CN108521408B - Method and device for resisting network attack, computer equipment and storage medium - Google Patents


Info

Publication number: CN108521408B
Authority: CN (China)
Prior art keywords: login, client, user, access request, security
Legal status: Active
Application number: CN201810239771.4A
Other languages: Chinese (zh)
Other versions: CN108521408A
Inventors: 李洋, 陈春璐
Current assignee: Ping An Technology Shenzhen Co Ltd
Original assignee: Ping An Technology Shenzhen Co Ltd
Application filed by Ping An Technology Shenzhen Co Ltd
Priority: CN201810239771.4A; PCT/CN2018/092628 (WO2019178966A1)
Publication of application: CN108521408A
Application granted; publication of grant: CN108521408B

Classifications

    • H ELECTRICITY
      • H04 ELECTRIC COMMUNICATION TECHNIQUE
        • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
          • H04L 63/00 Network architectures or network communication protocols for network security
            • H04L 63/08 ... for authentication of entities
              • H04L 63/0876 ... based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
            • H04L 63/10 ... for controlling access to devices or network resources
              • H04L 63/102 Entity profiles
            • H04L 63/14 ... for detecting or protecting against malicious traffic
              • H04L 63/1408 ... by monitoring network traffic
                • H04L 63/1425 Traffic logging, e.g. anomaly detection
              • H04L 63/1441 Countermeasures against malicious traffic
                • H04L 63/1458 Denial of Service

Abstract

The invention discloses a method and a device for resisting network attacks, a computer device and a storage medium. The method comprises the following steps: acquiring an access request sent by a client, the access request comprising a user ID together with either login terminal information or service request information; if the access request also carries a security identifier and the security identifier is safe, processing the service request information corresponding to the user ID and obtaining a service processing result; if the access request does not carry a security identifier, obtaining a feedback message carrying a security identifier based on the user ID and the login terminal information; and sending the service processing result or the feedback message to the client corresponding to the user ID. By having the server recognise the security identifier carried by the client, the method shields the server from malicious network traffic while ensuring that genuine access requests are processed in time.

Description

Method and device for resisting network attack, computer equipment and storage medium
Technical Field
The present invention relates to the field of network security, and in particular, to a method and an apparatus for resisting network attack, a computer device, and a storage medium.
Background
Existing server-side anti-DDoS (Distributed Denial of Service) mechanisms on the market fall into two types: local anti-DDoS traffic scrubbing and cloud traffic scrubbing. With either mechanism, while a DDoS attack is under way the server cannot avoid rejecting genuine access requests sent by clients, because those requests are mixed in with the abnormal attack traffic. This makes it hard for the server to meet the QoS (Quality of Service) guarantees of user services, and the problem is especially serious in the financial industry. How to ensure that a server still receives genuine client access requests while under a DDoS traffic attack is therefore a problem that urgently needs solving.
Disclosure of Invention
Embodiments of the present invention provide a method and an apparatus for resisting network attacks, a computer device, and a storage medium, so as to solve the problem that genuine access requests sent by clients are rejected while the server is under a DDoS traffic attack.
In a first aspect, an embodiment of the present invention provides a method for resisting a network attack, including:
acquiring an access request sent by a client, wherein the access request comprises a user ID together with either login terminal information or service request information;
if the access request also carries a security identifier and the security identifier is safe, processing the service request information corresponding to the user ID and obtaining a service processing result;
if the access request does not carry a security identifier, obtaining a feedback message carrying a security identifier based on the user ID and the login terminal information;
and sending the service processing result or the feedback message to the client corresponding to the user ID.
In a second aspect, an embodiment of the present invention provides an apparatus for resisting a network attack, including:
an access request acquisition module, for acquiring an access request sent by a client, wherein the access request comprises a user ID together with either login terminal information or service request information;
a processing result obtaining module, for processing the service request information corresponding to the user ID and obtaining a service processing result if the access request also carries a security identifier and the security identifier is safe;
a feedback message obtaining module, for obtaining a feedback message carrying a security identifier based on the user ID and the login terminal information if the access request does not carry a security identifier;
and a processing result sending module, for sending the service processing result or the feedback message to the client corresponding to the user ID.
A third aspect of the present invention provides a computer device comprising a memory, a processor and a computer program stored in the memory and executable on the processor, the processor implementing the steps of the method for resisting network attacks according to the first aspect of the present invention when executing the computer program.
A fourth aspect of the present invention provides a computer-readable storage medium storing a computer program which, when executed by a processor, implements the steps of the method for resisting network attacks according to the first aspect of the present invention.
With the method, apparatus, computer device and storage medium provided by the embodiments of the present invention, the service request information in an access request is processed only when the access request carries a security identifier and that identifier is safe, which guarantees that genuine access requests are processed in time; for an access request that carries no security identifier, the server derives the client's security identifier from the user ID and the login terminal information, and on the basis of that identifier it can effectively shield itself from malicious network traffic.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings needed to be used in the description of the embodiments of the present invention will be briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art that other drawings can be obtained according to these drawings without inventive labor.
Fig. 1 is a flowchart of a method for resisting network attacks in embodiment 1 of the present invention.
Fig. 2 is another specific flowchart of the method for resisting network attacks in embodiment 1 of the present invention.
Fig. 3 is another specific flowchart of the method for resisting network attacks in embodiment 1 of the present invention.
Fig. 4 is another specific flowchart of the method for resisting network attacks in embodiment 1 of the present invention.
Fig. 5 is a schematic block diagram of the apparatus for resisting network attack in embodiment 2 of the present invention.
Fig. 6 is a schematic diagram of a computer device in embodiment 4 of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
DDoS attacks, taken as a whole, are practically synonymous with "large-scale cyber attacks". In some special scenarios the attack traffic can reach hundreds of Gbit/s, but that is relatively rare; in most cases an attacker can flood the server of an enterprise or organisation with 1 Gbit/s or even less. These attacks usually do not last long, most of them around thirty minutes. During them the server, for its own protection, rejects almost all access requests, genuine ones included, which severely degrades or even blocks the access requests initiated by normal clients.
The invention addresses the problem that, while under a DDoS traffic attack, a server cannot easily guarantee that it will receive and respond to the access requests sent by normal clients.
Embodiment 1
Fig. 1 shows a flowchart of a method for resisting network attacks in the present embodiment. The method for resisting the network attack is applied to the field of network security. As shown in fig. 1, the method for resisting network attack includes the following steps:
S10: obtaining an access request sent by a client, wherein the access request comprises a user ID together with either login terminal information or service request information.
An access request is a request that a client makes to a server either for identity authentication or for service support. For identity authentication the client must supply its user ID and its login terminal information; for service support it must supply the user ID and the service request information.
The user ID is the user's network identity card: a unique number that the system assigns when the user first registers, distinguishing the user from all other registered users of the system. The login terminal information is the login IP address the client uses to log in to the server, for example 192.168.1.100, and the service request information is, for example, a transfer confirmation request raised to the server.
In this step the server accepts every access request a client sends without first classifying it by type, which saves the time the server would otherwise spend on that judgement. The server then performs the corresponding operation directly on the content the access request carries (the login terminal information or the service request information); for example, if the access request carries service request information that conforms to the service support request format, that information is extracted and processed further. This is both efficient and convenient.
S20: if the access request also carries a security identifier and the security identifier is safe, processing the service request information corresponding to the user ID and obtaining a service processing result.
The security identifier is a field in the login message exchanged when the client logs in to the server, and indicates whether the client is considered secure. Its encoding may be chosen to suit the application; in this embodiment the security identifier of a secure client may be configured as "secure" or "0", and that of a dangerous client as "dangerous" or "1".
The service request information is the concrete, service-specific content of an access request; for example, if the access request asks for transfer service support, the service request information includes the transferor, the transfer account number, the transfer amount, the transfer time and so on.
It will be understood that if an access request also carries a security identifier, the client that sent it has previously sent an identity authentication request to the server and received the feedback message carrying the security identifier that the server returned. In this step the server receives an access request carrying a security identifier, which tells it that the request is a service support request and, if the identifier is safe, that the logged-in client is a secure client; it can therefore respond to the request, ensuring that service request information raised by a normal client is processed promptly.
And S30, if the access request does not carry the safety identification, acquiring a feedback message carrying the safety identification based on the user ID and the login terminal information.
The feedback message is a TCP message the server returns to the client to convey the server's authentication result for that client. It consists of a TCP header segment, a security identifier segment and a TCP data segment. The security identifier segment carries the identifier that the client will present when it later raises a service processing request, and the server judges the safety of that service request from the identifier the client presents. The TCP header segment is at least 20 bytes long and holds the information used to confirm the session, such as the source and destination ports. The TCP data segment carries the data content of the specific service request. Table 1 below shows the feedback packet format with a security identifier provided in this embodiment.
Table 1: feedback packet format with a security identifier (segments as described above: TCP header segment, security identifier segment, TCP data segment); the table image is not reproduced here.
If an access request received by the server carries no security identifier, the request is an identity authentication request and the client must be verified. The verification result is added to the feedback message returned to the client in the form of a security identifier, so that the feedback message carries it.
Compared with an ordinary TCP feedback message, which has no security identifier segment, adding the security identifier to the feedback message in this step provides the technical basis for later refusing to respond to traffic from clients marked dangerous, protecting the server from network attack: the server responds only to service support requests that arrive with a safe security identifier, i.e. it processes the service information in those requests to obtain a service processing result.
S40: sending the service processing result or the feedback message to the client corresponding to the user ID.
For an identity authentication access request the server returns a feedback message (step S30) and sends it to the client corresponding to the user ID; for a service support access request the server returns a service processing result (step S20) and sends that to the client corresponding to the user ID.
In this step the server promptly returns the appropriate content for each type of access request without having to classify requests before accepting them, which improves the efficiency of information transfer between server and client.
When the server receives an access request carrying a security identifier, it reads the identifier first. If the identifier is safe it goes on to read the specific service request information the request carries; if the identifier is dangerous, which indicates that the server may be under attack from that traffic, the server refuses to respond to the request so as to keep itself operating normally.
Preferably, after the step of obtaining the access request sent by the client, the method further includes:
S50: if the access request also carries a security identifier and the security identifier is dangerous, locking the user ID and sending reminder information to the client corresponding to the user ID.
Locking the user ID means that, when the server finds the security identifier carried in a client's access request to be dangerous, it freezes that user ID and no longer accepts any information sent under it. The freeze may last for a set duration or be permanent. If the client has stolen an ordinary user's ID to mount the attack, a fixed duration is appropriate, so that the legitimate user's ID is not frozen by mistake; if the client attacks with a newly registered ID, the ID may be frozen permanently, i.e. the server never again accepts information sent under that user ID.
Locking user IDs whose security identifier is dangerous prevents the server from repeatedly receiving access requests sent under that user ID, whether for attack or other purposes, and repeatedly spending resources on judging them.
According to the method for resisting network attacks provided by this embodiment, the service request information in an access request is processed only when the request carries a security identifier and that identifier is safe, which guarantees that genuine access requests are processed in time; for an access request without a security identifier, the server derives the client's security identifier from the user ID and login terminal information, and on that basis effectively shields itself from malicious network traffic. Locking user IDs whose security identifier is dangerous further avoids wasting server resources.
In a specific embodiment, as shown in fig. 2, step S30, obtaining a feedback message carrying a security identifier based on the user ID and the login terminal information, specifically includes the following steps:
S31: processing the user ID and the login terminal information with a risk detection algorithm to obtain the login security of the client, where the login security is either normal login or abnormal login.
A risk detection algorithm is any algorithm that detects whether the client is a secure client, including but not limited to abnormal traffic detection, user pattern recognition, protocol stack behaviour pattern analysis, application-specific protection, user behaviour pattern analysis, dynamic fingerprint recognition and other risk monitoring algorithms; its purpose here is to assign the client a security identifier.
The algorithm checks, among other things, whether the client's user ID is logging in normally, whether the login IP address in the login terminal information is consistent with the client's location, and whether the login IP address is one from which normal logins are made. For example, after hijacking a user ID an attacker may probe the login server from over a million abnormal login IP addresses and initiate hundreds of millions of access requests. If the server recognises the attacker's login IP addresses as abnormal in time and refuses every access request from them, it saves a large amount of server resources and is protected from brute-force attack over the network.
The detection result is either normal login or abnormal login. A normal login is one the client achieves without resorting to brute force, password cracking or similar means; abnormal logins include logins achieved by brute force, logins whose IP address is inconsistent with the user's location, logins from a high-risk address, and so on. A high-risk address is a login IP address that has previously been used for abnormal logins.
In this step the risk detection algorithm judges the client's login security the first time the client logs in to the server, thereby determining the security of the client that sends access requests and providing the technical basis for letting clients with normal logins keep initiating access requests smoothly while refusing abnormal logins.
S32: if the login security is normal login, forming a feedback message, adding a security identifier to it and setting the security identifier to safe.
The server creates a security identifier segment in the feedback message, i.e. the TCP message it returns to the client, so that when the client later raises a service processing access request to the server it carries the security identifier, indicating that its login was secure.
The security identifier the server assigns to a client whose detection result is normal login is "secure"; in this embodiment "secure" may also be denoted by another symbol such as "0".
By generating a feedback message with a concise security identifier set to safe, the server makes it easy to respond promptly to the client's subsequent access requests: once the feedback message has been delivered, the client presents the safe security identifier each time it sends an access request to the same server.
S33: if the login security is abnormal login, forming a feedback message, adding a security identifier to it and setting the security identifier to dangerous.
Likewise, the server assigns "danger" to a client whose detection result is abnormal login; in this embodiment "danger" may also be denoted by another symbol such as "1". After the server has issued a feedback message with a concise security identifier set to dangerous, the client presents that dangerous identifier when it next sends an access request to the same server, so the server can promptly refuse to respond.
In this embodiment the server judges the client's login security with a risk detection algorithm and adds a simple, unambiguous security identifier to the client's feedback message, so that it can promptly respond to or refuse the client's access requests.
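The following is an added worked example (Python) of the request handling in steps S10 to S50 together with the risk-detection refinement of steps S31 to S33; it is not code from the patent. It goes one step beyond the text in one respect: the page specifies the security identifier only as a literal value such as "0" or "1", which a client could set itself, so the example binds the verdict to the user ID and login IP with an HMAC under a server-side key (an assumption, not part of the patent). The risk detector, the high-risk IP list, the user IDs, the addresses and the lock duration are all constructed for the example.

```python
import hashlib
import hmac
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

# The page's encoding of the security identifier: "0" (secure) / "1" (dangerous).
SAFE = "0"
DANGEROUS = "1"

# Assumption (not in the patent): a server-side secret binds the identifier to the
# user ID and login IP, so a client cannot simply claim to be safe.
SERVER_KEY = b"example-server-secret-not-for-production"

# Constructed sample of high-risk login addresses (TEST-NET-3 range).
HIGH_RISK_IPS = {"203.0.113.9"}


def make_identifier(user_id: str, login_ip: str, verdict: str, key: bytes = SERVER_KEY) -> str:
    """Return '<verdict>.<tag>' where tag = HMAC-SHA256(key, user_id|login_ip|verdict)."""
    msg = f"{user_id}|{login_ip}|{verdict}".encode()
    tag = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return f"{verdict}.{tag}"


def verify_identifier(identifier: str, user_id: str, login_ip: str, key: bytes = SERVER_KEY) -> Optional[str]:
    """Return the verdict carried by a genuine identifier for this user/IP, else None."""
    verdict, _, _tag = identifier.partition(".")
    if verdict not in (SAFE, DANGEROUS):
        return None
    expected = make_identifier(user_id, login_ip, verdict, key)
    return verdict if hmac.compare_digest(expected, identifier) else None


def risk_detect(user_id: str, login_ip: str, attempts: int) -> str:
    """Toy stand-in for the risk detection algorithm of S31 (constructed rules):
    abnormal if the login IP is high-risk or the ID has been tried too often."""
    if login_ip in HIGH_RISK_IPS or attempts > 5:
        return "abnormal"
    return "normal"


def process_service(svc: dict) -> dict:
    """Stand-in for business processing; the page's example is a transfer confirmation."""
    if svc.get("kind") != "transfer":
        return {"status": "unsupported"}
    return {"status": "confirmed", "from": svc["from"], "to": svc["to"], "amount": svc["amount"]}


@dataclass
class ServerState:
    key: bytes = SERVER_KEY
    detector: Callable[[str, str, int], str] = risk_detect
    # S50: finite freeze for a possibly stolen ID; float("inf") gives the permanent
    # freeze the page describes for a newly registered attacker ID.
    lock_seconds: float = 900.0
    locked_until: Dict[str, float] = field(default_factory=dict)
    login_attempts: Dict[str, int] = field(default_factory=dict)


def handle_access_request(state: ServerState, req: dict, now: Optional[float] = None) -> dict:
    """Dispatch one access request per S10-S50. `req` holds user_id, login_ip and
    optionally security_id and service_request. Returns the response to send (S40)."""
    now = time.time() if now is None else now
    user_id, login_ip = req["user_id"], req["login_ip"]

    # Consequence of S50: a frozen user ID gets nothing at all.
    if state.locked_until.get(user_id, 0.0) > now:
        return {"type": "rejected", "reason": "user ID locked"}

    identifier = req.get("security_id")
    if identifier is None:
        # S30 / S31-S33: identity authentication request -> risk detection -> feedback message.
        attempts = state.login_attempts.get(user_id, 0) + 1
        state.login_attempts[user_id] = attempts
        verdict = SAFE if state.detector(user_id, login_ip, attempts) == "normal" else DANGEROUS
        return {"type": "feedback",
                "security_id": make_identifier(user_id, login_ip, verdict, state.key),
                "data": "authentication result"}

    verdict = verify_identifier(identifier, user_id, login_ip, state.key)
    if verdict is None:
        # Forged identifier, or one issued for another user/IP: refuse, but do not lock,
        # otherwise anyone could lock an arbitrary user ID with a bogus "1" token.
        return {"type": "rejected", "reason": "invalid security identifier"}
    if verdict == DANGEROUS:
        # S50: lock the user ID and send reminder information.
        state.locked_until[user_id] = now + state.lock_seconds
        return {"type": "reminder", "message": "user ID locked",
                "locked_until": state.locked_until[user_id]}

    # S20: safe identifier -> process the service request information.
    svc = req.get("service_request")
    if svc is None:
        return {"type": "rejected", "reason": "no service request information"}
    return {"type": "service_result", "result": process_service(svc)}
```

Two design points are worth noting. A forged or mismatched identifier is rejected without triggering the lock, since locking on unauthenticated input would let anyone freeze an arbitrary user ID. The lock itself is keyed by user ID alone, exactly as S50 describes, so an attacker who obtains a dangerous identifier for a stolen ID still locks the legitimate user out for the freeze duration; this is the trade-off the page itself addresses by recommending a finite freeze for ordinary user IDs.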
In one embodiment the risk detection algorithm may be an abnormal traffic detection algorithm. Abnormal traffic is network traffic that deviates significantly from the steady-state traffic of the network; it causes congestion and overloads router resources. The server must detect abnormal traffic accurately and promptly, otherwise the network it sits on cannot operate effectively and reliably. As shown in fig. 3, step S31, processing the user ID and the login terminal information with the risk detection algorithm to obtain the client's login security, specifically includes the following steps:
S311: obtaining the current traffic characteristics corresponding to the user ID and the login terminal information.
The current traffic characteristics are the basic characteristic data of the network traffic, extracted in real time from the traffic exchanged between the server and the user ID after it has logged in through its login terminal. This basic data comprises traffic characteristic data sets such as traffic volume, packet length information, protocol information, port traffic information and TCP flag bit information, and on the basis of these data sets the operating state of the network traffic can be described comprehensively and in detail. The traffic characteristic data set is the foundation of the whole network traffic anomaly detection algorithm.
In this step the current traffic characteristics in the network are obtained so that the server can go on to judge, with a risk detection algorithm, whether the network traffic is abnormal.
S312: identifying the current traffic characteristics with an anomaly detection model built from an abnormal traffic detection algorithm, to obtain an identification result.
An abnormal traffic detection algorithm is one kind of risk detection algorithm: it builds a model from abnormal states such as user behaviour, user processes and abnormal network traffic, and uses it to judge whether the server is under network attack and of what kind. The anomaly detection model in this embodiment is built on the idea of dividing traffic characteristics hierarchically into two levels: a basic feature set and a combined feature set.
The basic feature set comprises traffic volume, packet length information, protocol information, port traffic information, TCP flag bit information and the like. The combined feature set can be configured in real time as needed: for a particular attack, the subset of basic features that the attack involves is used to describe that attack. For DDoS attacks, for example, the combined feature set may select packets per second, average packet length and the number of DDoS packets. By learning and training the features of attack behaviour on previously collected basic feature data, a model that classifies the combined features of a behaviour as normal or abnormal traffic, i.e. an anomaly detection model built from an abnormal traffic detection algorithm, can be obtained in real time.
The TCP SYN flood is used as an example to illustrate how the anomaly detection model built from the abnormal traffic detection algorithm works:
SYN flood is a well-known DDoS (distributed denial of service) attack. It exploits a weakness of the TCP protocol by sending a large number of forged TCP connection requests, exhausting the victim's resources (server fully loaded or out of memory).
Its signature: the client sends a large number of TCP request packets to the target host with forged source IP addresses in the IP header, so the target host never receives the client's acknowledgement and the TCP three-way handshake cannot complete. The target host will normally retry and wait until the half-open connection is discarded; the SYN timeout is typically 30 seconds to 2 minutes.
Take the data collected by NetFlow (flow monitoring and analysis software) as an example: 11.. 64.3|2. 38.180|6482| as10|5|4|1013|18|6|1|40| 1. The twelve fields of this record are, in order: source address | destination address | source autonomous system | destination autonomous system | ingress interface number | egress interface number | source port | destination port | protocol type | number of packets | number of bytes | number of flows.
As the NetFlow record shows, the typical characteristics of this abnormal traffic are a protocol type of 6 (TCP) and a flow size of 40 bytes, i.e. a single packet made up of a 20-byte IP header and a 20-byte TCP header with no payload, which is normally a TCP SYN connection request. (A bare ACK or RST packet has the same length, so where the TCP flag bits from the basic feature set are available they should be checked as well.)
The packets corresponding to each kind of attack are screened out in this way, the packet counts and byte counts of each kind are computed statistically, and thresholds are defined for each, so that it can be judged whether a DDoS attack is under way and which kind it is.
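The following added example (Python, not code from the patent) carries the two-level feature hierarchy of steps S311 and S312 and the NetFlow illustration through end to end: it parses records in the twelve-field layout listed above, screens TCP one-packet 40-byte flows as the page does, derives the DDoS combined features (packets per second, average packet length, SYN-like count) per destination, and applies thresholds. The records, addresses and thresholds are constructed for the example; the field names, the window length and the distinct-source criterion are assumptions beyond the page.

```python
from collections import defaultdict
from typing import Dict, List

# Column order of the NetFlow-style record discussed in the text (twelve fields).
FIELDS = ["src", "dst", "src_as", "dst_as", "in_if", "out_if",
          "sport", "dport", "proto", "packets", "bytes", "flows"]
INT_FIELDS = {"in_if", "out_if", "sport", "dport", "proto", "packets", "bytes", "flows"}


def parse_record(line: str) -> dict:
    """Parse one pipe-separated record into a dict of basic features."""
    parts = [p.strip() for p in line.split("|")]
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    rec = dict(zip(FIELDS, parts))
    for k in INT_FIELDS:
        rec[k] = int(rec[k])
    return rec


def is_syn_like(rec: dict) -> bool:
    """The page's screening rule: TCP (protocol 6) and a 40-byte one-packet flow,
    i.e. IP + TCP headers with no payload, which is normally a bare SYN."""
    return rec["proto"] == 6 and rec["packets"] == 1 and rec["bytes"] == 40


def combined_features(records: List[dict], window_seconds: float) -> Dict[str, dict]:
    """Build the DDoS combined feature set per destination from the basic features:
    packets/sec, average packet length, SYN-like flow count and distinct SYN sources."""
    acc = defaultdict(lambda: {"packets": 0, "bytes": 0, "syn_like": 0, "sources": set()})
    for rec in records:
        a = acc[rec["dst"]]
        a["packets"] += rec["packets"]
        a["bytes"] += rec["bytes"]
        if is_syn_like(rec):
            a["syn_like"] += 1
            a["sources"].add(rec["src"])
    return {
        dst: {
            "pps": a["packets"] / window_seconds,
            "avg_len": a["bytes"] / a["packets"] if a["packets"] else 0.0,
            "syn_like": a["syn_like"],
            "syn_sources": len(a["sources"]),
        }
        for dst, a in acc.items()
    }


def classify(features: Dict[str, dict], syn_threshold: int = 100,
             source_threshold: int = 50) -> Dict[str, str]:
    """Threshold rule per destination (thresholds are illustrative). Spoofed sources
    make per-source counts useless, so the rule combines SYN-like volume with the
    spread of source addresses seen."""
    verdicts = {}
    for dst, f in features.items():
        if f["syn_like"] >= syn_threshold and f["syn_sources"] >= source_threshold:
            verdicts[dst] = "abnormal: SYN flood"
        else:
            verdicts[dst] = "normal"
    return verdicts


def detect(records: List[str], window_seconds: float = 10.0) -> Dict[str, str]:
    """Parse raw records collected over one window and return a verdict per destination."""
    return classify(combined_features([parse_record(r) for r in records], window_seconds))


def constructed_records() -> List[str]:
    """Constructed sample, not real telemetry: 200 one-packet SYNs from 200 spoofed
    sources at 198.51.100.10:80, plus ordinary sessions to 198.51.100.20:443."""
    recs = [f"203.0.113.{i + 1}|198.51.100.10|64500|64501|5|4|{1024 + i}|80|6|1|40|1"
            for i in range(200)]
    recs += [f"192.0.2.{i + 1}|198.51.100.20|64500|64501|5|4|{40000 + i}|443|6|{12 + i}|{9000 + 300 * i}|1"
             for i in range(20)]
    recs.append("192.0.2.99|198.51.100.20|64500|64501|5|4|41000|443|6|1|40|1")  # one genuine SYN
    return recs


if __name__ == "__main__":
    for dst, verdict in detect(constructed_records()).items():
        print(dst, verdict)
```

The twelve-field record carries no TCP flag bits, so the 40-byte screen is a proxy for "bare SYN" and would also count bare ACK or RST packets; NetFlow v5 exports a cumulative TCP flags field, and where it is present the screen should additionally require SYN set and ACK clear. Counting distinct sources per destination is what keeps the rule meaningful against the forged source addresses the page describes: a per-source threshold would never trip, because each spoofed address appears in a single one-packet flow.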
In this embodiment, an abnormal traffic detection algorithm is adopted to form an abnormal detection model in advance, so that the current traffic characteristics of the attack behavior on the network can be detected in real time by adopting the abnormal detection model in step S312, so as to timely and effectively identify whether the current traffic characteristics are abnormal traffic.
S313, if the identification result is normal traffic, the login security of the client is normal login.
It can be understood that if the identification result for the current traffic characteristics is normal traffic, that is, the network traffic sent by the current client is normal traffic, the client is verified to be normally logged in, and the server may continue to receive access requests sent by the client. In this step, when the server recognizes that the login security of the client is normal login, it keeps the connection between the client and the server open so that it can respond in time to the access requests the client sends.
S314, if the identification result is abnormal traffic, the login security of the client is abnormal login.
It can be understood that if the identification result for the current traffic characteristics is abnormal traffic, that is, the network traffic sent by the current client is abnormal traffic, the client is shown to be logged in abnormally, and the server may refuse to respond to the access requests sent by the client. In this step, the server determines that the login security of the client is abnormal login by identifying the current traffic characteristics corresponding to the access request sent by the client, so that the server can reject the access request sent by the client and is protected from malicious attack by that client.
In this step, by adopting an abnormal traffic detection algorithm, the login security of the client is judged when the client logs in to the server for the first time, and a client that logs in normally can continue to initiate access requests smoothly.
In one embodiment, the risk detection algorithm may also employ a user pattern recognition algorithm. Different network applications exhibit different behavior characteristics at the transport layer during network transmission and interaction. Therefore, the application type of network traffic can be classified by matching the behavior characteristics of known network applications against the behavior characteristics shown by unknown traffic; this is the principle of transport-layer behavior pattern recognition. The method does not need to analyze the content of the traffic payload and does not need to collect information such as port numbers and characteristic fields, so its additional cost is small.
As shown in fig. 4, step S31, that is, processing the user ID and the login terminal information with the risk detection algorithm to obtain the login security of the client, specifically includes the following steps:
S315, obtaining the current user traffic corresponding to the user ID and the login terminal information.
The current user traffic is the behavior traffic generated after a user logs in to the server with the user ID and login terminal information, and includes the login IP address, access log, user browsing path, access requests and the like of the user ID that logged in to the server.
In this step, the current traffic in the network is obtained so that the server can further determine whether the network traffic is abnormal on the basis of the user pattern recognition algorithm.
S316, identifying the current user traffic with an abnormal characteristic database formed on the basis of a user pattern recognition algorithm to obtain an identification result.
The abnormal characteristic database is a set of abnormal traffic scenarios formed by statistically analyzing abnormal traffic according to the scenarios in which it occurs. For example, when abnormal traffic occurs, the access conditions of a specific web page or file, the access conditions in different fields and regions, the distribution of network traffic across domain names such as edu/cn/com, the abnormal association between a user and a region or time, and the like are counted.
In this step, by comparing the current user traffic with the abnormal characteristic database, the server can identify in time whether the current user traffic is abnormal traffic.
S317, if the identification result is normal traffic, the login security of the client is normal login.
It can be understood that if the identification result is normal traffic, the client is shown to be normally logged in, and the server may continue to receive access requests sent by the client. In this step, the server confirms the login security of the client, keeps the connection between the client and the server open, and can respond in time to the access requests the client sends.
S318, if the identification result is abnormal traffic, the login security of the client is abnormal login.
It can be understood that if the identification result is abnormal traffic, the client is shown to be logged in abnormally, and the server can refuse to respond to the access requests sent by the client. This step protects the server from malicious attack by the client.
In this step, by adopting a user pattern recognition algorithm, the login security of the client is judged when the client logs in to the server for the first time, so that a client that logs in normally can continue to initiate access requests smoothly.
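Steps S315 to S318, worked as an added example that is not code from the patent. The abnormal characteristic database is modelled as a list of named scenarios of the kinds listed above (a specific-file access condition, the domain-name distribution, and the user/region/time association), each a predicate over the current user traffic; the per-user baselines, the scenario thresholds and the sample flows are constructed assumptions:

```python
"""User pattern recognition against an abnormal characteristic database.

Added example; not code from the patent. The "abnormal characteristic
database" is modelled as a list of named scenarios, each a predicate over
the current user flow (login IP region, login time, access log). The
scenarios, the per-user baselines and the thresholds are assumptions chosen
to illustrate the scenario kinds the description names.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, List, Tuple


@dataclass
class UserFlow:
    user_id: str
    login_region: str        # region resolved from the login IP address
    login_time: datetime
    access_log: List[Tuple[datetime, str]]   # (time, url) entries


@dataclass
class Scenario:
    name: str
    matches: Callable[[UserFlow], bool]


# Per-user baselines that the statistical analysis would have produced
# (usual login regions, usual login hours, usual domain-suffix mix).
# Constructed for this example.
BASELINE = {
    "alice": {"regions": {"CN-GD"}, "hours": set(range(8, 20)),
              "domains": Counter({"com": 90, "cn": 10})},
}


def domain_suffix(url: str) -> str:
    host = url.split("://", 1)[-1].split("/", 1)[0]
    return host.rsplit(".", 1)[-1]


def region_time_anomaly(flow: UserFlow) -> bool:
    """User/region/time association: login from an unusual region or hour."""
    base = BASELINE.get(flow.user_id)
    if base is None:
        return True   # no baseline for this user ID: cannot vouch for it
    return (flow.login_region not in base["regions"]
            or flow.login_time.hour not in base["hours"])


def sensitive_file_burst(flow: UserFlow, path="/export/", limit=20, window_s=60) -> bool:
    """Access condition of a specific file: too many hits inside a time window."""
    hits = sorted(t for t, url in flow.access_log if path in url)
    for i in range(len(hits)):
        j = i
        while j < len(hits) and (hits[j] - hits[i]).total_seconds() <= window_s:
            j += 1
        if j - i >= limit:
            return True
    return False


def domain_distribution_shift(flow: UserFlow, min_requests=10, tolerance=0.5) -> bool:
    """Domain-name traffic distribution: a suffix's share moves by more than tolerance."""
    base = BASELINE.get(flow.user_id)
    if base is None or len(flow.access_log) < min_requests:
        return False
    seen = Counter(domain_suffix(url) for _, url in flow.access_log)
    total, base_total = sum(seen.values()), sum(base["domains"].values())
    return any(abs(seen[s] / total - base["domains"][s] / base_total) > tolerance
               for s in set(seen) | set(base["domains"]))


ABNORMAL_FEATURE_DB = [
    Scenario("region_time_association", region_time_anomaly),
    Scenario("sensitive_file_burst", sensitive_file_burst),
    Scenario("domain_distribution_shift", domain_distribution_shift),
]


def identify_user_flow(flow: UserFlow) -> Tuple[str, List[str]]:
    """Step S316: ('abnormal', matched scenario names) or ('normal', [])."""
    matched = [s.name for s in ABNORMAL_FEATURE_DB if s.matches(flow)]
    return ("abnormal" if matched else "normal", matched)


def login_security(flow: UserFlow) -> str:
    """Steps S317/S318: map the identification result onto login security."""
    return "normal login" if identify_user_flow(flow)[0] == "normal" else "abnormal login"


# Constructed sample flows.
DAY = datetime(2018, 3, 22, 10, 0, 0)
NIGHT = datetime(2018, 3, 23, 3, 0, 0)
NORMAL_FLOW = UserFlow("alice", "CN-GD", DAY,
                       [(DAY + timedelta(minutes=m), "https://app.example.com/home") for m in range(10)])
ABNORMAL_FLOW = UserFlow("alice", "US-CA", NIGHT,
                         [(NIGHT + timedelta(seconds=2 * i), f"https://app.example.com/export/{i}") for i in range(25)])
DOMAIN_SHIFT_FLOW = UserFlow("alice", "CN-GD", DAY,
                             [(DAY + timedelta(minutes=m), "https://news.example.cn/") for m in range(10)])
```

Returning the matched scenario names alongside the verdict is what makes the abnormal login actionable: the reminding information of claim 5 can say which scenario fired, and a scenario that fires too often on known-good users can be re-tuned without touching the rest of the database.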
According to the method for resisting network attack provided by this embodiment of the invention, the service request information in an access request is processed only when the access request sent by the client carries a security identifier and that identifier is safe, so that genuine access requests are guaranteed to be processed in time; for an access request that does not carry a security identifier, the security identifier of the client is obtained on the basis of the user ID and the login terminal information, and the server can effectively shield itself from malicious network traffic on the basis of that identifier. This embodiment can also avoid wasting server resources by locking a user ID whose security identifier is dangerous.
Furthermore, the server judges the login security of the client with a risk detection algorithm and adds a simple, unambiguous security identifier to the feedback message sent to the client, so that the server can promptly respond to or refuse subsequent access requests from the client.
It should be understood that the sequence numbers of the steps in the foregoing embodiments do not imply an execution order; the execution order of each process should be determined by its function and inherent logic, and should not constitute any limitation on the implementation of the embodiments of the present invention.
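The request-handling logic summarized in the two paragraphs above, as an added example that is not code from the patent. It covers the three cases: a request carrying a safe identifier is processed, one carrying a dangerous identifier is discarded and its user ID is locked with reminding information sent, and one without an identifier is run through the risk detection algorithm and answered with a feedback message that carries the identifier. The identifier is made an HMAC over the user ID, login terminal information and verdict so that a client cannot mint its own safe mark; the HMAC construction, the key, the terminal-binding risk detector and the message layouts are assumptions of this example, not part of the patent:

```python
"""Access-request dispatch with a server-issued security identifier.

Added example; not code from the patent. It implements the branches of
claims 1, 4 and 5: a request carrying a 'safe' identifier is processed, a
request carrying a 'dangerous' identifier is discarded and its user ID is
locked with reminding information sent, and a request without an identifier
is put through a risk detection callback and answered with a feedback
message that carries the identifier. The identifier is an HMAC over
(user ID, login terminal information, verdict) so that a client cannot mint
its own 'safe' mark; the signing, the key, the terminal-binding risk
detector and the message layouts are assumptions of this example.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set

SERVER_KEY = b"example-key-replace-in-deployment"   # constructed


def make_identifier(user_id: str, terminal: str, verdict: str) -> str:
    """Security identifier: '<verdict>.<hmac-sha256 hex>'."""
    msg = f"{user_id}|{terminal}|{verdict}".encode()
    return f"{verdict}.{hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()}"


def read_identifier(user_id: str, terminal: str, ident: str) -> Optional[str]:
    """Return 'safe' or 'dangerous' if the identifier is genuine, else None."""
    verdict, _, _ = ident.partition(".")
    if verdict not in ("safe", "dangerous"):
        return None
    expected = make_identifier(user_id, terminal, verdict)
    return verdict if hmac.compare_digest(expected.encode(), ident.encode()) else None


@dataclass
class AccessRequest:
    user_id: str
    terminal: str                            # login terminal information
    service_request: Optional[str] = None
    security_identifier: Optional[str] = None


@dataclass
class Server:
    # risk_detector(user_id, terminal) -> 'normal login' | 'abnormal login'
    risk_detector: Callable[[str, str], str]
    locked_users: Set[str] = field(default_factory=set)
    reminders: List[str] = field(default_factory=list)   # reminding information sent

    def handle(self, req: AccessRequest) -> Dict[str, str]:
        if req.user_id in self.locked_users:
            return {"type": "discarded", "reason": "user ID locked"}
        if req.security_identifier is not None:
            verdict = read_identifier(req.user_id, req.terminal, req.security_identifier)
            if verdict == "safe":
                return {"type": "service_result",
                        "result": f"processed:{req.service_request}"}
            if verdict == "dangerous":
                self.locked_users.add(req.user_id)
                self.reminders.append(req.user_id)
                return {"type": "discarded", "reason": "dangerous security identifier"}
            # An identifier that does not verify is treated as absent rather than
            # as dangerous, so that an unauthenticated sender cannot lock
            # someone else's user ID by presenting a bogus mark (assumption).
        login_security = self.risk_detector(req.user_id, req.terminal)
        verdict = "safe" if login_security == "normal login" else "dangerous"
        return {"type": "feedback",
                "security_identifier": make_identifier(req.user_id, req.terminal, verdict)}


# Constructed risk detector: a login is normal when the (user ID, terminal)
# pair has been seen before, abnormal otherwise.
KNOWN_TERMINALS = {("alice", "android-pixel-4a")}


def terminal_risk_detector(user_id: str, terminal: str) -> str:
    return "normal login" if (user_id, terminal) in KNOWN_TERMINALS else "abnormal login"


def demo() -> Dict[str, object]:
    srv = Server(terminal_risk_detector)
    # First login without an identifier: feedback message carrying a 'safe' mark.
    fb = srv.handle(AccessRequest("alice", "android-pixel-4a"))
    # Next request carries the mark: the service request is processed.
    processed = srv.handle(AccessRequest("alice", "android-pixel-4a", "get_balance",
                                         fb["security_identifier"]))
    # Unknown terminal gets a 'dangerous' mark; presenting it locks the user ID.
    fb2 = srv.handle(AccessRequest("carol", "unknown-box"))
    discarded = srv.handle(AccessRequest("carol", "unknown-box", "get_balance",
                                         fb2["security_identifier"]))
    after_lock = srv.handle(AccessRequest("carol", "unknown-box"))
    return {"processed": processed, "discarded": discarded, "after_lock": after_lock,
            "locked": sorted(srv.locked_users), "reminders": srv.reminders}
```

An identifier that fails verification is deliberately treated as absent rather than as dangerous: locking on it would let anyone who knows a user ID lock that user out by sending a bogus mark, so such a request is simply re-evaluated by the risk detector. Binding the HMAC to the login terminal information also means a safe mark issued to one terminal does not verify when replayed from another.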
Example 2
Fig. 5 is a schematic block diagram of a network attack resisting apparatus corresponding to the network attack resisting method in embodiment 1. As shown in fig. 5, the apparatus for resisting network attack includes an access request obtaining module 10, a processing result obtaining module 20, a feedback message obtaining module 30, and a processing result sending module 40. The functions of these four modules correspond one by one to the steps of the method for resisting network attack in embodiment 1, and to avoid repetition they are not described in detail in this embodiment.
The access request obtaining module 10 is configured to obtain an access request sent by a client, where the access request includes a user ID and login terminal information or service request information.
The processing result obtaining module 20 is configured to process the service request information corresponding to the user ID to obtain a service processing result if the access request also carries a security identifier and the security identifier is safe.
The feedback message obtaining module 30 is configured to obtain a feedback message carrying a security identifier on the basis of the user ID and the login terminal information if the access request does not carry a security identifier.
The processing result sending module 40 is configured to send the service processing result or the feedback message to the client corresponding to the user ID.
Preferably, the device for resisting network attack further comprises a reminding information sending module 50.
The reminding information sending module 50 is configured to lock the user ID and send reminding information to the client corresponding to the user ID if the access request also carries a security identifier and the security identifier is dangerous.
Preferably, the feedback message obtaining module 30 further includes a login security obtaining unit 31, a feedback message forming unit 32, and a security identifier adding unit 33.
The login security obtaining unit 31 is configured to process the user ID and the login terminal information with a risk detection algorithm to obtain the login security of the client, where the login security includes normal login and abnormal login.
The feedback message forming unit 32 is configured to form a feedback message, add a security identifier to it, and set the security identifier to safe if the login security is normal login.
The security identifier adding unit 33 is configured to form a feedback message, add a security identifier to it, and set the security identifier to dangerous if the login security is abnormal login.
Preferably, the login security obtaining unit 31 further includes a traffic characteristic obtaining unit 311, an identification result obtaining unit 312, a normal traffic identifying unit 313, and an abnormal traffic identifying unit 314.
The traffic characteristic obtaining unit 311 is configured to obtain the current traffic characteristics corresponding to the user ID and the login terminal information.
The identification result obtaining unit 312 is configured to identify the current traffic characteristics with an anomaly detection model formed on the basis of an abnormal traffic detection algorithm and obtain an identification result.
The normal traffic identifying unit 313 is configured to determine that the login security of the client is normal login if the identification result is normal traffic.
The abnormal traffic identifying unit 314 is configured to determine that the login security of the client is abnormal login if the identification result is abnormal traffic.
Preferably, the login security obtaining unit 31 further includes a user traffic obtaining unit 315, a user traffic identifying unit 316, a normal traffic identifying unit 317, and an abnormal traffic identifying unit 318.
The user traffic obtaining unit 315 is configured to obtain the current user traffic corresponding to the user ID and the login terminal information.
The user traffic identifying unit 316 is configured to identify the current user traffic with an abnormal characteristic database formed on the basis of a user pattern recognition algorithm and obtain an identification result.
The normal traffic identifying unit 317 is configured to determine that the login security of the client is normal login if the identification result is normal traffic.
The abnormal traffic identifying unit 318 is configured to determine that the login security of the client is abnormal login if the identification result is abnormal traffic.
Example 3
This embodiment provides a computer-readable storage medium, where a computer program is stored on the computer-readable storage medium, and when the computer program is executed by a processor, the method for resisting network attack in embodiment 1 is implemented, and details are not described here again to avoid repetition. Alternatively, the computer program is executed by the processor to implement the function of each module/unit in resisting the network attack in embodiment 2, and is not described herein again to avoid redundancy.
It is to be understood that the computer-readable storage medium may include: any entity or device capable of carrying said computer program code, recording medium, usb disk, removable hard disk, magnetic disk, optical disk, computer Memory, Read-Only Memory (ROM), Random Access Memory (RAM), electrical carrier wave signals, telecommunications signals, etc.
Example 4
Fig. 6 is a schematic diagram of a computer device provided by an embodiment of the present invention. As shown in fig. 6, the computer device 60 of this embodiment includes: a processor 61, a memory 62 and a computer program 63 stored in the memory 62 and executable on the processor 61. The processor 61 implements the steps of the network attack resisting method in embodiment 1 described above, such as steps S10 to S40 shown in fig. 1, when executing the computer program 63. Alternatively, the processor 61 implements the functions of the modules in the device embodiments described above when executing the computer program 63, for example, the functions of the access request obtaining module 10, the processing result obtaining module 20, the feedback message obtaining module 30, and the processing result sending module 40 shown in fig. 5.
It will be apparent to those skilled in the art that, for convenience and brevity of description, only the above-mentioned division of the functional units and modules is illustrated, and in practical applications, the above-mentioned function distribution may be performed by different functional units and modules according to needs, that is, the internal structure of the apparatus is divided into different functional units or modules to perform all or part of the above-mentioned functions.
The above-mentioned embodiments are only used for illustrating the technical solutions of the present invention, and not for limiting the same; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; such modifications and substitutions do not substantially depart from the spirit and scope of the embodiments of the present invention, and are intended to be included within the scope of the present invention.

Claims (8)

1. A method of resisting network attacks, comprising:
acquiring an access request sent by a client, wherein the access request comprises a user ID and login terminal information or service request information;
if the access request also carries a security identifier and the security identifier is safe, processing the service request information corresponding to the user ID to obtain a service processing result;
if the access request does not carry a security identifier, acquiring a feedback message carrying a security identifier based on the user ID and the login terminal information;
sending the service processing result or the feedback message to the client corresponding to the user ID;
wherein acquiring the feedback message carrying the security identifier based on the user ID and the login terminal information comprises:
evaluating the user ID and the login terminal information with a risk detection algorithm and acquiring the login security of the client, wherein the login security comprises normal login and abnormal login, and the risk detection algorithm is used for detecting whether the client is a safe client and for marking the client with a security identifier;
if the login security is normal login, forming a feedback message, adding a security identifier to the feedback message, and setting the security identifier to safe;
and if the login security is abnormal login, forming a feedback message, adding a security identifier to the feedback message, and setting the security identifier to dangerous.
2. The method for resisting network attacks according to claim 1, wherein evaluating the user ID and the login terminal information with a risk detection algorithm and acquiring the login security of the client comprises:
acquiring current traffic characteristics corresponding to the user ID and the login terminal information;
identifying the current traffic characteristics with an abnormal traffic detection model formed based on an abnormal traffic detection algorithm to obtain an identification result;
if the identification result is normal traffic, the login security of the client is normal login;
and if the identification result is abnormal traffic, the login security of the client is abnormal login.
3. The method for resisting network attacks according to claim 1, wherein evaluating the user ID and the login terminal information with a risk detection algorithm and acquiring the login security of the client comprises:
acquiring current user traffic corresponding to the user ID and the login terminal information;
identifying the current user traffic with an abnormal characteristic database formed based on a user pattern recognition algorithm to obtain an identification result;
if the identification result is normal traffic, the login security of the client is normal login;
and if the identification result is abnormal traffic, the login security of the client is abnormal login.
4. The method according to claim 1, wherein after the step of acquiring the access request sent by the client, the method of resisting network attacks further comprises:
if the access request also carries a security identifier and the security identifier is dangerous, discarding the access request.
5. The method according to claim 1, wherein after the step of acquiring the access request sent by the client, the method of resisting network attacks further comprises:
if the access request also carries a security identifier and the security identifier is dangerous, locking the user ID and sending reminding information to the client corresponding to the user ID.
6. An apparatus for resisting network attacks, comprising:
an access request acquisition module, configured to acquire an access request sent by a client, wherein the access request comprises a user ID and login terminal information or service request information;
a processing result acquisition module, configured to process the service request information corresponding to the user ID and obtain a service processing result if the access request also carries a security identifier and the security identifier is safe;
a feedback message acquisition module, configured to acquire a feedback message carrying a security identifier based on the user ID and the login terminal information if the access request does not carry a security identifier;
a processing result sending module, configured to send the service processing result or the feedback message to the client corresponding to the user ID;
wherein the feedback message acquisition module comprises:
a login security acquisition module, configured to evaluate the user ID and the login terminal information with a risk detection algorithm and acquire the login security of the client, wherein the login security comprises normal login and abnormal login, and the risk detection algorithm is used for detecting whether the client is a safe client and for marking the client with a security identifier;
a feedback message forming module, configured to form a feedback message, add a security identifier to the feedback message, and set the security identifier to safe if the login security is normal login;
and a security identifier adding module, configured to form a feedback message, add a security identifier to the feedback message, and set the security identifier to dangerous if the login security is abnormal login.
7. A computer device comprising a memory, a processor and a computer program stored in the memory and executable on the processor, wherein the processor implements the steps of the method of resisting network attacks according to any one of claims 1 to 5 when executing the computer program.
8. A computer-readable storage medium in which a computer program is stored, wherein the computer program, when executed by a processor, carries out the steps of the method of resisting network attacks according to any one of claims 1 to 5.

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201810239771.4A CN108521408B (en) 2018-03-22 2018-03-22 Method and device for resisting network attack, computer equipment and storage medium
PCT/CN2018/092628 WO2019178966A1 (en) 2018-03-22 2018-06-25 Network attack defense method and apparatus, and computer device and storage medium

Publications (2)

Publication Number Publication Date
CN108521408A CN108521408A (en) 2018-09-11
CN108521408B true CN108521408B (en) 2021-03-12

Family

ID=63433991

Country Status (2)

Country Link
CN (1) CN108521408B (en)
WO (1) WO2019178966A1 (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant