CN108521408A - Resist method of network attack, device, computer equipment and storage medium - Google Patents


Info

Publication number: CN108521408A
Application number: CN201810239771.4A
Authority: CN (China)
Prior art keywords: client, user, security, login, access request
Legal status: Granted (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Other languages: Chinese (zh)
Other versions: CN108521408B (en)
Inventors: 李洋, 陈春璐
Current assignee: Ping An Technology Shenzhen Co Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Ping An Technology Shenzhen Co Ltd
Application filed by Ping An Technology Shenzhen Co Ltd
Priority to CN201810239771.4A (CN108521408B)
Priority to PCT/CN2018/092628 (WO2019178966A1)
Publication of CN108521408A
Application granted
Publication of CN108521408B
Legal status: Active


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L 63/102 Entity profiles
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1425 Traffic logging, e.g. anomaly detection
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/1458 Denial of Service

Abstract

The invention discloses a method, device, computer equipment and storage medium for resisting network attacks. The method includes: obtaining an access request sent by a client, the access request including a user ID and either login terminal information or service request information; if the access request also carries a security identifier and the security identifier is "safe", processing the service request information corresponding to the user ID to obtain a service processing result; if the access request does not carry a security identifier, obtaining, based on the user ID and the login terminal information, a feedback message that carries a security identifier; and sending the service processing result or the feedback message to the client corresponding to the user ID. Because the server identifies clients by the security identifier they carry, the method can effectively shield attacks by malicious network traffic while ensuring that genuine access requests are processed promptly.

Description

Resist method of network attack, device, computer equipment and storage medium
Technical field
The present invention relates to the field of network security, and more particularly to a method, device, computer equipment and storage medium for resisting network attacks.
Background technology
The anti-DDoS (Distributed Denial of Service) systems and mechanisms currently on the market for servers fall mainly into two kinds: local anti-DDoS traffic cleaning and cloud traffic cleaning. Neither mechanism can prevent the situation in which, while a DDoS attack is in progress, the genuine access requests sent by clients are lost, because they are mixed together with the abnormal attack traffic. It is therefore difficult for a server to guarantee QoS (Quality of Service) for user services, a problem that is particularly acute in the financial industry. How to ensure that a server can still receive the genuine access requests sent by clients while it is under a DDoS traffic attack has become a problem in urgent need of a solution.
Invention content
Embodiments of the present invention provide a method, device, computer equipment and storage medium for resisting network attacks, to solve the problem that the genuine access requests sent by clients are lost while the server is under a DDoS traffic attack.
In a first aspect, an embodiment of the present invention provides a method for resisting network attacks, including:
obtaining an access request sent by a client, the access request including a user ID and either login terminal information or service request information;
if the access request also carries a security identifier and the security identifier is "safe", processing the service request information corresponding to the user ID to obtain a service processing result;
if the access request does not carry a security identifier, obtaining, based on the user ID and the login terminal information, a feedback message that carries a security identifier;
sending the service processing result or the feedback message to the client corresponding to the user ID.
In a second aspect, an embodiment of the present invention provides a device for resisting network attacks, including:
an access request obtaining module, for obtaining the access request sent by a client, the access request including a user ID and either login terminal information or service request information;
a processing result obtaining module, for processing the service request information corresponding to the user ID to obtain a service processing result if the access request also carries a security identifier and the security identifier is "safe";
a feedback message obtaining module, for obtaining, based on the user ID and the login terminal information, a feedback message carrying a security identifier if the access request does not carry one;
a processing result sending module, for sending the service processing result or the feedback message to the client corresponding to the user ID.
In a third aspect, the present invention provides computer equipment including a memory, a processor, and a computer program stored in the memory and runnable on the processor, where the processor, when executing the computer program, implements the steps of the method for resisting network attacks described in the first aspect.
In a fourth aspect, the present invention provides a computer-readable storage medium storing a computer program which, when executed by a processor, implements the steps of the method for resisting network attacks described in the first aspect.
In the method, device, computer equipment and storage medium provided by embodiments of the present invention, the server obtains the access request sent by the client and processes the service request information in it only when the request carries a security identifier whose value is "safe", which ensures that genuine access requests are processed promptly. For an access request that carries no security identifier, the server obtains the client's security identifier from the user ID and the login terminal information, and on the basis of that identifier it can effectively shield attacks by malicious network traffic.
Description of the drawings
To describe the technical solutions of the embodiments of the present invention more clearly, the drawings needed for the description of the embodiments are introduced briefly below. Clearly, the drawings described below show only some embodiments of the present invention; a person of ordinary skill in the art could obtain other drawings from them without creative effort.
Fig. 1 is a flow chart of the method for resisting network attacks in Embodiment 1 of the present invention.
Fig. 2 is another specific flow chart of the method for resisting network attacks in Embodiment 1 of the present invention.
Fig. 3 is another specific flow chart of the method for resisting network attacks in Embodiment 1 of the present invention.
Fig. 4 is another specific flow chart of the method for resisting network attacks in Embodiment 1 of the present invention.
Fig. 5 is a functional block diagram of the device for resisting network attacks in Embodiment 2 of the present invention.
Fig. 6 is a schematic diagram of the computer equipment in Embodiment 4 of the present invention.
Specific implementation mode
The technical solutions in the embodiments of the present invention will be described clearly and completely below with reference to the drawings in the embodiments. Clearly, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art on the basis of these embodiments without creative effort fall within the protection scope of the present invention.
A present-day DDoS attack can be treated as a synonym for a "large-scale automated attack". In some special attack scenarios the attack traffic can reach hundreds of Gbit/s, but such cases are comparatively rare. In most cases an attacker launches a flood attack against the server of an enterprise or organisation with 1 Gbit/s or even less traffic. These attacks generally do not last long; most DDoS attacks last only around 30 minutes. For safety's sake the server rejects almost all access requests, including genuine ones, which seriously affects or even blocks the access requests initiated by normal clients.
The present invention is proposed for the problem that, when a server is under a DDoS traffic attack, it is difficult to ensure that the server receives and responds to the access requests sent by normal clients.
Embodiment 1
Fig. 1 shows a flow chart of the method for resisting network attacks in this embodiment. The method is applied in the field of network security. As shown in Fig. 1, the method includes the following steps:
S10. Obtain the access request sent by a client; the access request includes a user ID and either login terminal information or service request information.
An access request is a request the client makes to the server to carry out identity authentication or to provide service support. If the server is to authenticate identity, the client must provide the user ID and also the login terminal information; if the server is to provide service support, the client must provide the user ID and also the service request information.
The user ID is equivalent to the user's network identity card: a unique number the system assigns to the user when the user first registers with the system, used to distinguish the user from other registered users. The login terminal information is the login IP address the client uses for this access to the server, for example 192.168.1.100. The service request information is, for example, a transfer service application submitted to the server.
In this step the server receives all access requests sent by clients without first distinguishing their type, which saves the time the server would spend deciding the request type. The server then performs the corresponding service operation directly according to the content the access request carries (that is, the login terminal information or the service request information). For example, if the access request carries service request information in the format of a service support request, the server takes the service request information from the request and processes it further, which is efficient and convenient.
S20. If the access request also carries a security identifier and the security identifier is "safe", process the service request information corresponding to the user ID to obtain a service processing result.
The security identifier is a segment identifier placed in the login message the client sends when it accesses the server, indicating whether the client is safe. It can be set according to the concrete application environment; in this embodiment the security identifier of a safe client may be set to "safe" or "0", and that of a dangerous client to "danger" or "1".
The service request information is the concrete content relating to service support in the access request the client sends to the server. For example, if the service request information in the access request is for transfer service support, it includes the transferor, the transfer account, the transfer amount, the transfer time and so on.
It should be understood that if the access request also carries a security identifier, the client sending it has previously sent an identity authentication request to the server and received from the server a feedback message carrying a security identifier. When in this step the server receives an access request that carries a security identifier whose value is "safe", the request is a service support request and the logged-in client is a safe one, so the server can respond to it, which ensures that the server promptly processes the service request information submitted by normal clients.
S30. If the access request does not carry a security identifier, obtain, based on the user ID and the login terminal information, a feedback message that carries a security identifier.
The feedback message is a TCP message the server returns to the client to show the result of the server's identity authentication of that client. It consists of a TCP header segment, a security identifier segment and a TCP data segment. The security identifier segment carries the identification information the server assigns to the client; when the client subsequently submits a service processing request it carries this identification information, and the server uses it to judge the safety of the service request. The minimum length of the TCP header segment is 20 bytes, and it includes the source port, destination port and other information used for session confirmation. The TCP data segment carries the data content of the specific service request. Table one below shows the format of the feedback message carrying a security identifier provided in this embodiment.
Table one
Further, when the server receives an access request that carries no security identifier, the request is an identity authentication request, and the server must authenticate the client. The verification result is added, in the form of a security identifier, to the feedback message returned to the client, so that the feedback message the client receives carries a security identifier.
Compared with an existing TCP feedback message without a security identifier segment, adding a security identifier to the feedback message in this step gives the server a basis for later refusing to respond to traffic from clients flagged as risky, which provides the technical support for keeping the server free from network attacks: the server responds only to service support access requests sent by clients carrying a "safe" identifier, that is, it processes the service information in those requests to obtain the service processing result.
S40. Send the service processing result or the feedback message to the client corresponding to the user ID.
It should be understood that for an access request used for identity authentication, the server returns a feedback message (step S30) and sends it to the client corresponding to the user ID; correspondingly, for an access request for service support, the server returns a service processing result (step S20) and sends it to the client corresponding to the user ID.
In this step the server promptly returns the content corresponding to each type of access request, without having to classify access requests before accepting them, which improves the efficiency of information transfer between server and client.
When the server receives an access request carrying a security identifier, it first reads the identifier. If it is "safe", the server goes on to read the service request information the request carries; if it is "danger", the server may be under attack from network traffic, so it refuses to respond to the request in order to keep operating normally.
Preferably, after the step of obtaining the access request sent by the client, the method further includes:
S50. If the access request also carries a security identifier and the security identifier is "danger", lock the user ID and send a prompt message to the client corresponding to the user ID.
Locking the user ID means that when the server finds the security identifier in a client's access request to be "danger", it freezes the user ID and no longer accepts any information sent under it. The freeze period can be set to a specific duration or be permanent. If a client hijacks another person's ordinary user ID to carry out a network attack, the user ID can be frozen for a specific duration, to avoid freezing the ordinary user ID by mistake; if a client uses a newly registered ID to attack, that ID can be frozen permanently, meaning the server no longer accepts any information sent under it.
By locking user IDs whose security identifier is "danger", this step prevents a user ID from repeatedly sending access requests, for attack or other purposes, that the server would have to judge again and again, wasting server resources.
In the method for resisting network attacks provided by this embodiment, the server obtains the access request sent by the client and processes the service request information in it only when the request carries a security identifier whose value is "safe", ensuring that genuine access requests are processed promptly; for an access request without a security identifier, the server obtains the client's security identifier from the user ID and login terminal information and can effectively shield attacks by malicious network traffic on that basis. This embodiment can also lock user IDs whose security identifier is "danger", avoiding wasted server resources.
In a specific embodiment, as shown in Fig. 2, step S30, that is, obtaining a feedback message carrying a security identifier based on the user ID and login terminal information, specifically includes the following steps:
S31. Process the user ID and login terminal information with a risk detection algorithm to obtain the login security of the client, where login security is either a normal login or an abnormal login.
A risk detection algorithm is an algorithm for detecting whether a client is a safe client. It includes, but is not limited to, abnormal traffic detection, user pattern recognition, protocol stack behaviour pattern analysis, application-specific protection, user behaviour pattern analysis, dynamic fingerprinting and other risk monitoring algorithms, and its purpose is to mark the client with a security identifier.
The checks of the risk detection algorithm include whether the client's user ID is logging in normally, whether the login IP address in the login terminal information is consistent with the client's location, and whether this login IP address is a normal one. For example, after hijacking a user ID an attacker may use more than a million abnormal login IP addresses to probe the login server and send it more than a hundred million access requests. If the server judges in time that the attacker's login IP addresses are abnormal and refuses the access requests sent from all of them, it saves a great deal of server resources and protects itself from brute-force attacks over the network.
The detection result of the risk detection algorithm is either a normal login or an abnormal login. A normal login is one the client did not achieve by means such as brute force or password cracking; an abnormal login includes logins achieved by brute force, logins whose IP and location are inconsistent, and logins from high-risk IP addresses, where a high-risk address is a login IP from which logins have been made abnormally.
By applying the risk detection algorithm when the client first logs in to the server, this step judges the client's login security and thereby the safety of the client sending the access request, which provides the technical support for subsequently letting normally logged-in clients continue to send access requests smoothly while refusing abnormally logged-in clients.
S32. If the login security is a normal login, form a feedback message, add a security identifier to it and set the security identifier to "safe".
That is, a security identifier segment is created in the feedback message (the TCP message) the server sends back to the client, so that when the client later submits a service-processing access request to the server it carries the security identifier, which shows its login security.
It should be understood that the server adds the security identifier "safe" for a client whose detection result is a normal login. In this embodiment "safe" can also be denoted by another symbol, such as "0".
By generating a concise security identifier and a feedback message whose security identifier is "safe", and sending that message to the client, this step ensures that the client carries the "safe" identifier when it next sends an access request to the same server, which lets the server respond to the client's access request promptly.
S33. If the login security is an abnormal login, form a feedback message, add a security identifier to it and set the security identifier to "danger".
In this step the server likewise adds the security identifier "danger" for a client whose detection result is an abnormal login; in this embodiment "danger" can also be denoted by another symbol, such as "1". By generating a concise security identifier and a feedback message whose security identifier is "danger", and sending that message to the client, the server ensures that the client carries the "danger" identifier when it next sends an access request to the same server, which lets the server promptly refuse to respond to it.
In this embodiment the server judges the client's login security with a risk detection algorithm and adds a concise security identifier to the feedback message sent to the client, so that the server can promptly respond to or refuse the client's access requests.
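The following is an added example, not the patent's own code, of a server-side dispatcher that follows steps S10 to S50 and builds the feedback message of steps S32 and S33. The request fields, the one-byte identifier segment placed after a 20-byte TCP-style header, and the region and high-risk tables behind the S31 risk check are assumptions filled with constructed data.

```python
"""Added example: server-side handling of access requests (steps S10-S50)
and the feedback message with a security identifier (steps S32/S33).
Not the patent's own code; message layout, field names and the lookup
tables used by the risk check are assumptions with constructed data."""
import struct
from dataclasses import dataclass
from typing import Optional

SAFE, DANGER = 0, 1  # security identifier values "0" (safe) / "1" (danger)


@dataclass
class AccessRequest:
    user_id: str
    login_ip: Optional[str] = None        # login terminal information (S10)
    service: Optional[dict] = None        # service request information (S10)
    security_id: Optional[int] = None     # absent on the authentication request


# Constructed stand-ins for the risk detection inputs of step S31.
HIGH_RISK_IPS = {"198.51.100.7"}                              # high-risk login addresses
USER_REGION = {"u1001": "CN-GD", "u2002": "CN-BJ"}            # user's known location
IP_REGION = {"192.168.1.100": "CN-GD", "203.0.113.5": "CN-BJ", "198.51.100.7": "XX"}


def detect_login_security(user_id: str, login_ip: str) -> str:
    """S31: 'normal' unless the login IP is high-risk or does not match
    the location associated with the user ID."""
    if login_ip in HIGH_RISK_IPS:
        return "abnormal"
    if IP_REGION.get(login_ip) != USER_REGION.get(user_id):
        return "abnormal"
    return "normal"


def build_feedback_message(security_id: int, data: bytes,
                           src_port: int = 443, dst_port: int = 50000) -> bytes:
    """S32/S33: 20-byte TCP-style header, 1-byte security identifier segment,
    then the data segment (assumed layout modelled on 'Table one')."""
    header = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0,
                         5 << 4, 0x18, 65535, 0, 0)   # offset=5 words, PSH|ACK
    return header + bytes([security_id]) + data


def parse_feedback_message(msg: bytes):
    """Client side: split off the identifier the client must echo back."""
    return msg[20], msg[21:]


class Server:
    def __init__(self):
        self.locked = set()           # user IDs frozen under step S50

    def handle(self, req: AccessRequest):
        if req.user_id in self.locked:          # frozen ID: accept nothing
            return ("locked", None)
        if req.security_id == DANGER:           # S50: lock and prompt
            self.locked.add(req.user_id)
            return ("locked", f"user {req.user_id} locked: identifier is danger")
        if req.security_id == SAFE:             # S20: process the service request
            if req.service is None:
                return ("rejected", "no service request information")
            return ("result", self.process(req.service))
        if req.login_ip is None:                # S30 needs login terminal information
            return ("rejected", "no login terminal information")
        login = detect_login_security(req.user_id, req.login_ip)
        sec = SAFE if login == "normal" else DANGER
        return ("feedback", build_feedback_message(sec, b"auth-result"))   # S40

    @staticmethod
    def process(service: dict) -> dict:
        # Constructed transfer service: confirm the requested transfer.
        return {"status": "accepted", "amount": service["amount"],
                "to": service["to_account"]}
```

As described, the identifier is whatever the client echoes back, so a deployment would bind it to the authenticated session (for example as an unforgeable token) rather than accept the bare value in the S20 branch.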
In a specific embodiment, the risk detection algorithm may be an abnormal traffic detection algorithm. Abnormal traffic is network traffic that changes significantly relative to stable network traffic; it arises from congestion in the network and overload of router resources. The server must detect abnormal traffic promptly and accurately, otherwise the network the server is on cannot operate effectively and reliably. As shown in Fig. 3, step S31, that is, processing the user ID and login terminal information with the risk detection algorithm to obtain the client's login security, specifically includes the following steps:
S311. Obtain the current traffic features corresponding to the user ID and the login terminal information.
The current traffic features are the basic feature data of the network traffic exchanged between the client and the server, extracted in real time from the network traffic after the user ID logs in to the server through the login terminal. They include the traffic feature data sets of traffic volume, packet length information, protocol information, port traffic information and TCP flag information, which together describe the operating state of the network traffic comprehensively and in detail. The traffic feature data set is the basis of the whole network traffic anomaly detection algorithm.
By obtaining the current traffic features in the network, this step allows the server to judge further, using the detection algorithm, whether the network traffic is abnormal.
S312. Recognise the current traffic features with an anomaly detection model formed on the basis of the abnormal traffic detection algorithm, to obtain a recognition result.
The abnormal traffic detection algorithm is one kind of risk detection algorithm. It builds a model of abnormal states such as user behaviour, user processes and abnormal network traffic, and uses it to judge whether the server is under network attack and, if so, which kind. The anomaly detection model in this embodiment is built on the idea of dividing traffic features into layers, splitting them into two levels: the basic feature set and the combined feature set.
The basic feature set includes traffic volume, packet length information, protocol information, port traffic information, TCP flag information and so on. The combined feature set can be changed in real time according to actual needs: for a given specific attack, the subset of basic features relating to that attack is taken as the feature describing it. For a DDoS attack, for example, the combined feature set may include packets per second, average packet length and the number of DDoS packets. Learning and training on the features of this kind of attack from the earlier basic feature set data yields a combined model that identifies that attack in real time, with normal traffic or abnormal traffic as its output, namely the anomaly detection model formed on the basis of the abnormal traffic detection algorithm.
Taking TCP SYN flood (a denial of service attack) as an example, the process of forming an anomaly detection model on the basis of the abnormal traffic detection algorithm is as follows:
SYN flood is a well-known form of DDoS (distributed denial of service) attack. It exploits a defect of the TCP protocol by sending large numbers of forged TCP connection requests so that the attacked party's resources are exhausted (the server is fully loaded or runs out of memory).
Feature: the client sends a large number of TCP request packets to the target host with a forged source IP in the IP header, so the target host never receives the client's confirmation and the TCP three-way handshake cannot complete. Typically the target host retries and waits until it gives up; the SYN timeout is 30 seconds to 2 minutes.
Take as an example a record collected by Netflow (traffic monitoring and analysis software): 11.*.64.3|2.*.38.180|6482|as10|5|4|1013|18|6|1|40|1. The parameters in this record correspond respectively to source address | destination address | source autonomous system | destination autonomous system | input interface number | source port | destination port | protocol type | packet count | byte count | flow count.
From the data collected by Netflow it can be seen that this abnormal traffic is typically characterised by a packet protocol type of 6 (TCP) and a flow size of 40 bytes (usually a TCP SYN connection request).
Filtering out the packets corresponding to each attack in this way, counting the packet count and byte count of each attack's packets by statistical methods, and defining a threshold for each makes it possible to judge whether a DDoS attack is in progress and which kind of DDoS attack it is.
In this embodiment the anomaly detection model is formed in advance on the basis of the abnormal traffic detection algorithm, so that in step S312 the model can detect in real time the current traffic features of this kind of attack on the network, promptly and effectively identifying whether the current traffic features are abnormal traffic.
S313. If the recognition result is normal traffic, the client's login security is a normal login.
It should be understood that if the recognition result for the current traffic features is normal traffic, that is, the network traffic the current client sends is normal, this shows that the client has logged in normally and the server can continue to accept the client's access requests. In this step, when the server identifies the client's login security as a normal login, it can keep the client's connection with the server, so that the client's access requests receive a prompt response.
S314. If the recognition result is abnormal traffic, the client's login security is an abnormal login.
It should be understood that if the recognition result for the current traffic features is abnormal traffic, that is, the network traffic the current client sends is abnormal, this shows that the client has logged in abnormally and the server may refuse to respond to its access requests. In this step, when the server determines from the current traffic features of the client's access request that the client's login security is an abnormal login, it refuses the client's access requests, so that the server is protected from malicious attack by that client.
By applying the abnormal traffic detection algorithm when the client first logs in to the server, this step judges the client's login security and ensures that normally logged-in clients can continue to send access requests smoothly.
In a specific embodiment, the risk detection algorithm may also be a user pattern recognition algorithm. Different network applications exhibit different behavioural characteristics at the transport layer during transmission and interaction. The behavioural characteristics of known network applications can therefore be matched against the behavioural characteristics shown by unknown traffic in order to classify the application type of that network traffic; this is the principle of transport-layer behaviour pattern recognition. The method needs neither to parse the traffic payload nor to collect port numbers, feature fields and similar information, so its system overhead is small.
As shown in Fig. 4, step S31, processing the user ID and registration terminal information with the risk detection algorithm to obtain the login security of the client, specifically comprises the following steps:
S315. Obtain the current user traffic corresponding to the user ID and registration terminal information.
Here the current user traffic is the behavioural traffic, recorded in real time, that the user generates after logging in to the server with the user ID and registration terminal information; it includes the login IP address with which the user ID logs in to the server, access logs, the user's browsing path, access requests and so on.
By obtaining the current traffic in the network in this step, the server can go on to judge, on the basis of the user pattern recognition algorithm, whether that network traffic is abnormal.
S316. Recognise the current user traffic with an abnormal-feature database formed from the user pattern recognition algorithm, and obtain a recognition result.
Here the abnormal-feature database is the set of abnormal-traffic scenarios formed by statistical analysis of abnormal-traffic scenarios, for example the scenario of access to a particular web page or file while traffic is abnormal, the distribution scenario of access across different fields and regions (such as the network traffic of edu/cn/com domain names), scenarios of abnormal association between users and regions, and so on.
By comparing the current user traffic with the abnormal-feature database in this step, the server can identify promptly and effectively whether the current user traffic is abnormal traffic.
S317. If the recognition result is normal traffic, the login security of the client is normal login.
It should be understood that if the recognition result is normal traffic, this shows that the client has logged in normally, and the server can continue to receive the access requests sent by the client. This step confirms the login security of the client to the server and keeps the client continuously connected to the server, so that the access requests the client sends receive a timely response from the server.
S318. If the recognition result is abnormal traffic, the login security of the client is abnormal login.
It should be understood that if the recognition result is abnormal traffic, this shows that the client's login is abnormal, and the server can refuse to respond to the access requests sent by the client. This step protects the server from malicious attacks by that client.
In this step a user pattern recognition algorithm is used to judge the login security of the client as soon as the client first logs in to the server, ensuring that a client that has logged in normally can go on to initiate access requests smoothly.
The method of resisting network attacks provided in the embodiment of the present invention obtains an access request sent by a client and, when the access request carries a security identifier and that security identifier is safe, processes the service request information in the access request, ensuring that genuine access requests are handled in time; for an access request that carries no security identifier, the security identifier of the client is obtained from the user ID and registration terminal information, and on the basis of that security identifier the server can effectively shield attacks from malicious network traffic. This embodiment can also lock user IDs identified as unsafe, avoiding waste of server resources.
Further, the server judges the login security of the client with the risk detection algorithm and adds a concise security identifier to the feedback message returned to the client, which makes it convenient for the server to respond promptly to, or refuse, the access requests sent by the client.
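The request-handling flow of claims 1, 2, 5 and 6 (no identifier: run risk detection and return a feedback message carrying one; safe identifier: process the service request; unsafe identifier: lock the user ID and send a prompt message), as an added example that is not the patent's code. The patent does not say how the identifier is protected against a client simply asserting "safe"; binding it to the user ID and terminal information with an HMAC, discarding a non-genuine identifier, the deny-list stand-in for the risk detection algorithm and the message field names are all assumptions made here.

```python
"""Server-side handling of the access request / security identifier flow of
claims 1, 2, 5 and 6. Added example, not the patent's code. The patent does
not say how the identifier is protected; binding it to the user ID and
terminal information with an HMAC is an assumption made here."""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Callable, Optional

SAFE, UNSAFE = "safe", "unsafe"


@dataclass
class AccessRequest:
    user_id: str
    terminal_info: str                          # registration terminal information
    service_request: Optional[str] = None       # service request information
    security_identifier: Optional[str] = None   # "<verdict>.<hex tag>" or absent


@dataclass
class Server:
    secret: bytes
    # Stand-in for the patent's risk detection algorithm: maps
    # (user_id, terminal_info) to "normal" or "abnormal" login.
    risk_detector: Callable[[str, str], str]
    locked_users: set = field(default_factory=set)

    def _tag(self, user_id: str, terminal_info: str, verdict: str) -> str:
        msg = f"{user_id}|{terminal_info}|{verdict}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).hexdigest()

    def issue_identifier(self, user_id: str, terminal_info: str, verdict: str) -> str:
        return f"{verdict}.{self._tag(user_id, terminal_info, verdict)}"

    def verify_identifier(self, req: AccessRequest) -> Optional[str]:
        """Return the verdict carried by a genuine identifier, or None when the
        identifier is malformed or its tag does not match this user/terminal."""
        ident = req.security_identifier or ""
        verdict, sep, tag = ident.partition(".")
        if not sep or verdict not in (SAFE, UNSAFE):
            return None
        expected = self._tag(req.user_id, req.terminal_info, verdict)
        return verdict if hmac.compare_digest(tag, expected) else None

    def handle(self, req: AccessRequest) -> dict:
        if req.user_id in self.locked_users:
            return {"type": "prompt", "user_id": req.user_id, "message": "user ID locked"}
        if req.security_identifier is None:
            # Claims 1/2: no identifier yet, so judge login security and answer
            # with a feedback message that carries the identifier.
            login = self.risk_detector(req.user_id, req.terminal_info)
            verdict = SAFE if login == "normal" else UNSAFE
            return {"type": "feedback", "user_id": req.user_id,
                    "security_identifier": self.issue_identifier(
                        req.user_id, req.terminal_info, verdict)}
        verdict = self.verify_identifier(req)
        if verdict == SAFE:
            # Claim 1: identifier present and safe, process the service request.
            return {"type": "service_result", "user_id": req.user_id,
                    "result": f"processed: {req.service_request}"}
        if verdict == UNSAFE:
            # Claim 6: identifier present and unsafe, lock the user ID and prompt.
            self.locked_users.add(req.user_id)
            return {"type": "prompt", "user_id": req.user_id,
                    "message": "abnormal login, user ID locked"}
        # Identifier present but not genuine for this user/terminal (a case the
        # patent does not describe): discard as in claim 5 rather than lock, so a
        # forged identifier cannot be used to lock someone else's user ID.
        return {"type": "discard", "user_id": req.user_id}


# Constructed stand-in detector: a terminal on a deny-list counts as "abnormal".
KNOWN_BAD_TERMINALS = {"term-BAD"}


def demo_risk_detector(user_id: str, terminal_info: str) -> str:
    return "abnormal" if terminal_info in KNOWN_BAD_TERMINALS else "normal"


if __name__ == "__main__":
    srv = Server(secret=b"demo-secret-not-for-production", risk_detector=demo_risk_detector)
    first = srv.handle(AccessRequest("alice", "term-A"))
    second = srv.handle(AccessRequest("alice", "term-A", "get-balance",
                                      first["security_identifier"]))
    print(first["type"], second["type"])   # feedback service_result
```

Because the tag covers the terminal information, an identifier issued for one terminal is rejected when replayed from another, and a request that merely asserts "safe" without a valid tag is discarded instead of served.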
It should be understood that the numbering of the steps in the above embodiments does not imply an order of execution; the order in which each process is executed should be determined by its function and internal logic, and does not limit the implementation of the embodiments of the present invention in any way.
Embodiment 2
Fig. 5 shows a schematic block diagram of an apparatus for resisting network attacks corresponding to the method of resisting network attacks in embodiment 1. As shown in Fig. 5, the apparatus comprises an access request obtaining module 10, a processing result obtaining module 20, a feedback message obtaining module 30 and a processing result sending module 40. The functions implemented by the access request obtaining module 10, the processing result obtaining module 20, the feedback message obtaining module 30 and the processing result sending module 40 correspond one-to-one with the steps of the method of resisting network attacks in embodiment 1; to avoid repetition, this embodiment does not describe them in detail one by one.
The access request obtaining module 10 is used to obtain the access request sent by the client, the access request comprising a user ID and registration terminal information or service request information.
The processing result obtaining module 20 is used, if the access request also carries a security identifier and the security identifier is safe, to process the service request information corresponding to the user ID and obtain a service processing result.
The feedback message obtaining module 30 is used, if the access request does not carry a security identifier, to obtain a feedback message carrying a security identifier on the basis of the user ID and registration terminal information.
The processing result sending module 40 is used to send the service processing result or the feedback message to the client corresponding to the user ID.
Preferably, the apparatus for resisting network attacks further comprises a prompting message sending module 50.
The prompting message sending module 50 is used, if the access request also carries a security identifier and the security identifier is unsafe, to lock the user ID and send a prompting message to the client corresponding to the user ID.
Preferably, the feedback message obtaining module 30 further comprises a login security obtaining unit 31, a feedback message forming unit 32 and a security identifier adding unit 33.
The login security obtaining unit 31 is used to process the user ID and registration terminal information with a risk detection algorithm and obtain the login security of the client, where the login security comprises normal login and abnormal login.
The feedback message forming unit 32 is used, if the login security is normal login, to form a feedback message, add a security identifier to the feedback message and set the security identifier to safe.
The security identifier adding unit 33 is used, if the login security is abnormal login, to form a feedback message, add a security identifier to the feedback message and set the security identifier to unsafe.
Preferably, the login security obtaining unit 31 further comprises a traffic feature obtaining unit 311, a recognition result obtaining unit 312, a normal traffic recognising unit 313 and an abnormal traffic recognising unit 314.
The traffic feature obtaining unit 311 is used to obtain the current traffic feature corresponding to the user ID and registration terminal information.
The recognition result obtaining unit 312 is used to recognise the current traffic feature with an anomaly detection model formed from an abnormal-traffic detection algorithm and obtain a recognition result.
The normal traffic recognising unit 313 is used, if the recognition result is normal traffic, to set the login security of the client to normal login.
The abnormal traffic recognising unit 314 is used, if the recognition result is abnormal traffic, to set the login security of the client to abnormal login.
Preferably, the login security obtaining unit 31 further comprises a traffic obtaining unit 315, a traffic recognising unit 316, a normal traffic recognising unit 317 and an abnormal traffic recognising unit 318.
The traffic obtaining unit 315 is used to obtain the current user traffic corresponding to the user ID and registration terminal information.
The traffic recognising unit 316 is used to recognise the current user traffic with an abnormal-feature database formed from a user pattern recognition algorithm and obtain a recognition result.
The normal traffic recognising unit 317 is used, if the recognition result is normal traffic, to set the login security of the client to normal login.
The abnormal traffic recognising unit 318 is used, if the recognition result is abnormal traffic, to set the login security of the client to abnormal login.
Embodiment 3
This embodiment provides a computer-readable storage medium on which a computer program is stored; when the computer program is executed by a processor, the method of resisting network attacks in embodiment 1 is implemented, and to avoid repetition it is not described here again. Alternatively, when the computer program is executed by a processor, the functions of each module/unit of the apparatus for resisting network attacks in embodiment 2 are implemented, and to avoid repetition they are not described here again.
It should be understood that the computer-readable storage medium may include any entity or device capable of carrying the computer program code, a recording medium, a USB flash disk, a removable hard disk, a magnetic disk, an optical disc, computer memory, read-only memory (ROM), random access memory (RAM), an electrical carrier signal, a telecommunication signal and so on.
Embodiment 4
Fig. 6 is a schematic diagram of the computer device provided by an embodiment of the present invention. As shown in Fig. 6, the computer device 60 of this embodiment comprises a processor 61, a memory 62 and a computer program 63 stored in the memory 62 and runnable on the processor 61. When executing the computer program 63, the processor 61 implements the steps of the method of resisting network attacks in embodiment 1 above, for example steps S10 to S40 shown in Fig. 1. Alternatively, when executing the computer program 63, the processor 61 implements the functions of each module in the apparatus embodiments above, for example the functions of the access request obtaining module 10, the processing result obtaining module 20, the feedback message obtaining module 30 and the processing result sending module 40 shown in Fig. 5.
It will be clear to those skilled in the art that, for convenience and brevity of description, only the division into the functional units and modules described above is used as an example; in practical application the functions above may be allocated as needed to different functional units or modules, that is, the internal structure of the apparatus may be divided into different functional units or modules to perform all or part of the functions described above.
The embodiments described above serve only to illustrate the technical solution of the present invention and not to limit it. Although the invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art will understand that the technical solutions recorded in the foregoing embodiments may still be modified, or some of their technical features replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solution to depart from the spirit and scope of the technical solutions of the embodiments of the present invention and shall all be included within the scope of protection of the present invention.

Claims (10)

1. A method of resisting network attacks, characterised by comprising:
obtaining an access request sent by a client, the access request comprising a user ID and registration terminal information or service request information;
if the access request also carries a security identifier and the security identifier is safe, processing the service request information corresponding to the user ID to obtain a service processing result;
if the access request does not carry a security identifier, obtaining, on the basis of the user ID and the registration terminal information, a feedback message carrying a security identifier;
sending the service processing result or the feedback message to the client corresponding to the user ID.
2. The method of resisting network attacks according to claim 1, characterised in that obtaining the feedback message carrying a security identifier on the basis of the user ID and the registration terminal information comprises:
processing the user ID and the registration terminal information with a risk detection algorithm to obtain the login security of the client, wherein the login security comprises normal login and abnormal login;
if the login security is normal login, forming a feedback message, adding a security identifier to the feedback message and setting the security identifier to safe;
if the login security is abnormal login, forming a feedback message, adding a security identifier to the feedback message and setting the security identifier to unsafe.
3. The method of resisting network attacks according to claim 1, characterised in that processing the user ID and the registration terminal information with a risk detection algorithm to obtain the login security of the client comprises:
obtaining the current traffic feature corresponding to the user ID and the registration terminal information;
recognising the current traffic feature with an anomaly detection model formed from an abnormal-traffic detection algorithm to obtain a recognition result;
if the recognition result is normal traffic, the login security of the client is normal login;
if the recognition result is abnormal traffic, the login security of the client is abnormal login.
4. The method of resisting network attacks according to claim 1, characterised in that processing the user ID and the registration terminal information with a risk detection algorithm to obtain the login security of the client comprises:
obtaining the current user traffic corresponding to the user ID and the registration terminal information;
recognising the current user traffic with an abnormal-feature database formed from a user pattern recognition algorithm to obtain a recognition result;
if the recognition result is normal traffic, the login security of the client is normal login;
if the recognition result is abnormal traffic, the login security of the client is abnormal login.
5. The method of resisting network attacks according to claim 1, characterised in that, after the step of obtaining the access request sent by the client, the method of resisting network attacks further comprises:
if the access request also carries a security identifier and the security identifier is unsafe, discarding the access request.
6. The method of resisting network attacks according to claim 1, characterised in that, after the step of obtaining the access request sent by the client, the method of resisting network attacks further comprises:
if the access request also carries a security identifier and the security identifier is unsafe, locking the user ID and sending a prompting message to the client corresponding to the user ID.
7. An apparatus for resisting network attacks, characterised by comprising:
an access request obtaining module, used to obtain an access request sent by a client, the access request comprising a user ID and registration terminal information or service request information;
a processing result obtaining module, used, if the access request also carries a security identifier and the security identifier is safe, to process the service request information corresponding to the user ID and obtain a service processing result;
a feedback message obtaining module, used, if the access request does not carry a security identifier, to obtain a feedback message carrying a security identifier on the basis of the user ID and the registration terminal information;
a processing result sending module, used to send the service processing result or the feedback message to the client corresponding to the user ID.
8. The apparatus for resisting network attacks according to claim 7, characterised by further comprising:
a login security obtaining module, used to process the user ID and the registration terminal information with a risk detection algorithm and obtain the login security of the client, wherein the login security comprises normal login and abnormal login;
a feedback message forming module, used, if the login security is normal login, to form a feedback message, add a security identifier to the feedback message and set the security identifier to safe;
a security identifier adding module, used, if the login security is abnormal login, to form a feedback message, add a security identifier to the feedback message and set the security identifier to unsafe.
9. A computer device, comprising a memory, a processor and a computer program stored in the memory and runnable on the processor, characterised in that when the processor executes the computer program it implements the steps of the method of resisting network attacks according to any one of claims 1 to 6.
10. A computer-readable storage medium storing a computer program, characterised in that when the computer program is executed by a processor it implements the steps of the method of resisting network attacks according to any one of claims 1 to 6.
CN201810239771.4A 2018-03-22 2018-03-22 Method and device for resisting network attack, computer equipment and storage medium Active CN108521408B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201810239771.4A CN108521408B (en) 2018-03-22 2018-03-22 Method and device for resisting network attack, computer equipment and storage medium
PCT/CN2018/092628 WO2019178966A1 (en) 2018-03-22 2018-06-25 Network attack defense method and apparatus, and computer device and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201810239771.4A CN108521408B (en) 2018-03-22 2018-03-22 Method and device for resisting network attack, computer equipment and storage medium

Publications (2)

Publication Number Publication Date
CN108521408A true CN108521408A (en) 2018-09-11
CN108521408B CN108521408B (en) 2021-03-12

Family

ID=63433991

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810239771.4A Active CN108521408B (en) 2018-03-22 2018-03-22 Method and device for resisting network attack, computer equipment and storage medium

Country Status (2)

Country Link
CN (1) CN108521408B (en)
WO (1) WO2019178966A1 (en)

Cited By (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109474672A (en) * 2018-10-25 2019-03-15 平安科技(深圳)有限公司 The determination method and system of business execution state
CN109743325A (en) * 2019-01-11 2019-05-10 北京中睿天下信息技术有限公司 A kind of Brute Force attack detection method, system, equipment and storage medium
CN109787869A (en) * 2019-03-29 2019-05-21 新华三技术有限公司 A kind of path failure detection method and equipment
CN109922013A (en) * 2019-01-28 2019-06-21 世纪龙信息网络有限责任公司 Service access flow control methods, device, server and storage medium
CN111131235A (en) * 2019-12-23 2020-05-08 杭州安恒信息技术股份有限公司 Safety maintenance method, device, equipment and storage medium of business system
CN111934949A (en) * 2020-07-23 2020-11-13 广东电网有限责任公司 Safety test system based on database injection test
CN112751815A (en) * 2019-10-31 2021-05-04 华为技术有限公司 Message processing method, device, equipment and computer readable storage medium
CN112953921A (en) * 2021-02-02 2021-06-11 深信服科技股份有限公司 Scanning behavior identification method, device, equipment and storage medium
CN113132308A (en) * 2019-12-31 2021-07-16 华为技术有限公司 Network security protection method and protection equipment
CN113923048A (en) * 2021-11-09 2022-01-11 中国联合网络通信集团有限公司 Network attack behavior identification method, device, equipment and storage medium
CN115102712A (en) * 2022-05-17 2022-09-23 刘勇 Enhanced terminal identification method and device, electronic equipment and storage medium
CN115514681A (en) * 2022-09-16 2022-12-23 北京天融信网络安全技术有限公司 Method, device, system, equipment and medium for testing equipment stability
CN115102712B (en) * 2022-05-17 2024-04-16 刘勇 Enhanced terminal identification method, enhanced terminal identification device, electronic equipment and storage medium

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104092665A (en) * 2014-06-19 2014-10-08 小米科技有限责任公司 Access request filtering method, device and facility
CN105610856A (en) * 2016-01-26 2016-05-25 深圳一卡易网络科技有限公司 DDoS(Distributed Denial of Service)attack defensive system for application layer based on multiple feature recognition
CN106603513A (en) * 2016-11-30 2017-04-26 中国人民解放军理工大学 Host identifier-based resource access control method and system
US20170295166A1 (en) * 2008-06-19 2017-10-12 Microsoft Technology Licensing, Llc Federated realm discovery
CN107426181A (en) * 2017-06-20 2017-12-01 竞技世界(北京)网络技术有限公司 The hold-up interception method and device of malice web access request

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101631026A (en) * 2008-07-18 2010-01-20 北京启明星辰信息技术股份有限公司 Method and device for defending against denial-of-service attacks
CN101834866B (en) * 2010-05-05 2013-06-26 北京来安科技有限公司 CC (Communication Center) attack protective method and system thereof
US9661005B2 (en) * 2014-01-09 2017-05-23 International Business Machines Corporation Security level and status exchange between TCP/UDP client(s) and server(s) for secure transactions
EP2916512B1 (en) * 2014-03-07 2016-08-24 Mitsubishi Electric R&D Centre Europe B.V. Method for classifying a TCP connection carrying HTTP traffic as a trusted or an untrusted TCP connection

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
陈雪松: "A method of tagging TCP packets in a prospective intrusion detection system", 《计算机与数字工程》 (Computer & Digital Engineering) *

Cited By (20)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109474672B (en) * 2018-10-25 2022-03-25 平安科技(深圳)有限公司 Method and system for determining service execution state
CN109474672A (en) * 2018-10-25 2019-03-15 平安科技(深圳)有限公司 The determination method and system of business execution state
CN109743325B (en) * 2019-01-11 2021-06-18 北京中睿天下信息技术有限公司 Brute force attack detection method, system, equipment and storage medium
CN109743325A (en) * 2019-01-11 2019-05-10 北京中睿天下信息技术有限公司 A kind of Brute Force attack detection method, system, equipment and storage medium
CN109922013A (en) * 2019-01-28 2019-06-21 世纪龙信息网络有限责任公司 Service access flow control methods, device, server and storage medium
CN109922013B (en) * 2019-01-28 2022-08-19 天翼数字生活科技有限公司 Service access flow control method, device, server and storage medium
CN109787869A (en) * 2019-03-29 2019-05-21 新华三技术有限公司 A kind of path failure detection method and equipment
CN112751815B (en) * 2019-10-31 2021-11-19 华为技术有限公司 Message processing method, device, equipment and computer readable storage medium
CN112751815A (en) * 2019-10-31 2021-05-04 华为技术有限公司 Message processing method, device, equipment and computer readable storage medium
CN111131235B (en) * 2019-12-23 2022-02-22 杭州安恒信息技术股份有限公司 Safety maintenance method, device, equipment and storage medium of business system
CN111131235A (en) * 2019-12-23 2020-05-08 杭州安恒信息技术股份有限公司 Safety maintenance method, device, equipment and storage medium of business system
CN113132308A (en) * 2019-12-31 2021-07-16 华为技术有限公司 Network security protection method and protection equipment
CN113132308B (en) * 2019-12-31 2022-05-17 华为技术有限公司 Network security protection method and protection equipment
CN111934949A (en) * 2020-07-23 2020-11-13 广东电网有限责任公司 Safety test system based on database injection test
CN112953921A (en) * 2021-02-02 2021-06-11 深信服科技股份有限公司 Scanning behavior identification method, device, equipment and storage medium
CN113923048A (en) * 2021-11-09 2022-01-11 中国联合网络通信集团有限公司 Network attack behavior identification method, device, equipment and storage medium
CN113923048B (en) * 2021-11-09 2023-07-04 中国联合网络通信集团有限公司 Network attack behavior identification method, device, equipment and storage medium
CN115102712A (en) * 2022-05-17 2022-09-23 刘勇 Enhanced terminal identification method and device, electronic equipment and storage medium
CN115102712B (en) * 2022-05-17 2024-04-16 刘勇 Enhanced terminal identification method, enhanced terminal identification device, electronic equipment and storage medium
CN115514681A (en) * 2022-09-16 2022-12-23 北京天融信网络安全技术有限公司 Method, device, system, equipment and medium for testing equipment stability

Also Published As

Publication number Publication date
WO2019178966A1 (en) 2019-09-26
CN108521408B (en) 2021-03-12

Similar Documents

Publication Publication Date Title
CN108521408A (en) Resist method of network attack, device, computer equipment and storage medium
CN109951500B (en) Network attack detection method and device
CN104519018B (en) A kind of methods, devices and systems preventing the malicious requests for server
CN109688105B (en) Threat alarm information generation method and system
CN109194680B (en) Network attack identification method, device and equipment
KR101070614B1 (en) Malicious traffic isolation system using botnet infomation and malicious traffic isolation method using botnet infomation
US20060129810A1 (en) Method and apparatus for evaluating security of subscriber network
CN110417717B (en) Login behavior identification method and device
JP2006279930A (en) Method and device for detecting and blocking unauthorized access
CN102404741B (en) Method and device for detecting abnormal online of mobile terminal
CN111092900B (en) Method and device for monitoring abnormal connection and scanning behavior of server
Rout et al. A hybrid approach for network intrusion detection
CN103313429A (en) Processing method for recognizing fabricated WIFI (Wireless Fidelity) hotspot
Yan et al. Identifying wechat red packets and fund transfers via analyzing encrypted network traffic
CN109561051A (en) Content distributing network safety detection method and system
Smys et al. Data elimination on repetition using a blockchain based cyber threat intelligence
CN107623685A (en) The method and device of quick detection SYN Flood attacks
EP3932033A1 (en) Methods, systems, and computer readable media for dynamically remediating a security system entity
Dhanapal et al. The slow HTTP distributed denial of service attack detection in cloud
CN111314381A (en) Safety isolation gateway
Sharma et al. WLI-FCM and artificial neural network based cloud intrusion detection system
Rodrigues et al. Evaluating a blockchain-based cooperative defense
CN104883362A (en) Method and device for controlling abnormal access behaviors
CN110719286A (en) Network optimization scheme sharing system and method based on big data
CN116050841B (en) Information security risk assessment method, device, terminal equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant