CN109040140A - Slow attack detection method and device - Google Patents

Info

Publication number
CN109040140A
Authority
CN (China)
Prior art keywords
attack, message, value, threshold value, slow speed
Legal status
Granted
Application number
CN201811203799.9A
Other languages
Chinese (zh)
Other versions
CN109040140B (en)
Inventors
许雪峰, 吴庆, 王树太
Current Assignee
Hangzhou DPtech Information Technology Co Ltd
Original Assignee
Hangzhou DPTech Technologies Co Ltd
Application filed by Hangzhou DPTech Technologies Co Ltd
Priority to CN201811203799.9A
Publication of CN109040140A
Application granted
Publication of CN109040140B
Legal status
Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1458 Denial of Service
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection

Abstract

A slow attack detection method and device are disclosed. The slow attack detection method is characterized in that it comprises: determining, according to a preset attack score computation rule, the preset attack features used to compute an attack score; determining the value of each preset attack feature in a received packet and computing the attack score of the packet from those feature values; comparing whether the computed attack score exceeds a preset attack threshold; and, if the computed attack score exceeds the preset attack threshold, determining that the packet is a slow attack packet and computing a new attack threshold. The new attack threshold is used for subsequent slow attack detection and is no greater than the old attack threshold.

Description

Slow attack detection method and device
Technical field
The embodiments of this specification relate to the field of network communication technology, and in particular to a slow attack detection method and device.
Background art
With the rapid development of networks, network security problems are also increasing. DDoS (Distributed Denial of Service) attacks are among the most powerful attacks and the hardest to defend against; their main purpose is to make a chosen target unable to provide normal service. Earlier DDoS attacks were mainly high-volume floods of individual packets; in recent years they have evolved into slow attacks. Slow attacks are more covert: they are variants of legitimate network protocols and comply fully with protocol requirements, so protecting against them is harder.
A slow attack mainly works by keeping a connection to the server open while sending a small amount of data at a low rate, thereby consuming server resources. Existing detection of slow attacks mainly inspects attributes such as the request data size, the server response time and the rate to decide whether a request is a slow attack, so it has a certain false-positive rate.
Summary of the invention
In view of this, the embodiments of this specification provide a slow attack detection method and device. The technical solution is as follows:
A slow attack detection method, characterized in that the method comprises:
determining, according to a preset attack score computation rule, the preset attack features used to compute an attack score;
determining the value of each preset attack feature in a received packet, and computing the attack score of the packet from those feature values;
comparing whether the computed attack score exceeds a preset attack threshold;
if the computed attack score exceeds the preset attack threshold, determining that the packet is a slow attack packet and computing a new attack threshold, where the new attack threshold is used for subsequent slow attack detection and is no greater than the old attack threshold.
A slow attack detection device, characterized in that the device comprises:
a feature determination module, for determining, according to a preset attack score computation rule, the preset attack features used to compute an attack score;
an attack score computation module, for determining the value of each preset attack feature in a received packet and computing the attack score of the packet from those feature values;
an attack score comparison module, for comparing whether the computed attack score exceeds a preset attack threshold;
an attack determination module, for determining that the packet is a slow attack packet when the computed attack score exceeds the preset attack threshold;
a threshold update module, for computing a new attack threshold when the computed attack score exceeds the preset attack threshold, where the new attack threshold is used for subsequent slow attack detection and is no greater than the old attack threshold.
In the technical solution provided by the embodiments of this specification, the features of the various kinds of slow attack are extracted in advance. For each received packet, its attack score is computed from whether it has or satisfies those slow attack features, and the size of that score decides whether the received packet is a slow attack packet. Moreover, as the number of attack packets sent by the same sender grows, the attack score needed for a packet to be classified as an attack packet shrinks, so slow attacks are detected dynamically and flexibly and the false-positive rate is reduced.
It should be understood that the above general description and the following detailed description are exemplary and explanatory only and do not limit the embodiments of this specification.
In addition, no embodiment of this specification needs to achieve all of the effects described above.
Brief description of the drawings
To explain the technical solutions of the embodiments of this specification or of the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below are only some of the embodiments recorded in this specification; those of ordinary skill in the art can obtain further drawings from them.
Fig. 1 is a flow diagram of the slow attack detection method of an embodiment of this specification;
Fig. 2 is a structural diagram of the slow attack detection device of an embodiment of this specification;
Fig. 3 is a structural diagram of the attack score computation module of an embodiment of this specification;
Fig. 4 is another structural diagram of the attack score computation module of an embodiment of this specification;
Fig. 5 is a further structural diagram of the attack score computation module of an embodiment of this specification.
Detailed description
To help those skilled in the art better understand the technical solutions in the embodiments of this specification, these solutions are described in detail below with reference to the accompanying drawings. Obviously, the embodiments described are only some, not all, of the embodiments of this specification. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments in this specification fall within the scope of protection.
A slow attack mainly works by keeping a connection to the server open while sending a small amount of data at a low rate, thereby consuming server resources. Slow attacks mainly fall into three classes: Slow headers, Slow body and Slow read.
The principle of the Slow headers attack is as follows. Because the HTTP headers carry important information that an application may use, the server can only process the data of an HTTP request after it has received all of the HTTP headers. The server considers the headers complete, and begins processing, only once it has received two consecutive "\r\n", that is, "\r\n\r\n". A sender acting as attacker therefore initiates an HTTP request and keeps sending HTTP headers without ever terminating them, consuming the server's connections and memory.
The principle of the Slow body attack is as follows. The attacking sender sends an HTTP POST request to the server whose Content-Length header value is very large. The server, expecting a very large amount of data from that end, keeps the connection open to receive it, but the attacker sends only a tiny amount of data each time, so the connection stays alive and a large amount of server resources is consumed.
The principle of the Slow read attack is as follows. The attacking sender establishes a connection to the server and sends an HTTP request, keeps the connection open, and then reads the server's response data at a very low rate, consuming the server's connections and memory.
Existing detection schemes for the slow attacks above are mainly of two kinds.
The first uses the mod_reqtimeout module to configure timeouts and minimum rates for receiving the HTTP headers and the HTTP body (for example through its RequestReadTimeout directive); if the sender does not deliver the headers or body within the configured time, protective measures such as returning a 408 Request Timeout error can be taken.
The second uses the mod_qos module to configure an HTTP request threshold; if the volume of requests within a certain period is excessive and exceeds the threshold, certain protective measures are taken.
In both schemes the configuration of the timeout, the minimum rate or the request threshold is rather crude: if the configured values are strict, the false-positive rate is high, and if they are loose, attacks cannot be detected and blocked effectively.
To address these problems, the embodiments of this specification provide a slow attack detection method, shown in Fig. 1, which may comprise the following steps:
S101: determine, according to a preset attack score computation rule, the preset attack features used to compute the attack score.
The features to be detected can be determined from the three classes of slow attack described above. For example, for the Slow headers attack, "\r\n\r\n" can be preset as an attack feature; for the Slow body attack, "Content-Length" can be preset as an attack feature; and so on. It should be understood that the embodiments of this specification do not need to restrict the specific preset attack features; those skilled in the art can choose and set them according to actual needs.
S102: determine the value of each preset attack feature in the received packet, and compute the attack score of the packet from those feature values.
In one specific embodiment, the length of the received packet can be determined first, and it is checked whether the determined packet length equals a preset length value, for example whether the data length of the request packet is 0.
If the determined packet length equals the preset length value, it can further be checked whether the packet is an acknowledgement (ACK) packet. In addition, since data flow during transmission is controlled by the window size, it can also be checked whether the packet's receive window value equals a preset window value, for example whether it is 0.
If the packet is an ACK packet and its receive window value equals the preset window value, the values of the corresponding attack features are obtained from the preset length value, the ACK packet type and the preset window value.
If the determined packet length is not the preset length value, it can further be checked whether the packet contains a preset string, for example "\r\n\r\n". If it does, the packet can be determined not to be a Slow headers attack packet; if it does not, other features can be checked further.
Specifically, if the packet contains the preset string, it is checked whether the packet contains header information and a payload. If the packet contains only header information, the value of a predetermined field in the header, such as the Content-Length field value, can simply be recorded, the packet can be determined not to be a slow attack packet, and detection stops. If the packet contains both header information and a payload, the predetermined field value in the header (such as the Content-Length field value) and the length of the included payload are recorded, the packet can be determined not to be a slow attack packet, and detection stops.
If the packet contains only a payload, it must be checked whether the server is under a Slow body attack. Specifically, the previous request packet corresponding to this packet is determined first; the total payload length is obtained from the payload length of this packet and the payload length of that previous request packet; and the total payload length is compared with the predetermined field value in the header information of the previous request packet, for example its Content-Length field value (which was recorded when the previous packet was detected). If the total payload length is smaller than the Content-Length field value, the server may be under a Slow body attack; that is, the values of the corresponding attack features are obtained from the comparison result and the request packet type.
If the packet does not contain the preset string, other features can be checked further. Specifically, the maximum segment size of the packet can be determined first, and then it is compared whether the packet length is smaller than the maximum segment size; if so, the values of the corresponding attack features are obtained from the packet length and the maximum segment size.
After the values of the preset attack features in the received packet have been determined, the attack score of the packet can be computed from those feature values on the basis of the preset attack score computation rule.
For example, the detected features, such as "packet length smaller than the maximum segment size", "total payload length smaller than the Content-Length field value", "contains the preset string" and so on, can be used to determine the possible attack type. In the preset attack score computation rule, a weight or other computation factor can be set in advance for each attack type, so that the total attack score is obtained by a weighted operation over the types or by some other operation.
As another example, a computation factor can be set in advance for each preset attack feature in the preset attack score computation rule, so that the total attack score is obtained by combining the attack features the packet satisfies or contains after detection with their computation factors.
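The decision tree of step S102 above (zero-length ACK with a zero receive window, presence of "\r\n\r\n", header-only versus header-plus-body versus body-only segments, cumulative payload against the recorded Content-Length, and segment length against the maximum segment size) combined with a weighted attack score, as an added Python example; it is not code from the patent or from the assignee. The feature weights, the Segment fields, the request-line heuristic used to tell a header segment from a body-only segment, and the sample segments in demo() are all assumptions constructed for this example, since the patent leaves the features, weights and scoring rule to the implementer.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

CRLF2 = b"\r\n\r\n"  # the preset string that terminates HTTP headers
# Assumed heuristic: a segment that begins with a request line carries headers.
REQUEST_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"DELETE ", b"OPTIONS ", b"PATCH ")

# Assumed weights per attack feature (the patent leaves these to the implementer).
WEIGHTS: Dict[str, float] = {
    "zero_window_ack": 1.0,             # empty ACK advertising window 0: Slow read
    "body_below_content_length": 0.6,   # cumulative body still short of Content-Length: Slow body
    "short_unterminated_segment": 0.5,  # no "\r\n\r\n" and shorter than the MSS: Slow headers
}


@dataclass
class Segment:
    """One TCP segment as seen by the detector (constructed sample input)."""
    payload: bytes
    ack: bool = True
    window: int = 65535  # advertised receive window
    mss: int = 1460      # maximum segment size of the connection


@dataclass
class RequestState:
    """What the detector records per sender from earlier segments of the same request."""
    content_length: Optional[int] = None
    body_received: int = 0


def parse_content_length(head: bytes) -> Optional[int]:
    """Return the Content-Length value from a header block, or None if absent/invalid."""
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"content-length":
            try:
                return int(value.strip())
            except ValueError:
                return None
    return None


def extract_features(seg: Segment, state: RequestState) -> Dict[str, int]:
    """Walk the decision tree of step S102 and return each attack feature as 0 or 1."""
    feats = {name: 0 for name in WEIGHTS}
    if len(seg.payload) == 0:
        # Preset length 0: an ACK with a zero receive window stalls the server's response.
        if seg.ack and seg.window == 0:
            feats["zero_window_ack"] = 1
        return feats
    if CRLF2 in seg.payload:
        head, _, body = seg.payload.partition(CRLF2)
        if head.startswith(REQUEST_METHODS):
            # Header-only or header-plus-body: record Content-Length and the body length
            # and treat the segment as benign, since the headers were terminated.
            state.content_length = parse_content_length(head)
            state.body_received = len(body)
            return feats
        # Body-only continuation of the previous request: compare the cumulative
        # payload with the Content-Length recorded from that request's headers.
        state.body_received += len(seg.payload)
        if state.content_length is not None and state.body_received < state.content_length:
            feats["body_below_content_length"] = 1
        return feats
    # No header terminator: a segment smaller than the MSS that never ends the
    # headers is the Slow headers pattern.
    if len(seg.payload) < seg.mss:
        feats["short_unterminated_segment"] = 1
    return feats


def attack_score(seg: Segment, state: RequestState) -> float:
    """Weighted sum of the detected features, i.e. the preset computation rule."""
    feats = extract_features(seg, state)
    return sum(WEIGHTS[name] * value for name, value in feats.items())


def demo() -> List[float]:
    """Score a constructed sequence of segments from one sender."""
    state = RequestState()
    segments = [
        Segment(b"", ack=True, window=0),                                    # Slow read stall
        Segment(b"POST /upload HTTP/1.1\r\nHost: a\r\nContent-Length: 1000\r\n\r\nab"),
        Segment(b"cd\r\n\r\n"),                                              # 8 of 1000 body bytes so far
        Segment(b"X-Pad: 1\r\n"),                                            # headers never terminated
    ]
    return [attack_score(seg, state) for seg in segments]


if __name__ == "__main__":
    print(demo())
```

demo() scores the four constructed segments as 1.0, 0.0, 0.6 and 0.5: the empty zero-window ACK, a well-formed POST whose headers end and whose Content-Length is recorded, a body fragment that leaves the cumulative payload far below that Content-Length, and a short header fragment with no terminator. The threshold comparison of steps S103 and S104 is applied to these scores.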
S103: compare whether the computed attack score exceeds the preset attack threshold.
S104: if the computed attack score exceeds the preset attack threshold, determine that the packet is a slow attack packet and compute a new attack threshold; the new attack threshold is used for subsequent slow attack detection and is no greater than the old attack threshold.
In one specific embodiment, when the packet is determined to be a slow attack packet, the sender identifier of the packet, such as the sender's IP address or MAC address, is recorded.
Thus, whenever a new attack threshold needs to be computed, the sender identifier of the packet is determined first; then, from the pre-recorded sender identifiers, the number of attacks by the sender corresponding to this packet is determined, and the new attack threshold is computed from that attack count and the old attack threshold, where the new attack threshold is negatively correlated with the attack count and positively correlated with the old attack threshold.
For example, suppose the sender at a certain IP address has been determined to have sent slow attack packets N times in total, the current attack threshold is Y, and a preset computation base m (m > 1) is given; then the new attack threshold Y' can be computed by the following formula:
By updating the attack threshold in this way, the detection of whether a packet is a slow attack packet becomes positively correlated with the number of slow attack packets the attacker has sent (the more it has sent, the lower the threshold), so slow attacks are detected more flexibly and accurately.
In one specific embodiment, the time interval between multiple attacks and their duration can also be recorded and computed. Specifically, when the packet is determined to be a slow attack packet, its sender identifier can be recorded and the current time recorded as the attack time; then, from the pre-recorded attack times and sender identifiers, it is determined whether the sender corresponding to this packet already has a recorded attack time. If so, the time interval between the previous attack time and this attack time is computed, and the attack handling operation for that sender is determined from the relationship between that time interval and a preset duration threshold.
For example, it is checked whether the time interval is not less than the preset duration threshold, and if so, the sender identifier is added to a blacklist. A blocking duration for the blacklist can also be preset, and the time the sender has spent on the blacklist is counted; once it reaches the blocking duration, the block is lifted.
The sender identifiers and attack times can be recorded in a pre-established hash table. Specifically, each distinct sender can be stored in the hash table as a node, with the attack times stored in the corresponding node, so that the number of times, and the times at which, different senders sent slow attack packets to the server can be recorded and determined through the nodes of the hash table.
Also, to reduce the server's burden of detecting slow attacks, a detection cycle can be set: if the interval between packets from the same sender that are determined to be attack packets is too long and exceeds the detection cycle, the attack threshold is not updated and operations such as blacklisting and blocking are not carried out.
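The per-sender bookkeeping described in the preceding paragraphs (attack count, threshold update, recorded attack times, a blacklist with a blocking duration, and the detection cycle after which stale state is discarded), as an added Python example; it is not code from the patent or from the assignee. The page does not reproduce the formula for Y', so the update used here, Y' = Y / m with m > 1, is an assumption chosen only to satisfy the stated properties (it falls with each further attack and is proportional to the old threshold). The constructor defaults, the sender identifier and the score sequence in demo() are constructed for this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class SenderRecord:
    """One node of the per-sender hash table."""
    threshold: float                       # current attack threshold Y for this sender
    attack_count: int = 0                  # N: packets from this sender judged slow attacks
    last_attack_time: Optional[float] = None
    blocked_until: Optional[float] = None  # blacklist expiry; None when not blacklisted


@dataclass
class Verdict:
    is_attack: bool
    threshold_used: float
    new_threshold: float
    blocked: bool


class SlowAttackTracker:
    def __init__(self, initial_threshold: float = 1.0, decay_base: float = 2.0,
                 duration_threshold: float = 5.0, detection_cycle: float = 300.0,
                 block_duration: float = 600.0) -> None:
        if decay_base <= 1.0:
            raise ValueError("the computation base m must be greater than 1")
        self.initial_threshold = initial_threshold
        self.decay_base = decay_base                  # m
        self.duration_threshold = duration_threshold  # interval at or above which the sender is blacklisted
        self.detection_cycle = detection_cycle        # attacks further apart than this do not update state
        self.block_duration = block_duration          # how long a blacklist entry lasts
        self.records: Dict[str, SenderRecord] = {}    # sender identifier -> node

    def is_blocked(self, sender: str, now: float) -> bool:
        rec = self.records.get(sender)
        if rec is None or rec.blocked_until is None:
            return False
        if now >= rec.blocked_until:
            rec.blocked_until = None  # blocking duration reached: lift the block
            return False
        return True

    def observe(self, sender: str, score: float, now: float) -> Verdict:
        """Apply steps S103/S104 to one packet's attack score for the given sender."""
        rec = self.records.setdefault(sender, SenderRecord(threshold=self.initial_threshold))
        if rec.last_attack_time is not None and now - rec.last_attack_time > self.detection_cycle:
            # Detection cycle exceeded: forget the old count and threshold and start afresh.
            rec.attack_count = 0
            rec.threshold = self.initial_threshold
            rec.last_attack_time = None
        used = rec.threshold
        if score <= used:
            return Verdict(False, used, used, self.is_blocked(sender, now))
        # The packet is a slow attack packet: count it, record the time, tighten the threshold.
        rec.attack_count += 1
        interval = None if rec.last_attack_time is None else now - rec.last_attack_time
        rec.last_attack_time = now
        rec.threshold = used / self.decay_base  # assumed Y' = Y / m, hence Y' <= Y
        if interval is not None and interval >= self.duration_threshold:
            rec.blocked_until = now + self.block_duration
        return Verdict(True, used, rec.threshold, self.is_blocked(sender, now))


def demo() -> List[Tuple[bool, float, bool]]:
    """Constructed (time, score) sequence for one sender; returns (is_attack, new_threshold, blocked)."""
    tracker = SlowAttackTracker()
    events = [(0.0, 0.9), (1.0, 1.2), (3.0, 0.7), (10.0, 0.3), (11.0, 0.0), (700.0, 0.2)]
    out = []
    for now, score in events:
        v = tracker.observe("10.0.0.5", score, now)
        out.append((v.is_attack, v.new_threshold, v.blocked))
    return out


if __name__ == "__main__":
    for row in demo():
        print(row)
```

In demo() the first score of 0.9 passes under the initial threshold of 1.0; the next three packets are attacks and the threshold halves each time (0.5, 0.25, 0.125), so a score of 0.3 that would have been benign at the start is flagged by the fourth packet. That fourth attack arrives 7 seconds after the third, at or above the duration threshold, so the sender is blacklisted; the fifth packet is benign but still blocked. The last packet arrives 690 seconds later, beyond the detection cycle, so the count and threshold are reset and the blocking duration has expired.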
In one specific embodiment, when the packet is determined to be a slow attack packet, the attack type of this slow attack can also be determined from the determined values of the preset attack features, and the protection action corresponding to that attack type is taken according to a preset correspondence between attack types and protection actions.
The protection action includes a blocking action and/or an alarm action. The blocking action blocks the connection between the packet's sender and the local end, for example by sending an RST packet; the alarm action raises an alarm that a slow attack is under way in a predetermined manner, for example by sending a log to a security device.
Thus, with the slow attack detection scheme provided by this specification, the attack score of a received packet can be computed from the characteristics of the various kinds of slow attack and compared with the preset attack threshold to determine whether the packet may be a slow attack packet. Moreover, if the same sender sends slow attack packets repeatedly within a short time, its attack threshold is reduced step by step, i.e. detection becomes progressively stricter for it, achieving more flexible and accurate slow attack detection and striking a balance between reducing the false-positive rate and detection strictness.
Corresponding to the method embodiment above, the embodiments of this specification also provide a slow attack detection device, shown in Fig. 2, which may comprise:
a feature determination module 110, for determining, according to a preset attack score computation rule, the preset attack features used to compute an attack score;
an attack score computation module 120, for determining the value of each preset attack feature in a received packet and computing the attack score of the packet from those feature values;
an attack score comparison module 130, for comparing whether the computed attack score exceeds a preset attack threshold;
an attack determination module 140, for determining that the packet is a slow attack packet when the computed attack score exceeds the preset attack threshold;
a threshold update module 150, for computing a new attack threshold when the computed attack score exceeds the preset attack threshold, where the new attack threshold is used for subsequent slow attack detection and is no greater than the old attack threshold.
In one specific embodiment, shown in Fig. 3, the attack score computation module 120 may comprise:
a first judging submodule 121, for determining the length of the received packet and judging whether the determined packet length equals a preset length value;
a second judging submodule 122, for judging, when the determined packet length equals the preset length value, whether the packet is an ACK packet and whether the packet's receive window value equals a preset window value;
a feature value determination submodule 123, for obtaining, when the packet is an ACK packet and its receive window value equals the preset window value, the values of the corresponding attack features from the preset length value, the ACK packet type and the preset window value.
In one specific embodiment, shown in Fig. 4, the attack score computation module 120 may further comprise:
a third judging submodule 124, for judging, when the determined packet length is not the preset length value, whether the packet contains a preset string;
a fourth judging submodule 125, for judging, when the packet contains the preset string, whether the packet contains header information and a payload;
the feature value determination submodule 123 is further used, when the packet contains only a payload, to determine the previous request packet corresponding to the packet; obtain the total payload length from the payload length of this packet and the payload length of the previous request packet; compare the total payload length with the predetermined field value in the header information of the previous request packet; and obtain the values of the corresponding attack features from the comparison result and the fact that the packet contains the preset string.
In one specific embodiment, shown in Fig. 5, the attack score computation module 120 may further comprise:
a preset value recording submodule 126, for recording the predetermined field value in the header information when the packet contains only header information; and/or recording the predetermined field value in the header information and the length of the included payload when the packet contains both header information and a payload.
The implementation of the functions and effects of each unit in the device above is described in detail in the implementation of the corresponding steps of the method above and is not repeated here.
Since the device embodiment essentially corresponds to the method embodiment, the relevant parts may refer to the description of the method embodiment. The device embodiments described above are merely illustrative: the units described as separate components may or may not be physically separate, and components shown as units may or may not be physical units; they may be located in one place or distributed over multiple network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this specification. Those of ordinary skill in the art can understand and implement this without creative effort.
Although this specification contains many specific implementation details, these should not be construed as limiting the scope of any invention or of what is claimed, but rather as describing features of particular embodiments of particular inventions. Certain features described in this specification in the context of separate embodiments can also be combined in a single embodiment. Conversely, various features described in the context of a single embodiment can also be implemented in multiple embodiments separately or in any suitable sub-combination. Moreover, although features may be described above as acting in certain combinations and even initially claimed as such, one or more features from a claimed combination can in some cases be removed from the combination, and the claimed combination may be directed to a sub-combination or a variation of a sub-combination.
Similarly, although operations are depicted in the drawings in a particular order, this should not be understood as requiring that such operations be performed in the particular order shown or in sequential order, or that all illustrated operations be performed, to achieve desirable results. In some cases, multitasking and parallel processing may be advantageous. Moreover, the separation of various system modules and components in the embodiments above should not be understood as requiring such separation in all embodiments; it should be understood that the described program components and systems can generally be integrated together in a single software product or packaged into multiple software products.
Particular embodiments of the subject matter have thus been described. Other embodiments are within the scope of the appended claims. In some cases, the actions recited in the claims can be performed in a different order and still achieve desirable results. In addition, the processes depicted in the drawings do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some implementations, multitasking and parallel processing may be advantageous.
The foregoing is merely a preferred embodiment of this specification and does not limit the embodiments of this specification; any modification, equivalent replacement, improvement and so on made within the spirit and principles of the embodiments of this specification shall be included within the scope of protection of the embodiments of this specification.

Claims (10)

1. A slow-attack detection method, characterized in that the method comprises:
determining, according to a preset attack-value computation rule, the preset attack features used to compute an attack value;
determining the value of each preset attack feature in a received message, and computing the attack value of the message from those feature values;
comparing whether the computed attack value is greater than a preset attack threshold;
if the computed attack value is greater than the preset attack threshold, determining that the message is a slow-attack message and computing a new attack threshold; the new attack threshold is used for subsequent slow-attack detection, and the new attack threshold is not greater than the old attack threshold.
2. The method according to claim 1, characterized in that determining the value of each preset attack feature in the received message comprises:
determining the length of the received message;
judging whether the determined message length equals a preset length value;
if the determined message length equals the preset length value, judging whether the message is an acknowledgement (ACK) message and whether the receive window value of the message equals a preset window value;
if the message is an ACK message and its receive window value equals the preset window value, obtaining the value of the corresponding attack feature from the preset length value, the ACK message type and the preset window value.
3. The method according to claim 2, characterized in that the method further comprises:
if the determined message length does not equal the preset length value, judging whether the message contains a preset string;
if the message contains the preset string, judging whether the message contains header information and a payload;
if the message contains only a payload, determining the preceding request message to which this message corresponds;
obtaining a total payload length from the payload length of this message and the payload length of the preceding request message;
comparing the total payload length with the value of a preset field in the header information of the preceding request message, and obtaining the value of the attack feature corresponding to the presence of the preset string from the comparison result.
4. The method according to claim 3, characterized in that the method further comprises:
if the message contains only header information, recording the value of the preset field in the header information;
and/or
if the message contains both header information and a payload, recording the value of the preset field in the header information and the length of the contained payload.
5. The method according to claim 3, characterized in that the method further comprises:
if the message does not contain the preset string, determining the maximum segment size of the message;
comparing whether the message length is less than the maximum segment size, and if so, obtaining the value of the corresponding attack feature from the message length and the maximum segment size.
6. The method according to claim 1, characterized in that the method further comprises:
if the message is determined to be a slow-attack message, recording the sender identifier of the message;
and that computing the new attack threshold comprises:
determining the sender identifier of the message;
determining, from the pre-recorded sender identifiers, the attack count of the sender of this message;
computing the new attack threshold from the attack count and the attack threshold, wherein the new attack threshold is negatively correlated with the attack count and positively correlated with the old attack threshold.
7. The method according to claim 1, characterized in that the method further comprises:
if the message is determined to be a slow-attack message, recording the sender identifier of the message and recording the current time as an attack time;
determining, from the pre-recorded attack times and sender identifiers, whether a recorded attack time exists for the sender of this message;
if so, computing the time interval between the last attack time and this attack time, and determining the attack-handling operation to apply to the sender from the relationship between the time interval and a preset duration threshold.
8. The method according to claim 7, characterized in that determining the attack-handling operation to apply to the sender from the relationship between the time interval and the preset duration threshold comprises:
judging whether the time interval is not less than the preset duration threshold;
if so, adding the sender identifier to a blacklist.
9. The method according to claim 1, characterized in that the method further comprises:
if the message is determined to be a slow-attack message, determining the attack type of this slow attack from the determined values of the preset attack features;
taking the protection action corresponding to this attack type according to a preset correspondence between attack types and protection actions;
wherein the protection action comprises a blocking action and/or an alarm action;
the blocking action is used to block the connection between the sender of the message and the local end;
the alarm action is used to issue a slow-attack alarm in a predetermined manner.
10. A slow-attack detection device, characterized in that the device comprises:
a feature determination module, for determining, according to a preset attack-value computation rule, the preset attack features used to compute an attack value;
an attack-value computation module, for determining the value of each preset attack feature in a received message and computing the attack value of the message from those feature values;
an attack-value comparison module, for comparing whether the computed attack value is greater than a preset attack threshold;
an attack determination module, for determining that the message is a slow-attack message if the computed attack value is greater than the preset attack threshold;
a threshold update module, for computing a new attack threshold if the computed attack value is greater than the preset attack threshold; the new attack threshold is used for subsequent slow-attack detection, and the new attack threshold is not greater than the old attack threshold.
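The pipeline of claims 1 to 9, reconstructed as an added example (this is not the patentee's code, and the patent text gives no constants or formulas): feature weights, the preset length/window/string values, the threshold decay rule and the reading of "contains the preset string" as "belongs to an HTTP request" are all assumptions, and the packets are constructed rather than captured. It scores a zero-window ACK (claim 2, a slow-read client), a POST body that stays short of its Content-Length (claims 3 and 4, a slow-POST trickle) and undersized data segments (claim 5), lowers the threshold after each hit (claim 6), blacklists a sender whose repeat attack arrives at or beyond the preset interval (claims 7 and 8) and maps the dominant feature to a protection action (claim 9):

```python
"""Slow-attack detector reconstructed from claims 1-9. Added example, not the patent's code:
constants, feature weights and the threshold formula are assumptions, not values from the patent."""
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple
PRESET_LENGTH = 54          # assumed: frame length of a bare TCP ACK (Ethernet+IPv4+TCP, no data)
PRESET_WINDOW = 0           # zero receive window, as advertised by a "slow read" client
PRESET_STRING = b"HTTP/1."  # assumed marker that a packet carries an HTTP request line
INITIAL_THRESHOLD = 3.5
MIN_THRESHOLD = 1.0
DECAY = 0.8                 # claim 6: new threshold = old * DECAY ** attacks, never above old
REPEAT_INTERVAL = 60.0      # claim 8: seconds between two attacks from one sender -> blacklist
WEIGHTS = {"zero_window_ack": 4.0, "incomplete_body": 3.0, "small_segment": 1.5}  # claim 1 rule
ACTIONS = {"zero_window_ack": ("block", "alarm"), "incomplete_body": ("block", "alarm"),
           "small_segment": ("alarm",)}                                          # claim 9 map

@dataclass
class Packet:
    src: str
    ts: float
    length: int               # whole frame length
    payload: bytes = b""
    is_ack: bool = False
    window: Optional[int] = None
    mss: int = 1460

@dataclass
class SenderState:
    content_length: Optional[int] = None   # claim 4: header field recorded from the last request
    body_so_far: int = 0
    attacks: int = 0
    last_attack_ts: Optional[float] = None

@dataclass
class Verdict:
    attack_value: float
    is_attack: bool
    attack_type: Optional[str] = None
    actions: Tuple[str, ...] = ()

def _content_length(head: bytes) -> Optional[int]:
    for line in head.split(b"\r\n"):
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-length" and value.strip().isdigit():
            return int(value)
    return None

class SlowAttackDetector:
    def __init__(self, threshold: float = INITIAL_THRESHOLD):
        self.threshold = threshold
        self.senders: Dict[str, SenderState] = {}
        self.blacklist: Set[str] = set()

    def _features(self, pkt: Packet, st: SenderState) -> Dict[str, float]:
        feats = {k: 0.0 for k in WEIGHTS}
        if pkt.length == PRESET_LENGTH:                        # claim 2: bare ACK with zero window
            if pkt.is_ack and pkt.window == PRESET_WINDOW:
                feats["zero_window_ack"] = 1.0
            return feats
        # Assumption: "contains the preset string" = carries a request line or continues a
        # request whose header was already recorded for this sender.
        if PRESET_STRING in pkt.payload or st.content_length is not None:     # claims 3, 4
            head, sep, body = pkt.payload.partition(b"\r\n\r\n")
            if sep:                                            # header, with or without a body
                st.content_length, st.body_so_far = _content_length(head), len(body)
            else:                                              # body only: extend the running total
                st.body_so_far += len(pkt.payload)
                if st.content_length is not None and st.body_so_far < st.content_length:
                    feats["incomplete_body"] = 1.0             # body still short of Content-Length
            return feats
        if len(pkt.payload) < pkt.mss:                         # claim 5: undersized data segment
            feats["small_segment"] = (pkt.mss - len(pkt.payload)) / pkt.mss   # assumed scaling
        return feats

    def process(self, pkt: Packet) -> Verdict:
        st = self.senders.setdefault(pkt.src, SenderState())
        feats = self._features(pkt, st)
        value = sum(WEIGHTS[k] * v for k, v in feats.items())   # claim 1: weighted attack value
        if value <= self.threshold:
            return Verdict(value, False)
        st.attacks += 1                                         # claim 6: per-sender attack count
        self.threshold = max(MIN_THRESHOLD, self.threshold * DECAY ** st.attacks)
        if st.last_attack_ts is not None and pkt.ts - st.last_attack_ts >= REPEAT_INTERVAL:
            self.blacklist.add(pkt.src)                         # claims 7, 8: persistent offender
        st.last_attack_ts = pkt.ts
        attack_type = max(feats, key=lambda k: WEIGHTS[k] * feats[k])          # claim 9
        return Verdict(value, True, attack_type, ACTIONS[attack_type])

REQ = b"POST /up HTTP/1.1\r\nHost: t\r\nContent-Length: 1000\r\n\r\n"
SAMPLE_PACKETS = [   # constructed for this example, not captured traffic
    Packet("10.0.0.5", 0.0, PRESET_LENGTH, is_ack=True, window=0),             # slow read
    Packet("10.0.0.9", 1.0, PRESET_LENGTH + len(REQ), REQ),                     # header only
    Packet("10.0.0.9", 11.0, PRESET_LENGTH + 10, b"abcdefghij"),                # 10 of 1000 bytes
    Packet("10.0.0.7", 12.0, 1514, b"x" * 1460),                                # full segment
    Packet("10.0.0.7", 12.5, 55, b"x"),                                         # 1-byte segment
    Packet("10.0.0.5", 70.0, PRESET_LENGTH, is_ack=True, window=0),            # 70 s later
]

def run(packets=SAMPLE_PACKETS, detector=None):
    det = detector or SlowAttackDetector()
    return det, [det.process(p) for p in packets]
```

Two points a practitioner should check before deploying anything shaped like this. First, the claims only ever lower the threshold (the new value must not exceed the old one) and say nothing about recovery, so a detector built literally to them ratchets toward its floor after a few hits and then flags every single undersized segment; a time-based decay back toward the initial threshold, which the claims do not describe, is needed in practice. Second, a zero-window ACK is also what a legitimate receiver sends under back-pressure, so the weight on that feature decides the false-positive rate; the value above is a tuning assumption, not a measurement.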
CN201811203799.9A 2018-10-16 2018-10-16 Slow attack detection method and device Active CN109040140B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811203799.9A CN109040140B (en) 2018-10-16 2018-10-16 Slow attack detection method and device

Publications (2)

Publication Number Publication Date
CN109040140A true CN109040140A (en) 2018-12-18
CN109040140B CN109040140B (en) 2021-03-23

Family

ID=64613344

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811203799.9A Active CN109040140B (en) 2018-10-16 2018-10-16 Slow attack detection method and device

Country Status (1)

Country Link
CN (1) CN109040140B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101998400A (en) * 2009-08-12 2011-03-30 中国移动通信集团天津有限公司 Authentication random number detection method and SIM (Subscriber Identity Module) card
KR20130006750A (en) * 2011-06-20 2013-01-18 한국전자통신연구원 Method for identifying a denial of service attack and apparatus for the same
US20130055375A1 (en) * 2011-08-29 2013-02-28 Arbor Networks, Inc. Method and Protection System for Mitigating Slow HTTP Attacks Using Rate and Time Monitoring
CN105991509A (en) * 2015-01-27 2016-10-05 杭州迪普科技有限公司 Session processing method and apparatus
CN106471778A (en) * 2014-07-04 2017-03-01 日本电信电话株式会社 Attack detecting device, attack detection method and attack detecting program

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111478893A (en) * 2020-04-02 2020-07-31 中核武汉核电运行技术股份有限公司 Detection method for slow HTTP attack
CN111478893B (en) * 2020-04-02 2022-06-28 中核武汉核电运行技术股份有限公司 Detection method for slow HTTP attack
CN112738099A (en) * 2020-12-28 2021-04-30 北京天融信网络安全技术有限公司 Method and device for detecting slow attack, storage medium and electronic equipment
CN112738099B (en) * 2020-12-28 2022-07-12 北京天融信网络安全技术有限公司 Method and device for detecting slow attack, storage medium and electronic equipment
CN112866233A (en) * 2021-01-14 2021-05-28 华南理工大学 Method, equipment and medium for protecting slow DDOS attack
CN113242260A (en) * 2021-06-09 2021-08-10 中国银行股份有限公司 Attack detection method and device, electronic equipment and storage medium
CN113242260B (en) * 2021-06-09 2023-02-21 中国银行股份有限公司 Attack detection method and device, electronic equipment and storage medium
CN114422272A (en) * 2022-03-28 2022-04-29 北京信安世纪科技股份有限公司 Data processing system, method and server side equipment
CN115242551A (en) * 2022-09-21 2022-10-25 北京中科网威信息技术有限公司 Slow attack defense method and device, electronic equipment and storage medium
CN115242551B (en) * 2022-09-21 2022-12-06 北京中科网威信息技术有限公司 Slow attack defense method and device, electronic equipment and storage medium

Also Published As

Publication number Publication date
CN109040140B (en) 2021-03-23

Similar Documents

Publication Publication Date Title
CN109040140A (en) A kind of attack detection method and device at a slow speed
US11924170B2 (en) Methods and systems for API deception environment and API traffic control and security
CN105577608B (en) Network attack behavior detection method and device
US10771501B2 (en) DDoS attack defense method, system, and related device
Tang et al. SIP flooding attack detection with a multi-dimensional sketch design
CN107645478B (en) Network attack defense system, method and device
Gasior et al. Exploring covert channel in android platform
Jeyanthi et al. An Entropy Based Approach to Detect and Distinguish DDoS Attacks from Flash Crowds in VoIP Networks.
CN108234516B (en) Method and device for detecting network flooding attack
Fu et al. Analytical and empirical analysis of countermeasures to traffic analysis attacks
CN109743314A (en) Monitoring method, device, computer equipment and its storage medium of Network Abnormal
CN110858831B (en) Safety protection method and device and safety protection equipment
Wang et al. Walkie-talkie: An effective and efficient defense against website fingerprinting
CN108616488A (en) A kind of defence method and defensive equipment of attack
Liu et al. Real-time diagnosis of network anomaly based on statistical traffic analysis
CN107454065A (en) A kind of means of defence and device of UDP Flood attacks
CN104125213A (en) Distributed denial of service DDOS attack resisting method and device for firewall
Gharvirian et al. Neural network based protection of software defined network controller against distributed denial of service attacks
CN105939321B (en) A kind of DNS attack detection method and device
Sree et al. Detection of http flooding attacks in cloud using dynamic entropy method
Huang et al. Detecting stepping-stone intruders by identifying crossover packets in SSH connections
Mohammadi et al. Software defined network-based HTTP flooding attack defender
Bhale et al. An adaptive and lightweight solution to detect mixed rate ip spoofed ddos attack in iot ecosystem
Liu et al. Anomaly diagnosis based on regression and classification analysis of statistical traffic features
Al-Dayil et al. Detecting social media mobile botnets using user activity correlation and artificial immune system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20210610

Address after: 310051 05, room A, 11 floor, Chung Cai mansion, 68 Tong Xing Road, Binjiang District, Hangzhou, Zhejiang.

Patentee after: Hangzhou Dip Information Technology Co.,Ltd.

Address before: 6 / F, Zhongcai building, 68 Tonghe Road, Binjiang District, Hangzhou City, Zhejiang Province

Patentee before: Hangzhou DPtech Technologies Co.,Ltd.