CN108712365A - DDoS attack event detection method and system based on traffic logs
- Publication number: CN108712365A (application CN201810251701.0A)
- Authority: CN (China)
- Legal status: Granted
Classifications
- H04L63/1416: Network architectures or network communication protocols for network security; detecting or protecting against malicious traffic by monitoring network traffic; event detection, e.g. attack signature detection
- H04L63/1458: Network architectures or network communication protocols for network security; countermeasures against malicious traffic; denial of service
Abstract
The invention provides a traffic-log-based DDoS attack event detection method with the following steps: determine a statistics period; in each statistics period, read the mass network traffic log and count the volume of network traffic received by every monitored IP; for each IP whose traffic received in a single statistics period exceeds a threshold T1, store the IP and its traffic value as a traffic record; select the set of IPs whose current traffic in the current statistics period exceeds a threshold T2; for each IP in that set, read its historical traffic value from the traffic records, and if the historical value is absent or is less than R times the current value, judge that the IP is under DDoS attack. The invention also provides a corresponding traffic-log-based DDoS attack event detection system.
Description
Technical field
The invention relates to network security and big data analysis, and specifically to a method and system for discovering DDoS attack events from the mass traffic logs of a large network.
Background art
A distributed denial of service (DDoS) attack uses client/server technology to combine many computers into an attack platform and launch a denial-of-service attack against one or more targets, thereby multiplying the attack's power. Typically the attacker installs a DDoS master program on one computer using a stolen account; at a set time the master communicates with a large number of agent programs already installed on many computers across the network, and the agents attack as soon as they receive the instruction. Using client/server technology, the master can activate hundreds or thousands of agents within seconds.
A DDoS attack occupies large amounts of network resources with a flood of seemingly legitimate requests in order to paralyse the network. Such attacks fall into several patterns: (1) overloading the network so that normal communication is disturbed or blocked; (2) submitting a large number of requests to a server so that the server is overloaded; (3) blocking a particular user's access to a server; (4) blocking a particular service's communication with a particular system or individual.
The means of a distributed denial of service attack are, by definition, distributed. This changes the traditional point-to-point attack model and makes the attack appear random, and the protocols and services used during the attack are usually common ones, so the attack cannot be distinguished by protocol or service type alone. Attack packets also carry forged source IP addresses, so the attack can be neither identified nor traced back from the source address. All of this makes distributed denial of service attacks hard to detect.
Analysing distributed attacks does reveal their characteristics. During a DDoS attack the traffic converges on the address of the target, and no congestion control applies to it. An attack may use random ports, sending large numbers of packets to the target across thousands of ports, or a fixed port, sending all of them to the same port.
The conventional way of detecting DDoS attacks over mass network logs is baseline comparison: the current traffic level of an IP address is compared with its historical baseline level. Storing a baseline for every IP address, however, incurs a large storage and processing overhead.
Summary of the invention
The purpose of the invention is to provide a traffic-log-based DDoS attack event detection method and system that avoid the baseline storage overhead of mass network logs: full baseline data need not be stored, which saves storage space.
To this end the invention adopts the following technical scheme.
A traffic-log-based DDoS attack event detection method comprises the steps of:
determining a statistics period, reading the mass network traffic log in each statistics period, and counting the network traffic volume received by each monitored IP in each statistics period;
storing, for each IP whose traffic received in a single statistics period exceeds a threshold T1, the IP and its corresponding traffic value as a traffic record;
selecting the set of IPs whose current traffic received in the current statistics period exceeds a threshold T2;
for each IP in that set, reading its historical traffic value from the traffic records and, if the historical value of an IP is absent or less than R times its current traffic value, judging that the IP is under DDoS attack.
Further, the statistics period is greater than or equal to 1 second and less than or equal to 1 hour.
Further, the threshold T2 > T1, preferably T2 ≥ 2T1.
Further, the threshold T1 ≥ 1 Mbps; setting T1 appropriately adjusts the storage and computation overhead of the baseline to the capacity of the particular system.
Further, the threshold T2 ≤ 500 Mbps.
Further, the historical traffic value is the average traffic value of the same statistics period on the most recent day, or several days, on which the IP was not under DDoS attack. Days on which an IP was flagged therefore have to be excluded when its baseline is computed; otherwise a sustained attack would raise the baseline and hide itself.
Further, R ≤ 0.5.
Further, the traffic records are stored in NetFlow format.
A traffic-log-based DDoS attack event detection system comprises:
a configuration management module, which loads a repository containing the parameters T1, T2 and R at system initialisation;
a data access module, which periodically reads the traffic records and converts their format to ease subsequent data analysis;
a data analysis module, which analyses the traffic records to find the DDoS attack events in the current statistics period;
an information output module, which sends the DDoS attack events found in the current statistics period to other systems for deeper mining or visual presentation.
Further, the traffic records are stored in a big data platform such as Hadoop.
Compared with the prior art, the advantages of the invention are as follows.
In the method of the invention only traffic values exceeding the threshold T1 are stored. With T1 set appropriately, the IPs with a high probability of DDoS attack are selected and the full baseline data need not be stored, which saves storage space and reduces the computation of the baseline comparison. Without this mechanism all traffic values are stored and the overhead is obviously larger: if storing all traffic values costs 1 GB while storing only those above T1 costs 0.1 GB, the method saves 0.9 GB. Comparing the traffic of the selected IPs with T2 filters further to the IPs with an even higher DDoS likelihood, narrowing the range again. Comparing the current traffic value with the normal traffic value of the same historical period, with R set appropriately, identifies the IP addresses under DDoS attack. The method can effectively detect volumetric DDoS attack events in a large network; attacks that do not raise the target's received volume above T2 are outside its scope.
Brief description of the drawings
Fig. 1 is a flow chart of the traffic-log-based DDoS attack event detection method in an embodiment.
Fig. 2 is a block diagram of the traffic-log-based DDoS attack event detection system in an embodiment.
Fig. 3 is an operation diagram of the traffic-log-based DDoS attack event detection system in an embodiment.
Detailed description of embodiments
To make the above features and advantages of the invention clearer, specific embodiments are described in detail below with reference to the accompanying drawings.
This embodiment provides a traffic-log-based DDoS attack event detection method whose steps, shown in Fig. 1, are:
1) determine the statistics period, a value between 1 second and 1 hour; determine the traffic thresholds such that 2 Mbps ≤ 2T1 ≤ T2 ≤ 500 Mbps; determine the ratio R ≤ 0.5;
2) routinely count the network traffic volume received by every IP in each statistics period;
3) for each IP whose traffic received in a single statistics period exceeds T1, store the IP and its corresponding traffic value as a traffic record;
4) select the set of IPs whose current traffic value in the current statistics period exceeds T2;
5) for each IP in the set and its current traffic value, read from the traffic records the historical traffic value of the same statistics period on the most recent day not under DDoS attack; if the historical value of an IP is absent, or is less than R times the current value, judge that it may be under DDoS attack.
The condition in step 5 is equivalent to current > history / R, so with R = 0.5 an IP is flagged when its traffic is more than twice its same-period historical value, and an IP whose traffic never exceeded T1 has no record and is flagged the first time it exceeds T2.
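The five steps above as a runnable Python example added by the editor; it is not code from the patent. It assumes a simplified flow log with one line per flow, `<unix_ts>,<dst_ip>,<bytes>` (the sample lines are constructed; a real NetFlow export carries many more fields, only these three are needed), a 60-second statistics period, T1 = 2 Mbps, T2 = 10 Mbps and R = 0.5, all chosen inside the ranges the page gives, and one clean warm-up day that only fills the baseline store. The `stored`/`seen` counters show how many per-period rows the T1 filter kept compared with storing every period (the T1 = 0 case the page contrasts itself with).

```python
"""T1/T2/R DDoS detection over a flow log, following the five steps above.
Added example, not the patent's code; flow lines are "<unix_ts>,<dst_ip>,<bytes>" (constructed)."""
from collections import defaultdict
from statistics import mean

PERIOD = 60        # statistics period in seconds (page: 1 s .. 1 h)
T1_MBPS = 2.0      # only periods above T1 go into the baseline store (page: T1 >= 1 Mbps)
T2_MBPS = 10.0     # only IPs above T2 are compared with history (page: T2 >= 2*T1, <= 500 Mbps)
R = 0.5            # alert when history < R * current (page: R <= 0.5)
DAY = 86400


def parse_flow(line):
    ts, dst, nbytes = line.strip().split(",")
    return int(ts), dst, int(nbytes)


def period_rates(lines, period=PERIOD):
    """Step 2: Mbps received per (period_start, dst_ip), summed over all flows."""
    totals = defaultdict(int)
    for line in lines:
        ts, dst, nbytes = parse_flow(line)
        totals[(ts - ts % period, dst)] += nbytes
    return {key: total * 8 / 1e6 / period for key, total in totals.items()}


class BaselineStore:
    """Step 3: (ip, slot-in-day) -> Mbps samples, kept only for periods above T1.
    Periods of an IP judged attacked that day are skipped, so the history stays an
    average over days on which the IP was not under DDoS (claim 6)."""

    def __init__(self, t1=T1_MBPS):
        self.t1 = t1
        self.samples = defaultdict(list)
        self.seen = 0     # (ip, period) rows a T1 = 0 store would hold
        self.stored = 0   # rows actually held

    def store(self, rates, attacked=frozenset()):
        for (start, ip), mbps in rates.items():
            self.seen += 1
            if mbps > self.t1 and ip not in attacked:
                self.samples[(ip, start % DAY)].append(mbps)
                self.stored += 1

    def history(self, ip, start):
        """Average same-slot Mbps over stored days, or None if never above T1."""
        hist = self.samples.get((ip, start % DAY))
        return mean(hist) if hist else None


def detect(rates, store, t2=T2_MBPS, r=R):
    """Steps 4-5: of the IPs above T2, flag those with no history or history < r*current."""
    alerts = {}
    for (start, ip), mbps in rates.items():
        if mbps <= t2:
            continue
        hist = store.history(ip, start)
        if hist is None or hist < r * mbps:
            alerts[ip] = (mbps, hist)
    return alerts


def run(days, warmup_days=1):
    """Process whole days in order: compare against earlier days first, then store.
    Assumption: the first `warmup_days` are clean and only fill the store; the page
    itself compares from the first period, which flags every IP that has no record."""
    store = BaselineStore()
    report = []
    for i, lines in enumerate(days):
        rates = period_rates(lines)
        alerts = {} if i < warmup_days else detect(rates, store)
        store.store(rates, attacked=frozenset(alerts))
        report.append(alerts)
    return store, report


D0 = 1700006400          # 2023-11-15 00:00:00 UTC, start of the first slot (constructed)
D1 = D0 + DAY
DAY0 = [                 # constructed clean warm-up day
    f"{D0 + 3},10.0.0.5,37500000",     # 5 Mbps over the period: stored (> T1)
    f"{D0 + 10},10.0.0.7,150000000",   # 20 Mbps: stored
    f"{D0 + 30},10.0.0.1,3750000",     # 0.5 Mbps: below T1, never stored
]
DAY1 = [                 # constructed day under observation, same slot of the day
    f"{D1 + 1},10.0.0.5,125000000",    # three flows, 50 Mbps in total: 10x its history
    f"{D1 + 2},10.0.0.5,125000000",
    f"{D1 + 4},10.0.0.5,125000000",
    f"{D1 + 7},10.0.0.7,180000000",    # 24 Mbps vs 20 Mbps history: busy but normal
    f"{D1 + 9},10.0.0.9,90000000",     # 12 Mbps with no record at all: flagged
    f"{D1 + 12},10.0.0.3,22500000",    # 3 Mbps: stored, but below T2 so not inspected
    f"{D1 + 40},10.0.0.1,3750000",     # 0.5 Mbps again: ignored
]

if __name__ == "__main__":
    store, report = run([DAY0, DAY1])
    for ip, (now, hist) in sorted(report[1].items()):
        print(f"DDoS suspected: {ip} at {now:.1f} Mbps, same-slot history {hist}")
    print(f"baseline rows stored: {store.stored} of {store.seen} periods seen")
```

Running it flags 10.0.0.5 (50 Mbps against a 5 Mbps same-slot history) and 10.0.0.9 (12 Mbps with no record at all), while 10.0.0.7 at 24 Mbps passes because its 20 Mbps history is above R × 24 = 12 Mbps; the store holds 4 of the 8 periods seen. Without the warm-up day, every IP above T2 on the first day would be flagged for lack of history, which is the cold-start behaviour a deployment has to plan for.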
This embodiment also provides a traffic-log-based DDoS attack event detection system that implements the above method. As shown in Fig. 2, it comprises:
a configuration management module, responsible for loading a repository containing parameters such as T1, T2 and R at system initialisation;
a data access module, responsible for periodically reading the traffic records from the big data platform and converting their format to ease subsequent data analysis;
a data analysis module, responsible for analysing the traffic records and finding the DDoS attack events in the current period;
an information output module, responsible for sending the DDoS attack events found in the current period to other systems for deeper mining or visualisation.
The system is built on a big data platform and can be deployed in a provincial carrier network to collect and analyse network logs and report possible DDoS attack behaviour. Its operation, shown in Fig. 3, is as follows:
1. Deploy the data access module as a network probe at key positions such as the entry points of the monitored network to collect network traffic, generate NetFlow-format logs (the traffic records) and store them in the big data platform. When the platform's storage is limited, records are deleted on a rolling basis, retaining the most recent two weeks to one month.
2. The data analysis module analyses the traffic records stored in the big data platform, tries parameter combinations, detects DDoS attack events and stores the detected events in an event database.
3. Parameter values are adjusted according to the actual results and applied to the system again.
The prior art stores the traffic records of all IPs without screening (equivalent to T1 = 0); the stored information is more complete, but the storage overhead grows rapidly. The method of the invention instead sets a T1 value appropriate to the specific network environment, does not need to store full baseline data, and stores per-period traffic only for the high-traffic IP addresses with evident DDoS suspicion, so storage overhead drops significantly, storage space is saved and the computation of the baseline comparison is reduced. The traffic of the selected IPs is compared with T2 to screen the IPs further, and the current traffic is then compared with the historical traffic to judge DDoS attack. The method can effectively detect volumetric DDoS attack events in a large network.
The above embodiment merely illustrates the technical scheme of the invention and is not intended to limit it; in application it may be extended to other modifications, variations, applications and embodiments, all of which are considered to fall within the scope of the invention.
Claims (10)
1. A traffic-log-based DDoS attack event detection method, comprising the steps of:
determining a statistics period, reading the mass network traffic log in each statistics period, and counting the network traffic volume received by each monitored IP in each statistics period;
storing, for each IP whose traffic received in a single statistics period exceeds a threshold T1, the IP and its corresponding traffic value as a traffic record;
selecting the set of IPs whose current traffic received in the current statistics period exceeds a threshold T2;
for each IP in the set, reading its historical traffic value from the traffic records and, if the historical traffic value of an IP is absent or less than R times its current traffic value, judging that the IP is under DDoS attack.
2. The method according to claim 1, wherein the statistics period is greater than 1 second and less than or equal to 1 hour.
3. The method according to claim 1, wherein the threshold T2 > T1, preferably T2 ≥ 2T1.
4. The method according to claim 1 or 3, wherein the threshold T1 ≥ 1 Mbps.
5. The method according to claim 1 or 3, wherein the threshold T2 ≤ 500 Mbps.
6. The method according to claim 1, wherein the historical traffic value is the average traffic value of the same statistics period on the most recent day, or several days, on which the IP was not under DDoS attack.
7. The method according to claim 1, wherein R ≤ 0.5.
8. The method according to claim 1, wherein the traffic records are stored in NetFlow format.
9. A traffic-log-based DDoS attack event detection system, comprising:
a configuration management module, which loads a repository containing the parameters T1, T2 and R at system initialisation;
a data access module, which periodically reads the traffic records and converts their format;
a data analysis module, which analyses the traffic records to find the DDoS attack events in the current statistics period;
an information output module, which outputs the DDoS attack events found in the current statistics period.
10. The system according to claim 9, wherein the traffic records are stored in a big data platform.
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title
---|---|---|---
CN201710755271 | 2017-08-29 | |
CN2017107552711 | 2017-08-29 | |
Publications (2)
Publication Number | Publication Date
---|---
CN108712365A | 2018-10-26
CN108712365B | 2020-10-27
Family
ID=63866250
Family Applications (1)
Application Number | Title | Priority Date | Filing Date
---|---|---|---
CN201810251701.0A (active, granted as CN108712365B) | DDoS attack event detection method and system based on traffic logs | 2017-08-29 | 2018-03-26
Country Status (1)
Country | Link
---|---
CN | CN108712365B
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title
---|---|---|---|---
CN111200614A | 2020-01-07 | 2020-05-26 | 中山大学 | Defense method and system for third-party anonymous EDoS attack
CN111541655A | 2020-04-08 | 2020-08-14 | 国家计算机网络与信息安全管理中心 | Network abnormal flow detection method, controller and medium
CN113179257A | 2021-04-20 | 2021-07-27 | 杭州迪普科技股份有限公司 | Threshold learning method, apparatus, device and computer readable storage medium
CN115412363A | 2022-09-13 | 2022-11-29 | 杭州迪普科技股份有限公司 | Abnormal flow log processing method and device
Citations (7)
Publication number | Priority date | Publication date | Assignee | Title
---|---|---|---|---
JP4216223B2 | 2004-05-10 | 2009-01-28 | 日本電信電話株式会社 | Network attack detection apparatus and method, and program
US20080196103A1 | 2007-02-09 | 2008-08-14 | Chao-Yu Lin | Method for analyzing abnormal network behaviors and isolating computer virus attacks
CN101729389A | 2008-10-21 | 2010-06-09 | 北京启明星辰信息技术股份有限公司 | Flow control device and method based on flow prediction and trusted network address learning
CN102271068A | 2011-09-06 | 2011-12-07 | 电子科技大学 | Method for detecting DOS/DDOS (denial of service/distributed denial of service) attack
US20130291107A1 | 2012-04-27 | 2013-10-31 | The Irc Company, Inc. | System and Method for Mitigating Application Layer Distributed Denial of Service Attacks Using Human Behavior Analysis
CN104954192A | 2014-03-27 | 2015-09-30 | 东华软件股份公司 | Network flow monitoring method and device
CN106411934A | 2016-11-15 | 2017-02-15 | 平安科技(深圳)有限公司 | DoS (denial of service)/DDoS (distributed denial of service) attack detection method and device
Legal Events
Date | Code | Title | Description
---|---|---|---
| PB01 | Publication |
| SE01 | Entry into force of request for substantive examination |
| GR01 | Patent grant |