CN109617925A - Protection method against network attacks, and method and system for setting interval marks - Google Patents

Info

Publication number: CN109617925A
Authority: CN (China)
Prior art keywords: entropy, message, access message, section, access
Legal status: Granted
Application number: CN201910087185.7A
Other languages: Chinese (zh)
Other versions: CN109617925B (en)
Inventors: 史洪博, 高鹏
Current assignee: Wangsu Science and Technology Co Ltd
Original assignee: Wangsu Science and Technology Co Ltd
Events: application filed by Wangsu Science and Technology Co Ltd; priority to CN201910087185.7A; publication of CN109617925A; application granted; publication of CN109617925B; legal status active.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1458 Denial of Service

Abstract

The invention discloses a protection method against network attacks and a method and system for setting interval marks. The protection method comprises: receiving an access message sent by a target device and calculating the information entropy of the access message; determining, among a preset number of entropy intervals, the target entropy interval in which the information entropy falls, and identifying the interval mark of the target entropy interval; and, if the interval mark of the target entropy interval indicates that the message type corresponding to that interval is the attack message type, discarding the access message and adding the target device to a blacklist so as to shield the access messages subsequently sent by the target device. The technical solution provided by the application can improve the accuracy with which TCP Data Flood attack messages are identified, without requiring the client to be modified.

Description

Protection method against network attacks, and method and system for setting interval marks
Technical field
The present invention relates to the field of Internet technology, and in particular to a protection method against network attacks and a method and system for setting interval marks.
Background technique
With the continuous development of the Internet, network attacks are also increasing. A typical attack pattern at present is TCP Data Flood (TCP data flood): the attacker establishes a TCP (Transmission Control Protocol) connection between a client and a server and then uses the client to send a large number of junk messages to the server over the TCP connection, so as to aggravate the load on the server. As a result the server cannot process normal messages in time, and may even enter a state of paralysis.
Currently, network attacks are dealt with in one of two ways. On the one hand, data features can be extracted from data messages and compared with the data features of attack messages, so as to judge whether a received data message is an attack message. However, TCP Data Flood attack messages usually contain random content and have no obvious data features, so the feature-comparison approach cannot achieve a good protection effect. On the other hand, the client can be upgraded so that the normal data messages it sends carry a special, pre-agreed fingerprint; whether a data message is a normal message can then be judged by checking whether it carries the special fingerprint. However, this approach involves modifying the client and requires the cooperation of the client's development staff, which undoubtedly increases the development cost of the client.
Summary of the invention
The purpose of the application is to provide a protection method against network attacks and a method and system for setting interval marks, which can improve the accuracy of identifying TCP Data Flood attack messages without requiring the client to be modified.
To achieve the above object, in one aspect the application provides a protection method against network attacks. A preset number of entropy intervals are provided, each entropy interval has its own interval mark, and the interval mark characterizes the message type corresponding to the current entropy interval. The method comprises: receiving an access message sent by a target device and calculating the information entropy of the access message; determining, among the preset number of entropy intervals, the target entropy interval in which the information entropy falls, and identifying the interval mark of the target entropy interval; and, if the interval mark of the target entropy interval characterizes the message type corresponding to the target entropy interval as the attack message type, discarding the access message and adding the target device to a blacklist so as to shield the access messages subsequently sent by the target device.
To achieve the above object, in another aspect the application also provides a protection system against network attacks. A preset number of entropy intervals are provided, each entropy interval has its own interval mark, and the interval mark characterizes the message type corresponding to the current entropy interval. The system comprises: an information entropy calculation unit, configured to receive an access message sent by a target device and calculate the information entropy of the access message; an interval mark identification unit, configured to determine, among the preset number of entropy intervals, the target entropy interval in which the information entropy falls, and to identify the interval mark of the target entropy interval; and a shielding unit, configured to discard the access message and add the target device to a blacklist, so as to shield the access messages subsequently sent by the target device, if the interval mark of the target entropy interval characterizes the message type corresponding to the target entropy interval as the attack message type.
To achieve the above object, in another aspect the application also provides a method for setting interval marks. The method comprises: determining an information entropy range to be divided, and dividing the information entropy range into a preset number of entropy intervals; obtaining an access message sample set containing several access message samples; calculating the information entropy of each access message sample separately and, according to the calculated information entropies, distributing the several access message samples among the preset number of entropy intervals, so as to obtain the number of access message samples contained in each entropy interval; and ranking the preset number of entropy intervals according to the number of access message samples they contain, and setting an interval mark for each entropy interval according to the ranking result.
To achieve the above object, in another aspect the application also provides a system for setting interval marks. The system comprises: an entropy interval division unit, configured to determine an information entropy range to be divided and to divide the information entropy range into a preset number of entropy intervals; a quantity statistics unit, configured to calculate separately the information entropy of each of several access message samples contained in a preset access message sample set and, according to the calculated information entropies, to distribute the several access message samples among the preset number of entropy intervals so as to obtain the number of access message samples contained in each entropy interval; and a mark setting unit, configured to rank the preset number of entropy intervals according to the number of access message samples they contain and to set an interval mark for each entropy interval according to the ranking result.
Thus, in the technical solution provided by the application, the information entropy range corresponding to data messages can be determined in advance and divided into multiple entropy intervals. A corresponding interval mark can be set for each entropy interval; the interval mark indicates the type of the data messages whose information entropy falls into that entropy interval. Subsequently, when an access message sent by a target device is received, its information entropy can be calculated and the target entropy interval into which that information entropy falls can be determined. By identifying the interval mark of the target entropy interval, the message type to which the access message belongs can be determined. If the access message is an attack message, it can be discarded and the target device added to a blacklist, so as to shield any messages subsequently sent by the target device and thereby achieve the purpose of protecting against the network attack. Therefore, the technical solution provided by the application does not require the client to be modified, and judging the message type through entropy intervals has a high precision, so the accuracy of identifying TCP Data Flood attack messages can be improved.
Detailed description of the invention
In order to describe the technical solutions in the embodiments of the present invention more clearly, the drawings required for the description of the embodiments are briefly introduced below. Obviously, the drawings in the following description are only some embodiments of the present invention; those of ordinary skill in the art can also obtain other drawings from these drawings without creative effort.
Fig. 1 is a block diagram of the method for setting interval marks in an embodiment of the present invention;
Fig. 2 is a flow chart of the method for setting interval marks in an embodiment of the present invention;
Fig. 3 is a block diagram of the protection method against network attacks in an embodiment of the present invention;
Fig. 4 is a flow chart of the protection method against network attacks in an embodiment of the present invention;
Fig. 5 is a functional block diagram of the protection system against network attacks in an embodiment of the present invention.
Specific embodiment
To make the objects, technical solutions and advantages of the present invention clearer, the embodiments of the present invention are described in further detail below with reference to the drawings.
In practical applications, after a client manipulated by an attacker and the server have completed the TCP three-way handshake, TCP Data Flood attack messages can be generated, and the content of such messages is determined mainly by the client. Since a client can use a proprietary protocol, different clients can have their own protocol specifications, so the TCP Data Flood attack messages generated by clients usually do not have a unified format, which causes the existing feature-comparison attack protection methods to fail.
However, information entropy can be used to express the average amount of information contained in a data message, and thus describes the uncertainty of the data message. The greater the amount of information contained in a data message, the higher the uncertainty of that data message and the higher its information entropy. Typically, the amount of information carried by normal data messages always lies within a certain range, so the information entropy of normal data messages also tends to lie within a controllable range. The content of attack messages, on the other hand, is usually random, so the amount of information they carry is large and their information entropy is correspondingly high. In view of this, the application can distinguish normal messages from attack messages by means of information entropy.
In an embodiment of the application, a method for setting interval marks is provided. Referring to Fig. 1, the method may comprise the following steps.
S11: determine the information entropy range of data messages, and divide the information entropy range into a preset number of entropy intervals.
In the present embodiment, the information entropy range of data messages can be determined by means of the calculation formula of information entropy. Specifically, the information entropy can be calculated as follows:
$$H = -\sum_{i=1}^{n} P(x_i)\,\log_b P(x_i)$$
Here H denotes the information entropy of the data message, $x_i$ denotes the i-th kind of character in the data message, $P(x_i)$ denotes the probability with which the i-th kind of character occurs in the data message, b denotes the base of the logarithm, and n denotes the number of different kinds of characters contained in the data message. The term $-P(x_i)\log_b P(x_i)$ can be regarded as the uncertainty value of the i-th kind of character, and the information entropy is the cumulative sum of the uncertainty values of all the different kinds of characters.
In practical applications, b is usually taken to be 2. In that case the information entropy formula expresses how many bits are needed to represent the information content of a data message. Specifically, a character in a data message has 256 different possible values. Suppose a data message contains only one kind of character: then the probability of that character occurring in the data message is exactly 1, and the information entropy calculated by the above formula is exactly 0; the data message is a deterministic message. Now suppose two different kinds of character occur in the data message with the same probability: the calculated information entropy is 1, meaning that the information content of the data message can be represented with only 1 bit. Suppose further that four different kinds of character occur in the data message with the same probability: the calculated information entropy is 2, meaning that 2 bits are needed to represent the information content of the data message. Finally, in the extreme case where all 256 different characters occur in the data message with the same probability, the calculated information entropy reaches its maximum of 8, meaning that the information content of a data message containing 256 kinds of characters needs at most 8 bits to represent.
Therefore, once the base is fixed, the information entropy that a data message can have lies within a fixed range, and that range can be expressed as the information entropy range of data messages. It should be noted that the information entropy range above was explained with base 2 as an example. This is only to facilitate the explanation of the technical solution of the present embodiment and does not mean that the base can only be 2 in practical applications. In different fields or scenarios the base can be chosen flexibly, so that the information entropy range will also differ. A person skilled in the art who understands the essence of the technical solution of the present embodiment can change the base to obtain a different information entropy range, and such a case should also fall within the protection scope of the application.
In the present embodiment, considering that normal data messages often have self-similar, long-range dependent and heavy-tailed distribution characteristics, the information entropy of normal data messages is usually concentrated in a relatively small range, which can be a subset of the above information entropy range. In view of this, the present embodiment can divide the above information entropy range into a preset number of entropy intervals which do not overlap one another and which together cover the entire information entropy range. For example, the information entropy range 0-8 above can be divided into 64 entropy intervals. Of course, in practical applications the number of entropy intervals and the partition strategy can be set flexibly; the application does not limit this.
S13: obtain an access message sample set containing several access message samples.
In the present embodiment, after the preset number of entropy intervals has been marked off, it can be determined which of these entropy intervals are the entropy intervals corresponding to normal data messages. Specifically, a large number of access message samples can be obtained from normal business data, and these access message samples constitute the access message sample set. These access message samples are all messages generated in normal business flows and are not themselves attack messages.
S15: calculate the information entropy of each access message sample separately and, according to the calculated information entropies, distribute the several access message samples among the preset number of entropy intervals, so as to obtain the number of access message samples contained in each entropy interval.
In the present embodiment, after a large number of access message samples have been obtained, the entropy interval in which the information entropy of each access message sample lies can be counted. Specifically, the information entropy of each access message sample can be calculated separately. It should be noted that the way the information entropy of an access message sample is calculated in the present embodiment differs from the detection method of traditional DDoS attacks. In the traditional DDoS detection method, a large number of normal messages are also obtained, the total number of characters contained in these normal messages is counted, and then the number of occurrences of each different character in these normal messages is counted one by one, so as to calculate the probability of each kind of character occurring in normal messages. For example, suppose there are 1500 normal messages in total and these normal messages contain 9000 characters altogether (duplicate characters are also counted cumulatively, each occurrence counting as one character), and a certain character occurs 900 times in total; then the probability of that character occurring in all the normal messages is 10%.
In the present embodiment, however, the probability of occurrence of a character is calculated independently for each access message sample. Specifically, for any target access message sample, the number of occurrences of each kind of character in that target access message sample can be counted. For example, the target access message sample aabccdee contains 5 kinds of characters altogether, and the numbers of occurrences of these 5 kinds of characters are 2, 1, 2, 1 and 2 respectively. Then, according to the counted number of occurrences of each kind of character, the probability of each kind of character occurring in the target access message sample can be calculated. Specifically, for the current character, the ratio between the number of occurrences of the current character in the target access message sample and the total number of characters contained in the target access message sample can be calculated, and this ratio taken as the probability of the current character occurring in the target access message sample. For example, for the character a, the number of occurrences is 2 and the total number of characters contained in the target access message sample is 8, so the probability of the character a occurring in the target access message sample is 25%. In this way, the probability of occurrence in the target access message sample can be calculated for each kind of character in the target access message sample. Finally, according to the probability of each kind of character occurring in the target access message sample, the uncertainty value of each kind of character can be calculated by the formula of step S11, and the sum of the uncertainty values taken as the information entropy of the target access message sample.
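The per-message entropy calculation of step S11 (including the 0, 1, 2 and 8 bit boundary cases) and the aabccdee sample above, as an added Python example; this is not code from the patent, and the function names and the constructed sample messages are my own.

```python
import math
from collections import Counter


def char_probabilities(message: bytes) -> dict:
    """Probability of each distinct byte value within this one message.

    As the text describes, the probability is computed per message: the number
    of occurrences of a character divided by the total number of characters in
    that message, not a frequency pooled over a whole corpus of normal messages.
    """
    total = len(message)
    if total == 0:
        return {}
    return {ch: n / total for ch, n in Counter(message).items()}


def message_entropy(message: bytes, base: float = 2.0) -> float:
    """Information entropy H = -sum_i P(x_i) * log_b P(x_i) of one message.

    With base 2 the result is the number of bits needed per character and,
    for byte-valued characters (256 possible values), lies in the range 0..8.
    """
    probs = char_probabilities(message)
    # Each term -P(x_i) log_b P(x_i) is the "uncertainty value" of one kind of
    # character; the entropy is the sum of those values.
    return float(-sum(p * math.log(p, base) for p in probs.values()))


def worked_examples() -> dict:
    """Reproduces the boundary cases and the aabccdee sample from the text.

    All sample messages here are constructed for illustration.
    """
    one_kind = b"A" * 64              # a single kind of character   -> H = 0
    two_kinds = b"AB" * 32            # two equiprobable kinds        -> H = 1
    four_kinds = b"ABCD" * 16         # four equiprobable kinds       -> H = 2
    all_bytes = bytes(range(256))     # all 256 values, equiprobable  -> H = 8
    sample = b"aabccdee"              # counts 2,1,2,1,2 over 8 characters -> H = 2.25
    return {
        "one_kind": message_entropy(one_kind),
        "two_kinds": message_entropy(two_kinds),
        "four_kinds": message_entropy(four_kinds),
        "all_bytes": message_entropy(all_bytes),
        "aabccdee": message_entropy(sample),
        "p_a_in_sample": char_probabilities(sample)[ord("a")],   # 2 / 8 = 0.25
    }


if __name__ == "__main__":
    for name, value in worked_examples().items():
        print(f"{name:>14}: {value:.4f}")
```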
In the present embodiment, after the information entropy of each access message sample has been calculated, it can be determined which entropy interval each calculated information entropy falls into, so that these access message samples are distributed among the entropy intervals marked off above. Finally, the number of access message samples contained in each entropy interval can be counted. For normal access messages, the corresponding information entropy often falls consistently into one or more entropy intervals. For example, the information entropy of command request messages is generally distributed between 2 and 3, and that of user name and password messages between 4.8 and 5.2. An entropy range such as 5.8 to 6.1, on the other hand, is usually not hit by normal messages; that is, according to the distribution law obtained from the information entropy statistics of normal messages, the number of access message samples contained in the 5.8 to 6.1 entropy interval is generally 0.
S17: rank the preset number of entropy intervals according to the number of access message samples they contain, and set an interval mark for each entropy interval according to the ranking result.
In the present embodiment, after the number of access message samples contained in each entropy interval has been counted, the entropy intervals can be ranked in descending order of the counted number. Of course, in practical applications the entropy intervals can also be ranked in ascending order of the number; the application does not limit this.
In the ranking result, the entropy intervals near the top contain more access message samples, which means that these entropy intervals are more likely to correspond to normal messages. The entropy intervals near the bottom may contain few or even no access message samples, which means that they are less likely to correspond to normal messages. In view of this, a corresponding interval mark can be set for each entropy interval according to the ranking result; the interval mark can be used to characterize the message type corresponding to the current entropy interval. In the present embodiment the message types can be divided into the attack message type, the trusted message type and the suspicious message type.
Specifically, referring to Fig. 2, in one embodiment the entropy intervals containing 0 access message samples can be selected from the ranking result, and an interval mark characterizing the attack message type can be set for each entropy interval whose number of contained access message samples is 0. A count of 0 contained access message samples means that the information entropy calculated for normal messages generally does not fall into the current entropy interval, so the messages corresponding to the current entropy interval are attack messages.
In one embodiment, several entropy intervals ranked nearest the top can be selected from the ranking result. If the ratio between the total number of access message samples contained in these several entropy intervals and the total number of access message samples contained in the access message sample set is greater than or equal to a preset threshold, and after any one entropy interval is removed from these several entropy intervals the ratio between the total number of access message samples contained in the remaining entropy intervals and the total number of access message samples contained in the access message sample set is less than the preset threshold, then an interval mark characterizing the trusted message type can be set for these several entropy intervals. As an example, suppose the preset threshold is 90%. Entropy intervals can then be selected one by one from the front of the ranking result. After the entropy interval ranked first has been selected, suppose that it contains 800 access message samples and the access message sample set contains 1500 access message samples in total; the number of access message samples contained in the first-ranked entropy interval does not reach 90% of the total, so selection continues with the entropy interval ranked second. Suppose that the entropy interval ranked second contains 600 access message samples; then the first-ranked and second-ranked entropy intervals together contain 1400 access message samples, which is about 93.3% of the total number of access message samples in the access message sample set and greater than the preset threshold of 90%, so the interval marks of both the first-ranked and the second-ranked entropy interval can be set to the interval mark characterizing the trusted message type. If the entropy interval ranked third contains 50 access message samples, then although the first- to third-ranked entropy intervals together contain 1450 access message samples and their share also exceeds the preset threshold of 90%, after the third-ranked entropy interval is removed the share of the access message samples contained in the remaining two entropy intervals still exceeds 90%; in this case the third-ranked entropy interval cannot be marked as the trusted message type.
In one embodiment, after the entropy intervals corresponding to the attack message type and the trusted message type have been filtered out, an interval mark characterizing the suspicious message type can be set for the remaining entropy intervals. Specifically, the entropy intervals whose interval marks characterize the attack message type and the trusted message type can be removed from the preset number of entropy intervals, and an interval mark characterizing the suspicious message type set for the remaining entropy intervals.
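Steps S11 to S17 carried through end to end, as an added Python example that is not the patent's own code: the 0-8 range is split into 64 entropy intervals, a sample set is distributed over them, the intervals are ranked, and the attack, trusted and suspicious marks are assigned using the 90% threshold and the removal check described above. The function names are my own, and the sample set is constructed from precomputed entropies so that it reproduces the 800 / 600 / 50 counts of the worked example (1500 samples in total).

```python
from dataclasses import dataclass
from typing import Dict, List

ATTACK, TRUSTED, SUSPICIOUS = "attack", "trusted", "suspicious"


@dataclass(frozen=True)
class EntropyInterval:
    index: int
    low: float
    high: float   # half-open [low, high); the last interval also contains `high`


def divide_entropy_range(low: float, high: float, count: int) -> List[EntropyInterval]:
    """Step S11: split [low, high] into `count` non-overlapping intervals covering the whole range."""
    width = (high - low) / count
    return [EntropyInterval(i, low + i * width, low + (i + 1) * width) for i in range(count)]


def interval_index(entropy: float, low: float, high: float, count: int) -> int:
    """Index of the interval into which an entropy value falls."""
    if not low <= entropy <= high:
        raise ValueError(f"entropy {entropy} outside range [{low}, {high}]")
    # Clamp so that entropy == high lands in the last interval instead of index `count`.
    return min(int((entropy - low) * count / (high - low)), count - 1)


def count_samples(sample_entropies: List[float], low: float, high: float, count: int) -> List[int]:
    """Step S15: number of access-message samples whose entropy falls into each interval."""
    counts = [0] * count
    for h in sample_entropies:
        counts[interval_index(h, low, high, count)] += 1
    return counts


def set_interval_marks(counts: List[int], threshold: float = 0.9) -> Dict[int, str]:
    """Step S17: rank intervals by sample count (descending) and assign marks.

    - an interval with 0 samples                                   -> attack
    - the leading k intervals whose samples reach >= threshold of all samples,
      where dropping any one of them would fall below the threshold -> trusted
    - every remaining interval                                      -> suspicious
    """
    total = sum(counts)
    if total == 0:
        raise ValueError("sample set is empty; cannot rank intervals")
    ranking = sorted(range(len(counts)), key=lambda i: counts[i], reverse=True)

    trusted = set()
    running = 0
    for k, idx in enumerate(ranking, start=1):
        running += counts[idx]
        head = ranking[:k]
        # Because the ranking is descending, the first prefix that reaches the
        # threshold is also the one that passes the "remove any one" check.
        if running / total >= threshold and all(
            (running - counts[j]) / total < threshold for j in head
        ):
            trusted = set(head)
            break

    marks: Dict[int, str] = {}
    for idx in ranking:
        if counts[idx] == 0:
            marks[idx] = ATTACK
        elif idx in trusted:
            marks[idx] = TRUSTED
        else:
            marks[idx] = SUSPICIOUS
    return marks


def worked_example() -> Dict[str, object]:
    """Constructed sample set: 800 samples at H=2.5, 600 at H=5.0, 50 at H=4.0, 50 at H=6.5."""
    low, high, n = 0.0, 8.0, 64
    samples = [2.5] * 800 + [5.0] * 600 + [4.0] * 50 + [6.5] * 50
    counts = count_samples(samples, low, high, n)
    marks = set_interval_marks(counts, threshold=0.9)
    by_mark = {m: sorted(i for i, v in marks.items() if v == m) for m in (ATTACK, TRUSTED, SUSPICIOUS)}
    return {"counts": counts, "marks": marks, "by_mark": by_mark,
            "intervals": divide_entropy_range(low, high, n)}


if __name__ == "__main__":
    result = worked_example()
    for mark, idxs in result["by_mark"].items():
        print(mark, f"{len(idxs)} intervals" if mark == ATTACK else idxs)
```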
At this point, each of the preset number of entropy intervals has its own interval mark, and subsequently different message processing strategies can be associated with the different interval marks. For example, the message processing strategy associated with the interval mark characterizing the attack message type may be: directly discard the received access message and add the device that sent it to a blacklist, so as to shield the messages subsequently sent by that device. The message processing strategy associated with the interval mark characterizing the trusted message type may be: receive and process the access message. The message processing strategy associated with the interval mark characterizing the suspicious message type may be: keep counting the total number of times, within a unit time, that the device sending the suspicious message hits entropy intervals whose interval mark is the suspicious message type, and if the counted total is greater than or equal to a preset decision threshold, temporarily shield the access messages sent by that device for a specified duration.
Therefore, after the interval mark characterizing the suspicious message type has been set, a decision threshold can also be set for suspicious messages; the decision threshold characterizes the upper limit of the number of suspicious messages that the same device may send within a unit time. In practical applications the unit of the decision threshold can be pps (packets per second, the number of packets per second). For example, the decision threshold can be 60 pps, meaning that if a device sends a total of 60 suspicious messages within one second, the device can be temporarily put on the blacklist, and only after the specified duration has elapsed are the messages sent by that device received again.
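The three processing strategies described above (drop and blacklist for attack marks, accept for trusted marks, and the per-device one-second counter with a 60 pps decision threshold and a temporary block for suspicious marks), as an added Python example that is not code from the patent. The AttackGuard class, the injectable clock, the 300-second default block duration, the mark table and the sample messages are all constructed assumptions; treating a suspicious message that is still under the threshold as accepted is likewise an assumption, since the text only specifies the counting.

```python
import math
import time
from collections import Counter, defaultdict, deque
from typing import Callable, Deque, Dict

ATTACK, TRUSTED, SUSPICIOUS = "attack", "trusted", "suspicious"


def message_entropy(message: bytes) -> float:
    """Per-message information entropy in bits (base 2), as in step S11."""
    total = len(message)
    if total == 0:
        return 0.0
    return -sum((n / total) * math.log2(n / total) for n in Counter(message).values())


class AttackGuard:
    """Looks up the interval mark of each access message and applies the matching strategy.

    `marks` maps every entropy interval index (0..len(marks)-1 over [low, high]) to
    'attack', 'trusted' or 'suspicious', i.e. the output of the mark-setting procedure.
    `clock` is injectable so the one-second window and the temporary block can be
    exercised without sleeping.
    """

    def __init__(self, marks: Dict[int, str], low: float = 0.0, high: float = 8.0,
                 decision_threshold_pps: int = 60, block_seconds: float = 300.0,
                 clock: Callable[[], float] = time.monotonic):
        self.marks, self.low, self.high, self.count = marks, low, high, len(marks)
        self.decision_threshold, self.block_seconds, self.clock = decision_threshold_pps, block_seconds, clock
        self.blacklist: set = set()                               # permanent, attack marks
        self.blocked_until: Dict[str, float] = {}                 # temporary, suspicious devices
        self.suspicious_hits: Dict[str, Deque[float]] = defaultdict(deque)

    def interval_of(self, entropy: float) -> int:
        return min(int((entropy - self.low) * self.count / (self.high - self.low)), self.count - 1)

    def handle(self, device: str, message: bytes) -> str:
        """Returns 'accept', 'drop+blacklist', 'drop+temp_block' or 'drop(blocked)'."""
        now = self.clock()
        if device in self.blacklist:
            return "drop(blocked)"
        until = self.blocked_until.get(device)
        if until is not None:
            if now < until:
                return "drop(blocked)"
            del self.blocked_until[device]                        # specified duration elapsed: receive again

        mark = self.marks[self.interval_of(message_entropy(message))]
        if mark == ATTACK:
            self.blacklist.add(device)                            # drop and shield all later messages
            return "drop+blacklist"
        if mark == TRUSTED:
            return "accept"

        # Suspicious: count this device's hits on suspicious intervals inside a one-second window.
        hits = self.suspicious_hits[device]
        hits.append(now)
        while hits and now - hits[0] >= 1.0:
            hits.popleft()
        if len(hits) >= self.decision_threshold:
            self.blocked_until[device] = now + self.block_seconds
            hits.clear()
            return "drop+temp_block"
        return "accept"                                           # assumption: below threshold, still processed


def worked_example() -> list:
    """Constructed mark table and traffic: interval 8 trusted, 24 suspicious, all others attack."""
    marks = {i: ATTACK for i in range(64)}
    marks[8], marks[24] = TRUSTED, SUSPICIOUS
    t = [0.0]                                                     # fake clock, seconds
    guard = AttackGuard(marks, decision_threshold_pps=60, block_seconds=10.0, clock=lambda: t[0])
    normal = b"AB" * 16            # H = 1 bit  -> interval 8  (trusted)
    odd = b"ABCDEFGH" * 4          # H = 3 bits -> interval 24 (suspicious)
    flood = bytes(range(256))      # H = 8 bits -> interval 63 (attack)
    log = [("dev-a", guard.handle("dev-a", normal))]
    decision = ""
    for i in range(60):            # 60 suspicious messages within 0.6 s reach the 60 pps threshold
        t[0] = i * 0.01
        decision = guard.handle("dev-b", odd)
    log.append(("dev-b", decision))
    t[0] = 5.0
    log.append(("dev-b later", guard.handle("dev-b", normal)))     # still inside the 10 s block
    t[0] = 11.0
    log.append(("dev-b restored", guard.handle("dev-b", normal)))  # block expired
    log.append(("dev-c", guard.handle("dev-c", flood)))
    log.append(("dev-c again", guard.handle("dev-c", normal)))     # permanently blacklisted
    return log


if __name__ == "__main__":
    for device, decision in worked_example():
        print(f"{device:>15}: {decision}")
```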
The application also provides a system for setting interval marks, the system comprising:
an entropy interval division unit, configured to determine an information entropy range to be divided and to divide the information entropy range into a preset number of entropy intervals;
a quantity statistics unit, configured to calculate separately the information entropy of each of several access message samples contained in a preset access message sample set and, according to the calculated information entropies, to distribute the several access message samples among the preset number of entropy intervals so as to obtain the number of access message samples contained in each entropy interval;
a mark setting unit, configured to rank the preset number of entropy intervals according to the number of access message samples they contain and to set an interval mark for each entropy interval according to the ranking result.
In this application, a preset number of entropy intervals can be obtained in the manner described above, each carrying its own interval mark, and the interval mark characterizes the message type corresponding to that entropy interval. Subsequently, the access messages sent by a target device can be used to judge whether the target device is controlled by an attacker. Specifically, referring to Fig. 3 and Fig. 4, the application also provides a protection method against network attacks, which may comprise the following steps.
S21: receive the access message sent by the target device and compute the information entropy of the access message.
In this embodiment, the server on which the network attack protection function is enabled can be pre-configured with the above entropy intervals carrying interval marks, and different message processing policies can be set for different interval marks. After the access message sent by the target device has been received, its information entropy can be computed.
Specifically, the number of occurrences of each kind of character in the access message can be counted in the manner described above. Then, from the counted number of occurrences of each character, the probability of each character occurring in the access message is computed. Finally, from the probability of each character occurring in the access message, the uncertainty value of each character is computed, and the sum of these uncertainty values is taken as the information entropy of the access message. When computing the probability of a character occurring in the access message, for the current character, the ratio of the number of occurrences of the current character in the access message to the total number of characters contained in the access message is computed, and that ratio is taken as the probability of the current character occurring in the access message.
S23: determine, among the preset number of entropy intervals, the target entropy interval in which the information entropy lies, and identify the target interval mark of the target entropy interval.
S25: if the target interval mark characterizes the message type corresponding to the target entropy interval as the attack-message type, discard the access message and add the target device to a blacklist, so as to block the access messages subsequently sent by the target device.
In this embodiment, after the information entropy of the access message has been computed, the target entropy interval into which the information entropy falls can be determined, and the target interval mark of that target entropy interval can be identified.
Different interval marks can be associated with different message processing policies. Specifically, if the target interval mark characterizes the message type corresponding to the target entropy interval as the attack-message type, the access message can be discarded directly and the target device added to the blacklist, so as to block the access messages subsequently sent by the target device.
If the target interval mark characterizes the message type corresponding to the target entropy interval as the trusted-message type, the server can receive and process the access message normally.
If the target interval mark characterizes the message type corresponding to the target entropy interval as the suspicious-message type, the server can continue to judge the behaviour of the target device. Specifically, the total number of times the target device hits entropy intervals marked as the suspicious-message type within a unit of time can be counted. If the counted total is greater than or equal to the preset decision threshold, the target device is deemed to be performing suspicious operations, and the access messages it sends are blocked for the specified duration. After the specified duration has elapsed, the access messages sent by the target device are received normally again.
Referring to Fig. 4, in one embodiment, after receiving an access message sent by the target device, the server can first directly judge whether the target device is on the current blacklist. If it is, the target device was already judged to be an attacking device in an earlier decision, and the access message can be discarded directly without computing its information entropy. If the target device is not on the current blacklist, the information entropy of the access message is computed according to the above process and the further judgement is made according to the information entropy.
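The runtime side of steps S21 to S25, including the blacklist pre-check of Fig. 4 and the per-device counting of suspicious hits within a unit of time, as an added example in Python. This is illustration code for this page, not the applicant's implementation. It assumes that the interval marks have already been set (the `MARKS` list and the [0, 8] bit range are constructed), uses a base-2 entropy, treats a suspicious message below the threshold as still processed (the text does not say otherwise), and implements the "unit time" as a sliding one-second window so that the threshold is a pps value as in the 60 pps example; the threshold of 3 hits, the 10-second block and the three devices of the demo are likewise constructed.

```python
import math
import time
from collections import Counter, defaultdict, deque

# Added example (not the applicant's code) of the runtime flow of steps
# S21-S25, the blacklist pre-check of Fig. 4 and the suspicious-message
# counter.  Interval marks, threshold, window and block duration are
# constructed for illustration; the application's own example is 60 pps.

ATTACK, TRUSTED, SUSPICIOUS = "attack", "trusted", "suspicious"


def message_entropy(payload: bytes) -> float:
    """Sum of per-byte uncertainty values -p*log2(p) (base 2 is this example's choice)."""
    if not payload:
        return 0.0
    n = len(payload)
    return -sum(c / n * math.log2(c / n) for c in Counter(payload).values())


class Protector:
    """marks[i] is the interval mark of the i-th equal-width interval of [lo, hi]."""

    def __init__(self, lo, hi, marks, threshold, window=1.0, block_secs=60.0,
                 clock=time.monotonic):
        self.lo, self.hi, self.marks = lo, hi, marks
        self.threshold = threshold      # decision threshold: suspicious hits per window
        self.window = window            # the "unit time" (1 s makes the threshold a pps value)
        self.block_secs = block_secs    # the "specified duration" of a temporary block
        self.clock = clock
        self.blacklist = set()          # devices that sent an attack-type message
        self.blocked_until = {}         # device -> expiry of its temporary block
        self.hits = defaultdict(deque)  # device -> timestamps of suspicious hits

    def mark_of(self, h: float) -> str:
        n = len(self.marks)
        h = min(max(h, self.lo), self.hi)
        return self.marks[min(int((h - self.lo) / (self.hi - self.lo) * n), n - 1)]

    def handle(self, device: str, payload: bytes) -> str:
        """Decision for one access message: 'drop', 'block' or 'accept'."""
        now = self.clock()
        if device in self.blacklist:            # Fig. 4 pre-check: no entropy needed
            return "drop"
        if self.blocked_until.get(device, 0.0) > now:
            return "block"                      # temporary block still running
        mark = self.mark_of(message_entropy(payload))   # S21 + S23
        if mark == ATTACK:                      # S25
            self.blacklist.add(device)
            return "drop"
        if mark == TRUSTED:
            return "accept"
        # SUSPICIOUS: count this device's hits inside the sliding unit-time window.
        q = self.hits[device]
        q.append(now)
        while q and q[0] <= now - self.window:
            q.popleft()
        if len(q) >= self.threshold:
            self.blocked_until[device] = now + self.block_secs
            q.clear()
            return "block"
        return "accept"     # below threshold: still processed (this example's choice)


class ManualClock:
    """Deterministic clock for the demo; advance it by setting .t."""
    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t


MARKS = ["attack", "suspicious", "suspicious", "trusted", "trusted", "attack", "attack", "attack"]


def demo() -> list:
    """Constructed traffic from three devices; returns the decisions in order."""
    clk = ManualClock()
    p = Protector(0.0, 8.0, MARKS, threshold=3, window=1.0, block_secs=10.0, clock=clk)
    out = []
    out.append(p.handle("dev-a", b"abcdefgh"))   # entropy 3.0 -> trusted
    out.append(p.handle("dev-b", b"\x00" * 64))  # entropy 0.0 -> attack, blacklisted
    out.append(p.handle("dev-b", b"abcdefgh"))   # blacklisted: dropped before entropy
    for t in (0.0, 0.5, 0.9):                    # three suspicious hits within 1 s
        clk.t = t
        out.append(p.handle("dev-c", b"aabb"))   # entropy 1.0 -> suspicious
    clk.t = 5.0
    out.append(p.handle("dev-c", b"abcdefgh"))   # block (until 10.9) still active
    clk.t = 11.0
    out.append(p.handle("dev-c", b"abcdefgh"))   # block expired, trusted again
    return out


if __name__ == "__main__":
    print(demo())
```

The permanent blacklist and the timed block are kept apart so that a device which only tripped the suspicious counter recovers after the specified duration, while one that sent an attack-type message stays blocked, as the text distinguishes. The page's own non-patent citation (Özçelik et al., "Deceiving entropy based DoS detection") names the limitation of this scheme: an attacker who shapes payload byte distributions so that the entropy lands in a trusted interval passes the check, so the entropy mark is best treated as one signal beside rate and connection-state checks rather than the sole decision.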
Referring to Fig. 5, the application also provides a protection system against network attacks. The system is provided with a preset number of entropy intervals, each entropy interval has its own interval mark, and the interval mark characterizes the message type corresponding to the current entropy interval. The system comprises:
an information entropy computing unit, configured to receive the access message sent by the target device and to compute the information entropy of the access message;
an interval mark identification unit, configured to determine, among the preset number of entropy intervals, the target entropy interval in which the information entropy lies, and to identify the target interval mark of the target entropy interval;
a blocking unit, configured to, if the target interval mark characterizes the message type corresponding to the target entropy interval as the attack-message type, discard the access message and add the target device to a blacklist, so as to block the access messages subsequently sent by the target device.
In one embodiment, the system further comprises:
a message sample set acquisition unit, configured to obtain an access message sample set containing several access message samples;
an interval distribution unit, configured to compute the information entropy of each access message sample separately and, according to the computed information entropies, to distribute the access message samples among the preset number of entropy intervals, so as to obtain the number of access message samples contained in each entropy interval;
an interval mark setting unit, configured to rank the preset number of entropy intervals by the number of access message samples they contain and, according to the ranking result, to set an interval mark for each entropy interval.
Thus, in the technical solution provided by this application, the information entropy range corresponding to data messages can be determined in advance and divided into multiple entropy intervals. A corresponding interval mark can be set for each entropy interval, indicating the type of the data messages whose information entropy falls into that interval. Subsequently, when an access message sent by a target device is received, its information entropy can be computed and the target entropy interval into which it falls determined. By identifying the target interval mark of that target entropy interval, the message type of the access message can be determined. If the access message belongs to attack messages, it can be discarded and the target device added to the blacklist, so that any messages subsequently sent by the target device are blocked, thereby achieving protection against network attacks. The technical solution therefore requires no modification of the client, and judging the message type through entropy intervals gives higher precision, which improves the accuracy of identifying TCP data flood attack messages.
From the above description of the embodiments, those skilled in the art can clearly understand that each embodiment can be implemented by software together with a necessary general-purpose hardware platform, and of course also by hardware. On this understanding, the above technical solution, or the part of it that contributes over the prior art, can essentially be embodied in the form of a software product. The software product may be stored in a computer-readable storage medium such as ROM/RAM, a magnetic disk or an optical disc, and includes instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to execute the method described in the embodiments or in certain parts of the embodiments.
The foregoing is merely a preferred embodiment of the present invention and is not intended to limit it. Any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present invention shall be included within its scope of protection.

Claims (15)

1. A protection method against network attacks, characterized in that a preset number of entropy intervals are provided, each entropy interval has its own interval mark, and the interval mark characterizes the message type corresponding to the current entropy interval, the method comprising:
receiving an access message sent by a target device, and computing the information entropy of the access message;
determining, among the preset number of entropy intervals, the target entropy interval in which the information entropy lies, and identifying the target interval mark of the target entropy interval;
if the target interval mark characterizes the message type corresponding to the target entropy interval as the attack-message type, discarding the access message and adding the target device to a blacklist, so as to block the access messages subsequently sent by the target device.
2. The method according to claim 1, characterized in that the interval marks of the entropy intervals are determined in the following way:
obtaining an access message sample set containing several access message samples;
computing the information entropy of each access message sample separately and, according to the computed information entropies, distributing the access message samples among the preset number of entropy intervals, so as to obtain the number of access message samples contained in each entropy interval;
ranking the preset number of entropy intervals by the number of access message samples they contain and, according to the ranking result, setting an interval mark for each entropy interval.
3. The method according to claim 2, characterized in that the ranking result is ordered from the most to the fewest access message samples contained; correspondingly, setting an interval mark for each entropy interval according to the ranking result comprises:
selecting from the ranking result the entropy intervals containing 0 access message samples, and setting for those entropy intervals the interval mark characterizing the attack-message type;
selecting from the ranking result several entropy intervals ranked at the top, such that the ratio of the total number of access message samples contained in those entropy intervals to the total number of access message samples contained in the access message sample set is greater than or equal to a preset threshold, while after any one of those entropy intervals is removed, the ratio of the total number of access message samples contained in the remaining entropy intervals to the total number of access message samples contained in the access message sample set is less than the preset threshold; and setting for those entropy intervals the interval mark characterizing the trusted-message type;
excluding from the preset number of entropy intervals those whose interval mark characterizes the attack-message type and those whose interval mark characterizes the trusted-message type, and setting for the remaining entropy intervals the interval mark characterizing the suspicious-message type.
4. The method according to claim 3, characterized in that, after setting the interval mark characterizing the suspicious-message type for the remaining entropy intervals, the method further comprises:
setting a decision threshold for suspicious messages, the decision threshold characterizing the upper limit on the number of suspicious messages sent by the same device within a unit of time.
5. The method according to claim 1, characterized in that the method further comprises:
if the target interval mark characterizes the message type corresponding to the target entropy interval as the trusted-message type, receiving and processing the access message;
if the target interval mark characterizes the message type corresponding to the target entropy interval as the suspicious-message type, counting the total number of times the target device hits entropy intervals marked as the suspicious-message type within a unit of time; and if the counted total is greater than or equal to a preset decision threshold, blocking the access messages sent by the target device for a specified duration.
6. The method according to claim 1, characterized in that, after receiving the access message sent by the target device, the method further comprises:
judging whether the target device is on the current blacklist; if the target device is on the current blacklist, discarding the access message; if the target device is not on the current blacklist, computing the information entropy of the access message.
7. The method according to claim 1, characterized in that computing the information entropy of the access message comprises:
counting the number of occurrences of each kind of character in the access message;
computing, from the counted number of occurrences of each character, the probability of each character occurring in the access message;
computing, from the probability of each character occurring in the access message, the uncertainty value of each character, and taking the sum of the uncertainty values as the information entropy of the access message.
8. The method according to claim 7, characterized in that computing the probability of each character occurring in the access message comprises:
for the current character, computing the ratio of the number of occurrences of the current character in the access message to the total number of characters contained in the access message, and taking that ratio as the probability of the current character occurring in the access message.
9. A protection system against network attacks, characterized in that a preset number of entropy intervals are provided, each entropy interval has its own interval mark, and the interval mark characterizes the message type corresponding to the current entropy interval, the system comprising:
an information entropy computing unit, configured to receive the access message sent by a target device and to compute the information entropy of the access message;
an interval mark identification unit, configured to determine, among the preset number of entropy intervals, the target entropy interval in which the information entropy lies, and to identify the target interval mark of the target entropy interval;
a blocking unit, configured to, if the target interval mark characterizes the message type corresponding to the target entropy interval as the attack-message type, discard the access message and add the target device to a blacklist, so as to block the access messages subsequently sent by the target device.
10. The system according to claim 9, characterized in that the system further comprises:
a message sample set acquisition unit, configured to obtain an access message sample set containing several access message samples;
an interval distribution unit, configured to compute the information entropy of each access message sample separately and, according to the computed information entropies, to distribute the access message samples among the preset number of entropy intervals, so as to obtain the number of access message samples contained in each entropy interval;
an interval mark setting unit, configured to rank the preset number of entropy intervals by the number of access message samples they contain and, according to the ranking result, to set an interval mark for each entropy interval.
11. A method for setting interval marks, characterized in that the method comprises:
determining the information entropy range of data messages, and dividing the information entropy range into a preset number of entropy intervals;
obtaining an access message sample set containing several access message samples;
computing the information entropy of each access message sample separately and, according to the computed information entropies, distributing the access message samples among the preset number of entropy intervals, so as to obtain the number of access message samples contained in each entropy interval;
ranking the preset number of entropy intervals by the number of access message samples they contain and, according to the ranking result, setting an interval mark for each entropy interval.
12. The method according to claim 11, characterized in that the ranking result is ordered from the most to the fewest access message samples contained; correspondingly, setting an interval mark for each entropy interval according to the ranking result comprises:
selecting from the ranking result the entropy intervals containing 0 access message samples, and setting for those entropy intervals the interval mark characterizing the attack-message type;
selecting from the ranking result several entropy intervals ranked at the top, such that the ratio of the total number of access message samples contained in those entropy intervals to the total number of access message samples contained in the access message sample set is greater than or equal to a preset threshold, while after any one of those entropy intervals is removed, the ratio of the total number of access message samples contained in the remaining entropy intervals to the total number of access message samples contained in the access message sample set is less than the preset threshold; and setting for those entropy intervals the interval mark characterizing the trusted-message type;
excluding from the preset number of entropy intervals those whose interval mark characterizes the attack-message type and those whose interval mark characterizes the trusted-message type, and setting for the remaining entropy intervals the interval mark characterizing the suspicious-message type.
13. The method according to claim 12, characterized in that, after setting the interval mark characterizing the suspicious-message type for the remaining entropy intervals, the method further comprises:
setting a decision threshold for suspicious messages, the decision threshold characterizing the upper limit on the number of suspicious messages sent by the same device within a unit of time.
14. The method according to claim 11, characterized in that computing the information entropy of each access message sample separately comprises:
for any target access message sample, counting the number of occurrences of each kind of character in the target access message sample;
computing, from the counted number of occurrences of each character, the probability of each character occurring in the target access message sample;
computing, from the probability of each character occurring in the target access message sample, the uncertainty value of each character, and taking the sum of the uncertainty values as the information entropy of the target access message sample.
15. A system for setting interval marks, characterized in that the system comprises:
an entropy interval division unit, configured to determine the information entropy range to be divided and to divide the information entropy range into a preset number of entropy intervals;
a quantity statistics unit, configured to compute the information entropy of each of the several access message samples contained in a preset access message sample set, to distribute the access message samples among the preset number of entropy intervals according to the computed information entropies, and thereby to obtain the number of access message samples contained in each entropy interval;
a mark setting unit, configured to rank the preset number of entropy intervals by the number of access message samples they contain and, according to the ranking result, to set an interval mark for each entropy interval.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910087185.7A CN109617925B (en) 2019-01-29 2019-01-29 Method and system for protecting network attack and setting interval mark

Publications (2)

Publication Number Publication Date
CN109617925A true CN109617925A (en) 2019-04-12
CN109617925B CN109617925B (en) 2021-08-27

Family

ID=66021429

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105847283A (en) * 2016-05-13 2016-08-10 深圳市傲天科技股份有限公司 Information entropy variance analysis-based abnormal traffic detection method
CN106330906A (en) * 2016-08-23 2017-01-11 上海海事大学 Method for detecting DDoS (Distributed Denial of Service) attack in big data environment
CN107743113A (en) * 2016-11-23 2018-02-27 腾讯科技(深圳)有限公司 A kind of detection method and system of website attack
CN108173812A (en) * 2017-12-07 2018-06-15 东软集团股份有限公司 Prevent method, apparatus, storage medium and the equipment of network attack

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
İlker Özçelik et al.: "Deceiving entropy based DoS detection", Computers & Security *

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111131161A (en) * 2019-11-25 2020-05-08 美的集团股份有限公司 Intelligent equipment identity identification method and system, electronic equipment and storage medium
US11943220B2 (en) 2019-11-25 2024-03-26 Midea Group Co., Ltd. Smart device identity recognition method and system, electronic device, and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant