CN109040140A - Slow attack detection method and device - Google Patents
- Publication number: CN109040140A
- Authority: CN (China)
- Legal status: Granted (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/1458—Denial of Service
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
Abstract
A slow attack detection method and device are disclosed. The method includes: determining, according to a preset attack value calculation rule, the preset attack features used to calculate an attack value; determining the value of each preset attack feature in a received packet, and calculating the attack value of the packet from those feature values; comparing whether the calculated attack value is greater than a preset attack threshold; and, when the calculated attack value is greater than the preset attack threshold, determining that the packet is a slow attack packet and calculating a new attack threshold. The new attack threshold is used for subsequent slow attack detection and is not greater than the old attack threshold.
Description
Technical field
The embodiments of this specification relate to the field of network communication technology, and in particular to a slow attack detection method and device.
Background
With the rapid development of networks, network security problems are also growing. DDoS (Distributed Denial of Service) attacks are among the most powerful and hardest to defend against at present; their main purpose is to make a specified target unable to provide normal service. Earlier DDoS attacks were mainly high-volume attacks built on a single kind of packet. In recent years they have developed into slow attacks, which are more concealed: a slow attack is a variation on normal network protocol behaviour and fully complies with protocol requirements, so protecting against it is more difficult.
A slow attack mainly works by maintaining connections to the server, using a small amount of data and a low rate, in order to consume server resources. In the prior art, slow attacks are detected mainly by examining attributes such as the size of the request data, the server response time and the rate to judge whether traffic is a slow attack, so there is a certain false positive rate.
Summary of the invention
In view of this, the embodiments of this specification provide a slow attack detection method and device. The technical solution is as follows:
A slow attack detection method, characterized in that the method includes:
determining, according to a preset attack value calculation rule, the preset attack features used to calculate an attack value;
determining the value of each preset attack feature in a received packet, and calculating the attack value of the packet from those feature values;
comparing whether the calculated attack value is greater than a preset attack threshold;
when the calculated attack value is greater than the preset attack threshold, determining that the packet is a slow attack packet and calculating a new attack threshold; the new attack threshold is used for subsequent slow attack detection and is not greater than the old attack threshold.
A slow attack detection device, characterized in that the device includes:
a feature determination module, for determining, according to a preset attack value calculation rule, the preset attack features used to calculate an attack value;
an attack value calculation module, for determining the value of each preset attack feature in a received packet and calculating the attack value of the packet from those feature values;
an attack value comparison module, for comparing whether the calculated attack value is greater than a preset attack threshold;
an attack determination module, for determining that the packet is a slow attack packet when the calculated attack value is greater than the preset attack threshold;
a threshold update module, for calculating a new attack threshold when the calculated attack value is greater than the preset attack threshold; the new attack threshold is used for subsequent slow attack detection and is not greater than the old attack threshold.
In the technical solution provided by the embodiments of this specification, the features of the various kinds of slow attack are extracted in advance. For a received packet, the attack value is calculated according to whether the packet has or matches the slow attack features, and the size of that attack value is used to judge whether the received packet is an attack packet. Moreover, as the number of slow attack packets sent by the same sender increases, the attack value at which a packet is identified as an attack packet becomes smaller, so slow attacks are detected dynamically and flexibly and the false positive rate is reduced.
It should be understood that the general description above and the detailed description below are only exemplary and explanatory and do not limit the embodiments of this specification.
In addition, no single embodiment of this specification needs to achieve all of the effects above.
Brief description of the drawings
To explain the embodiments of this specification or the technical solutions in the prior art more clearly, the drawings needed to describe the embodiments or the prior art are briefly introduced below. The drawings described below are obviously only some of the embodiments recorded in this specification; a person of ordinary skill in the art can obtain other drawings from them.
Fig. 1 is a flow diagram of the slow attack detection method of an embodiment of this specification;
Fig. 2 is a structural diagram of the slow attack detection device of an embodiment of this specification;
Fig. 3 is a structural diagram of the attack value calculation module of an embodiment of this specification;
Fig. 4 is another structural diagram of the attack value calculation module of an embodiment of this specification;
Fig. 5 is another structural diagram of the attack value calculation module of an embodiment of this specification.
Detailed description of embodiments
To help those skilled in the art better understand the technical solutions in the embodiments of this specification, those solutions are described in detail below with reference to the drawings. The described embodiments are obviously only some of the embodiments of this specification, not all of them. All other embodiments obtained by a person of ordinary skill in the art on the basis of the embodiments in this specification shall fall within the scope of protection.
A slow attack mainly works by maintaining connections to the server, using a small amount of data and a low rate, in order to consume server resources. There are three main classes: Slow headers, Slow body and Slow read.
The principle of the Slow headers attack is as follows. Because the HTTP header contains important information that applications may use, the server can only process the data in an HTTP request after it has received all of the HTTP headers. The server considers the HTTP header complete, and starts processing, only when it has received two consecutive \r\n, that is, "\r\n\r\n". The sender acting as attacker therefore initiates an HTTP request and keeps sending HTTP headers without stopping, consuming the server's connection and memory resources.
The principle of the Slow body attack is that the sender acting as attacker sends the server an HTTP POST request whose Content-Length header value is very large. The server therefore assumes the sender needs to transmit a large amount of data and keeps the connection open, ready to receive it, but the attacker sends only a tiny amount of data each time, keeping the connection alive and consuming a large amount of server resources.
The principle of the Slow read attack is that the sender acting as attacker establishes a connection with the server and sends an HTTP request, keeps the connection open, and then reads the server's response data at a very low speed, consuming the server's connection and memory resources.
In the prior art there are mainly two schemes for detecting the slow attacks above.
The first uses the mod_reqtimeout module to configure the timeout and minimum rate for receiving the HTTP header and HTTP body. If the sender cannot send the header or body data within the configured time, protective measures such as returning a 408 REQUEST TIME OUT error can be taken.
The other uses the mod_qos module to configure an HTTP request threshold. If the number of requests within a certain period is too large and exceeds the threshold, certain protective measures can be taken.
In both detection schemes, the timeout, minimum rate or request threshold is a single fixed setting. If the configured values are strict, the false positive rate is high; if the configured values are loose, attacks cannot be effectively detected and protected against.
To address the technical problems above, the embodiments of this specification provide a slow attack detection method. Referring to Fig. 1, the method may include the following steps:
S101: determine, according to a preset attack value calculation rule, the preset attack features used to calculate an attack value.
The features to be checked during detection can be determined from the three classes of slow attack described above. For example, for the Slow headers attack, "\r\n\r\n" can be set in advance as an attack feature; for the Slow body attack, "Content-Length" can be set in advance as an attack feature; and so on. The embodiments of this specification do not need to restrict the specific preset attack features; those skilled in the art can choose and set them according to actual needs.
S102: determine the value of each preset attack feature in the received packet, and calculate the attack value of the packet from those feature values.
In one specific implementation of the embodiments of this specification, the length of the received packet can be determined first, and it can be judged whether the determined packet length is a preset length value, for example whether the request packet data length is 0.
When the determined packet length is the preset length value, it can be further judged whether the packet is an acknowledgement (ACK) packet. In addition, because data flow during transmission is controlled by the window size, it can also be judged whether the receive window value of the packet is a preset window value, for example 0.
When the packet is an acknowledgement packet and its receive window value is the preset window value, the value of the corresponding attack feature is obtained from the preset length value, the acknowledgement packet type and the preset window value.
When the determined packet length is not the preset length value, it can be further judged whether the packet includes a preset string, for example "\r\n\r\n". If it does, the packet can be determined not to be a Slow headers attack packet; if it does not, other features can be judged further.
Specifically, when the packet includes the preset string, it is judged whether the packet includes header information and payload. If the packet includes only header information, only the preset field value in the header information, such as the Content-Length field value, is recorded; the packet can be determined not to be a slow attack packet and detection does not continue. If the packet includes both header information and payload, the preset field value in the header information (such as the Content-Length field value) and the length of the included payload are recorded; the packet can be determined not to be a slow attack packet and detection does not continue.
When the packet includes only payload, it is necessary to detect whether the server is under a Slow body attack. Specifically, the previous request packet corresponding to this packet is determined first, and the total payload length is obtained from the payload length of this packet and the payload length of the previous request packet. The total payload length is then compared with the preset field value in the header information of the previous request packet, for example the Content-Length field value (which was recorded when the previous packet was examined). If the total payload length is less than the Content-Length field value, the server may be under a Slow body attack, and the value of the corresponding attack feature is obtained from the comparison result and the request packet type.
When the packet does not include the preset string, other features can be judged further. Specifically, the maximum segment length of the packet can be determined first and then compared with the packet length; if the packet length is less than the maximum segment length, the value of the corresponding attack feature is obtained from the packet length and the maximum segment length.
Once the value of each preset attack feature in the received packet has been determined, the attack value of the packet can be calculated from those feature values according to the preset attack value calculation rule.
For example, the features detected, such as "packet length less than the maximum segment length", "total payload length less than the Content-Length field value" or "includes the preset string", can be used to determine the possible attack type. In the preset attack value calculation rule, a weight or other calculation coefficient can be set in advance for each attack type, so that the total attack value is obtained by a weighted operation over the types or by some other operation.
As another example, the preset attack value calculation rule can set a calculation coefficient in advance for each preset attack feature, so that the total attack value is obtained by combining the attack features that the examined packet matches or includes with their calculation coefficients.
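The S102 checks and the per-feature coefficient rule can be put together as follows; this is an added illustration, not code from the patent. The `Segment` and `ConnState` models, the feature names and the coefficient values are assumptions, the maximum segment length is taken to be the TCP MSS, and payload-only segments are recognised from the recorded request rather than from the preset-string test.

```python
from dataclasses import dataclass
from typing import Optional

HEADER_END = b"\r\n\r\n"      # the preset string named in the description

# Assumed per-feature calculation coefficients; the description leaves the values open.
COEFFICIENTS = {
    "zero_window_ack": 40,                # empty ACK advertising window 0 (Slow read)
    "body_short_of_content_length": 35,   # body so far < recorded Content-Length (Slow body)
    "unterminated_header_below_mss": 30,  # no \r\n\r\n and shorter than the MSS (Slow headers)
}

@dataclass
class Segment:                # hypothetical model of one received TCP segment
    payload: bytes = b""
    ack: bool = False
    window: int = 65535
    mss: int = 1460

@dataclass
class ConnState:              # values recorded from the previous request on this connection
    content_length: Optional[int] = None
    body_seen: int = 0

def _content_length(head: bytes) -> Optional[int]:
    """Return the Content-Length field value from a header block, if present."""
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-length" and value.strip().isdigit():
            return int(value.strip().decode())
    return None

def extract_features(seg: Segment, state: ConnState) -> set:
    """Walk the S102 checks for one segment and return the features it matches."""
    size = len(seg.payload)
    if size == 0:                                     # preset length value (0)
        if seg.ack and seg.window == 0:               # ACK with preset window value (0)
            return {"zero_window_ack"}
        return set()
    if state.content_length is not None:              # payload-only segment of a recorded request
        state.body_seen += size
        if state.body_seen < state.content_length:
            return {"body_short_of_content_length"}
        state.content_length, state.body_seen = None, 0   # body complete
        return set()
    if HEADER_END in seg.payload:                     # header finished: record, do not flag
        head, _, body = seg.payload.partition(HEADER_END)
        declared = _content_length(head)
        if declared is not None and len(body) < declared:
            state.content_length, state.body_seen = declared, len(body)
        return set()
    if size < seg.mss:                                # header still open, undersized segment
        return {"unterminated_header_below_mss"}
    return set()

def attack_value(features: set) -> int:
    """Combine matched features with their coefficients into one attack value."""
    return sum(COEFFICIENTS[name] for name in features)

def score_connection(segments) -> list:
    """Score every segment of one connection in arrival order."""
    state = ConnState()
    return [attack_value(extract_features(seg, state)) for seg in segments]

# Constructed traces, one per attack class plus a normal request.
SLOW_HEADERS = [Segment(b"GET / HTTP/1.1\r\nHost: example.test\r\n"), Segment(b"X-a: 1\r\n")]
SLOW_BODY = [Segment(b"POST /form HTTP/1.1\r\nContent-Length: 1000\r\n\r\n"),
             Segment(b"a"), Segment(b"b")]
SLOW_READ = [Segment(b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
             Segment(ack=True, window=0)]
NORMAL = [Segment(b"POST /form HTTP/1.1\r\nContent-Length: 3\r\n\r\na=1")]

if __name__ == "__main__":
    for name, trace in [("slow headers", SLOW_HEADERS), ("slow body", SLOW_BODY),
                        ("slow read", SLOW_READ), ("normal", NORMAL)]:
        print(name, score_connection(trace))
```

A single matching segment is only a signal: ordinary multi-segment uploads also match the Slow body feature on their intermediate segments, which is why the attack value is compared against a threshold in the next step rather than acted on directly.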
S103: compare whether the calculated attack value is greater than the preset attack threshold.
S104: when the calculated attack value is greater than the preset attack threshold, determine that the packet is a slow attack packet and calculate a new attack threshold. The new attack threshold is used for subsequent slow attack detection and is not greater than the old attack threshold.
In one specific implementation of the embodiments of this specification, when the packet is determined to be a slow attack packet, the sender identifier of the packet, such as the sender's IP address or MAC address, is recorded.
Each time a new attack threshold needs to be calculated, the sender identifier of the packet is determined first. Then, according to the previously recorded sender identifiers, the number of attacks by the sender of this packet is determined, and the new attack threshold is calculated from the number of attacks and the attack threshold, where the new attack threshold is negatively correlated with the number of attacks and positively correlated with the old attack threshold.
For example, suppose a certain IP address has sent packets determined to be slow attack packets n times in total, the current attack threshold is Y, and a calculation base m (m > 1) is preset; the new attack threshold Y' can then be calculated as:
By updating the attack threshold, the strictness with which a packet is judged to be a slow attack packet becomes positively correlated with the number of slow attack packets the attacker has sent, so slow attacks are detected more flexibly and more accurately.
In one specific implementation of the embodiments of this specification, the time interval between multiple attacks and their duration can also be recorded and calculated. Specifically, when the packet is determined to be a slow attack packet, the sender identifier of the packet is recorded and the current time is recorded as the attack time. Then, according to the previously recorded attack times and sender identifiers, it is determined whether an attack time has already been recorded for the sender of this packet. If so, the time interval between the last attack time and this attack time is calculated, and the attack handling operation for that sender is determined from the relationship between the time interval and a preset duration threshold.
For example, it is judged whether the time interval is not less than the preset duration threshold; if so, the sender identifier is added to a blacklist. A ban duration for the blacklist can also be preset and the time since the sender was added to the blacklist counted; when that time reaches the ban duration, the sender can be unbanned.
Sender identifiers and attack times can be recorded in a hash table established in advance. Specifically, each distinct sender can be stored in the hash table as a node, with the attack times stored in the corresponding node, so that the nodes in the hash table record the number of times and the times at which different senders have sent slow attack packets to the server.
Also, to lighten the server's burden of detecting slow attacks, a detection cycle can be set. If the interval between packets from the same sender that are determined to be attack packets is too long and exceeds the detection cycle, operations such as updating the attack threshold, adding the sender to the blacklist and banning are not performed.
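The following added sketch, which is not code from the patent, ties S103 and S104 to the per-sender hash table, the blacklist and the detection cycle. The threshold formula is not reproduced on this page, so `next_threshold` uses an assumed stand-in with the stated properties; all constants and names are likewise assumptions.

```python
import math
from dataclasses import dataclass
from typing import Optional

BASE_THRESHOLD = 30.0       # initial attack threshold Y (assumed value)
M = 2.0                     # calculation base m, m > 1 (assumed value)
DURATION_THRESHOLD = 10.0   # preset duration threshold in seconds (assumed value)
DETECTION_CYCLE = 60.0      # detection cycle in seconds (assumed value)
BAN_SECONDS = 300.0         # blacklist ban duration in seconds (assumed value)

@dataclass
class SenderNode:           # one hash-table node per sender identifier
    threshold: float = BASE_THRESHOLD
    attacks: int = 0
    last_attack: Optional[float] = None
    banned_until: float = 0.0

def next_threshold(old: float, attacks: int, m: float = M) -> float:
    """Assumed update rule: Y' = Y / (1 + log_m(n)).

    Y' never exceeds Y, falls as n grows and rises with Y, which is all the
    description requires of the formula.
    """
    return old / (1.0 + math.log(attacks, m))

class SlowAttackTracker:
    def __init__(self) -> None:
        self.table = {}     # sender identifier -> SenderNode (a dict is a hash table)

    def observe(self, sender: str, value: float, now: float) -> str:
        """Apply S103/S104 to one packet's attack value and return the verdict."""
        node = self.table.get(sender)
        if node is not None and now < node.banned_until:
            return "blocked"                       # still inside the ban duration
        threshold = node.threshold if node is not None else BASE_THRESHOLD
        if value <= threshold:                     # S103: not greater than the threshold
            return "pass"
        if node is None:                           # S104: record the sender on first attack
            node = self.table[sender] = SenderNode()
        previous, node.last_attack = node.last_attack, now
        if previous is not None and now - previous > DETECTION_CYCLE:
            return "attack"                        # too far apart: no update, no blacklist
        node.attacks += 1
        node.threshold = next_threshold(node.threshold, node.attacks)
        # The description blacklists when the interval is not less than the duration threshold.
        if previous is not None and now - previous >= DURATION_THRESHOLD:
            node.banned_until = now + BAN_SECONDS
            return "attack+blacklist"
        return "attack"

def replay(events) -> list:
    """Feed (sender, attack value, timestamp) tuples through a fresh tracker."""
    tracker = SlowAttackTracker()
    return [tracker.observe(*event) for event in events]

# Constructed events: (sender identifier, attack value, seconds since start).
EVENTS = [
    ("198.51.100.7", 35, 0),     # first attack packet, threshold stays 30
    ("198.51.100.7", 20, 2),     # below 30: pass
    ("198.51.100.7", 35, 3),     # second attack, threshold drops to 15
    ("198.51.100.7", 20, 4),     # the same value 20 now counts as an attack
    ("203.0.113.9", 20, 4),      # another sender is still judged against 30
    ("203.0.113.9", 35, 10),     # its first attack packet
    ("198.51.100.7", 20, 20),    # interval 16 s >= 10 s: blacklisted until t = 320
    ("198.51.100.7", 35, 30),    # banned
    ("203.0.113.9", 35, 100),    # 90 s after its last attack: outside the detection cycle
    ("198.51.100.7", 1, 400),    # ban expired, value below the lowered threshold
]

if __name__ == "__main__":
    for event, verdict in zip(EVENTS, replay(EVENTS)):
        print(event, "->", verdict)
```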
In one specific implementation of the embodiments of this specification, when the packet is determined to be a slow attack packet, the attack type of this slow attack can also be determined from the values of the preset attack features, and the protective action corresponding to that attack type can be taken according to a preset correspondence between attack types and protective actions.
The protective action includes a blocking action and/or an alarm action. The blocking action blocks the connection between the sender of the packet and the local end, for example by sending a RST packet. The alarm action raises a slow attack alarm in a preset manner, for example by sending a log on the security device.
As can be seen, with the slow attack detection scheme provided by this specification, the attack value of a received packet can be calculated from the characteristics of the various kinds of slow attack and compared with the preset attack threshold to determine whether the packet may be a slow attack packet. If the same sender repeatedly sends slow attack packets within a short time, its attack threshold is gradually reduced, that is, detection of that sender becomes gradually stricter. This achieves more flexible and more accurate slow attack detection and strikes a balance between reducing the false positive rate and increasing detection strictness.
Corresponding to the method embodiment above, the embodiments of this specification also provide a slow attack detection device. Referring to Fig. 2, the device may include:
a feature determination module 110, for determining, according to a preset attack value calculation rule, the preset attack features used to calculate an attack value;
an attack value calculation module 120, for determining the value of each preset attack feature in a received packet and calculating the attack value of the packet from those feature values;
an attack value comparison module 130, for comparing whether the calculated attack value is greater than a preset attack threshold;
an attack determination module 140, for determining that the packet is a slow attack packet when the calculated attack value is greater than the preset attack threshold;
a threshold update module 150, for calculating a new attack threshold when the calculated attack value is greater than the preset attack threshold; the new attack threshold is used for subsequent slow attack detection and is not greater than the old attack threshold.
In one specific implementation of the embodiments of this specification, referring to Fig. 3, the attack value calculation module 120 may include:
a first judging submodule 121, for determining the length of the received packet and judging whether the determined packet length is a preset length value;
a second judging submodule 122, for judging, when the determined packet length is the preset length value, whether the packet is an acknowledgement packet and whether the receive window value of the packet is a preset window value;
a feature value determination submodule 123, for obtaining the value of the corresponding attack feature from the preset length value, the acknowledgement packet type and the preset window value when the packet is an acknowledgement packet and its receive window value is the preset window value.
In one specific implementation of the embodiments of this specification, referring to Fig. 4, the attack value calculation module 120 may also include:
a third judging submodule 124, for judging whether the packet includes a preset string when the determined packet length is not the preset length value;
a fourth judging submodule 125, for judging whether the packet includes header information and payload when the packet includes the preset string;
the feature value determination submodule 123, which is also used, when the packet includes only payload, to determine the previous request packet corresponding to the packet; to obtain the total payload length from the payload length of this packet and the payload length of the previous request packet; and to compare the total payload length with the preset field value in the header information of the previous request packet and obtain the value of the corresponding attack feature from the comparison result and the inclusion of the preset string.
In one specific implementation of the embodiments of this specification, referring to Fig. 5, the attack value calculation module 120 may also include:
a preset value recording submodule 126, for recording the preset field value in the header information when the packet includes only header information; and/or recording the preset field value in the header information and the length of the included payload when the packet includes both header information and payload.
For the functions of each unit in the device above and how they are realized, see the realization of the corresponding steps in the method above; they are not repeated here.
Since the device embodiment essentially corresponds to the method embodiment, refer to the description of the method embodiment for the relevant parts. The device embodiments described above are merely illustrative: units described as separate components may or may not be physically separate, and components shown as units may or may not be physical units, that is, they may be located in one place or distributed over multiple network units. Some or all of the modules can be selected according to actual needs to achieve the purpose of the scheme of this specification. A person of ordinary skill in the art can understand and implement this without creative effort.
Although this specification contains many specific implementation details, these should not be construed as limiting the scope of any invention or of what is claimed; they mainly describe features of specific embodiments of a specific invention. Certain features described in multiple embodiments in this specification can also be implemented in combination in a single embodiment. Conversely, various features described in a single embodiment can also be implemented separately in multiple embodiments or in any suitable sub-combination. In addition, although features may act in certain combinations as described above, and may even initially be claimed as such, one or more features of a claimed combination can in some cases be removed from the combination, and the claimed combination can be directed to a sub-combination or a variation of a sub-combination.
Similarly, although operations are depicted in the drawings in a particular order, this should not be understood as requiring that the operations be performed in the particular order shown or sequentially, or that all illustrated operations be performed, to achieve the desired result. In some cases multitasking and parallel processing may be advantageous. In addition, the separation of the various system modules and components in the embodiments above should not be understood as requiring such separation in all embodiments, and it should be understood that the described program components and systems can generally be integrated together in a single software product or packaged into multiple software products.
Specific embodiments of the subject matter have thus been described. Other embodiments are within the scope of the appended claims. In some cases the actions recorded in the claims can be performed in a different order and still achieve the desired result. In addition, the processes depicted in the drawings do not necessarily require the particular order shown, or a sequential order, to achieve the desired result. In some implementations multitasking and parallel processing may be advantageous.
The above are only preferred embodiments of this specification and do not limit the embodiments of this specification. Any modification, equivalent substitution, improvement and the like made within the spirit and principles of the embodiments of this specification shall be included within the scope of protection of the embodiments of this specification.
Claims (10)
1. a kind of attack detection method at a slow speed, which is characterized in that the described method includes:
According to preset attack value computation rule, the default attack signature for calculating attack value is determined;
It determines the value of each default attack signature in the message received, and calculates the attack of the message according to the characteristic value
Value;
Whether attack value more calculated is greater than default attack threshold value;
In the case where attack value calculated is greater than default attack threshold value, determine that the message is attack message at a slow speed, and count
Calculate new attack threshold value;The new attack threshold value is used for subsequent attack detecting at a slow speed, and the new attack threshold value is attacked no more than old
Hit threshold value.
2. the method according to claim 1, wherein each default attack signature in the message that the determination receives
Value, comprising:
Determine the length of the message received;
Whether message length determined by judging is preset length value;
In the case where identified message length is preset length value, judge whether the message is confirmation message and the report
Whether the reception window value of text is preset window value;
The message be confirmation message and receive window value be preset window value in the case where, according to the preset length value,
Confirmation message type and preset window value, obtain the value of corresponding attack signature.
3. according to the method described in claim 2, it is characterized in that, the method also includes:
In the case where identified message length is not preset length value, judge whether the message includes preset characters string;
In the case where the message includes preset characters string, judge in the message whether to include head information and load;
In the case where only including load in the message, the corresponding upper request message of the message is determined;
According to the payload length of the payload length of this message and a upper request message, total load length is obtained;
Compare the predetermined word segment value in total load length and the head information of a upper request message, and according to comparison result and institute
State the value that corresponding attack signature is obtained including preset characters string.
4. The method according to claim 3, wherein the method further comprises:
in the case where the message includes only header information, recording the preset field value in the header information;
and/or
in the case where the message includes header information and a payload, recording the preset field value in the header information and the length of the included payload.
5. The method according to claim 3, wherein the method further comprises:
in the case where the message does not include the preset character string, determining the maximum segment length of the message;
comparing whether the message length is less than the maximum segment length, and if so, obtaining the value of the corresponding attack feature according to the message length and the maximum segment length.
6. The method according to claim 1, wherein the method further comprises:
in the case where the message is determined to be a slow attack message, recording the sender identifier of the message;
and wherein calculating the new attack threshold comprises:
determining the sender identifier of the message;
determining, according to the pre-recorded sender identifiers, the attack count of the sender corresponding to this message;
calculating the new attack threshold according to the attack count and the attack threshold, wherein the new attack threshold is negatively correlated with the attack count and positively correlated with the old attack threshold.
7. The method according to claim 1, wherein the method further comprises:
in the case where the message is determined to be a slow attack message, recording the sender identifier of the message, and recording the current time as the attack time;
determining, according to the pre-recorded attack times and sender identifiers, whether a recorded attack time exists for the sender corresponding to this message;
if so, calculating the time interval between the last attack time and this attack time, and determining the corresponding attack processing operation for the sender according to the relationship between the time interval and a preset duration threshold.
8. The method according to claim 7, wherein determining the corresponding attack processing operation for the sender according to the relationship between the time interval and the preset duration threshold comprises:
judging whether the time interval is not less than the preset duration threshold;
if so, adding the sender identifier to a blacklist.
9. The method according to claim 1, wherein the method further comprises:
in the case where the message is determined to be a slow attack message, determining the attack type of this slow attack according to the determined values of the preset attack features;
taking the protection action corresponding to this attack type according to a preset correspondence between attack types and protection actions;
wherein the protection action includes a blocking action and/or an alarm action;
the blocking action is used to block the connection between the sender of the message and the local end;
the alarm action is used to issue a slow attack alarm in a preset manner.
10. A slow attack detection device, wherein the device comprises:
a feature determination module, configured to determine, according to a preset attack value computation rule, the preset attack features used for calculating an attack value;
an attack value computing module, configured to determine the value of each preset attack feature in a received message, and to calculate the attack value of the message according to the feature values;
an attack value comparison module, configured to compare whether the calculated attack value is greater than a preset attack threshold;
an attack determining module, configured to determine that the message is a slow attack message in the case where the calculated attack value is greater than the preset attack threshold;
a threshold update module, configured to calculate a new attack threshold in the case where the calculated attack value is greater than the preset attack threshold; the new attack threshold is used for subsequent slow attack detection, and the new attack threshold is not greater than the old attack threshold.
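The adaptive threshold of claims 1 and 6, together with the per-sender interval check of claims 7 and 8, can be sketched as follows. This is an added illustration, not code from the patent: the feature names, the weights, the update formula `old / (1 + 0.1 * count)`, the floor and all numeric values are assumptions chosen only to satisfy the relationships the claims state.

```python
from dataclasses import dataclass, field

# Assumed weights: the claims say only that a preset rule maps feature values to an attack value.
WEIGHTS = {"ack_preset_window": 0.6, "payload_vs_header_field": 0.5, "short_segment": 0.3}

@dataclass
class SlowAttackDetector:
    threshold: float = 0.55            # preset attack threshold (assumed value)
    floor: float = 0.2                 # assumed lower bound, not in the claims
    duration_threshold: float = 30.0   # preset duration threshold in seconds (assumed)
    attack_counts: dict = field(default_factory=dict)
    last_attack: dict = field(default_factory=dict)
    blacklist: set = field(default_factory=set)

    def attack_value(self, features):
        """Weighted sum of the attack-feature values (assumed computation rule)."""
        return sum(WEIGHTS[name] * value for name, value in features.items())

    def inspect(self, sender, features, now):
        """Return True if the message is classified as a slow attack message."""
        if self.attack_value(features) <= self.threshold:
            return False
        # Claim 6: record the sender and count its attacks.
        count = self.attack_counts.get(sender, 0) + 1
        self.attack_counts[sender] = count
        # Claims 7-8: compare the interval since the sender's last recorded attack.
        previous = self.last_attack.get(sender)
        if previous is not None and now - previous >= self.duration_threshold:
            self.blacklist.add(sender)
        self.last_attack[sender] = now
        # Claims 1 and 6: the new threshold falls as the count rises, scales with the
        # old threshold, and never exceeds it (given an initial threshold >= floor).
        self.threshold = max(self.floor, self.threshold / (1 + 0.1 * count))
        return True

def run_demo():
    """Replay three constructed messages from one sender (documentation address)."""
    detector = SlowAttackDetector()
    sender = "198.51.100.7"
    borderline = {"short_segment": 1.0, "ack_preset_window": 0.4}    # value 0.54
    strong = {"payload_vs_header_field": 1.0, "short_segment": 0.5}  # value 0.65
    verdicts = [
        detector.inspect(sender, borderline, now=0.0),   # below 0.55: passes
        detector.inspect(sender, strong, now=10.0),      # flagged, threshold -> 0.50
        detector.inspect(sender, borderline, now=50.0),  # same features now flagged
    ]
    return verdicts, detector

if __name__ == "__main__":
    verdicts, detector = run_demo()
    print(verdicts, round(detector.threshold, 4), detector.blacklist)
```

The replay shows the effect of the tightening threshold: a message that passes before the first detection is classified as a slow attack message once the threshold has been lowered.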
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201811203799.9A CN109040140B (en) | 2018-10-16 | 2018-10-16 | Slow attack detection method and device |
Publications (2)
Publication Number | Publication Date |
---|---|
CN109040140A (en) | 2018-12-18 |
CN109040140B CN109040140B (en) | 2021-03-23 |
Family
ID=64613344
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201811203799.9A Active CN109040140B (en) | 2018-10-16 | 2018-10-16 | Slow attack detection method and device |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN109040140B (en) |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101998400A (en) * | 2009-08-12 | 2011-03-30 | 中国移动通信集团天津有限公司 | Authentication random number detection method and SIM (Subscriber Identity Module) card |
KR20130006750A (en) * | 2011-06-20 | 2013-01-18 | 한국전자통신연구원 | Method for identifying a denial of service attack and apparatus for the same |
US20130055375A1 (en) * | 2011-08-29 | 2013-02-28 | Arbor Networks, Inc. | Method and Protection System for Mitigating Slow HTTP Attacks Using Rate and Time Monitoring |
CN105991509A (en) * | 2015-01-27 | 2016-10-05 | 杭州迪普科技有限公司 | Session processing method and apparatus |
CN106471778A (en) * | 2014-07-04 | 2017-03-01 | 日本电信电话株式会社 | Attack detecting device, attack detection method and attack detecting program |
Cited By (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111478893A (en) * | 2020-04-02 | 2020-07-31 | 中核武汉核电运行技术股份有限公司 | Detection method for slow HTTP attack |
CN111478893B (en) * | 2020-04-02 | 2022-06-28 | 中核武汉核电运行技术股份有限公司 | Detection method for slow HTTP attack |
CN112738099A (en) * | 2020-12-28 | 2021-04-30 | 北京天融信网络安全技术有限公司 | Method and device for detecting slow attack, storage medium and electronic equipment |
CN112738099B (en) * | 2020-12-28 | 2022-07-12 | 北京天融信网络安全技术有限公司 | Method and device for detecting slow attack, storage medium and electronic equipment |
CN112866233A (en) * | 2021-01-14 | 2021-05-28 | 华南理工大学 | Method, equipment and medium for protecting slow DDOS attack |
CN113242260A (en) * | 2021-06-09 | 2021-08-10 | 中国银行股份有限公司 | Attack detection method and device, electronic equipment and storage medium |
CN113242260B (en) * | 2021-06-09 | 2023-02-21 | 中国银行股份有限公司 | Attack detection method and device, electronic equipment and storage medium |
CN114422272A (en) * | 2022-03-28 | 2022-04-29 | 北京信安世纪科技股份有限公司 | Data processing system, method and server side equipment |
CN115242551A (en) * | 2022-09-21 | 2022-10-25 | 北京中科网威信息技术有限公司 | Slow attack defense method and device, electronic equipment and storage medium |
CN115242551B (en) * | 2022-09-21 | 2022-12-06 | 北京中科网威信息技术有限公司 | Slow attack defense method and device, electronic equipment and storage medium |
Also Published As
Publication number | Publication date |
---|---|
CN109040140B (en) | 2021-03-23 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN109040140A (en) | A kind of attack detection method and device at a slow speed | |
US11924170B2 (en) | Methods and systems for API deception environment and API traffic control and security | |
CN105577608B (en) | Network attack behavior detection method and device | |
US10771501B2 (en) | DDoS attack defense method, system, and related device | |
Tang et al. | SIP flooding attack detection with a multi-dimensional sketch design | |
CN107645478B (en) | Network attack defense system, method and device | |
Gasior et al. | Exploring covert channel in android platform | |
Jeyanthi et al. | An Entropy Based Approach to Detect and Distinguish DDoS Attacks from Flash Crowds in VoIP Networks. | |
CN108234516B (en) | Method and device for detecting network flooding attack | |
Fu et al. | Analytical and empirical analysis of countermeasures to traffic analysis attacks | |
CN109743314A (en) | Monitoring method, device, computer equipment and its storage medium of Network Abnormal | |
CN110858831B (en) | Safety protection method and device and safety protection equipment | |
Wang et al. | Walkie-talkie: An effective and efficient defense against website fingerprinting | |
CN108616488A (en) | A kind of defence method and defensive equipment of attack | |
Liu et al. | Real-time diagnosis of network anomaly based on statistical traffic analysis | |
CN107454065A (en) | A kind of means of defence and device of UDP Flood attacks | |
CN104125213A (en) | Distributed denial of service DDOS attack resisting method and device for firewall | |
Gharvirian et al. | Neural network based protection of software defined network controller against distributed denial of service attacks | |
CN105939321B (en) | A kind of DNS attack detection method and device | |
Sree et al. | Detection of http flooding attacks in cloud using dynamic entropy method | |
Huang et al. | Detecting stepping-stone intruders by identifying crossover packets in SSH connections | |
Mohammadi et al. | Software defined network-based HTTP flooding attack defender | |
Bhale et al. | An adaptive and lightweight solution to detect mixed rate ip spoofed ddos attack in iot ecosystem | |
Liu et al. | Anomaly diagnosis based on regression and classification analysis of statistical traffic features | |
Al-Dayil et al. | Detecting social media mobile botnets using user activity correlation and artificial immune system |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | PB01 | Publication | |
 | SE01 | Entry into force of request for substantive examination | |
 | GR01 | Patent grant | |
 | TR01 | Transfer of patent right | Effective date of registration: 20210610. Address after: 310051 05, room A, 11 floor, Chung Cai mansion, 68 Tong Xing Road, Binjiang District, Hangzhou, Zhejiang. Patentee after: Hangzhou Dip Information Technology Co.,Ltd. Address before: 6 / F, Zhongcai building, 68 Tonghe Road, Binjiang District, Hangzhou City, Zhejiang Province. Patentee before: Hangzhou DPtech Technologies Co.,Ltd. |