN101286897A (en) * 2008-05-16 2008-10-15 华中科技大学 Network flow rate abnormality detecting method based on super stochastic theory
CN101826996A (en) * 2010-03-19 2010-09-08 中国科学院计算机网络信息中心 Domain name system flow detection method and domain name server
CN102355452A (en) * 2011-08-09 2012-02-15 北京网御星云信息技术有限公司 Method and device for filtering network attack traffic
US20130042319A1 (en) * 2011-08-10 2013-02-14 Sangfor Networks Company Limited Method and apparatus for detecting and defending against cc attack
CN104125195A (en) * 2013-04-24 2014-10-29 中国民航大学 Method of filtering LDDoS attack traffic based on frequency domain of filter
CN104202329A (en) * 2014-09-12 2014-12-10 北京神州绿盟信息安全科技股份有限公司 DDoS (distributed denial of service) attack detection method and device
CN105721494A (en) * 2016-03-25 2016-06-29 中国互联网络信息中心 Method and device for detecting and disposing abnormal traffic attack
CN106789983A (en) * 2016-12-08 2017-05-31 北京安普诺信息技术有限公司 A kind of CC attack defense methods and its system of defense
CN106953833A (en) * 2016-01-07 2017-07-14 无锡聚云科技有限公司 A kind of ddos attack detecting system
CN107508815A (en) * 2017-08-30 2017-12-22 杭州安恒信息技术有限公司 Based on website traffic analysis and early warning method and device

Cited By (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108833450B (en) * 2018-08-22 2020-07-10 网宿科技股份有限公司 Method and device for preventing server from being attacked
CN108833450A (en) * 2018-08-22 2018-11-16 网宿科技股份有限公司 A kind of realization server anti-attack method and device
CN108965347A (en) * 2018-10-10 2018-12-07 腾讯科技(深圳)有限公司 A kind of detecting method of distributed denial of service attacking, device and server
CN108965347B (en) * 2018-10-10 2021-06-11 腾讯科技(深圳)有限公司 Distributed denial of service attack detection method, device and server
CN109617868A (en) * 2018-12-06 2019-04-12 腾讯科技(深圳)有限公司 A kind of detection method of DDOS attack, device and detection service device
CN109842619A (en) * 2019-01-08 2019-06-04 北京百度网讯科技有限公司 User account hold-up interception method and device
CN109922072A (en) * 2019-03-18 2019-06-21 腾讯科技(深圳)有限公司 A kind of detecting method of distributed denial of service attacking and device
CN109922072B (en) * 2019-03-18 2021-07-16 腾讯科技(深圳)有限公司 Distributed denial of service attack detection method and device
CN111314294A (en) * 2020-01-15 2020-06-19 福建奇点时空数字科技有限公司 Abnormal flow detection method based on periodic and moving window baseline algorithm
CN111541647A (en) * 2020-03-25 2020-08-14 杭州数梦工场科技有限公司 Security detection method and device, storage medium and computer equipment
CN113472717A (en) * 2020-03-30 2021-10-01 中国电信股份有限公司 SDN access control method and device and computer readable storage medium
CN113472717B (en) * 2020-03-30 2022-09-23 中国电信股份有限公司 SDN access control method and device and computer readable storage medium
CN111865949A (en) * 2020-07-09 2020-10-30 恒安嘉新(北京)科技股份公司 Abnormal communication detection method and device, server and storage medium
CN111865999A (en) * 2020-07-24 2020-10-30 中国工商银行股份有限公司 Access behavior recognition method and device, computing equipment and medium
CN113518064A (en) * 2021-03-23 2021-10-19 杭州安恒信息技术股份有限公司 Defense method and device for challenging black hole attack, computer equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20180727