CN109257390B - CC attack detection method and device and electronic equipment - Google Patents


Info

Publication number
CN109257390B
Authority
CN
China
Prior art keywords
window
preset
information entropy
sliding
request
Prior art date
Legal status
Active
Application number
CN201811430060.1A
Other languages
Chinese (zh)
Other versions
CN109257390A (en)
Inventor
张宁波
范渊
龙文洁
莫金友
Current Assignee
DBAPPSecurity Co Ltd
Original Assignee
DBAPPSecurity Co Ltd
Events
Application filed by DBAPPSecurity Co Ltd
Priority to CN201811430060.1A
Publication of CN109257390A
Application granted
Publication of CN109257390B
Legal status: Active
Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1458 Denial of Service
    • H04L1/00 Arrangements for detecting or preventing errors in the information received
    • H04L1/12 Arrangements for detecting or preventing errors in the information received by using return channel
    • H04L1/16 Arrangements for detecting or preventing errors in the information received by using return channel in which the return channel carries supervisory signals, e.g. repetition request signals
    • H04L1/18 Automatic repetition systems, e.g. Van Duuren systems
    • H04L1/1867 Arrangements specially adapted for the transmitter end
    • H04L1/187 Details of sliding window management
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/16 Threshold monitoring
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]

Abstract

The invention provides a CC attack detection method, device and electronic equipment, and relates to the technical field of network anomaly detection. The CC attack detection method comprises the following steps: setting the size of a count window (a sliding window defined by the number of requests) and the single sliding distance of the count window; sequentially calculating the information entropy value of the count window at each sliding position according to the count window setting; and if the information entropy value at any sliding position is smaller than a preset information entropy threshold value, judging that a CC attack occurs at that sliding position of the count window. Through the count window model and the information entropy algorithm, the method discovers abnormal network conditions more quickly and has stronger real-time detection capability; in addition, because the sliding window is defined in the dimension of the number of request accesses rather than in time, entropy differences caused by varying numbers of requests per unit time are avoided, and the detection result is more accurate.

Description

CC attack detection method and device and electronic equipment
Technical Field
The present invention relates to the field of CC attack detection, and in particular, to a method, an apparatus, a system, and an electronic device for detecting a CC attack.
Background
A CC (Challenge Collapsar) attack is an attack method aimed at application-layer web services. The purpose of a CC attack is to cause denial of service by exhausting server resources.
The principle of a CC attack is not complex: it exploits weaknesses of the application layer. Poorly performing data queries, badly structured program execution, and functions that consume comparatively large amounts of resources in a website may all be targets of CC attacks. For example, the search function of a forum consumes a lot of database query time and system resources. By calling the search function frequently, an attacker prevents the server from completing the accumulated query requests and releasing their resources, so that database connections pile up, the database blocks, and the website cannot be opened normally.
At present, the existing methods for detecting CC attacks mainly include the following:
1. Cookie authentication is used to detect the CC attack; its defect is that improved attack behavior cannot be identified.
2. Detection through the HTTP_X_FORWARDED_FOR variable; its disadvantage is that it is not suitable for detecting attacks launched through a proxy server that does not send the HTTP_X_FORWARDED_FOR variable.
3. Detection through access request redirection; its defects are that attacks using attack software capable of responding to a page redirection instruction cannot be detected, and misjudgment is easily caused.
4. Detection through a threshold value, such as a mean and standard deviation model, which cannot detect complex and diverse CC attacks; the Markov transition state model is suited to the case where the variable is not a continuous parameter, and cannot obtain an effective result when the samples are discrete values.
In summary, the existing detection methods for CC attacks either fail to identify the attack or have a low identification rate.
Disclosure of Invention
In view of this, the present invention provides a method and an apparatus for detecting a CC attack, and an electronic device, so as to alleviate or partially alleviate the technical problem that the CC attack cannot be identified, or is identified at a low rate, in the prior art.
In a first aspect, an embodiment of the present invention provides a method for detecting a CC attack, including:
setting the size of a count window (a sliding window defined by the number of requests) and the single sliding distance of the count window;
sequentially calculating the information entropy value of the count window at each sliding position according to the count window setting;
and if the information entropy value at any sliding position is smaller than a preset information entropy threshold value, judging that a CC attack occurs at that sliding position of the count window.
In combination with the first aspect, an embodiment of the present invention provides a first possible implementation manner of the first aspect, wherein
sequentially calculating the information entropy value of the count window at each sliding position according to the count window setting comprises the following steps:
for each sliding position:
acquiring the request count of each class of URL request within the size range of the count window;
calculating the occurrence probability of each class of URL request within the count window according to the count window size and the request count of each class;
and calculating the information entropy value of the count window based on the occurrence probabilities of the URL request classes.
With reference to the first possible implementation manner of the first aspect, an embodiment of the present invention provides a second possible implementation manner of the first aspect, where the occurrence probability of each class of URL request within the count window is calculated by the following equation:
$P_i = T_i / A$
where $P_i$ denotes the occurrence probability of the i-th class of URL request, $T_i$ denotes the request count of the i-th class of URL request, and $A$ denotes the count window size.
With reference to the second possible implementation manner of the first aspect, an embodiment of the present invention provides a third possible implementation manner of the first aspect, where the information entropy value of the count window at each sliding position is calculated from the occurrence probabilities of the URL request classes by the following equation:
$H = -\sum_{i=1}^{n} P_i \log P_i$
where $H$ denotes the information entropy value, $P_i$ denotes the occurrence probability of the i-th class of URL request, and $i = 1, 2, \ldots, n$ with $n$ the number of URL request classes.
With reference to the first possible implementation manner of the first aspect, an embodiment of the present invention provides a fourth possible implementation manner of the first aspect, where acquiring the request count of each class of URL request within the size range of the count window includes:
acquiring the site URLs of all resources that can be requested from the server, the sites comprising static sites and dynamic sites;
classifying the URLs that request any static site page into a single class of static page URL request, and classifying the URLs that request the same dynamic site page into one class of dynamic page URL request;
and counting each class of URL request within the size range of the count window to obtain the request count of each class.
With reference to the first aspect, an embodiment of the present invention provides a fifth possible implementation manner of the first aspect, where the method further includes:
constructing a sliding window mechanism based on request counts, and acquiring the preset information entropy threshold value from that sliding window mechanism.
With reference to the fifth possible implementation manner of the first aspect, an embodiment of the present invention provides a sixth possible implementation manner of the first aspect, where constructing the sliding window mechanism based on request counts and acquiring the preset information entropy threshold value from it includes:
acquiring the preset request count of the server during a period of normal access;
setting a preset count window size and a preset single sliding distance according to the preset request count;
sequentially calculating the information entropy values of the preset count window at a plurality of sliding positions according to the preset count window size and the preset single sliding distance;
and comparing the information entropy values of the preset count window at the plurality of sliding positions, and setting the minimum of these values as the preset information entropy threshold value.
With reference to the sixth possible implementation manner of the first aspect, an embodiment of the present invention provides a seventh possible implementation manner of the first aspect, where sequentially calculating the information entropy values of the preset count window at a plurality of sliding positions according to the preset count window size and the preset single sliding distance includes:
at the first sliding position, calculating the information entropy value of the preset count window over its window size;
sliding the preset count window by one preset single sliding distance so that it is located at a second sliding position, and calculating the information entropy value of the preset count window at the second sliding position;
and continuing in the same way to obtain the information entropy values of the preset count window at the plurality of sliding positions.
In a second aspect, an embodiment of the present invention further provides a device for detecting a CC attack, where the device includes:
a setting module, used for setting the count window size and the single sliding distance of the count window;
a calculating module, used for sequentially calculating the information entropy value of the count window at each sliding position according to the count window setting;
and a detection module, used for judging that a CC attack occurs at a sliding position of the count window if the information entropy value at that sliding position is smaller than the preset information entropy threshold value.
In a third aspect, an embodiment of the present invention further provides an electronic device, which includes a memory and a processor, where the memory stores a computer program that is executable on the processor, and the processor implements the steps of the foregoing method when executing the computer program.
In a fourth aspect, the present invention also provides a computer readable medium having a non-volatile program code executable by a processor, where the program code causes the processor to execute the steps of the method described above.
The embodiments of the invention have the following beneficial effects. The embodiments provide a detection method, a detection device, electronic equipment and a computer readable medium for CC attacks, where the detection method comprises: setting the size of a count window and the single sliding distance of the count window; sequentially calculating the information entropy value of the count window at each sliding position according to the count window setting; and if the information entropy value at any sliding position is smaller than a preset information entropy threshold value, judging that a CC attack occurs at that sliding position of the count window. In the technical scheme of the embodiments, therefore, a sliding window defined by the request count (the count window) is adopted, the information entropy value of the configured count window is calculated at each sliding position, and the entropy value at each position is compared with the preset information entropy threshold value to judge whether a CC attack occurs, which addresses the prior-art problem that CC attacks cannot be identified or are identified at a low rate. Through the count window model and the information entropy algorithm, the method discovers abnormal network conditions more quickly and has stronger real-time detection capability; in addition, because the sliding window is defined in the dimension of the number of request accesses rather than in time, entropy differences caused by varying numbers of requests per unit time are avoided, and the detection result is more accurate.
Additional features and advantages of the invention will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by practice of the invention. The objectives and other advantages of the invention will be realized and attained by the structure particularly pointed out in the written description and claims hereof as well as the appended drawings.
In order to make the aforementioned and other objects, features and advantages of the present invention comprehensible, preferred embodiments accompanied with figures are described in detail below.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and other drawings can be obtained by those skilled in the art without creative efforts.
Fig. 1 is a flowchart of a CC attack detection method according to an embodiment of the present invention;
fig. 2 is a flowchart of another CC attack detection method according to an embodiment of the present invention;
fig. 3 is a flowchart of a third CC attack detection method according to an embodiment of the present invention;
fig. 4 is a schematic diagram of a sliding window mechanism based on request counts according to an embodiment of the present invention;
fig. 5 is a schematic diagram of a detection apparatus for CC attack according to an embodiment of the present invention;
fig. 6 is a schematic diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
To make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions of the present invention will be clearly and completely described below with reference to the accompanying drawings, and it is apparent that the described embodiments are some, but not all embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
At present, the existing CC attack detection methods mainly include the following:
1. Cookie authentication is used to detect the CC attack; its defect is that improved attack behavior cannot be identified.
2. Detection through the HTTP_X_FORWARDED_FOR variable; its disadvantage is that it is not suitable for detecting attacks launched through a proxy server that does not send the HTTP_X_FORWARDED_FOR variable.
3. Detection through access request redirection; its defects are that attacks using attack software capable of responding to a page redirection instruction cannot be detected, and misjudgment is easily caused.
4. Detection through a threshold value, such as a mean and standard deviation model, which cannot detect complex and diverse CC attacks; the Markov transition state model is suited to the case where the variable is not a continuous parameter, and cannot obtain an effective result when the samples are discrete values. The conventional detection methods for CC attacks therefore either fail to identify the attack or identify it at a low rate. Based on this, the detection method, detection device and electronic device for CC attacks provided by the embodiments of the present invention can alleviate or partially alleviate this technical problem, discover abnormal network conditions more quickly, and provide stronger real-time detection capability.
To facilitate understanding of the present embodiment, first, a method for detecting a CC attack disclosed in the embodiment of the present invention is described in detail.
Embodiment one:
As shown in fig. 1, an embodiment of the present invention provides a method for detecting a CC attack, applied in the field of network CC attack detection. The CC attack detection method comprises the following steps:
Step S101, setting the size of a count window and the single sliding distance of the count window;
The count window here means a sliding window defined by the number of requests; that is, both the count window size and the single sliding distance are expressed as numbers of requests, and the count window size (its range) is characterized by the window width. The count window size and the single sliding distance of the count window are together referred to as the window parameters of the count window.
Step S102, sequentially calculating the information entropy value of the count window at each sliding position according to the count window setting;
Specifically, the information entropy value of the count window at each successive sliding position is calculated in turn according to the window parameters of the configured count window.
Step S103, if the information entropy value at any sliding position is smaller than the preset information entropy threshold value, judging that a CC attack occurs at that sliding position of the count window.
Under normal access conditions, the resources requested by clients show a relatively high degree of randomness. When a CC attack occurs, the server receives a large number of request messages for the same resource, and the randomness of the access behavior differs markedly from that of normal access behavior. Information entropy is a measure of the degree of randomness of information, so a CC attack can be discovered by measuring the information entropy of the resources requested at the server side.
When a CC attack occurs, the randomness of the URLs requested from the server changes abruptly, the information entropy value changes abruptly (drops sharply) and falls clearly below the set threshold value, and from this it is judged that the server system is under CC attack.
Specifically, the information entropy value of the count window at each sliding position is compared in turn with the preset information entropy threshold value to judge whether it satisfies the threshold condition (is smaller than the preset information entropy threshold value), producing a comparison result; whether a CC attack occurs in that access phase is then judged from the comparison result: if the condition is met, a CC attack is judged to occur in the count window at that sliding position, and if not, no CC attack is judged to occur in the count window at that sliding position.
The CC attack detection method provided by this embodiment thus comprises: setting the size of a count window and the single sliding distance of the count window; sequentially calculating the information entropy value of the count window at each sliding position according to the count window setting; and if the information entropy value at any sliding position is smaller than the preset information entropy threshold value, judging that a CC attack occurs at that sliding position of the count window. In the technical scheme of this embodiment, therefore, a sliding window defined by the request count (the count window) is adopted, the information entropy value of the configured count window is calculated at each sliding position, and the entropy value at each position is compared with the preset information entropy threshold value to judge whether a CC attack occurs, which addresses the prior-art problem that CC attacks cannot be identified or are identified at a low rate. Through the count window model and the information entropy algorithm, the method discovers abnormal network conditions more quickly and has stronger real-time detection capability; in addition, because the sliding window is defined in the dimension of the number of request accesses rather than in time, entropy differences caused by varying numbers of requests per unit time are avoided, and the detection result is more accurate.
Embodiment two:
As shown in fig. 2, an embodiment of the present invention provides another CC attack detection method, applied in the field of network CC attack detection. The CC attack detection method comprises the following steps:
Step S201, constructing a sliding window mechanism based on request counts, and obtaining the preset information entropy threshold value from that sliding window mechanism.
The sliding window mechanism may be established by machine learning; it should be noted that the preset information entropy threshold value may be adjusted and optimized according to actual operating conditions.
Specifically, step S201 includes the following steps:
1. Acquiring the preset request count during a period of normal access;
First, ensure that the server (or system) under observation is in a normal access condition; then acquire the preset request count M of the server during the normal access period, and use this preset request count M as the window size for constructing the preset count window.
Specifically, step 1 includes:
1.1 counting the total number of URL requests received by the system over a period (for example, 1 week) under normal access conditions;
1.2 calculating the number of requests per preset interval (for example, every 2 hours) within the counted period (the 1 week);
1.3 setting the number of requests per preset interval (every 2 hours) as the preset request count M.
2. Setting the preset count window size and the preset single sliding distance according to the preset request count: the preset count window size is set to the preset request count M, and the preset single sliding distance is set to M/C, where 2 < C < 15 and C is an integer;
3. Sequentially calculating the information entropy values of the preset count window at a plurality of sliding positions according to the preset count window size and the preset single sliding distance;
The number of sliding positions can be set according to actual operating requirements, for example to B, where B is an integer greater than 1;
Specifically, step 3 is performed as follows:
3.1 at the first sliding position, calculating the information entropy value of the preset count window over its window size;
3.2 sliding the preset count window by one preset single sliding distance so that it is located at a second sliding position, and calculating the information entropy value of the preset count window at the second sliding position;
For example, the preset count window may be divided into several sub-windows according to the preset single sliding distance; when the window slides by the preset single sliding distance, the URL request data of the first sub-window is discarded and new URL request data amounting to one preset single sliding distance is appended, so that the size of the preset count window stays unchanged.
Sliding the preset count window by the preset single sliding distance again so that it is located at a third sliding position, and calculating the information entropy value of the preset count window at the third sliding position;
and continuing in the same way to obtain the information entropy values of the preset count window at the plurality of sliding positions.
It should be noted that the information entropy values of the preset count window at the multiple sliding positions are obtained with the entropy formula used in this embodiment,
$H = -\sum_{i=1}^{n} P_i \log P_i$
where $P_i = T_i / A$, $P_i$ denotes the occurrence probability of the i-th class of URL request, $T_i$ denotes the request count of the i-th class of URL request, and $A$ denotes the window size (since this is the learning phase, $A$ here is the preset count window size). This is discussed in detail below.
4. Comparing the information entropy values of the preset count window at the plurality of sliding positions, and setting the minimum of these values as the preset information entropy threshold value.
Step S202, setting the size of the count window and the single sliding distance of the count window;
The count window size (here mainly meaning the range width) is set to M/D, where D is an integer smaller than C; the single sliding distance is set to M/E, where E = C × D.
It should be noted that the preset count window size is M, the preset single sliding distance is M/C, the count window size (here mainly meaning the range width) is M/D, and the single sliding distance is M/E; the relation between the preset count window and the count window satisfies the following conditions:
[relation given as a figure in the original; not reproduced here]
Step S203, sequentially calculating the information entropy value of the frequency window at each sliding position according to the frequency window setting;
specifically, step S203 mainly includes the following steps:
for each sliding position:
Step S2031, acquiring the request count of each type of URL request within the size range of the frequency window;
where the URL requests include static page URL requests and dynamic page URL requests;
specifically, the URL requests comprise one type of static page URL request and one or more types of dynamic page URL request; the request count is also referred to as the number of requests.
Step S2031 is performed as follows:
1. Acquire the site URLs of all resources that can be requested; the sites comprise static sites and dynamic sites.
Specifically, all site URLs of the resources the server can serve are counted, and they are divided into dynamic sites and static sites.
The site URLs are obtained by capturing and parsing the server's traffic; for example, the packets of external access requests are captured with a packet capture tool, and the site URL addresses are obtained by parsing them.
2. Classify the URLs requesting any static site page into the single class of static page URL requests, and classify the URLs requesting the same dynamic site page into one class of dynamic page URL request.
Specifically, the URL addresses of the received packets are classified: the parsed URLs requesting any static site page are put into one class, and the URLs requesting the same dynamic site page are put into one class. Thus there is only one class of static page URL request, while dynamic page URL requests form multiple classes (one per dynamic page).
3. Count the URL requests of each type within the size range of the frequency window to obtain the request count of each type of URL request.
Specifically, the URL requests of each type that fall within the frequency window are counted, giving the request count T_i of each type.
Step S2032, calculating the occurrence probability of each type of URL request within the frequency window according to the frequency window size and the request count of each type of URL request;
specifically, the occurrence probability of each type of URL request within the frequency window is calculated with the following formula:
P_i = T_i / A
where P_i is the occurrence probability of the i-th type of URL request, T_i is the request count of the i-th type of URL request, and A is the window size; since this is the detection phase, A here takes the size of the detection frequency window (M/D), so that the P_i sum to 1.
Step S2033, calculating the information entropy value of the frequency window based on the occurrence probabilities of the URL request types.
Specifically, the information entropy value of the frequency window at each sliding position is calculated from the occurrence probabilities of the URL request types with the following formula:
H = -Σ_{i=1}^{n} P_i · log P_i
where H is the information entropy value and P_i is the occurrence probability of the i-th type of URL request, i = 1, 2, …, n.
It should be noted that in other embodiments, the acquisition of all site URLs that can be requested may take place before any other step, for example before detection step S201 or before step S202.
Step S204, if the information entropy value at any sliding position is smaller than the preset information entropy threshold, judging that a CC attack occurs at that sliding position of the frequency window.
For example, if the information entropy value of the frequency window at a certain sliding position is smaller than the preset information entropy threshold, it is determined that the data at that sliding position has changed abruptly and a CC attack is occurring.
In a specific implementation, the size of the frequency window is kept unchanged, the window is slid step by step by the single sliding distance, and the information entropy of the window at each sliding position is calculated. First the entropy of the window at its initial sliding position (before any slide) is calculated and compared with the preset threshold; if there is no abnormality (the threshold condition is not met), the window is slid once by the single sliding distance, the entropy after the slide is calculated and compared with the preset threshold again, and so on. If an abnormality occurs (the threshold condition is met), the frequency window is judged to be under CC attack at that sliding position.
Example three:
As shown in fig. 3, an embodiment of the present invention provides a third method for detecting a CC attack, including:
Step S301: count all site URLs that can be requested from the server, divide them into dynamic sites and static sites, classify the URLs requesting any static site page into one class, and classify the URLs requesting the same dynamic site page into one class.
For ease of understanding, take the XX official web application server as an example: a packet capture tool captures and parses the packets of external access requests, and the URL addresses of the received request messages are classified as follows:
the home page address is http://www.dbappsecurity.com.cn/index.aspx, and the dynamic page name index.aspx forms one class; the product page is http://www.dbappsecurity.com.cn/pro_main.aspx?id=xxxxxxxx, and the dynamic page name pro_main.aspx forms one class; the solution page is http://www.dbappsecurity.com.cn/case_main.aspx?typeid=xxxxxx, and the dynamic page name case_main.aspx forms one class; and so on, so that multiple types of URL request are obtained.
Note that the site URLs are obtained by capturing the server traffic (packets) and parsing it.
Step S301 implements the classification of the visited sites, so that the subsequent counting can compute the information entropy value.
Step S302: let the total number of URL requests counted at one time be A and the request count of the i-th type of URL request be T_i; the occurrence probability of that URL request type among all requests is then calculated by the formula P_i = T_i / A, and for all i types of URL request the formula
H = -Σ_{i=1}^{n} P_i · log P_i
gives the information entropy of the A counted URL requests.
Step S302 thus fixes the information entropy calculation formula.
Step S303: count all URL requests to the system during 1 week of normal access, and compute the average request count M per 2 hours over that week;
it should be noted that M is made as large as possible to reduce the random access error (that is, to avoid the case where the number of access requests is particularly large in one period and particularly small in another); for example, M may be 100 or 1000. Likewise, the 1-week duration and the 2-hour period can be set according to operational requirements.
Step S304: establish a sliding window mechanism based on request count, and set the information entropy threshold;
the method establishes a sliding window mechanism based on request count for training and learning: the information entropy of M consecutive URL requests is calculated at stage T1 (corresponding to the first sliding position); the URL data of the earliest M/C consecutive requests is removed and M/C new URL requests are added for stage T2 (corresponding to the second sliding position), whose entropy is calculated; by analogy the entropy values of stages T1 to T5 are obtained, and the minimum of them is set as the lower-limit threshold of information entropy.
Specifically, referring to fig. 4, the window width of the preset frequency window is set to M and the preset single sliding distance to M/10 (i.e., C is 10), and a sliding window mechanism based on request count is established from the request count M. At stage T1, corresponding to the first sliding position, the information entropy of M consecutive requests (the preset window width) is calculated; after one slide by the single sliding distance, the entropy of stage T2, corresponding to the second sliding position, is calculated, i.e., the URL data of the earliest M/10 consecutive requests is removed, the URL data of M/10 new requests is added, and the entropy is recomputed. By analogy the entropy values of stages T1 to T5 are obtained (B is 5), and the minimum is set as the information entropy threshold.
Steps S303 and S304 thus construct the sliding window mechanism through learning and obtain the information entropy threshold.
Step S305: set the window parameters of the frequency window, detect the accessed condition of the system based on those parameters, and compute the information entropy value of each stage;
the method comprises: setting the range width of the sliding window to M/D and the single sliding distance to M/E, detecting the accessed condition of the system, and computing the information entropy value of each stage.
When normal users access the system, the dynamic pages they click are highly random, so the entropy computed by the formula
H = -Σ_{i=1}^{n} P_i · log P_i
is a relatively stable and large value; when a certain dynamic page is under CC attack, a large number of requests target the same type of page, the randomness of access drops sharply, and the computed information entropy drops sharply as well.
Specifically, the sliding window width of the frequency window is set to M/2 (i.e., D is 2) and the single sliding distance to M/20 (i.e., E is 20); the accessed condition of the system is detected and the information entropy value of each stage is obtained. The entropy calculation is the same as in the foregoing embodiments and is not repeated here.
Step S305 achieves quasi-real-time detection of the system and improves the real-time performance of detection.
Step S306: compare the actually detected information entropy value with the information entropy threshold; when the entropy value is smaller than the threshold, judge that the system is under CC attack.
The method of this embodiment finds network abnormalities more quickly and has stronger real-time detection capability; because the sliding window is defined in the dimension of request count rather than time, entropy differences caused by different request volumes per unit time are avoided, which makes the detection result more accurate.
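The whole pipeline of Examples two and three, as an added Python example that is not code from the patent or from DBAPPSecurity: URL classification into one static class and one class per dynamic page (S301/S2031), P_i = T_i / A and the entropy formula over a request-count window (S302/S2032/S2033), threshold learning over stages T1 to T5 with width M and slide M/10 (S303/S304), and detection with width M/2 and slide M/20 (S305/S306). The hostname and the dynamic page names index.aspx, pro_main.aspx and case_main.aspx come from the patent's example; the static-extension list, the extra pages, the access weights, the seeded traffic generator, the choice of M = 200 and the use of log base 2 are assumptions made for the demonstration.

```python
import math
import random
from collections import Counter
from urllib.parse import urlparse

# Assumption: which file extensions count as "static site" resources.
STATIC_EXTENSIONS = {".css", ".js", ".png", ".jpg", ".gif", ".ico", ".woff"}


def classify_url(url):
    """Step S301 / S2031: map a requested URL to its request class.

    Every static resource falls into the single class "static"; each dynamic
    page (path with the query string dropped, e.g. "/pro_main.aspx") is its
    own class, as in the patent's pro_main.aspx?id=... example.
    """
    path = urlparse(url).path or "/"
    name = path.rsplit("/", 1)[-1]
    ext = ("." + name.rsplit(".", 1)[-1]).lower() if "." in name else ""
    return "static" if ext in STATIC_EXTENSIONS else path


def entropy(classes):
    """Steps S2032 / S2033: P_i = T_i / A and H = -sum(P_i * log P_i).

    A is the number of requests in the window, so the P_i sum to 1.
    Log base 2 is an assumption; the patent does not fix the base.
    """
    a = len(classes)
    counts = Counter(classes)
    return -sum((t / a) * math.log2(t / a) for t in counts.values())


def window_entropies(classes, width, step):
    """Entropy at every sliding position of a request-count window.

    The window covers `width` consecutive requests and advances by `step`
    requests (not by time), so A is constant across positions.
    """
    return [entropy(classes[start:start + width])
            for start in range(0, len(classes) - width + 1, step)]


def learn_threshold(normal_classes, m, c=10, positions=5):
    """Steps S303 / S304: preset window width M, slide M/C, entropy at the
    stages T1..T5 over normal traffic; the minimum becomes the threshold."""
    values = window_entropies(normal_classes, m, m // c)[:positions]
    return min(values)


def detect(classes, m, threshold, d=2, e=20):
    """Steps S305 / S306: detection window width M/D, slide M/E; every
    position whose entropy falls below the learned threshold is reported as
    (position index, entropy)."""
    width, step = m // d, m // e
    return [(i, round(h, 3))
            for i, h in enumerate(window_entropies(classes, width, step))
            if h < threshold]


# Constructed sample site: hostname and dynamic page names follow the patent's
# example; the extra pages and the access weights are assumptions.
HOST = "http://www.dbappsecurity.com.cn"
PAGES = ["/index.aspx", "/pro_main.aspx?id=1", "/case_main.aspx?typeid=2",
         "/news.aspx", "/static/app.css", "/static/logo.png"]
WEIGHTS = [5, 3, 2, 2, 3, 1]


def make_traffic(n, seed):
    """Constructed normal traffic: n requests drawn with the weights above."""
    rng = random.Random(seed)
    return [classify_url(HOST + p) for p in rng.choices(PAGES, WEIGHTS, k=n)]


def run_demo(m=200, c=10, d=2, e=20):
    """Learn the threshold from normal traffic, then scan a stream in which
    300 consecutive requests all hit /index.aspx (a constructed CC burst)."""
    normal = make_traffic(m + 4 * (m // c), seed=1)   # exactly T1..T5 positions
    threshold = learn_threshold(normal, m, c)
    stream = make_traffic(150, seed=2) + ["/index.aspx"] * 300 + make_traffic(150, seed=3)
    alarms = detect(stream, m, threshold, d, e)
    return {"threshold": round(threshold, 3), "alarms": alarms}


if __name__ == "__main__":
    result = run_demo()
    print("learned threshold:", result["threshold"])
    print("positions below threshold:", result["alarms"])
```

Every window that lies entirely inside the burst contains a single class, so its entropy is exactly 0 and is flagged; the windows that straddle the burst boundary are flagged as soon as the burst dominates them. Two points the patent leaves open matter when tuning this on real traffic: the detection window (M/D requests) is narrower than the learning window (M requests), so its entropy has more spread, and a threshold taken as the minimum over only five learning positions can then fire on legitimate traffic; and a URL class never seen during learning contributes nothing to the threshold. A larger M and more learning positions reduce both effects.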
Example four:
as shown in fig. 5, an embodiment of the present invention further provides a device for detecting a CC attack, which is applied to CC attack detection of a server, and includes a setting module 10, a calculating module 20, and a detecting module 30.
The setting module 10 is used for setting the size of the frequency window and the single sliding distance of the frequency window;
the calculating module 20 is configured to sequentially calculate the information entropy value of the frequency window at each sliding position according to the frequency window setting;
specifically, for each sliding position, the calculating module 20 is configured to obtain the request count of each type of URL request within the size range of the frequency window; to calculate the occurrence probability of each type of URL request within the frequency window according to the frequency window size and the request counts; and to calculate the information entropy value of the frequency window based on those occurrence probabilities.
The occurrence probability of each type of URL request within the frequency window is calculated with the following formula:
P_i = T_i / A
where P_i is the occurrence probability of the i-th type of URL request, T_i is the request count of the i-th type of URL request, and A is the frequency window size.
The information entropy value of the frequency window at each sliding position is calculated from the occurrence probabilities of the URL request types with the following formula:
H = -Σ_{i=1}^{n} P_i · log P_i
where H is the information entropy value and P_i is the occurrence probability of the i-th type of URL request, i = 1, 2, …, n.
The detection module 30 is configured to judge that a CC attack occurs at a sliding position of the frequency window if the information entropy value at that sliding position is smaller than the preset information entropy threshold.
Further, the apparatus further comprises:
and the building module 40 is configured to build a sliding window mechanism based on the number of requests, and obtain a preset information entropy threshold based on the sliding window mechanism.
Specifically, the building module 40 is configured to obtain a preset number of request times during a normal access period; setting a preset frequency window size and a preset single sliding distance according to the preset request frequency; sequentially calculating information entropy values of the preset times window at a plurality of sliding positions according to the size of the preset times window and the preset single sliding distance; and comparing the information entropy values of the preset times window at a plurality of sliding positions, and setting the minimum value of the information entropy values of the plurality of sliding positions as a preset information entropy threshold value.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working process of the apparatus described above may refer to the corresponding process in the foregoing method embodiment, and is not described herein again.
The CC attack detection apparatus provided in the embodiment of the present invention has the same technical features as the CC attack detection method provided in the above embodiment, so that the same technical problems can be solved, and the same technical effects can be achieved.
In all examples shown and described herein, any particular value should be construed as merely exemplary, and not as a limitation, and thus other examples of example embodiments may have different values.
It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, it need not be further defined and explained in subsequent figures.
The device provided by the embodiment of the present invention has the same implementation principle and technical effect as the method embodiments, and for the sake of brief description, reference may be made to the corresponding contents in the method embodiments without reference to the device embodiments.
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The embodiment of the present invention further provides an electronic device, which includes a memory, a processor, and a computer program stored in the memory and capable of running on the processor, and the processor implements the steps of the method for detecting CC attack when executing the computer program.
Specifically, referring to fig. 6, an electronic device 100 provided in an embodiment of the present invention includes: a processor 40, a memory 41, a bus 42 and a communication interface 43, wherein the processor 40, the communication interface 43 and the memory 41 are connected through the bus 42; the processor 40 is arranged to execute executable modules, such as computer programs, stored in the memory 41.
The Memory 41 may include a high-speed Random Access Memory (RAM) and may also include a non-volatile Memory (non-volatile Memory), such as at least one disk Memory. The communication connection between the network element of the system and at least one other network element is realized through at least one communication interface 43 (which may be wired or wireless), and the internet, a wide area network, a local network, a metropolitan area network, etc. may be used.
The bus 42 may be an ISA bus, PCI bus, EISA bus, or the like. The bus may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one double-headed arrow is shown in FIG. 6, but that does not indicate only one bus or one type of bus.
The memory 41 is used for storing a program, the processor 40 executes the program after receiving an execution instruction, and the method executed by the apparatus defined by the flow process disclosed in any of the foregoing embodiments of the present invention may be applied to the processor 40, or implemented by the processor 40.
The processor 40 may be an integrated circuit chip having signal processing capabilities. In implementation, the steps of the above method may be performed by integrated logic circuits of hardware or instructions in the form of software in the processor 40. The Processor 40 may be a general-purpose Processor, and includes a Central Processing Unit (CPU), a Network Processor (NP), and the like; the device can also be a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field-Programmable Gate Array (FPGA), or other Programmable logic devices, discrete Gate or transistor logic devices, discrete hardware components. The various methods, steps and logic blocks disclosed in the embodiments of the present invention may be implemented or performed. A general purpose processor may be a microprocessor or the processor may be any conventional processor or the like. The steps of the method disclosed in connection with the embodiments of the present invention may be directly implemented by a hardware decoding processor, or implemented by a combination of hardware and software modules in the decoding processor. The software module may be located in ram, flash memory, rom, prom, or eprom, registers, etc. storage media as is well known in the art. The storage medium is located in a memory 41, and the processor 40 reads the information in the memory 41 and completes the steps of the method in combination with the hardware thereof.
The embodiment of the present invention further provides a computer-readable storage medium, where a computer program is stored on the computer-readable storage medium, and when the computer program is executed by a processor, the steps of the method for detecting a CC attack are executed.
The computer program product for performing the method for detecting a CC attack provided in the embodiment of the present invention includes a computer-readable storage medium storing a nonvolatile program code executable by a processor, where instructions included in the program code may be used to execute the method described in the foregoing method embodiment, and specific implementation may refer to the method embodiment, which is not described herein again.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
Finally, it should be noted that: the above-mentioned embodiments are only specific embodiments of the present invention, which are used for illustrating the technical solutions of the present invention and not for limiting the same, and the protection scope of the present invention is not limited thereto, although the present invention is described in detail with reference to the foregoing embodiments, those skilled in the art should understand that: any person skilled in the art can modify or easily conceive the technical solutions described in the foregoing embodiments or equivalent substitutes for some technical features within the technical scope of the present disclosure; such modifications, changes or substitutions do not depart from the spirit and scope of the embodiments of the present invention, and they should be construed as being included therein. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (4)

1. A method for detecting CC attack is characterized by comprising the following steps:
setting the size of a frequency window and the single sliding distance of the frequency window;
sequentially calculating the information entropy value of the frequency window at each sliding position according to the frequency window setting;
if the information entropy value of any sliding position is smaller than a preset information entropy threshold value, judging that the CC attack occurs in that sliding position of the frequency window;
wherein the sequentially calculating the information entropy value of the frequency window at each sliding position according to the frequency window setting comprises:
for each slide position:
acquiring the request times of various URL requests of the times window in the size range of the times window;
calculating to obtain the occurrence probability of various URL requests within the range of the times window size according to the times window size and the request times of various URL requests;
calculating the information entropy value of the frequency window based on the occurrence probability of various URL requests;
wherein the occurrence probability of various URL requests within the size range of the frequency window is calculated by the following formula:
P_i = T_i / A
wherein P_i represents the occurrence probability of the i-th type URL request, T_i represents the request times of the i-th type URL request, and A represents the frequency window size;
the acquiring the request times of various URL requests of the times window in the size range of the times window comprises the following steps:
acquiring site URLs of all resources which can be requested; the sites comprise static sites and dynamic sites;
classifying URLs requesting all static site pages into static page URL requests, and classifying URLs requesting the same dynamic site page into a dynamic page URL request;
counting various URL requests within the size range of the frequency window to obtain the request frequency of various URL requests;
the information entropy value of the frequency window at each sliding position is calculated based on the occurrence probability of various URL requests by using the following formula:
H = -Σ_{i=1}^{n} P_i · log P_i
wherein H represents the information entropy value and P_i represents the occurrence probability of the i-th type URL request;
wherein the method further comprises:
constructing a sliding window mechanism based on the request times, and acquiring a preset information entropy threshold value based on the sliding window mechanism;
the constructing of the sliding window mechanism based on the request times and the obtaining of the preset information entropy threshold based on the sliding window mechanism comprise:
acquiring the preset request times in the normal access period;
setting a preset frequency window size and a preset single sliding distance according to the preset request frequency;
sequentially calculating information entropy values of the preset times window at a plurality of sliding positions according to the size of the preset times window and the preset single sliding distance;
and comparing the information entropy values of the preset times window at a plurality of sliding positions, and setting the minimum value of the information entropy values of the plurality of sliding positions as a preset information entropy threshold value.
2. The method according to claim 1, wherein sequentially calculating information entropy values of the preset times window at a plurality of sliding positions according to the preset times window size and the preset single sliding distance comprises:
at the first sliding position, calculating an information entropy value of a preset frequency window in a preset frequency window size range;
sliding the preset frequency window by a preset single sliding distance to enable the preset frequency window to be located at a second sliding position, and calculating an information entropy value of the preset frequency window at the second sliding position;
and analogizing in sequence to obtain information entropy values of the preset times window at a plurality of sliding positions.
3. An apparatus for detecting a CC attack, comprising:
the setting module is used for setting the size of the times window and the single sliding distance of the times window;
the calculating module is used for sequentially calculating the information entropy value of the frequency window at each sliding position according to the frequency window setting;
the detection module is used for judging that the CC attack occurs in a sliding position of the frequency window if the information entropy value of that sliding position is smaller than a preset information entropy threshold value;
wherein the computing module is to:
for each slide position:
acquiring the request times of various URL requests of the times window in the size range of the times window;
calculating to obtain the occurrence probability of various URL requests within the range of the times window size according to the times window size and the request times of various URL requests;
calculating the information entropy value of the frequency window based on the occurrence probability of various URL requests;
wherein the occurrence probability of various URL requests within the size range of the frequency window is calculated by the following formula:
P_i = T_i / A
wherein P_i represents the occurrence probability of the i-th type URL request, T_i represents the request times of the i-th type URL request, and A represents the frequency window size;
wherein the computing module is further to:
acquiring site URLs of all resources which can be requested; the sites comprise static sites and dynamic sites;
classifying URLs requesting all static site pages into static page URL requests, and classifying URLs requesting the same dynamic site page into a dynamic page URL request;
counting various URL requests within the size range of the frequency window to obtain the request frequency of various URL requests;
the information entropy value of the frequency window at each sliding position is calculated based on the occurrence probability of various URL requests by using the following formula:
H = -Σ_{i=1}^{n} P_i · log P_i
wherein H represents the information entropy value and P_i represents the occurrence probability of the i-th type URL request;
wherein the apparatus further comprises:
the construction module is used for constructing a sliding window mechanism based on the request times and acquiring a preset information entropy threshold value based on the sliding window mechanism;
wherein the building module is configured to:
acquiring the preset request times in the normal access period;
setting a preset frequency window size and a preset single sliding distance according to the preset request frequency;
sequentially calculating information entropy values of the preset times window at a plurality of sliding positions according to the size of the preset times window and the preset single sliding distance;
and comparing the information entropy values of the preset times window at a plurality of sliding positions, and setting the minimum value of the information entropy values of the plurality of sliding positions as a preset information entropy threshold value.
4. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the steps of the method of any of the preceding claims 1 to 2 are implemented when the computer program is executed by the processor.
CN201811430060.1A 2018-11-27 2018-11-27 CC attack detection method and device and electronic equipment Active CN109257390B (en)

Publications (2)

Publication Number Publication Date
CN109257390A CN109257390A (en) 2019-01-22
CN109257390B true CN109257390B (en) 2021-11-05

Family

ID=65042604

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811430060.1A Active CN109257390B (en) 2018-11-27 2018-11-27 CC attack detection method and device and electronic equipment

Country Status (1)

Country Link
CN (1) CN109257390B (en)

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110995714B (en) * 2019-12-06 2022-07-26 杭州安恒信息技术股份有限公司 Method, device and medium for detecting group attack on Web site
CN111262795B (en) * 2020-01-08 2024-02-06 京东科技控股股份有限公司 Service interface-based current limiting method and device, electronic equipment and storage medium
CN111818037A (en) * 2020-07-02 2020-10-23 上海工业控制安全创新科技有限公司 Vehicle-mounted network flow abnormity detection defense method and system based on information entropy
CN112333168B (en) * 2020-10-27 2023-03-24 杭州安恒信息技术股份有限公司 Attack identification method, device, equipment and computer readable storage medium
CN114499917B (en) * 2021-10-25 2024-01-09 中国银联股份有限公司 CC attack detection method and CC attack detection device
CN114124507A (en) * 2021-11-16 2022-03-01 北京安天网络安全技术有限公司 Data request frequency statistical method and device, electronic equipment and storage medium

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104580222A (en) * 2015-01-12 2015-04-29 山东大学 DDoS attack distributed detection and response system and method based on information entropy
CN105357228A (en) * 2015-12-19 2016-02-24 中国人民解放军信息工程大学 Burst traffic detection method based on dynamic threshold
CN105553974A (en) * 2015-12-14 2016-05-04 中国电子信息产业集团有限公司第六研究所 Prevention method of HTTP slow attack
CN106357641A (en) * 2016-09-18 2017-01-25 中国科学院信息工程研究所 Method and device for defending interest flooding attacks in information centric network
CN107231348A (en) * 2017-05-17 2017-10-03 桂林电子科技大学 A kind of network flow abnormal detecting method based on relative entropy theory
CN108234472A (en) * 2017-12-28 2018-06-29 北京百度网讯科技有限公司 Detection method and device, computer equipment and the readable medium of Challenging black hole attack

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10616271B2 (en) * 2017-01-03 2020-04-07 Microsemi Frequency And Time Corporation System and method for mitigating distributed denial of service attacks

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104580222A (en) * 2015-01-12 2015-04-29 山东大学 DDoS attack distributed detection and response system and method based on information entropy
CN105553974A (en) * 2015-12-14 2016-05-04 中国电子信息产业集团有限公司第六研究所 Prevention method of HTTP slow attack
CN105357228A (en) * 2015-12-19 2016-02-24 中国人民解放军信息工程大学 Burst traffic detection method based on dynamic threshold
CN106357641A (en) * 2016-09-18 2017-01-25 中国科学院信息工程研究所 Method and device for defending interest flooding attacks in information centric network
CN107231348A (en) * 2017-05-17 2017-10-03 桂林电子科技大学 Network traffic anomaly detection method based on relative entropy theory
CN108234472A (en) * 2017-12-28 2018-06-29 北京百度网讯科技有限公司 Challenge Collapsar (CC) attack detection method and device, computer equipment and readable medium

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
DDoS Attack Detection Using Sliding Window Method; Lu-yong ZHANG, Ming QIAN, Yun-bing CHI; 《WCNE 2017》; 20171224; full text *
Research on the detection of DNS denial-of-service attacks based on information entropy; 严芬、丁超、殷新春; 《计算机科学》 (Computer Science); 20150330; Section 3.2 of the main text *

Also Published As

Publication number Publication date
CN109257390A (en) 2019-01-22

Similar Documents

Publication Publication Date Title
CN109257390B (en) CC attack detection method and device and electronic equipment
US11212306B2 (en) Graph database analysis for network anomaly detection systems
US11601400B2 (en) Aggregating alerts of malicious events for computer security
US10574681B2 (en) Detection of known and unknown malicious domains
US9900344B2 (en) Identifying a potential DDOS attack using statistical analysis
CN107992738B (en) Account login abnormity detection method and device and electronic equipment
CN109325193B (en) WAF normal flow modeling method and device based on machine learning
JP2019523584A (en) Network attack prevention system and method
WO2022042194A1 (en) Block detection method and apparatus for login device, server, and storage medium
CN109561097B (en) Method, device, equipment and storage medium for detecting security vulnerability injection of structured query language
CN112437062B (en) ICMP tunnel detection method, device, storage medium and electronic equipment
CN107426136B (en) Network attack identification method and device
Marchetti et al. Identification of correlated network intrusion alerts
CN112839017B (en) Network attack detection method and device, equipment and storage medium thereof
David et al. Detection of distributed denial of service attacks based on information theoretic approach in time series models
CN107231383B (en) CC attack detection method and device
CN111092849B (en) Traffic-based detection method and device for distributed denial of service
CN109413022B (en) Method and device for detecting HTTP FLOOD attack based on user behavior
CN106850632B (en) Method and device for detecting abnormal combined data
CN112765502A (en) Malicious access detection method and device, electronic equipment and storage medium
US10313127B1 (en) Method and system for detecting and alerting users of device fingerprinting attempts
CN109361658B (en) Industrial control industry-based abnormal flow information storage method and device and electronic equipment
CN110866831A (en) Asset activity level determination method and device and server
CN116108880A (en) Training method of random forest model, malicious website detection method and device
CN114172707B (en) Fast-Flux botnet detection method, device, equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant