CN109413022B - Method and device for detecting HTTP FLOOD attack based on user behavior - Google Patents
- Publication number: CN109413022B (application CN201810400534.1A)
- Authority: CN (China)
- Prior art keywords: target, abnormal, http, http message, host
- Prior art date
- Legal status: Active (status as listed by Google Patents, not a legal conclusion)
Classifications
- H04L63/1416 (H04L 63/00 > 63/14 > 63/1408): Event detection, e.g. attack signature detection
- H04L43/16 (H04L 43/00): Threshold monitoring
- H04L63/1425 (H04L 63/00 > 63/14 > 63/1408): Traffic logging, e.g. anomaly detection
- H04L67/02 (H04L 67/00 > 67/01): Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
Landscapes: Engineering & Computer Science; Computer Security & Cryptography; Computer Networks & Wireless Communication; Signal Processing; Computer Hardware Design; Computing Systems; General Engineering & Computer Science; Computer And Data Communications
Abstract
The application provides a method and a device for detecting an HTTP FLOOD attack based on user behavior. In the method, a detection device parses each HTTP message to obtain the source feature information and target feature information it contains and generates a feature information list; from that list it counts an abnormal behavior score for the host accessing the target website. If the abnormal behavior score of the host is greater than a first threshold, the frequency at which the host sends HTTP messages in a fixed time period is compared with a second threshold, and if that frequency is greater than the second threshold, the host is determined to be sending an HTTP FLOOD attack to the server of the target website. Because the judgment combines the host's abnormal behavior with frequency statistics, the second threshold can be set small without normal hosts being mistaken for HTTP FLOOD attackers, as happens in the prior art; DDoS can also be detected, and the precision of HTTP FLOOD attack detection is improved.
Description
Technical Field
The application relates to the technical field of HTTP FLOOD attack detection, in particular to a method and a device for detecting HTTP FLOOD attack based on user behavior.
Background
An HTTP FLOOD attack is an attack method whose purpose is to consume the system resources of a target server so that it stops providing normal service. In an HTTP FLOOD attack, an attacker sends a large number of HTTP messages to the target server through proxies or zombie hosts, where the HTTP messages carry URIs (Uniform Resource Identifiers) that consume database resources or other system resources, so that the system resources of the target server are exhausted and it cannot respond to the requests of normal hosts. For example, the servers of portal websites are frequently subjected to HTTP FLOOD attacks: proxies or zombie hosts consume the portal's server resources through the attack until they are exhausted and the portal can no longer provide normal service.
To defend against HTTP FLOOD attacks, they must first be detected. Existing HTTP FLOOD detection techniques mainly follow two schemes. In the first, the frequency with which each host sends HTTP messages requesting access to the portal website within a fixed time period (for example, 5 s) is counted, and if that frequency exceeds a first preset threshold, the host is considered to be sending an HTTP FLOOD attack to the portal's server. In the second, the frequency with which a host sends HTTP messages requesting the same page of the portal website within a fixed time period is counted, and if that frequency exceeds a second preset threshold, the host is considered to be sending an HTTP FLOOD attack to the portal's server.
However, these schemes detect HTTP FLOOD attacks by means of a threshold alone, and the threshold is difficult to set accurately. On the one hand, if the threshold is set too small, the frequency with which a normal host requests access to the portal website (or to the same page of it) within the fixed time period may exceed the first (or second) preset threshold, so that the normal host is mistakenly considered to be sending an HTTP FLOOD attack. On the other hand, if the threshold is set too large, the frequency with which a proxy or zombie host requests access to the portal website (or to the same page of it) within the fixed time period may fall below the first (or second) preset threshold, so that the proxy or zombie host is mistakenly considered a normal host and the HTTP FLOOD attack is not detected. The existing HTTP FLOOD detection methods therefore suffer from low detection precision.

DDoS (distributed denial of service) attacks illustrate the problem: many proxies or zombie hosts attack the servers of the same portal, and the attack traffic of each one is usually small, so its frequency of requesting access to the portal within the fixed time period is usually below the first preset threshold (or, for the same page, below the second preset threshold). Existing HTTP FLOOD detection therefore usually treats each proxy or zombie host as a normal host, and the attack goes undetected.
Disclosure of Invention
The application provides a method and a device for detecting HTTP FLOOD attack based on user behavior, which aim to solve the problem of low detection precision of the existing HTTP FLOOD attack detection method.
In a first aspect of the present application, a method for detecting HTTP FLOOD attack based on user behavior is provided, including:
the detection device acquires an HTTP message which is sent by a host and used for requesting to access a target website;
the detection device acquires source characteristic information and target characteristic information contained in the HTTP message by analyzing the HTTP message, generates a characteristic information list, and arranges the HTTP messages in the characteristic information list according to the time sequence of receiving the HTTP messages;
the detection device counts the abnormal behavior scores of the host accessing the target website according to the feature information list;
if the abnormal behavior score of the host is larger than a first threshold, the detection device compares the frequency of the host sending the HTTP message in a fixed time period with a second threshold;
and if the frequency of the HTTP message sent by the host within a fixed time period is greater than a second threshold value, the detection device determines that the host sends an HTTP FLOOD attack to a server of the target website.
Optionally, the counting, by the detection device, the abnormal behavior score of the host accessing the target website according to the feature information list includes:
the detection device determines abnormal behaviors of various types corresponding to the HTTP message sent by the host according to the characteristic information list, and determines abnormal scores corresponding to the abnormal behaviors of various types;
the detection device calculates the sum of the abnormal scores corresponding to the abnormal behaviors of the types, and takes the sum of the abnormal scores corresponding to the abnormal behaviors of the types as the abnormal behavior score of the host.
Optionally, the determining, by the detection device, according to the feature information list, abnormal behaviors of each type corresponding to the HTTP packet sent by the host, and determining an abnormal score corresponding to the abnormal behavior of each type includes:
the detection device selects any one HTTP message in the characteristic information list as a first target HTTP message, and judges whether the first target HTTP message is the first HTTP message in the characteristic information list;
if the first target HTTP message is the first HTTP message in the feature information list, the detection device judges whether the target feature information contained in the first target HTTP message is matched with the home page of the target website;
if the target characteristic information contained in the first target HTTP message is not matched with the home page of the target website, the detection device determines that the abnormal behavior corresponding to the first target HTTP message is a first abnormal behavior, and determines that the abnormal score corresponding to the first abnormal behavior is a first preset score.
Optionally, the determining, by the detection device, according to the feature information list, abnormal behaviors of each type corresponding to the HTTP packet sent by the host, and determining an abnormal score corresponding to the abnormal behavior of each type includes:
the detection device identifies second target HTTP messages among the HTTP messages and groups adjacent second target HTTP messages in the feature information list into a group, where an HTTP message whose target feature information is the same as that of its neighbours and whose source feature information does not point to the target website is a second target HTTP message;
if the number of the second target HTTP messages in the group is larger than a first preset value, the detection device determines that the abnormal behavior corresponding to the second target HTTP messages in the group is a second abnormal behavior;
and the detection device determines the abnormal coefficient of the second abnormal behavior according to the number of the second target HTTP messages in the group, and takes the product of the abnormal coefficient of the second abnormal behavior and a second preset score as the abnormal score corresponding to the second abnormal behavior.
Optionally, the determining, by the detection device, according to the feature information list, abnormal behaviors of each type corresponding to the HTTP packet sent by the host, and determining an abnormal score corresponding to the abnormal behavior of each type includes:
the detection device identifies third target HTTP messages among the HTTP messages and groups adjacent third target HTTP messages in the feature information list into a group, where an HTTP message is a third target HTTP message if its target feature information differs from the target feature information of the previous HTTP message in the feature information list, its source feature information is some web page of the target website, and that source feature information appears in the feature information list for the first time;
if the number of third target HTTP messages in the group is larger than a second preset value, the detection device determines that the abnormal behavior corresponding to the third target HTTP messages in the group is a third abnormal behavior;
and the detection device determines the abnormal coefficient of the third abnormal behavior according to the number of third target HTTP messages in the group, and takes the product of the abnormal coefficient of the third abnormal behavior and a third preset score as the abnormal score corresponding to the third abnormal behavior.
Optionally, after the detecting device determines that the host issues an HTTP FLOOD attack, the method further includes:
the detection device pushes a page with a verification code to the host;
the detection device compares the verification code input by the host with the verification code in the page;
if the verification code input by the host is the same as the verification code in the page, the detection device clears the feature information list and resets the abnormal behavior score of the host to zero;
and if the verification code input by the host is different from the verification code in the page and the accumulated different times exceed a third preset value, the detection device refuses the HTTP message sent by the host and used for requesting to access the target website.
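The following Python module is an added worked example of the detection procedure described above (the three abnormal behavior types, the two-stage threshold decision, and the verification-code step); it is not code from the patent. The site name, all threshold and preset values, and the abnormal-coefficient function are hypothetical, since the patent names these parameters without giving values. Where the text leaves a definition open, the code states its interpretation: for the third abnormal behavior, "appears in the feature information list for the first time" is read as the Referer not having appeared earlier in the list as either source or target, which distinguishes a normal click-through (whose Referer was fetched a moment earlier) from a forged Referer.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Hypothetical parameter values: the patent names each parameter but gives no numbers.
SITE_HOST = "www.example-site.test"
HOME_URL = f"http://{SITE_HOST}/"
FIRST_PRESET_SCORE, SECOND_PRESET_SCORE, THIRD_PRESET_SCORE = 10, 5, 5
FIRST_PRESET_VALUE, SECOND_PRESET_VALUE = 3, 3   # group sizes above which behaviours 2 and 3 score
FIRST_THRESHOLD, SECOND_THRESHOLD = 20, 10       # anomaly score; requests per fixed time period
WINDOW_SECONDS = 5.0                             # the fixed time period
THIRD_PRESET_VALUE = 3                           # wrong verification codes tolerated

@dataclass
class Entry:
    """One row of the feature information list: receive time, Referer (source), URL (target)."""
    ts: float
    referer: str
    url: str

def in_site(referer):
    """True if the Referer points at a page of the target website."""
    return bool(referer) and urlsplit(referer).netloc == SITE_HOST

def coefficient(n, preset):
    # Abnormal coefficient derived from the group size; the patent leaves the
    # function unspecified, so stepwise growth is assumed here.
    return n // preset

def score_groups(keys, preset_value, preset_score):
    """Adjacent entries sharing a non-None key form a group; groups larger than
    preset_value contribute coefficient * preset_score."""
    total, i = 0, 0
    while i < len(keys):
        if keys[i] is None:
            i += 1
            continue
        j = i
        while j < len(keys) and keys[j] == keys[i]:
            j += 1
        if j - i > preset_value:
            total += coefficient(j - i, preset_value) * preset_score
        i = j
    return total

def first_behaviour_score(entries):
    # First abnormal behaviour: the visit did not start at the home page.
    return FIRST_PRESET_SCORE if entries and entries[0].url != HOME_URL else 0

def second_behaviour_score(entries):
    # Second target messages: same URL as their neighbours, Referer empty or off-site.
    keys = [None if in_site(e.referer) else e.url for e in entries]
    return score_groups(keys, FIRST_PRESET_VALUE, SECOND_PRESET_SCORE)

def third_behaviour_score(entries):
    # Third target messages: URL differs from the previous entry, Referer is an in-site
    # page that has not appeared earlier in the list (assumption: "appears for the
    # first time" is read as not seen earlier as either source or target).
    seen, keys = set(), []
    for k, e in enumerate(entries):
        third = (k > 0 and e.url != entries[k - 1].url
                 and in_site(e.referer) and e.referer not in seen)
        keys.append("third" if third else None)
        seen.update({e.url, e.referer} - {""})
    return score_groups(keys, SECOND_PRESET_VALUE, THIRD_PRESET_SCORE)

def anomaly_score(entries):
    """Sum of the scores of all abnormal behaviour types found in one list."""
    return (first_behaviour_score(entries) + second_behaviour_score(entries)
            + third_behaviour_score(entries))

def request_rate(entries, now):
    """HTTP messages received in the fixed time period ending at `now`."""
    return sum(1 for e in entries if now - e.ts <= WINDOW_SECONDS)

def is_http_flood(entries, now):
    """Both stages must fire: abnormal behaviour AND a rate above the second threshold."""
    return anomaly_score(entries) > FIRST_THRESHOLD and request_rate(entries, now) > SECOND_THRESHOLD

@dataclass
class HostState:
    """Per-host state for the verification-code step that follows a positive decision."""
    entries: list = field(default_factory=list)
    failures: int = 0
    refused: bool = False

    def on_verification_code(self, submitted, expected):
        if submitted == expected:
            self.entries.clear()   # the score is derived from the list, so this zeroes it
            self.failures = 0
        else:
            self.failures += 1
            if self.failures > THIRD_PRESET_VALUE:
                self.refused = True   # further requests for the target website are refused

# Constructed sample traffic (not from the patent).
NORMAL = [Entry(0.0, "", HOME_URL), Entry(1.2, HOME_URL, HOME_URL + "news/"),
          Entry(2.5, HOME_URL + "news/", HOME_URL + "news/1"),
          Entry(3.9, HOME_URL + "news/1", HOME_URL + "news/2")]
# A: one expensive page hit 12 times in 5 s, straight away, with no Referer.
FLOOD_A = [Entry(0.4 * i, "", HOME_URL + "search?q=expensive") for i in range(12)]
# B: forged in-site Referers that were never visited, a new page per request, 10 in 5 s.
FLOOD_B = [Entry(0.5 * i, HOME_URL + f"cat/{i}/", HOME_URL + f"item/{i}") for i in range(10)]

if __name__ == "__main__":
    for name, entries in (("normal", NORMAL), ("flood A", FLOOD_A), ("flood B", FLOOD_B)):
        print(name, anomaly_score(entries), request_rate(entries, 5.0), is_http_flood(entries, 5.0))
```

Sample B is the instructive case: its score exceeds the first threshold, but because only 10 requests arrive in the 5 s window it is not reported as a flood, which is exactly the two-stage behaviour the method relies on to keep the second threshold small without flagging hosts whose abnormal score stems from a mis-click.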
In another aspect of the present application, an apparatus for detecting HTTP FLOOD attack based on user behavior is provided, which includes:
the acquisition module is used for acquiring an HTTP message which is sent by a host and used for requesting to access a target website;
a feature information list generation module, configured to obtain source feature information and destination feature information included in the HTTP message by analyzing the HTTP message, and generate a feature information list, where the HTTP messages are sequentially arranged in the feature information list according to a time sequence of receiving the HTTP messages;
the abnormal score calculation module is used for counting the abnormal behavior score of the host accessing the target website according to the characteristic information list;
the first comparison module is used for comparing the frequency of the host sending the HTTP message in a fixed time period with a second threshold after the abnormal behavior score of the host is determined to be greater than the first threshold;
a determining module, configured to determine that the host sends an HTTP FLOOD attack to the server of the target website after the first comparing module determines that the frequency, at which the host sends the HTTP packet in a fixed time period, is greater than a second threshold.
Optionally, the anomaly score calculating module includes:
the determining unit is used for determining abnormal behaviors of various types corresponding to the HTTP message sent by the host according to the characteristic information list and determining abnormal scores corresponding to the abnormal behaviors of various types;
and the calculating unit is used for calculating the sum of the abnormal scores corresponding to the abnormal behaviors of all types, and taking the sum of the abnormal scores corresponding to the abnormal behaviors of all types as the abnormal behavior score of the host.
Optionally, the determining unit includes:
a first judging subunit, configured to select any one HTTP message in the feature information list as a first target HTTP message, and judge whether the first target HTTP message is a first HTTP message in the feature information list;
a second judging subunit, configured to, after the first judging subunit determines that the first target HTTP packet is the first HTTP packet in the feature information list, judge whether target feature information included in the first target HTTP packet matches with a home page of the target website;
the first calculating subunit is configured to determine that the abnormal behavior corresponding to the first target HTTP message is a first abnormal behavior after the second judging subunit determines that the target feature information included in the first target HTTP message does not match the home page of the target website, and to determine that the abnormal score corresponding to the first abnormal behavior is a first preset score.
Optionally, the determining unit includes:
a first grouping subunit, configured to identify second target HTTP messages among the HTTP messages and to group adjacent second target HTTP messages in the feature information list into a group, where an HTTP message whose target feature information is the same as that of its neighbours and whose source feature information does not point to the target website is a second target HTTP message;
the first determining subunit is configured to determine that the abnormal behavior corresponding to the second target HTTP messages in the group is a second abnormal behavior if the number of second target HTTP messages in the group is greater than a first preset value;
and the second calculating subunit is configured to determine an abnormal coefficient of the second abnormal behavior according to the number of second target HTTP messages in the group, and to use the product of the abnormal coefficient of the second abnormal behavior and a second preset score as the abnormal score corresponding to the second abnormal behavior.
Optionally, the determining unit includes:
a second grouping subunit, configured to identify third target HTTP messages among the HTTP messages and to group adjacent third target HTTP messages in the feature information list into a group, where an HTTP message is a third target HTTP message if its target feature information differs from the target feature information of the previous HTTP message in the feature information list, its source feature information is some web page of the target website, and that source feature information appears in the feature information list for the first time;
the second determining subunit is configured to determine that the abnormal behavior corresponding to the third target HTTP messages in the group is a third abnormal behavior after determining that the number of third target HTTP messages in the group is greater than a second preset value;
and the third calculating subunit is configured to determine an abnormal coefficient of the third abnormal behavior according to the number of third target HTTP messages in the group, and to use the product of the abnormal coefficient of the third abnormal behavior and a third preset score as the abnormal score corresponding to the third abnormal behavior.
Optionally, the apparatus further includes:
the page pushing module is used for pushing a page with a verification code to the host;
the second comparison module is used for comparing the verification code input by the host with the verification code in the page;
the first processing module is used for clearing the feature information list and resetting the abnormal behavior score of the host to zero after the second comparison module determines that the verification code input by the host is the same as the verification code in the page;
and the second processing module is used for determining that the accumulated different times exceed a third preset value after the second comparison module determines that the verification code input by the host is different from the verification code in the page, and rejecting the HTTP message which is sent by the host and used for requesting to access the target website.
According to the above technical scheme, a method and a device for detecting an HTTP FLOOD attack based on user behavior are provided. In the method, a detection device parses each HTTP message, obtains the source feature information and target feature information it contains, generates a feature information list, and arranges the HTTP messages in the list in the order in which they were received; the detection device counts the abnormal behavior score of the host accessing the target website according to the feature information list; if the abnormal behavior score of the host is greater than a first threshold, the detection device compares the frequency at which the host sends HTTP messages in a fixed time period with a second threshold; and if that frequency is greater than the second threshold, the detection device determines that the host is sending an HTTP FLOOD attack to the server of the target website.
Compared with the prior art, the detection device provided by the application counts the abnormal behavior score of the host accessing the target website from the abnormal conditions of its HTTP messages, and an abnormal behavior score exceeding the first threshold indicates that the host's behavior is abnormal. Because whether the host is sending an HTTP FLOOD attack is judged by combining the host's abnormal behavior with frequency statistics, the second threshold can be set smaller, the prior-art problem of normal hosts being mistaken for HTTP FLOOD attackers is avoided, DDoS can be detected at the same time, and the precision of HTTP FLOOD attack detection is improved.
Drawings
In order to more clearly explain the technical solution of the present application, the drawings needed to be used in the embodiments will be briefly described below, and it is obvious to those skilled in the art that other drawings can be obtained according to the drawings without creative efforts.
Fig. 1 is a schematic diagram of a workflow of a method for detecting HTTP FLOOD attacks based on user behavior according to an embodiment of the present application;
Fig. 2 is a schematic view of a workflow of host anomaly score calculation in a method for detecting HTTP FLOOD attack based on user behavior according to an embodiment of the present application;
Fig. 3 is a schematic view of a workflow for determining an abnormal score corresponding to each type of abnormal behavior in a method for detecting an HTTP FLOOD attack based on user behavior according to an embodiment of the present application;
Fig. 4 is a schematic view of another workflow for determining abnormal scores corresponding to abnormal behaviors of various types in a method for detecting HTTP FLOOD attack based on user behavior according to an embodiment of the present application;
Fig. 5 is a schematic view of another workflow for determining abnormal scores corresponding to abnormal behaviors of various types in a method for detecting HTTP FLOOD attack based on user behavior according to an embodiment of the present application;
Fig. 6 is a schematic view of another workflow of a method for detecting HTTP FLOOD attack based on user behavior according to an embodiment of the present application;
Fig. 7 is a schematic structural diagram of an apparatus for detecting an HTTP FLOOD attack based on user behavior according to an embodiment of the present application.
Detailed Description
In order to make the aforementioned objects, features and advantages of the present application more comprehensible, the present application is described in further detail with reference to the accompanying drawings and the detailed description.
The embodiment of the application provides a method and a device for detecting HTTP FLOOD attack based on user behavior. In the method, a detection device is arranged between a host and a server, information sent by the host passes through the detection device, and the detection device judges whether the host acts abnormally or not according to the acquired information.
Referring to a workflow diagram shown in fig. 1, a method for detecting HTTP FLOOD attack based on user behavior disclosed in an embodiment of the present application includes the following steps:
Step 101: the detection device acquires an HTTP message sent by a host requesting access to a target website.
The detection device can acquire the HTTP message sent by the host in various ways; one way provided by this embodiment is to capture the web page text content and acquire the HTTP message from that text.
Step 102: the detection device obtains the source feature information and target feature information contained in the HTTP message by parsing it, generates a feature information list, and arranges the HTTP messages in the list in the order in which they were received.
When a host requests access to any web page of the target website, it must first send an HTTP message to the server of the target website. From the source feature information contained in the HTTP message, the detection device can learn from which page the host clicked through to the page it is requesting; from the target feature information, it can learn which page the host is requesting from the server. For example, the Referer field of the HTTP message indicates from which page the host clicked to make the request and can serve as the source feature information, while the URL field indicates which page the HTTP message requests and can serve as the target feature information. The HTTP message together with its Referer and URL fields is recorded in the feature information list; the HTTP messages sent by each host, or by each group of hosts, correspond to one feature information list, and all of these HTTP messages are requests to access the target website.
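As an added illustration of step 102 (not code from the patent), the following Python module extracts the source feature (the Referer header, empty when absent) and the target feature (the absolute URL formed from the Host header and the request target, or the request target itself when it is already absolute) from raw HTTP request text, and builds one receive-time-ordered feature information list per client, keeping only requests for the target website. The site name, client addresses and request captures are constructed for the example; the choice of `http` as the default scheme is an assumption that the detector sees plaintext (or TLS-terminated) traffic.

```python
from urllib.parse import urlsplit

SITE_HOST = "www.example-site.test"   # hypothetical target website


def parse_request(raw: bytes, scheme: str = "http") -> tuple:
    """Return (source feature, target feature) for one HTTP request: the Referer
    header (empty string if absent) and the absolute URL being requested. Header
    names are matched case-insensitively; an absolute-form target is used as-is."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    request_line, *header_lines = head.split("\r\n")
    parts = request_line.split(" ")
    if len(parts) != 3:
        raise ValueError(f"malformed request line: {request_line!r}")
    _method, target, _version = parts
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    if target.startswith(("http://", "https://")):
        url = target
    else:
        url = f"{scheme}://{headers.get('host', '')}{target}"
    return headers.get("referer", ""), url


def is_for_site(url: str) -> bool:
    """True if the requested URL belongs to the target website."""
    return urlsplit(url).netloc == SITE_HOST


def build_feature_lists(captures) -> dict:
    """captures: iterable of (receive_time, client_ip, raw_request). Returns one
    time-ordered feature information list per client, as (ts, referer, url) rows,
    holding only the requests addressed to the target website."""
    lists = {}
    for ts, client, raw in sorted(captures, key=lambda c: c[0]):
        referer, url = parse_request(raw)
        if is_for_site(url):
            lists.setdefault(client, []).append((ts, referer, url))
    return lists


# Constructed captures (not from the patent); receive times are deliberately out of order
# so that the ordering step is exercised, and one request is for an unrelated site.
CAPTURES = [
    (1.0, "10.0.0.7", b"GET /news/ HTTP/1.1\r\nHost: www.example-site.test\r\n"
                      b"Referer: http://www.example-site.test/\r\nUser-Agent: x\r\n\r\n"),
    (0.2, "10.0.0.7", b"GET / HTTP/1.1\r\nHOST: www.example-site.test\r\n\r\n"),
    (0.5, "10.0.0.9", b"GET http://www.example-site.test/search?q=a HTTP/1.1\r\n"
                      b"Host: www.example-site.test\r\nReferer: http://other.test/\r\n\r\n"),
    (0.9, "10.0.0.9", b"GET /index.html HTTP/1.1\r\nHost: www.unrelated.test\r\n\r\n"),
]

if __name__ == "__main__":
    for client, rows in build_feature_lists(CAPTURES).items():
        print(client, rows)
```

The per-client lists this produces are the input the anomaly-scoring step consumes; note that the request for `www.unrelated.test` is dropped, since the patent's list holds only requests to the target website.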
Step 103: the detection device counts the abnormal behavior score of the host accessing the target website according to the feature information list.
The method analyzes whether an HTTP FLOOD attack is occurring on the basis of user behavior, where user behavior means the host's behavior in sending HTTP messages requesting access to the target website. The HTTP message information (that is, the source feature information and target feature information of each HTTP message) is recorded in the feature information list, and the detection device calculates the abnormal score of the host by analyzing the abnormal conditions of the HTTP messages in that list.
Step 104: if the abnormal behavior score of the host is greater than a first threshold, the detection device compares the frequency at which the host sends HTTP messages in a fixed time period with a second threshold.
In this step, the first threshold and the second threshold are both preset, and their values are chosen according to the network environment and requirements. An abnormal score greater than the first threshold means that the host's behavior in sending HTTP messages requesting access to the target website is abnormal. However, because abnormal user behavior may also be caused by mis-operation and the like, user behavior alone cannot directly determine whether an HTTP FLOOD attack is occurring, so the frequency of sending HTTP messages in a fixed time period must additionally be compared with the second threshold.
Because whether the host is sending an HTTP FLOOD attack is judged by combining the host's abnormal behavior with frequency statistics, the second threshold can be set smaller, the prior-art problem of normal hosts being mistaken for HTTP FLOOD attackers is avoided, DDoS can be detected at the same time, and the precision of HTTP FLOOD attack detection is improved.
Referring to fig. 2, a schematic workflow diagram of host anomaly score calculation provided in the embodiment of the present application is shown. The detecting device counts the abnormal behavior scores of the host accessing the target website according to the feature information list, and the method comprises the following steps:
The abnormal behavior types provided by the embodiment of the application are mainly three, and the abnormal score corresponding to the abnormal behavior can be determined only by determining the abnormal behavior type.
Under a possible condition, the host continuously sends HTTP messages, the number of the HTTP messages in the characteristic information list is continuously increased, abnormal behaviors of different types appear in a staggered or circular mode, the abnormal score of the host is the sum of abnormal scores corresponding to various types of abnormal behaviors appearing in the same characteristic information list, and whether the behavior of the host sending the HTTP messages is abnormal or not is further judged according to the abnormal score of the host.
Referring to fig. 3, a workflow diagram for determining an abnormality score corresponding to each type of abnormal behavior provided in the embodiment of the present application is shown. The detecting device determines, according to the feature information list, abnormal behaviors of each type corresponding to the HTTP message sent by the host, and determines an abnormal score corresponding to each type of abnormal behavior, including:
In the HTTP FLOOD attack detection method provided in this embodiment, if the host sends HTTP messages again after an interval of time, the feature information list formed by the HTTP messages sent previously is cleared and a new feature information list is generated. In this step, the detection device can determine whether any HTTP message precedes the first target HTTP message by searching the feature information list, and thereby whether the first target HTTP message is the first HTTP message in the list.
In addition, if the first target HTTP message is not the first HTTP message in the feature information list, continuing to select another HTTP message in the feature information list as the first target HTTP message, and then determining whether the reselected first target HTTP message is the first HTTP message in the feature information list.
Each page in the target website requested to be accessed by the host is provided with a corresponding URL address, the host requests to access the webpage corresponding to the URL field by sending an HTTP message carrying the URL field, and in addition, the first webpage accessed by the host in the target website is a website home page. In this step, the detection device compares whether the URL field included in the first target HTTP message is consistent with the URL address of the home page of the target website, that is, the detection device determines whether the host accesses the initial page through the home page of the target website, and then accesses other pages in the target website.
In addition, if the target characteristic information contained in the first target HTTP message matches with the home page of the target website, indicating that the host is an access start page through the home page of the target website, the first target HTTP message is not abnormal, and the abnormal score of the host is not changed.
In this step, if the host does not directly access other web pages in the target website through the home page of the target website, the detection device considers that the host behavior is abnormal, and the abnormal behavior is the first abnormal behavior.
Referring to fig. 4, which shows another workflow for determining the abnormal score corresponding to each type of abnormal behavior according to an embodiment of the present application. The detection device determines, according to the feature information list, each type of abnormal behavior corresponding to the HTTP messages sent by the host, and determines the abnormal score corresponding to each type, as follows:
In this step the second target HTTP messages request the same page of the target website, that is, their URL fields are identical, while the referrer field of these requests does not point to the target website: the referrer field may be empty or may name another website.
The first preset value is chosen according to the network environment and requirements. If the number of second target HTTP messages in a group is smaller than the first preset value, the second target HTTP messages in that group are not considered abnormal. If it is larger than the first preset value, the host has consecutively requested the same page more times than the first preset value with an abnormal referrer field, so the second target HTTP messages in the group are considered abnormal and correspond to the second abnormal behavior.
If the number of second target HTTP messages in a group is m and the first preset value is x, the abnormal coefficient of that group under the second abnormal behavior is m divided by x, rounded to an integer; the abnormal coefficient of the second abnormal behavior is the sum of the abnormal coefficients of all such groups.
Referring to fig. 5, which shows another workflow for determining the abnormal score corresponding to each type of abnormal behavior according to an embodiment of the present application. The detection device determines, according to the feature information list, each type of abnormal behavior corresponding to the HTTP messages sent by the host, and determines the abnormal score corresponding to each type, as follows:
In this step the third target HTTP messages request different pages of the target website, that is, their URL fields differ, and the referrer field of each request points to the target website, but the host has not previously accessed the page that the referrer field names.
If the number of third target HTTP messages in a group is n and the second preset value is y, the abnormal coefficient of that group under the third abnormal behavior is n divided by y, rounded to an integer; the abnormal coefficient of the third abnormal behavior is the sum of the abnormal coefficients of all such groups.
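The scoring of figs. 3 to 5, carried through on constructed sessions as an added example (editor-written illustration code, not the patent's implementation). It assumes a target site www.example.com whose home page is /, treats the preset scores, preset values, thresholds and window length as assumed tunables (the patent leaves all of them to the operator), computes each type's score as abnormal coefficient times preset score as the apparatus description below specifies, reads "rounded" as rounding to the nearest integer, and reads "appears in the feature information list for the first time" as the referrer naming a page this host never requested earlier in the list. A point for anyone implementing this: sessions legitimately start off the home page all the time (search results, bookmarks, shared links), so the first abnormal behavior is only meaningful as one term of the summed score, and it is the frequency gate on top of the score that keeps a fast but well-formed crawler from being flagged; the third sample session shows that.

```python
"""Score one host's ordered HTTP requests with the three abnormal-behaviour
types described above and apply the two-threshold HTTP FLOOD decision.
Added example for this page, not the patent's own code."""
from dataclasses import dataclass
from typing import List, Tuple
from urllib.parse import urlparse

TARGET_HOST = "www.example.com"   # assumed target website
HOME_PAGE = "/"                   # assumed home page path on that site

# All tunables are assumed values; the patent leaves them to the operator.
FIRST_PRESET_SCORE = 10    # type 1: session did not start at the home page
FIRST_PRESET_VALUE = 5     # x: run length of same-page, off-site-referrer requests
SECOND_PRESET_SCORE = 5    # type 2: points per unit of abnormal coefficient
SECOND_PRESET_VALUE = 5    # y: run length of unvisited-referrer requests
THIRD_PRESET_SCORE = 5     # type 3: points per unit of abnormal coefficient
FIRST_THRESHOLD = 30       # score above which the frequency check applies
SECOND_THRESHOLD = 50      # requests per window above which it is an attack
WINDOW_SECONDS = 10.0      # the fixed time period


@dataclass
class Request:
    ts: float      # receive time in seconds; the list is kept in receive order
    url: str       # target feature information: path requested on the target site
    referer: str   # source feature information: Referer header, "" if absent


def referer_on_target(referer: str) -> bool:
    return referer != "" and urlparse(referer).netloc == TARGET_HOST


def referer_path(referer: str) -> str:
    return urlparse(referer).path or "/"


def group_coefficient(count: int, preset: int) -> int:
    """Per-group coefficient: count/preset rounded, only when count exceeds preset."""
    return round(count / preset) if count > preset else 0


def first_page_score(reqs: List[Request]) -> int:
    """Type 1: the first message in the list must request the home page."""
    if not reqs or reqs[0].url == HOME_PAGE:
        return 0
    return FIRST_PRESET_SCORE


def same_page_score(reqs: List[Request]) -> int:
    """Type 2: maximal runs of consecutive requests for one URL whose Referer
    is empty or off-site; each run longer than x contributes round(m/x)."""
    coef, run_url, run_len = 0, None, 0
    for r in reqs:
        off_site = not referer_on_target(r.referer)
        if off_site and r.url == run_url:
            run_len += 1
            continue
        coef += group_coefficient(run_len, FIRST_PRESET_VALUE)
        run_url, run_len = (r.url, 1) if off_site else (None, 0)
    coef += group_coefficient(run_len, FIRST_PRESET_VALUE)
    return coef * SECOND_PRESET_SCORE


def unvisited_referer_score(reqs: List[Request]) -> int:
    """Type 3: runs of consecutive requests for a URL different from the
    previous one, carrying an on-site Referer that names a page this host
    never requested earlier in the list (a forged navigation chain)."""
    coef, run_len, prev_url, visited = 0, 0, None, set()
    for r in reqs:
        third = (prev_url is not None and r.url != prev_url
                 and referer_on_target(r.referer)
                 and referer_path(r.referer) not in visited)
        if third:
            run_len += 1
        else:
            coef += group_coefficient(run_len, SECOND_PRESET_VALUE)
            run_len = 0
        visited.add(r.url)
        prev_url = r.url
    coef += group_coefficient(run_len, SECOND_PRESET_VALUE)
    return coef * THIRD_PRESET_SCORE


def peak_window_count(reqs: List[Request], window: float) -> int:
    """Largest number of requests falling inside any window of `window` seconds."""
    ts = sorted(r.ts for r in reqs)
    best = left = 0
    for right in range(len(ts)):
        while ts[right] - ts[left] > window:
            left += 1
        best = max(best, right - left + 1)
    return best


def detect(reqs: List[Request]) -> Tuple[int, int, bool]:
    """Returns (abnormal score, peak requests per window, HTTP FLOOD verdict).
    The verdict needs both gates: a high score AND a high request rate."""
    score = first_page_score(reqs) + same_page_score(reqs) + unvisited_referer_score(reqs)
    peak = peak_window_count(reqs, WINDOW_SECONDS)
    return score, peak, score > FIRST_THRESHOLD and peak > SECOND_THRESHOLD


# Constructed sample sessions (not captured traffic).
def legit_session() -> List[Request]:
    site = f"https://{TARGET_HOST}"
    return [Request(0, "/", ""), Request(2, "/news", site + "/"),
            Request(5, "/news/1", site + "/news"), Request(9, "/about", site + "/")]


def bulk_session() -> List[Request]:
    """Fast but well-formed crawl: high rate, zero score, so not an attack."""
    site = f"https://{TARGET_HOST}"
    return [Request(0, "/", "")] + [Request(0.1 * i, f"/item{i}", site + "/") for i in range(1, 60)]


def attack_session() -> List[Request]:
    """41 hits on /login with no Referer, then 19 deep links with forged on-site Referers."""
    site = f"https://{TARGET_HOST}"
    reqs = [Request(0.1 * i, "/login", "") for i in range(41)]
    reqs += [Request(0.1 * (41 + i), f"/p{i}", f"{site}/cat/k{i}") for i in range(19)]
    return reqs


if __name__ == "__main__":
    for name, session in (("legit", legit_session), ("bulk", bulk_session), ("attack", attack_session)):
        print(name, detect(session()))
```

Running the block prints `(0, 4, False)` for the ordinary visit, `(0, 60, False)` for the fast crawl that enters through the home page and carries consistent referrers, and `(70, 60, True)` for the attack session, where the 41-message run on /login without a referrer contributes 8 × 5 = 40, the 19 forged referrers contribute 4 × 5 = 20, and the off-home-page start adds 10.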
Referring to fig. 6, which shows another workflow of a method for detecting an HTTP FLOOD attack based on user behavior according to an embodiment of the present application. The method comprises the following steps:
In step 607, the detection device compares the verification code entered by the host with the verification code in the page.
In this step the detection device adds the IP address of the host whose behavior is abnormal to the block list of the security policy, so that the HTTP messages the host sends to request access to the target website are blocked before they reach the server, and the host is denied further access to the target website. The detection device may reject the host's HTTP messages requesting the target website permanently, or it may set a rejection period after which the host is again allowed to access the target website normally. The embodiment shown in fig. 6 is the response mechanism applied after the detection device has determined that an HTTP FLOOD attack is taking place; it handles the attacking host to a certain extent and avoids the adverse consequences of a delayed response.
Steps 601 to 605 are implemented in the same way as steps 101 to 105 in fig. 1; the two descriptions may be referred to each other and are not repeated here.
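The response workflow of fig. 6 as an added example (editor-written, not the patent's code): the host is challenged with a verification code, a correct answer clears its feature information list and resets its score, and more than a third preset value of wrong answers puts its IP address on a block list with an optional expiry. Code generation, regenerating the code on every attempt, the failure limit of 3 and the 600-second rejection period are assumptions; the patent specifies none of them. Two practitioner points the patent does not mention: compare the entered code in constant time so it cannot be recovered from response timing, and remember that blocking by IP address hits every client behind the same NAT or proxy, so a finite rejection period is the safer default.

```python
"""Challenge / reset / block handling after an HTTP FLOOD verdict.
Added example for this page, not the patent's code."""
import hmac
import math
import secrets
import string
from dataclasses import dataclass, field
from typing import Dict, List, Optional

THIRD_PRESET_VALUE = 3    # assumed: wrong answers tolerated before rejection
BLOCK_SECONDS = 600.0     # assumed rejection period; None means permanent


@dataclass
class HostState:
    score: int = 0
    feature_list: List[object] = field(default_factory=list)
    challenge: Optional[str] = None          # code carried by the pushed page
    failures: int = 0                        # accumulated wrong answers
    blocked_until: Optional[float] = None    # math.inf for a permanent block


def new_code(length: int = 6) -> str:
    """Random verification code; the patent does not say how codes are made."""
    alphabet = string.ascii_uppercase + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


class Responder:
    def __init__(self, block_seconds: Optional[float] = BLOCK_SECONDS,
                 max_failures: int = THIRD_PRESET_VALUE) -> None:
        self.block_seconds, self.max_failures = block_seconds, max_failures
        self.hosts: Dict[str, HostState] = {}

    def _state(self, ip: str) -> HostState:
        return self.hosts.setdefault(ip, HostState())

    def is_blocked(self, ip: str, now: float) -> bool:
        """Block-list check applied before a request reaches the server."""
        st = self.hosts.get(ip)
        if st is None or st.blocked_until is None:
            return False
        if now < st.blocked_until:
            return True
        st.blocked_until, st.failures = None, 0   # rejection period elapsed
        return False

    def on_attack_detected(self, ip: str, score: int, feature_list: List[object]) -> str:
        """Record the verdict; the returned code goes into the page pushed to the host."""
        st = self._state(ip)
        st.score, st.feature_list = score, list(feature_list)
        st.challenge = new_code()
        return st.challenge

    def submit_code(self, ip: str, entered: str, now: float) -> str:
        st = self._state(ip)
        if self.is_blocked(ip, now):
            return "blocked"
        if st.challenge is None:
            return "no-challenge"
        # Constant-time comparison so a wrong guess leaks nothing via timing.
        if hmac.compare_digest(entered.strip().upper().encode(), st.challenge.encode()):
            st.feature_list.clear()                 # clear the feature information list
            st.score, st.failures, st.challenge = 0, 0, None
            return "reset"
        st.failures += 1
        st.challenge = new_code()                   # fresh code per attempt (assumption)
        if st.failures > self.max_failures:         # "accumulated different times exceed" the preset
            st.challenge = None
            st.blocked_until = math.inf if self.block_seconds is None else now + self.block_seconds
            return "blocked"
        return "retry"
```

With the defaults, three wrong answers return "retry" and the fourth returns "blocked"; `is_blocked` reports the host as rejected until the period has elapsed and then lets it through with a clean failure count. A correct answer at any point returns "reset" and leaves the host with an empty feature information list and a score of zero.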
The following are apparatus embodiments of the present application, which may be used to perform the method embodiments above. For details not disclosed in the apparatus embodiments, refer to the method embodiments.
Referring to fig. 7, which shows the structure of an apparatus for detecting an HTTP FLOOD attack based on user behavior according to an embodiment of the present application. The apparatus comprises an acquisition module 100, a feature information list generation module 200, an abnormal score calculation module 300, a first comparison module 400 and a determination module 500.
The acquisition module 100 is configured to acquire the HTTP messages sent by a host to request access to a target website.
The feature information list generation module 200 is configured to obtain the source feature information and target feature information contained in each HTTP message by parsing the message, and to generate a feature information list in which the HTTP messages are arranged in the order in which they were received.
The abnormal score calculation module 300 is configured to calculate the abnormal behavior score of the host accessing the target website according to the feature information list.
The first comparison module 400 is configured to compare, after the abnormal behavior score of the host has been determined to be greater than a first threshold, the frequency at which the host sends HTTP messages within a fixed time period with a second threshold.
The determination module 500 is configured to determine that the host is launching an HTTP FLOOD attack against the server of the target website after the first comparison module determines that the frequency at which the host sends HTTP messages within the fixed time period is greater than the second threshold.
Optionally, the abnormal score calculation module includes:
a determining unit, configured to determine, according to the feature information list, each type of abnormal behavior corresponding to the HTTP messages sent by the host, and to determine the abnormal score corresponding to each type of abnormal behavior;
a calculating unit, configured to calculate the sum of the abnormal scores corresponding to all types of abnormal behavior and to take that sum as the abnormal behavior score of the host.
Optionally, the determining unit includes:
a first judging subunit, configured to select any HTTP message in the feature information list as a first target HTTP message and to judge whether it is the first HTTP message in the feature information list;
a second judging subunit, configured to judge, after the first judging subunit determines that the first target HTTP message is the first HTTP message in the list, whether the target feature information contained in the first target HTTP message matches the home page of the target website;
a first calculating subunit, configured to determine, after the second judging subunit determines that the target feature information does not match the home page of the target website, that the abnormal behavior corresponding to the first target HTTP message is a first abnormal behavior and that the abnormal score corresponding to the first abnormal behavior is a first preset score.
Optionally, the determining unit includes:
a first grouping subunit, configured to identify second target HTTP messages among the HTTP messages and to divide second target HTTP messages that are adjacent in the feature information list into a group, where an HTTP message whose target feature information is the same (that is, which requests the same page) and whose source feature information is not the target website is a second target HTTP message;
a first determining subunit, configured to determine, after finding that the number of second target HTTP messages in a group is greater than a first preset value, that the abnormal behavior corresponding to the second target HTTP messages in the group is a second abnormal behavior;
a second calculating subunit, configured to determine the abnormal coefficient of the second abnormal behavior from the number of second target HTTP messages in the group, and to take the product of that abnormal coefficient and a second preset score as the abnormal score corresponding to the second abnormal behavior.
Optionally, the determining unit includes:
a second grouping subunit, configured to identify third target HTTP messages among the HTTP messages and to divide third target HTTP messages that are adjacent in the feature information list into a group, where an HTTP message is a third target HTTP message if its target feature information differs from that of the previous HTTP message in the list, its source feature information is a page of the target website, and that source feature information appears in the feature information list for the first time;
a second determining subunit, configured to determine, after finding that the number of third target HTTP messages in a group is greater than a second preset value, that the abnormal behavior corresponding to the third target HTTP messages in the group is a third abnormal behavior;
a third calculating subunit, configured to determine the abnormal coefficient of the third abnormal behavior from the number of third target HTTP messages in the group, and to take the product of that abnormal coefficient and a third preset score as the abnormal score corresponding to the third abnormal behavior.
Optionally, the apparatus further includes, after the determination module:
a page pushing module, configured to push a page carrying a verification code to the host;
a second comparison module, configured to compare the verification code entered by the host with the verification code in the page;
a first processing module, configured to clear the feature information list and reset the abnormal behavior score of the host to zero after the second comparison module determines that the verification code entered by the host is the same as the one in the page;
a second processing module, configured to reject the HTTP messages sent by the host to request access to the target website after the second comparison module determines that the entered verification code differs from the one in the page and the accumulated number of mismatches exceeds a third preset value.
In a specific implementation, the present application further provides a computer storage medium that stores a program; when executed, the program may perform some or all of the steps of the embodiments of the method for detecting an HTTP FLOOD attack based on user behavior provided by the present application. The storage medium may be a magnetic disk, an optical disk, a read-only memory (ROM) or a random access memory (RAM).
Those skilled in the art will understand that the techniques in the embodiments of the present application may be implemented as software running on a general-purpose hardware platform. On that basis, the technical solutions in these embodiments, or the part of them that contributes over the prior art, may be embodied as a software product stored in a storage medium such as ROM/RAM, a magnetic disk or an optical disk, containing instructions that cause a computer device (a personal computer, a server, a network device, etc.) to execute the method described in the embodiments, or parts of it.
The same and similar parts of the various embodiments in this specification may be referred to each other. In particular, since the apparatus embodiments are substantially similar to the method embodiments, their description is brief, and the relevant points may be found in the description of the method embodiments.
The present application has been described in detail with reference to specific embodiments and illustrative examples, but the description is not intended to limit the application. Those skilled in the art will appreciate that equivalent substitutions, modifications or improvements may be made to the disclosed embodiments and implementations without departing from the spirit and scope of the present disclosure, and these fall within its scope. The protection scope of this application is defined by the appended claims.
Claims (10)
1. A method for detecting HTTP FLOOD attacks based on user behavior is characterized by comprising the following steps:
the detection device acquires an HTTP message which is sent by a host and used for requesting to access a target website;
the detection device acquires source characteristic information and target characteristic information contained in the HTTP message by analyzing the HTTP message, generates a characteristic information list, and arranges the HTTP messages in the characteristic information list according to the time sequence of receiving the HTTP messages;
the detection device counts the abnormal behavior scores of the host accessing the target website according to the feature information list;
if the abnormal behavior score of the host is larger than a first threshold, the detection device compares the frequency of the host sending the HTTP message in a fixed time period with a second threshold;
if the frequency of the host sending the HTTP message in a fixed time period is greater than a second threshold value, the detection device determines that the host sends an HTTP FLOOD attack to a server of the target website;
the detecting device counts the abnormal behavior score of the host accessing the target website according to the feature information list, and the method comprises the following steps:
the detection device determines abnormal behaviors of various types corresponding to the HTTP message sent by the host according to the characteristic information list, and determines abnormal scores corresponding to the abnormal behaviors of various types;
the detection device calculates the sum of the abnormal scores corresponding to the abnormal behaviors of the types, and takes the sum of the abnormal scores corresponding to the abnormal behaviors of the types as the abnormal behavior score of the host.
2. The method according to claim 1, wherein the determining, by the detection device, each type of abnormal behavior corresponding to the HTTP message sent by the host according to the feature information list, and determining an abnormal score corresponding to each type of abnormal behavior includes:
the detection device selects any one HTTP message in the characteristic information list as a first target HTTP message, and judges whether the first target HTTP message is the first HTTP message in the characteristic information list;
if the first target HTTP message is the first HTTP message in the feature information list, the detection device judges whether the target feature information contained in the first target HTTP message is matched with the home page of the target website;
if the target characteristic information contained in the first target HTTP message is not matched with the home page of the target website, the detection device determines that the abnormal behavior corresponding to the first target HTTP message is a first abnormal behavior, and determines that the abnormal score corresponding to the first abnormal behavior is a first preset score.
3. The method according to claim 1, wherein the detection device determining, according to the feature information list, each type of abnormal behavior corresponding to the HTTP messages sent by the host, and determining the abnormal score corresponding to each type of abnormal behavior, comprises:
the detection device determines second target HTTP messages among the HTTP messages and divides second target HTTP messages that are adjacent in the feature information list into a group, wherein an HTTP message whose target feature information is the same and whose source feature information is not the target website is a second target HTTP message;
if the number of second target HTTP messages in a group is greater than a first preset value, the detection device determines that the abnormal behavior corresponding to the second target HTTP messages in the group is a second abnormal behavior;
the detection device determines the abnormal coefficient of the second abnormal behavior according to the number of second target HTTP messages in the group, and takes the product of the abnormal coefficient of the second abnormal behavior and a second preset score as the abnormal score corresponding to the second abnormal behavior.
4. The method according to claim 1, wherein the detection device determining, according to the feature information list, each type of abnormal behavior corresponding to the HTTP messages sent by the host, and determining the abnormal score corresponding to each type of abnormal behavior, comprises:
the detection device determines third target HTTP messages among the HTTP messages and divides third target HTTP messages that are adjacent in the feature information list into a group, wherein an HTTP message is a third target HTTP message if its target feature information differs from the target feature information of the previous HTTP message in the feature information list, its source feature information is a web page of the target website, and its source feature information appears in the feature information list for the first time;
if the number of third target HTTP messages in a group is greater than a second preset value, the detection device determines that the abnormal behavior corresponding to the third target HTTP messages in the group is a third abnormal behavior;
the detection device determines the abnormal coefficient of the third abnormal behavior according to the number of third target HTTP messages in the group, and takes the product of the abnormal coefficient of the third abnormal behavior and a third preset score as the abnormal score corresponding to the third abnormal behavior.
5. The method of claim 1, after the detection device determines that the host issues an HTTP FLOOD attack, further comprising:
the detection device pushes a page with a verification code to the host;
the detection device compares the verification code input by the host with the verification code in the page;
if the verification code input by the host is the same as the verification code in the page, the detection device clears the feature information list and resets the abnormal behavior score of the host to zero;
and if the verification code input by the host is different from the verification code in the page and the accumulated different times exceed a third preset value, the detection device refuses the HTTP message sent by the host and used for requesting to access the target website.
6. An apparatus for detecting HTTP FLOOD attacks based on user behavior, comprising:
the acquisition module is used for acquiring an HTTP message which is sent by a host and used for requesting to access a target website;
a feature information list generation module, configured to obtain the source feature information and target feature information contained in the HTTP message by analyzing the HTTP message, and to generate a feature information list in which the HTTP messages are arranged according to the time sequence in which they were received;
the abnormal score calculation module is used for counting the abnormal behavior score of the host accessing the target website according to the characteristic information list;
a first comparison module, configured to compare the frequency at which the host sends HTTP messages in a fixed time period with a second threshold after the abnormal behavior score of the host is determined to be greater than a first threshold;
a determining module, configured to determine that the host sends an HTTP FLOOD attack to a server of the target website after the first comparison module determines that the frequency at which the host sends HTTP messages in the fixed time period is greater than the second threshold;
wherein the anomaly score calculating module comprises:
the determining unit is used for determining abnormal behaviors of various types corresponding to the HTTP message sent by the host according to the characteristic information list and determining abnormal scores corresponding to the abnormal behaviors of various types;
and the calculating unit is used for calculating the sum of the abnormal scores corresponding to the abnormal behaviors of all types, and taking the sum of the abnormal scores corresponding to the abnormal behaviors of all types as the abnormal behavior score of the host.
7. The apparatus of claim 6, wherein the determining unit comprises:
a first judging subunit, configured to select any one HTTP message in the feature information list as a first target HTTP message, and judge whether the first target HTTP message is a first HTTP message in the feature information list;
a second judging subunit, configured to, after the first judging subunit determines that the first target HTTP message is the first HTTP message in the feature information list, judge whether the target feature information contained in the first target HTTP message matches the home page of the target website;
the first calculating subunit is configured to determine that an abnormal behavior corresponding to the first target HTTP message is a first abnormal behavior after the second determining subunit determines that the target feature information included in the first target HTTP message is not matched with the top page of the target website, and determine that an abnormal score corresponding to the first abnormal behavior is a first preset score.
8. The apparatus of claim 6, wherein the determining unit comprises:
a first grouping subunit, configured to determine second target HTTP messages among the HTTP messages and to divide second target HTTP messages that are adjacent in the feature information list into a group, where an HTTP message whose target feature information is the same and whose source feature information is not the target website is a second target HTTP message;
a first determining subunit, configured to determine that the abnormal behavior corresponding to the second target HTTP messages in a group is a second abnormal behavior after determining that the number of second target HTTP messages in the group is greater than a first preset value;
a second calculating subunit, configured to determine the abnormal coefficient of the second abnormal behavior according to the number of second target HTTP messages in the group, and to take the product of the abnormal coefficient of the second abnormal behavior and a second preset score as the abnormal score corresponding to the second abnormal behavior.
9. The apparatus of claim 6, wherein the determining unit comprises:
a second grouping subunit, configured to determine third target HTTP messages among the HTTP messages and to divide third target HTTP messages that are adjacent in the feature information list into a group, where an HTTP message is a third target HTTP message if its target feature information differs from the target feature information of the previous HTTP message in the feature information list, its source feature information is a web page of the target website, and its source feature information appears in the feature information list for the first time;
a second determining subunit, configured to determine that the abnormal behavior corresponding to the third target HTTP messages in a group is a third abnormal behavior after determining that the number of third target HTTP messages in the group is greater than a second preset value;
a third calculating subunit, configured to determine the abnormal coefficient of the third abnormal behavior according to the number of third target HTTP messages in the group, and to take the product of the abnormal coefficient of the third abnormal behavior and a third preset score as the abnormal score corresponding to the third abnormal behavior.
10. The apparatus of claim 6, further comprising, after the determining module:
the page pushing module is used for pushing a page with a verification code to the host;
the second comparison module is used for comparing the verification code input by the host with the verification code in the page;
the first processing module is used for clearing the feature information list and resetting the abnormal behavior score of the host to zero after the second comparison module determines that the verification code input by the host is the same as the verification code in the page;
and the second processing module is used for determining that the accumulated different times exceed a third preset value after the second comparison module determines that the verification code input by the host is different from the verification code in the page, and rejecting the HTTP message which is sent by the host and used for requesting to access the target website.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810400534.1A CN109413022B (en) | 2018-04-28 | 2018-04-28 | Method and device for detecting HTTP FLOOD attack based on user behavior |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810400534.1A CN109413022B (en) | 2018-04-28 | 2018-04-28 | Method and device for detecting HTTP FLOOD attack based on user behavior |
Publications (2)
Publication Number | Publication Date |
---|---|
CN109413022A CN109413022A (en) | 2019-03-01 |
CN109413022B true CN109413022B (en) | 2021-07-13 |
Family
ID=65464134
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201810400534.1A Active CN109413022B (en) | 2018-04-28 | 2018-04-28 | Method and device for detecting HTTP FLOOD attack based on user behavior |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN109413022B (en) |
Families Citing this family (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110881212B (en) * | 2019-12-09 | 2023-08-25 | Guangdong OPPO Mobile Telecommunications Corp., Ltd. | Method and device for saving power of equipment, electronic equipment and medium |
CN113872976B (en) * | 2021-09-29 | 2023-06-02 | NSFOCUS Technologies Group Co., Ltd. | Protection method and device against HTTP2-based attacks, and electronic equipment |
CN117014232B (en) * | 2023-10-07 | 2024-01-26 | Chuangyun Rongda Information Technology (Tianjin) Co., Ltd. | Defense method, device, equipment and medium for denial of service attacks |
Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101383694A (en) * | 2007-09-03 | 2009-03-11 | University of Electronic Science and Technology of China | Denial of service attack defense method and system based on data mining technology |
CN101895521A (en) * | 2009-05-22 | 2010-11-24 | Graduate University of Chinese Academy of Sciences | Network worm detection and automatic signature extraction method and system |
CN102299897A (en) * | 2010-06-23 | 2011-12-28 | University of Electronic Science and Technology of China | Feature-association-based peer-to-peer network feature analysis method |
CN103701795A (en) * | 2013-12-20 | 2014-04-02 | Beijing Qihoo Technology Co., Ltd. | Identification method and device for the attack source of a denial of service attack |
CN105429817A (en) * | 2015-10-30 | 2016-03-23 | ZTEsoft Technology Co., Ltd. | Illegal service identification device and method based on DPI and DFI |
CN106254368A (en) * | 2016-08-24 | 2016-12-21 | Hangzhou DPtech Technologies Co., Ltd. | Web vulnerability scanning detection method and device |
CN107172033A (en) * | 2017-05-10 | 2017-09-15 | Sangfor Technologies Inc. | WAF false positive identification method and device |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20180027002A1 (en) * | 2016-07-21 | 2018-01-25 | Sap Se | Outlier detection in enterprise threat detection |
2018
- 2018-04-28 CN CN201810400534.1A patent/CN109413022B/en active Active
Non-Patent Citations (1)
Title |
---|
HTTP-Get Flood attack detection method based on user access behavior; Li Min; Journal of Beihua University (Natural Science Edition); 2011-02-28; full text * |
Also Published As
Publication number | Publication date |
---|---|
CN109413022A (en) | 2019-03-01 |
Similar Documents
Publication | Title |
---|---|
CN109951500B (en) | Network attack detection method and device |
US9900344B2 (en) | Identifying a potential DDOS attack using statistical analysis |
AU2011305214B2 (en) | IP prioritization and scoring system for DDoS detection and mitigation |
KR101061375B1 (en) | JR type based DDoS attack detection and response device |
CN109194680B (en) | Network attack identification method, device and equipment |
US10944784B2 (en) | Identifying a potential DDOS attack using statistical analysis |
US8549645B2 (en) | System and method for detection of denial of service attacks |
CN106534051B (en) | Processing method and device for access requests |
CN105577608B (en) | Network attack behavior detection method and device |
JP2019021294A (en) | System and method of determining DDoS attacks |
US10505974B2 (en) | Network attack defense system and method |
CN109922072B (en) | Distributed denial of service attack detection method and device |
CN110071941B (en) | Network attack detection method, equipment, storage medium and computer equipment |
CN109413022B (en) | Method and device for detecting HTTP FLOOD attack based on user behavior |
CN103179132A (en) | Method and device for detecting and defending CC (Challenge Collapsar) attacks |
CN110417747B (en) | Method and device for detecting brute-force cracking behavior |
EP2672676A1 (en) | Methods and systems for statistical aberrant behavior detection of time-series data |
CN109257390B (en) | CC attack detection method and device and electronic equipment |
CN110061998B (en) | Attack defense method and device |
CN109561097B (en) | Method, device, equipment and storage medium for detecting SQL injection security vulnerabilities |
CN107426136B (en) | Network attack identification method and device |
Soltanaghaei et al. | Detection of fast-flux botnets through DNS traffic analysis |
KR102211503B1 (en) | Harmful IP determining method |
CN114172707B (en) | Fast-Flux botnet detection method, device, equipment and storage medium |
CN109246157A (en) | Correlation detection method for slow HTTP request DoS attacks |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||