CN108712365A - DDoS attack event detection method and system based on traffic log - Google Patents

DDoS attack event detection method and system based on traffic log

Info

Publication number: CN108712365A
Authority: CN (China)
Prior art keywords: value, ddos attack, period, flow, threshold value
Legal status: Granted (active)
Application number: CN201810251701.0A
Other languages: Chinese (zh)
Other versions: CN108712365B (en)
Inventors: 李明哲, 刘丙双, 涂波, 张洛什, 尚秋里, 苗权, 康春建, 刘鑫沛, 李传海, 戴帅夫, 张建宇
Current assignee: CHANGAN COMMUNICATION TECHNOLOGY Co Ltd; National Computer Network and Information Security Management Center
Original assignee: CHANGAN COMMUNICATION TECHNOLOGY Co Ltd; National Computer Network and Information Security Management Center
Priority date: 2017-08-29
Filing date: 2018-03-26
Publication date: 2018-10-26 (CN108712365A); granted as CN108712365B, published 2020-10-27

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1458 Denial of Service


Abstract

The present invention provides a DDoS attack event detection method based on traffic logs. The steps include: determine a statistical period; in each statistical period, read the massive network traffic log and count the network traffic volume received by each monitored IP; store as flow records the IPs whose traffic received in a single statistical period exceeds a threshold T1, together with their corresponding traffic values; filter out the set of IPs whose current traffic received in the current statistical period exceeds a threshold T2; for each IP in that set, read its historical traffic value from the flow records, and if the historical traffic value of an IP does not exist or is less than R times its current traffic value, judge that the IP is under DDoS attack. The present invention also provides a DDoS attack event detection system based on traffic logs.

Description

DDoS attack event detection method and system based on traffic log
Technical field
The present invention relates to the fields of network security and big data analysis, and in particular to a method and system for discovering DDoS attack events from the massive traffic logs of a large-scale network.
Background technology
A distributed denial of service (DDoS: Distributed Denial of Service) attack joins many computers together as an attack platform by means of client/server technology and launches DDoS attacks against one or more targets, thereby multiplying the power of the denial-of-service attack. Typically, the attacker installs a DDoS master program on one computer using a stolen account; at a set time the master program communicates with a large number of agent programs that have already been installed on many computers on the network, and the agents launch the attack when they receive the instruction. Using client/server technology, the master program can activate hundreds or thousands of agents within seconds.
A DDoS attack occupies a large amount of network resources with a large number of legitimate-looking requests in order to paralyse the network. This attack pattern can be divided into the following kinds: (1) interfering with or even blocking normal network communication by overloading the network; (2) overloading a server by submitting a large number of requests to it; (3) blocking a particular user from accessing a server; (4) blocking the communication of a certain service with a particular system or individual.
The means taken by a distributed denial of service attack are themselves distributed, and the attack pattern departs from the traditional point-to-point mode, so the attack appears random. The protocols and services used in the attack are usually common ones, so it is difficult to distinguish the attack from the protocol and service type alone. The attack packets also carry forged source IP addresses, so it is difficult to identify the attack from the disguised addresses and difficult to trace them; this makes detection methods for distributed denial of service attacks hard to realise.
By analysing distributed attacks as needed, the characteristics of this kind of attack can be obtained. During a distributed denial of service attack, the traffic is concentrated on the address of the attack target, and no congestion control takes place during the attack. The attack may use random ports, sending a large number of packets to the target through thousands of ports, or it may use a fixed port, sending a large number of packets to the same port.
The conventional method of DDoS attack detection based on massive network logs is baseline comparison, i.e. comparing the current traffic level of an IP address with its historical baseline level. However, storing the baseline levels of all IP addresses causes huge storage overhead and load.
Invention content
The purpose of the present invention is to provide a DDoS attack event detection method and system based on traffic logs that overcomes the storage overhead of baseline traffic measurement based on massive network logs: the complete baseline data need not be stored, which saves storage space.
To achieve the above object, the present invention adopts the following technical scheme:
A DDoS attack event detection method based on traffic logs, whose steps include:
Determine a statistical period; in each statistical period, read the massive network traffic log and count the network traffic volume received by each monitored IP in that period;
Store as flow records the IPs whose traffic received in a single statistical period exceeds a threshold T1, together with their corresponding traffic values;
Filter out the set of IPs whose current traffic received in the current statistical period exceeds a threshold T2;
For each IP in that set, read its historical traffic value from the flow records; if the historical traffic value of an IP does not exist or is less than R times its current traffic value, judge that the IP is under DDoS attack.
Further, the statistical period is greater than or equal to 1 second and less than or equal to 1 hour.
Further, the threshold T2 > T1; preferably, T2 ≥ 2T1.
Further, the threshold T1 ≥ 1 Mbps; by setting the threshold T1 reasonably, the overhead of baseline storage and computation can be adjusted to the specific capacity of the system.
Further, the threshold T2 ≤ 500 Mbps.
Further, the historical traffic value is the average traffic value of the statistical periods at the same time of day on the nearest one or several days before the current statistical period that were not under DDoS attack.
Further, R ≤ 0.5.
Further, the flow records are stored in NetFlow format.
A DDoS attack event detection system based on traffic logs, including:
a configuration management module, which loads the repository containing the parameters T1, T2 and R in the system initialisation phase;
a data access module, which periodically reads the flow records and performs format conversion to facilitate subsequent data analysis;
a data analysis module, which analyses the flow records and discovers the DDoS attack events in the current statistical period;
an information output module, which sends the DDoS attack events discovered in the current statistical period to other systems for deeper mining or visual presentation.
Further, the flow records are stored in a big data platform such as Hadoop.
Compared with the prior art, the advantages of the present invention are as follows:
In the method of the invention, only traffic values exceeding the threshold T1 are stored. By setting T1 reasonably, the IPs with a high probability of DDoS attack can be screened out; the complete baseline data need not be stored, which saves storage space and reduces the computation of the baseline comparison. Without this mechanism, all traffic values would be stored and the overhead would obviously be larger: for example, if storing all traffic values costs 1 GB while storing only the values above T1 costs 0.1 GB, this method saves 0.9 GB. The traffic values of the screened IPs are then compared with T2, further filtering out the IPs with a higher DDoS probability and narrowing the range. Finally, comparing the current traffic value with the normal traffic value of the same historical period, with R set reasonably, identifies the IP addresses that are likely under DDoS attack. The method can effectively detect all traffic-type DDoS attack events in a large-scale network.
Description of the drawings
Fig. 1 is a flow chart of the DDoS attack event detection method based on traffic logs in the embodiment.
Fig. 2 is a block diagram of the DDoS attack event detection system based on traffic logs in the embodiment.
Fig. 3 is a working diagram of the DDoS attack event detection system based on traffic logs in the embodiment.
Specific implementation mode
To make the above features and advantages of the present invention clearer, specific embodiments are described in detail below with reference to the accompanying drawings.
The present embodiment provides a DDoS attack event detection method based on traffic logs, as shown in Fig. 1, with the following steps:
1) Determine the statistical period, choosing a value between 1 second and 1 hour; determine the traffic thresholds such that 2 Mbps ≤ 2T1 ≤ T2 ≤ 500 Mbps; determine the ratio value R ≤ 0.5;
2) Routinely count the network traffic volume received by every IP in each statistical period;
3) Store as flow records the IPs whose traffic received in a single statistical period exceeds the threshold T1, together with their corresponding traffic values;
4) Filter out the set of IPs whose current traffic value received in the current statistical period exceeds T2;
5) For each IP in the set and its corresponding current traffic, read from the flow records its historical traffic value for the same statistical period of the nearest day not under DDoS attack; if the historical traffic value of an IP does not exist, or is less than R times the current traffic value, judge that it is likely under DDoS attack.
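The five steps above, and the summary of the method under "Invention content" that claims 1 to 8 restate, can be implemented end to end as follows. This is an added example written for this page, not code from the patent or its assignees. The statistical period, the T1, T2 and R settings, the (destination IP, bytes) tuples standing in for NetFlow records, the two-day byte counts and the 14-day retention window are all constructed assumptions chosen inside the ranges the patent gives.

```python
from collections import defaultdict
from statistics import mean

# Example parameter settings chosen inside the ranges the patent gives
# (period 1 s to 1 h; 2 Mbps <= 2*T1 <= T2 <= 500 Mbps; R <= 0.5). Assumed values.
PERIOD_SECONDS = 300            # statistical period: 5 minutes
T1_MBPS = 10.0                  # only IPs above T1 get a stored flow record
T2_MBPS = 100.0                 # candidate set: IPs above T2 in the current period
R = 0.5                         # alarm when history < R * current
PERIODS_PER_DAY = 86400 // PERIOD_SECONDS


def mbps(total_bytes, period_seconds=PERIOD_SECONDS):
    """Bytes received in one statistical period, expressed in Mbps."""
    return total_bytes * 8 / period_seconds / 1e6


def aggregate_period(flow_tuples):
    """Step 2: count traffic received per monitored IP in one period.
    flow_tuples are (dst_ip, bytes) pairs, a simplified stand-in for NetFlow records."""
    totals = defaultdict(int)
    for dst_ip, nbytes in flow_tuples:
        totals[dst_ip] += nbytes
    return {ip: mbps(b) for ip, b in totals.items()}


class FlowRecordStore:
    """Step 3: keeps (period_index, ip) -> Mbps only for IPs whose traffic exceeds T1."""

    def __init__(self, t1=T1_MBPS):
        self.t1 = t1
        self.records = {}            # (period_index, ip) -> Mbps
        self.attacked_days = set()   # days flagged as attacked; excluded from baselines

    def store(self, period_index, traffic):
        for ip, rate in traffic.items():
            if rate > self.t1:
                self.records[(period_index, ip)] = rate

    def baseline(self, period_index, ip, days=1):
        """Historical traffic value: mean over the same period slot on the nearest
        `days` previous days not flagged as attacked; None if no record exists
        (the IP was below T1 then, so nothing was stored)."""
        day, slot = divmod(period_index, PERIODS_PER_DAY)
        candidate_days, d = [], day - 1
        while d >= 0 and len(candidate_days) < days:
            if d not in self.attacked_days:
                candidate_days.append(d)
            d -= 1
        values = [self.records[(cd * PERIODS_PER_DAY + slot, ip)]
                  for cd in candidate_days
                  if (cd * PERIODS_PER_DAY + slot, ip) in self.records]
        return mean(values) if values else None

    def prune(self, current_period, retain_days=14):
        """Rolling deletion when platform storage is limited: keep only the most
        recent retain_days (the patent names two weeks to one month)."""
        cutoff = current_period - retain_days * PERIODS_PER_DAY
        self.records = {k: v for k, v in self.records.items() if k[0] >= cutoff}


def detect(store, period_index, traffic, t2=T2_MBPS, r=R):
    """Steps 4 and 5: candidates above T2, then compare each with its baseline.
    Returns (ip, current_mbps, baseline_mbps_or_None) for every IP judged attacked."""
    alarms = []
    for ip, current in traffic.items():
        if current <= t2:
            continue
        hist = store.baseline(period_index, ip)
        if hist is None or hist < r * current:
            alarms.append((ip, current, hist))
    return alarms


def run_demo():
    """Constructed two-day scenario (all byte counts are made up for illustration)."""
    store = FlowRecordStore()
    slot = 100                                   # one 5-minute slot of the day
    # Day 0, normal traffic. 10.0.0.2 stays below T1 and therefore gets no record.
    day0 = aggregate_period([("10.0.0.1", 1_875_000_000),    # 50 Mbps
                             ("10.0.0.2", 187_500_000),      # 5 Mbps
                             ("10.0.0.3", 7_500_000_000)])   # 200 Mbps
    store.store(slot, day0)
    # Day 1, same slot: 10.0.0.1 jumps to 300 Mbps, 10.0.0.2 appears at 150 Mbps
    # with no history, 10.0.0.3 rises only slightly to 210 Mbps.
    p1 = PERIODS_PER_DAY + slot
    day1 = aggregate_period([("10.0.0.1", 11_250_000_000),
                             ("10.0.0.2", 5_625_000_000),
                             ("10.0.0.3", 7_875_000_000)])
    store.store(p1, day1)
    alarms = detect(store, p1, day1)
    store.prune(p1)                              # nothing here is older than 14 days
    return store, alarms


if __name__ == "__main__":
    _, found = run_demo()
    for ip, cur, hist in found:
        print(f"{ip}: current {cur:.0f} Mbps, baseline {hist}, judged under DDoS attack")
```

In the constructed scenario 10.0.0.1 (baseline 50 Mbps, now 300 Mbps) and 10.0.0.2 (no stored baseline because it was below T1 the day before) are flagged, while 10.0.0.3 (200 Mbps to 210 Mbps) is not. The `days` argument of `baseline` corresponds to the "one or several days" of claim 6, and `attacked_days` is where a deployment would feed back days already judged attacked so they do not pollute later baselines; the "no record" branch is what makes a suddenly popular but previously quiet IP an alarm, which is the intended behaviour and also the main source of false positives to tune with T1.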
The present embodiment also provides a DDoS attack event detection system based on traffic logs to realise the above method, as shown in Fig. 2, including:
a configuration management module, responsible for loading the repository containing the parameters T1, T2, R and so on in the system initialisation phase;
a data access module, responsible for periodically reading the flow records in the big data platform and performing format conversion to facilitate subsequent data analysis;
a data analysis module, responsible for analysing the flow records and discovering the DDoS attack events in this period;
an information output module, responsible for sending the DDoS attack events discovered in this period to other systems for deeper mining or visualisation.
The above system is developed on a big data platform; it can be deployed in a provincial carrier network to collect and analyse network logs and output reports of possible DDoS attack behaviour. The working diagram is shown in Fig. 3, and the implementation is as follows:
1. Deploy the data access module as a network probe: collect network traffic at key positions such as the entrance of the monitored network, generate logs in NetFlow format (the flow records), and store them to the big data platform. When the platform's storage space is limited, use rolling deletion, retaining the records of the most recent two weeks to one month.
2. The data analysis module analyses the flow records stored in the big data platform, tries parameter combinations, and detects DDoS attack events; the detected DDoS attack events are stored in an event database.
3. Adjust the parameter values according to the actual effect and apply them to the system again.
The prior art stores the flow records of all IPs without screening (equivalent to T1 = 0); although the stored information is more complete, the storage overhead grows rapidly. The method provided by the invention sets a reasonable T1 for the specific network environment, does not need to store the complete baseline data, and stores per-period traffic only for the high-traffic IP addresses with obvious DDoS suspicion, so storage overhead is significantly reduced, storage space is saved, and the computation of the baseline comparison is reduced. Comparing the traffic of the screened IPs with T2 screens the IPs further, and comparing the current traffic with the historical traffic then judges the DDoS attack. The method can effectively detect all traffic-type DDoS attack events in a large-scale network.
The above embodiments are merely illustrative of the technical scheme of the present invention and are not intended to limit it; in application they can be extended to other modifications, variations, applications and embodiments, all of which are considered to fall within the scope of the invention.

Claims (10)

1. A DDoS attack event detection method based on traffic logs, whose steps include:
determining a statistical period, reading the massive network traffic log in each statistical period, and counting the network traffic volume received by each monitored IP in each statistical period;
storing as flow records the IPs whose traffic received in a single statistical period exceeds a threshold T1, together with their corresponding traffic values;
filtering out the set of IPs whose current traffic received in the current statistical period exceeds a threshold T2;
for each IP in that set, reading its historical traffic value from the flow records, and if the historical traffic value of an IP does not exist or is less than R times its current traffic value, judging that the IP is under DDoS attack.
2. The method according to claim 1, characterised in that the statistical period is greater than 1 second and less than or equal to 1 hour.
3. The method according to claim 1, characterised in that the threshold T2 > T1; preferably, the threshold T2 ≥ 2T1.
4. The method according to claim 1 or 3, characterised in that the threshold T1 ≥ 1 Mbps.
5. The method according to claim 1 or 3, characterised in that the threshold T2 ≤ 500 Mbps.
6. The method according to claim 1, characterised in that the historical traffic value is the average traffic value of the statistical periods at the same time of day on the nearest one or several days before the current statistical period that were not under DDoS attack.
7. The method according to claim 1, characterised in that R ≤ 0.5.
8. The method according to claim 1, characterised in that the flow records are stored in NetFlow format.
9. A DDoS attack event detection system based on traffic logs, including:
a configuration management module, which loads the repository containing the parameters T1, T2 and R in the system initialisation phase;
a data access module, which periodically reads the flow records and performs format conversion;
a data analysis module, which analyses the flow records and discovers the DDoS attack events in the current statistical period;
an information output module, which outputs the DDoS attack events discovered in the current statistical period.
10. The system according to claim 9, characterised in that the flow records are stored in a big data platform.

Applications Claiming Priority (2)

Application Number   Priority Date   Filing Date   Title
CN201710755271       2017-08-29
CN2017107552711      2017-08-29

Publications (2)

Publication Number   Publication Date
CN108712365A (en)    2018-10-26
CN108712365B (en)    2020-10-27

Family

ID=63866250

Family Applications (1)

Application Number   Title                                                              Priority Date   Filing Date   Status
CN201810251701.0A    DDoS attack event detection method and system based on flow log    2017-08-29      2018-03-26    Active, CN108712365B (en)

Country Status (1)

Country   Link
CN (1)    CN108712365B (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111200614A (en) * 2020-01-07 2020-05-26 中山大学 Defense method and system for third-party anonymous EDoS attack
CN111541655A (en) * 2020-04-08 2020-08-14 国家计算机网络与信息安全管理中心 Network abnormal flow detection method, controller and medium
CN113179257A (en) * 2021-04-20 2021-07-27 杭州迪普科技股份有限公司 Threshold learning method, apparatus, device and computer readable storage medium
CN115412363A (en) * 2022-09-13 2022-11-29 杭州迪普科技股份有限公司 Abnormal flow log processing method and device

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20080196103A1 (en) * 2007-02-09 2008-08-14 Chao-Yu Lin Method for analyzing abnormal network behaviors and isolating computer virus attacks
JP4216223B2 (en) * 2004-05-10 2009-01-28 日本電信電話株式会社 Network attack detection apparatus and method, and program
CN101729389A (en) * 2008-10-21 2010-06-09 北京启明星辰信息技术股份有限公司 Flow control device and method based on flow prediction and trusted network address learning
CN102271068A (en) * 2011-09-06 2011-12-07 电子科技大学 Method for detecting DOS/DDOS (denial of service/distributed denial of service) attack
US20130291107A1 (en) * 2012-04-27 2013-10-31 The Irc Company, Inc. System and Method for Mitigating Application Layer Distributed Denial of Service Attacks Using Human Behavior Analysis
CN104954192A (en) * 2014-03-27 2015-09-30 东华软件股份公司 Network flow monitoring method and device
CN106411934A (en) * 2016-11-15 2017-02-15 平安科技(深圳)有限公司 DoS(denial of service)/DDoS(distributed denial of service) attack detection method and device


Also Published As

Publication number Publication date
CN108712365B (en) 2020-10-27


Legal Events

Code   Title
PB01   Publication
SE01   Entry into force of request for substantive examination
GR01   Patent grant