CN109246157B - Correlation detection method for HTTP slow request DOS attack - Google Patents

Publication number: CN109246157B
Authority: CN (China)
Prior art keywords: data packet, srcip, http, server, value
Legal status: Active
Application number: CN201811367329.6A
Other languages: Chinese (zh)
Other versions: CN109246157A (en)
Inventors: 郎朗, 范渊, 莫凡
Current Assignee: Hangzhou Dbappsecurity Technology Co Ltd
Original Assignee: Hangzhou Dbappsecurity Technology Co Ltd
Application filed by Hangzhou Dbappsecurity Technology Co Ltd
Priority to CN201811367329.6A
Publication of CN109246157A
Application granted
Publication of CN109246157B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1458 Denial of Service
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]

Abstract

The invention relates to an association detection method for HTTP slow request DOS attacks. Incoming and outgoing flow data packets of a WEB server are collected and analyzed, and an HTTP protocol data packet set is obtained by screening with T as the time unit. The slow attack characteristics and the return codes of the flow data packet set are analyzed to obtain, respectively, the total number of data packets with slow attack characteristics and the total number of data packets which cannot be accessed by the server; the two totals are associated to detect the state of the server for providing the HTTP service externally. The invention can quickly identify data packets with the HTTP slow request characteristic, supports cold start, gives an alarm in time and stops loss in time before a security event occurs; when server resources are detected to be exhausted and the service cannot be provided normally, it responds quickly to the service error, which improves detection accuracy and reduces false alarms; the statistical time window is short, detection is timely, and large data volumes can be processed in time without excessive performance loss or calculation delay.

Description

Correlation detection method for HTTP slow request DOS attack
Technical Field
The invention relates to the technical field of digital computing equipment or data processing methods particularly suitable for specific functions, in particular to an association detection method for HTTP slow request DOS attacks.
Background
A DoS attack (denial-of-service attack) is a network attack in which an attacker attacks a server for a short or long period so that the server or network resource cannot provide service to users normally. To launch a large attack with limited resources, a typical attacker sets the number of queries per second of a single compromised host (bot) to a large value, e.g. 5 to 10 times per second. Such attacks are usually directed at lower layers of the network stack, typically the transport layer, whereas an HTTP slow request attack exploits weaknesses of the HTTP protocol and is launched through the seventh layer.
The HTTP POST method exploits the long-connection weakness of HTTP protocol version 1.1: the attacker declares a large value in the content length of a data packet but sends the remaining data at a very slow rate, so that the connection stays occupied and ordinary users cannot obtain the resources of the server.
Patent application No. CN201610556957.3 discloses a method and device for detecting DDoS attacks on the Web application layer based on generalized Jaccard similarity coefficients. It uses the Jaccard similarity coefficient formula to calculate the similarity between the attribute set in a time interval and a historical normal attribute set, compares the similarity with a preset threshold, and thereby detects HTTP slow request attacks. The defects of that technique are that the historical traffic must be learned through computation, and that model training is time-consuming and computationally complex.
Patent application No. CN201510925630.4 discloses a method for preventing HTTP slow attacks. It first relies on traffic learning: it learns the normal access traffic of the protected host, uses the access time difference to identify which pages are resource-consuming pages, and records the information of those pages. It then builds a URL hash monitoring table from the URLs of the resource-consuming pages and, in each period, counts the number of times each source IP accesses each resource-consuming page and the total number of times that source IP accesses the website. When the period ends, the counts are summarized and the number of time-consuming page accesses of each source IP is calculated. If the number of resource-consuming pages accessed by some source IPs exceeds the set threshold in several consecutive periods, those source IPs are considered to be continuously using low traffic to consume a large amount of the server's computing resources, and their access is limited. The defects of that technique are that the hash table grows larger and larger over time, the judgment threshold is difficult to determine, and false alarms are easily generated.
Disclosure of Invention
The invention addresses the following problems of the prior art in detecting HTTP slow request DOS attacks: historical traffic must be learned through computation, model training is time-consuming and computationally complex, the hash table grows larger and larger over time, the judgment threshold is difficult to determine, and false alarms are easily generated.
The technical scheme adopted by the invention is that the correlation detection method of the HTTP slow request DOS attack comprises the following steps:
step 1: respectively collecting an incoming flow data packet and an outgoing flow data packet of a WEB server;
step 2: analyzing the incoming flow data packet and the outgoing flow data packet, and screening with T as the time unit to obtain an HTTP protocol data packet set $D_i=\{X_1,X_2,X_3,\ldots,X_m\}$, where m is the number of data packets;
step 3: analyzing the slow attack characteristics of the flow data packet set $D_i$ to obtain the total number $S_{post}$ of data packets with the slow attack characteristics;
step 4: analyzing the return codes of the flow data packet set $D_i$ to obtain the total number $S_{error}$ of data packets which cannot be accessed by the server;
step 5: associating $S_{post}$ and $S_{error}$, and detecting the state of the server for providing the HTTP service externally.
Preferably, in the step 2, T is 10 minutes.
Preferably, in step 3, the slow attack feature is a SlowHTTP POST feature.
Preferably, the step 3 comprises the steps of:
step 3.1: let t be 1;
step 3.2: if the request header of data packet $X_t$ meets the condition that the content length is greater than 5000 and the connection state is active, $X_t$ is assigned the value 1, otherwise it is assigned the value 0; let t = t + 1; if t is greater than m, proceed to the next step, otherwise repeat step 3.2;
step 3.3: all values assigned in step 3.2 to data packets with the same source IP are taken as the set $R_{srcIP}=\{r_1,r_2,r_3,\ldots,r_n\}$, where each value in $R_{srcIP}$ is the value assigned to the corresponding data packet;
step 3.4: the total number of data packets with the HTTP slow request attack characteristic is obtained as
[formula image not reproduced: $S_{post}$ is the sum of the values in $R_{srcIP}$]
Preferably, the step 4 comprises the steps of:
step 4.1: let t be 1;
step 4.2: if the return code of data packet $X_t$ is greater than or equal to 200 and less than 500, $X_t$ is assigned the value 0, otherwise it is assigned the value 1; let t = t + 1; if t is greater than m, proceed to the next step, otherwise repeat step 4.2;
step 4.3: all values assigned in step 4.2 to data packets with the same source IP are taken as the set $C_{srcIP}=\{c_1,c_2,c_3,\ldots,c_n\}$, where each value in $C_{srcIP}$ is the value assigned to the corresponding data packet;
step 4.4: the total number of data packets which cannot be accessed by the server is obtained as
[formula image not reproduced: $S_{error}$ is the sum of the values in $C_{srcIP}$]
Preferably, the step 5 comprises the steps of:
step 5.1: when $S_{post}$ is greater than 150, a security event $Event1_{srcIP}$ is generated;
step 5.2: when $S_{error}$ is greater than 100, a security event $Event2_{srcIP}$ is generated;
step 5.3: for each requesting party,
if $Event1_{srcIP}$ and $Event2_{srcIP}$ are generated at the same time, it is judged that the server cannot provide the service normally and is under an HTTP slow request DOS attack;
if only $Event1_{srcIP}$ is generated, it is judged that the requesting party tried to carry out an HTTP slow request DOS attack but caused no damage;
if only $Event2_{srcIP}$ is generated, it is judged that the server cannot provide the service normally;
if neither $Event1_{srcIP}$ nor $Event2_{srcIP}$ is generated, the server is normal.
The invention provides an optimized correlation detection method for HTTP slow request DOS attacks: the incoming flow data packets and outgoing flow data packets of a WEB server are collected and analyzed, an HTTP protocol data packet set $D_i$ is obtained by screening with T as the time unit, the slow attack characteristics and the return codes of the flow data packet set $D_i$ are analyzed, the total number $S_{post}$ of data packets with the slow attack characteristics and the total number $S_{error}$ of data packets which cannot be accessed by the server are respectively obtained and associated, and the state of the server for providing the HTTP service externally is detected.
The invention has the following beneficial effects:
(1) the method can quickly identify the data packet with the HTTP slow request characteristic, supports cold start, can give an alarm in time in the initial stage of attack initiation, and can stop loss in time before a security event occurs;
(2) by adopting a causal association method, when the server resource is detected to be exhausted and the service cannot be normally provided, whether the service is caused by HTTP slow request DOS attack or not is distinguished, the service error can be quickly responded, the detection accuracy is improved, and the false alarm is reduced;
(3) the method has the advantages of realizing quasi-real-time detection, having short statistical time window, realizing timely detection, realizing timely processing under the condition of large data volume, and avoiding excessive performance loss or calculation delay.
Detailed Description
The present invention is described in further detail with reference to the following examples, but the scope of the present invention is not limited thereto.
The invention relates to a correlation detection method for HTTP slow request DOS attacks: data packets are first collected and then analyzed, the set of data packets meeting the conditions is screened out, and calculation and association are performed to detect DoS attacks that make the server inaccessible by means of HTTP slow requests.
The method comprises the following steps.
Step 1: respectively collecting an incoming flow data packet and an outgoing flow data packet of the WEB server.
Step 2: analyzing the incoming flow data packet and the outgoing flow data packet, and screening with T as the time unit to obtain an HTTP protocol data packet set $D_i=\{X_1,X_2,X_3,\ldots,X_m\}$, where m is the number of data packets.
In the step 2, T is 10 minutes.
In the invention, the actual value of T can be analyzed and configured autonomously according to the actual situation by the technical personnel in the field.
Step 3: analyzing the slow attack characteristics of the flow data packet set $D_i$ to obtain the total number $S_{post}$ of data packets with the slow attack characteristics.
In the step 3, the slow attack feature is a slowHTTP POST feature.
The step 3 comprises the following steps:
step 3.1: let t be 1;
step 3.2: if the request header of data packet $X_t$ meets the condition that the content length is greater than 5000 and the connection state is active, $X_t$ is assigned the value 1, otherwise it is assigned the value 0; let t = t + 1; if t is greater than m, proceed to the next step, otherwise repeat step 3.2;
step 3.3: all values assigned in step 3.2 to data packets with the same source IP are taken as the set $R_{srcIP}=\{r_1,r_2,r_3,\ldots,r_n\}$, where each value in $R_{srcIP}$ is the value assigned to the corresponding data packet;
step 3.4: the total number of data packets with the HTTP slow request attack characteristic is obtained as
[formula image not reproduced: $S_{post}$ is the sum of the values in $R_{srcIP}$]
In the invention, the SlowHTTP POST characteristic is a slow attack characteristic. Under this characteristic, the request header generally matches ' ContentLength: [0-9] [0-9] [0-9] [0-9 ]? Keep-Alive', meaning that the attacker declares a large value in the content length of the data packet but keeps the connection alive and sends the remaining data at a very slow rate. A data packet with this characteristic is assigned the value 1, which serves as a count.
In the invention, the set of step 3.3 is the result calculated per source IP according to the method of step 3.2: within the time T, the results calculated according to step 3.2 for data packets with the same source IP are put into one set $R_{srcIP}$, so this set is the set of calculation results for the same source IP.
In the invention, the summation in step 3.4 adds together all the values of 1 in the set $R_{srcIP}$ to obtain the sum $S_{post}$.
Step 4: analyzing the return codes of the flow data packet set $D_i$ to obtain the total number $S_{error}$ of data packets which cannot be accessed by the server.
The step 4 comprises the following steps:
step 4.1: let t be 1;
step 4.2: if the return code of data packet $X_t$ is greater than or equal to 200 and less than 500, $X_t$ is assigned the value 0, otherwise it is assigned the value 1; let t = t + 1; if t is greater than m, proceed to the next step, otherwise repeat step 4.2;
step 4.3: all values assigned in step 4.2 to data packets with the same source IP are taken as the set $C_{srcIP}=\{c_1,c_2,c_3,\ldots,c_n\}$, where each value in $C_{srcIP}$ is the value assigned to the corresponding data packet;
step 4.4: the total number of data packets which cannot be accessed by the server is obtained as
[formula image not reproduced: $S_{error}$ is the sum of the values in $C_{srcIP}$]
In the invention, in step 4, when the server cannot be accessed, a large number of return codes appear that do not begin with 2, 3 or 4 as they do in normal access; therefore, when the return code is greater than or equal to 200 and less than 500, the value 0 is assigned to indicate normal, otherwise the value 1 is assigned to indicate an error and is used for counting.
In the invention, the set of step 4.3 is the result calculated per source IP according to the method of step 4.2: within the time T, the results calculated according to step 4.2 for data packets with the same source IP are put into one set $C_{srcIP}$, so this set is the set of calculation results for the same source IP.
In the invention, the summation in step 4.4 adds together all the values of 1 in the set $C_{srcIP}$ to obtain the sum $S_{error}$.
Step 5: associating $S_{post}$ and $S_{error}$, and detecting the state of the server for providing the HTTP service externally.
The step 5 comprises the following steps:
step 5.1: when $S_{post}$ is greater than 150, a security event $Event1_{srcIP}$ is generated;
step 5.2: when $S_{error}$ is greater than 100, a security event $Event2_{srcIP}$ is generated;
step 5.3: for each requesting party,
if $Event1_{srcIP}$ and $Event2_{srcIP}$ are generated at the same time, it is judged that the server cannot provide the service normally and is under an HTTP slow request DOS attack;
if only $Event1_{srcIP}$ is generated, it is judged that the requesting party tried to carry out an HTTP slow request DOS attack but caused no damage;
if only $Event2_{srcIP}$ is generated, it is judged that the server cannot provide the service normally;
if neither $Event1_{srcIP}$ nor $Event2_{srcIP}$ is generated, the server is normal.
The invention collects and analyzes the incoming flow data packets and outgoing flow data packets of the WEB server, obtains the HTTP protocol data packet set $D_i$ by screening with T as the time unit, analyzes the slow attack characteristics and the return codes of the flow data packet set $D_i$, respectively obtains and associates the total number $S_{post}$ of data packets with the slow attack characteristics and the total number $S_{error}$ of data packets which cannot be accessed by the server, and detects the state of the server for providing the HTTP service externally. The method can quickly identify data packets with the HTTP slow request characteristic, supports cold start, can give an alarm in time in the initial stage of an attack, and stops loss in time before a security event occurs; by adopting a causal association method, when server resources are detected to be exhausted and the service cannot be provided normally, it distinguishes whether this is caused by an HTTP slow request DOS attack, so the service error can be responded to quickly, detection accuracy is improved, and false alarms are reduced; the method achieves quasi-real-time detection with a short statistical time window, detects in time, processes large data volumes in time, and avoids excessive performance loss or calculation delay.
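Steps 2 to 5 above, run over a batch of parsed packets, as an added example that is not part of the patent text or the assignee's code. The `Packet` fields, the verdict strings and the sample traffic are assumptions of this example; requests and responses are modelled as separate records keyed by the requester's IP, and only records that carry a return code are scored in step 4.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

WINDOW_SECONDS = 600        # T = 10 minutes (step 2)
MIN_CONTENT_LENGTH = 5000   # step 3.2: declared content length must exceed this
S_POST_THRESHOLD = 150      # step 5.1
S_ERROR_THRESHOLD = 100     # step 5.2


@dataclass
class Packet:
    """One parsed HTTP packet; the field names are assumptions of this example."""
    ts: float                              # capture time in seconds
    client_ip: str                         # requester: source of a request, destination of a response
    content_length: Optional[int] = None   # request header (incoming packets only)
    connection: Optional[str] = None       # request header (incoming packets only)
    status: Optional[int] = None           # return code (outgoing packets only)


def slow_post_flag(p: Packet) -> int:
    """Step 3.2: 1 if the request declares a large body on a kept-alive connection."""
    if p.content_length is None or p.connection is None:
        return 0
    keep_alive = p.connection.strip().lower() == "keep-alive"
    return int(p.content_length > MIN_CONTENT_LENGTH and keep_alive)


def error_flag(p: Packet) -> int:
    """Step 4.2: 0 if 200 <= code < 500, otherwise 1. Taken literally, 1xx codes score 1."""
    if p.status is None:        # assumption: packets without a return code are not scored
        return 0
    return int(not 200 <= p.status < 500)


def detect(packets):
    """Steps 3 to 5: sum the flags per (window, client IP), then apply step 5.3."""
    s_post, s_error = defaultdict(int), defaultdict(int)
    for p in packets:
        key = (int(p.ts // WINDOW_SECONDS), p.client_ip)
        s_post[key] += slow_post_flag(p)
        s_error[key] += error_flag(p)
    verdicts = {}
    for key in s_post:
        event1 = s_post[key] > S_POST_THRESHOLD      # Event1_srcIP
        event2 = s_error[key] > S_ERROR_THRESHOLD    # Event2_srcIP
        if event1 and event2:
            verdicts[key] = "slow_request_dos"
        elif event1:
            verdicts[key] = "attempt_no_damage"
        elif event2:
            verdicts[key] = "service_unavailable"
        else:
            verdicts[key] = "normal"
    return verdicts


def build_sample():
    """Constructed traffic using documentation IP ranges, not real capture data."""
    pkts = []

    def add(ip, n, t0=0.0, **fields):
        pkts.extend(Packet(ts=t0 + i, client_ip=ip, **fields) for i in range(n))

    slow = dict(content_length=100000, connection="Keep-Alive")
    add("203.0.113.10", 160, **slow)     # Event1 ...
    add("203.0.113.10", 120, status=503) # ... and Event2 in the same window
    add("203.0.113.20", 151, **slow)     # Event1 only: responses are all 200
    add("203.0.113.20", 151, status=200)
    add("198.51.100.5", 101, status=502) # Event2 only
    add("192.0.2.7", 150, **slow)        # exactly 150 is not "more than 150"
    add("192.0.2.7", 3, t0=600.0, content_length=8000, connection="keep-alive")
    return pkts


if __name__ == "__main__":
    for (window, ip), verdict in sorted(detect(build_sample()).items()):
        print(window, ip, verdict)
```
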

Claims (5)

1. An association detection method for HTTP slow request DOS attacks, characterized in that the method comprises the following steps:
step 1: respectively collecting an incoming flow data packet and an outgoing flow data packet of a WEB server;
step 2: analyzing the incoming flow data packet and the outgoing flow data packet, and screening with T as the time unit to obtain an HTTP protocol data packet set $D_i=\{X_1,X_2,X_3,\ldots,X_m\}$, where m is the number of data packets;
step 3: analyzing the slow attack characteristics of the flow data packet set $D_i$ to obtain the total number $S_{post}$ of data packets with the slow attack characteristics;
step 4: analyzing the return codes of the flow data packet set $D_i$ to obtain the total number $S_{error}$ of data packets which cannot be accessed by the server;
step 5: associating $S_{post}$ and $S_{error}$, and detecting the state of the server for providing the HTTP service externally;
the step 5 comprises the following steps:
step 5.1: when $S_{post}$ is greater than 150, a security event $Event1_{srcIP}$ is generated;
step 5.2: when $S_{error}$ is greater than 100, a security event $Event2_{srcIP}$ is generated;
step 5.3: for each requesting party,
if $Event1_{srcIP}$ and $Event2_{srcIP}$ are generated at the same time, it is judged that the server cannot provide the service normally and is under an HTTP slow request DOS attack;
if only $Event1_{srcIP}$ is generated, it is judged that the requesting party tried to carry out an HTTP slow request DOS attack but caused no damage;
if only $Event2_{srcIP}$ is generated, it is judged that the server cannot provide the service normally;
if neither $Event1_{srcIP}$ nor $Event2_{srcIP}$ is generated, the server is normal.
2. The correlation detection method for the HTTP slow request DOS attack according to claim 1, characterized in that: in the step 2, T is 10 minutes.
3. The correlation detection method for the HTTP slow request DOS attack according to claim 1, characterized in that: in the step 3, the slow attack feature is a slowHTTP POST feature.
4. The correlation detection method for the HTTP slow request DOS attack according to claim 3, characterized in that: the step 3 comprises the following steps:
step 3.1: let t be 1;
step 3.2: if the request header of data packet $X_t$ meets the condition that the content length is greater than 5000 and the connection state is active, $X_t$ is assigned the value 1, otherwise it is assigned the value 0; let t = t + 1; if t is greater than m, proceed to the next step, otherwise repeat step 3.2;
step 3.3: all values assigned in step 3.2 to data packets with the same source IP are taken as the set $R_{srcIP}=\{r_1,r_2,r_3,\ldots,r_m\}$, where each value in $R_{srcIP}$ is the value assigned to the corresponding data packet;
step 3.4: the total number of data packets with the HTTP slow request attack characteristic is obtained as
[formula image not reproduced: $S_{post}$ is the sum of the values in $R_{srcIP}$]
5. The correlation detection method for the HTTP slow request DOS attack according to claim 1, characterized in that: the step 4 comprises the following steps:
step 4.1: let t be 1;
step 4.2: if the return code of data packet $X_t$ is greater than or equal to 200 and less than 500, $X_t$ is assigned the value 0, otherwise it is assigned the value 1; let t = t + 1; if t is greater than m, proceed to the next step, otherwise repeat step 4.2;
step 4.3: all values assigned in step 4.2 to data packets with the same source IP are taken as the set $C_{srcIP}=\{c_1,c_2,c_3,\ldots,c_m\}$, where each value in $C_{srcIP}$ is the value assigned to the corresponding data packet;
step 4.4: the total number of data packets which cannot be accessed by the server is obtained as
[formula image not reproduced: $S_{error}$ is the sum of the values in $C_{srcIP}$]

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811367329.6A CN109246157B (en) 2018-11-16 2018-11-16 Correlation detection method for HTTP slow request DOS attack

Publications (2)

Publication Number Publication Date
CN109246157A CN109246157A (en) 2019-01-18
CN109246157B true CN109246157B (en) 2021-03-02

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112948152B (en) * 2021-04-16 2022-10-18 深圳市今天国际物流技术股份有限公司 Method for processing layout data and calling interface service
CN114221813B (en) * 2021-12-16 2024-01-30 中国电信股份有限公司 HTTP slow attack detection method, system, equipment and storage medium

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102882880A (en) * 2012-10-10 2013-01-16 常州大学 Detection method and detection system of distributed denial of service (DDoS) attack aiming at domain name server (DNS) service
CN105553974A (en) * 2015-12-14 2016-05-04 中国电子信息产业集团有限公司第六研究所 Prevention method of HTTP slow attack
CN105577608A (en) * 2014-10-08 2016-05-11 腾讯科技(深圳)有限公司 Network attack behavior detection method and network attack behavior detection device

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9742798B2 (en) * 2015-03-16 2017-08-22 Cisco Technology, Inc. Mitigating neighbor discovery-based denial of service attacks

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant