CN110011977B - Website security defense method - Google Patents

Info

Publication number: CN110011977B
Authority: CN (China)
Prior art keywords: access, address, website, preset time, time period
Legal status: Active (as listed by Google Patents; an assumption, not a legal conclusion)
Application number: CN201910172602.8A
Other languages: Chinese (zh)
Other versions: CN110011977A (en)
Inventor: 胡磊
Current Assignee: Beijing Huaanpute Network Technology Co ltd (as listed by Google Patents; may be inaccurate)
Original Assignee: Beijing Huaanpute Network Technology Co ltd
Application filed by: Beijing Huaanpute Network Technology Co ltd
Priority to: CN201910172602.8A
Publications: CN110011977A (application), CN110011977B (grant)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1441 Countermeasures against malicious traffic

Abstract

The invention discloses a website security defense method comprising the following steps: acquiring the number of website access requests from each region within a preset time period; comparing that number with a set standard per-region website access request threshold to determine the excess rate of website access requests; extracting the IP addresses that log in to the website from regions whose excess rate is greater than the set standard excess rate; acquiring the website's IP address access threshold; judging whether the real-time access count of each IP address in a region whose excess rate is greater than the set standard excess rate is greater than the website's IP address access threshold; and rate limiting the IP addresses whose actual access count is greater than the website's IP address access threshold, and otherwise counting the access time and number of accesses of the IP address in the prediction time period and recording and storing them. The invention limits the access count of an IP address and lowers its access threshold, which further reduces the access count of the IP address, prevents the website from being broken, and improves the defense capability of the website.

Description

Website security defense method
Technical Field
The invention belongs to the technical field of website defense, and relates to a website security defense method.
Background
Malicious attackers often use servers to generate legitimate requests to a website and access it continuously, consuming the performance of the website server. The website is thereby attacked, the website server is paralyzed, and normal users cannot use it.
Because the access requests an attacker sends to a website are the same as those of a normal user, the website server cannot tell, when it receives a request, whether it comes from an attacker or from a normal user, and so cannot restrict the attacker's requests. To improve the website's resistance to attack and the experience of normal users, a website security defense method is designed that greatly improves the security and defense capability of the website.
Disclosure of Invention
The invention aims to provide a website security defense method in which the number of website access requests in a region within a preset time period is compared with a set website access request threshold to determine the excess rate of the website; the access counts of all IP addresses in regions whose excess rate is greater than the standard excess rate are extracted; whether the access count of each IP address exceeds the access threshold is judged; and the access count of IP addresses exceeding the access threshold is limited, thereby solving the problems in the prior art.
The purpose of the invention can be achieved by the following technical solution:
A website security defense method comprises the following steps:
S1, acquiring the number of website access requests from each region within a preset time period;
S2, comparing the number of website access requests in each region with a set standard per-region website access request threshold, and determining the excess rate of website access requests in the region;
S3, extracting the IP addresses corresponding to the website in regions whose excess rate is greater than the set standard excess rate;
S4, acquiring the access threshold for IP addresses logging in to the website, the access threshold of an IP address being the maximum number of accesses for each IP address;
S5, judging whether the real-time access count of each IP address in a region whose excess rate is greater than the set standard excess rate is greater than the website's IP address access threshold; if so, executing step S6, otherwise executing step S7;
S6, rate limiting the IP addresses whose actual access count is greater than the website's IP address access threshold;
S7, applying no rate limiting to the IP addresses whose actual access count is less than the website's IP address access threshold, counting the access time and number of accesses of the IP address in the prediction time period, and recording and storing them.
Furthermore, the excess rate ζ is expressed as the ratio by which the number of website access requests in the region exceeds the set standard per-region website access request threshold,
Figure GDA0002969571720000021
W denotes the number of website access requests, and W0 denotes the standard per-region website access request threshold.
Further, the rate limiting process comprises the following steps:
H1, sequentially acquiring the access counts of the IP address in the n preset time periods before the preset time period in which the actual access count of the IP address is greater than the website's IP address access threshold;
H2, ordering the access counts of the IP address by preset time period, in the order in which the accesses occurred; the preset time periods are numbered 1, 2, ..., i, ..., n, where n denotes the nth preset time period, and the access counts in the first n preset time periods form the access number set A (a1, a2, ..., ai, ..., an), where ai denotes the access count of the IP address in the ith preset time period and the access count in the nth preset time period is the access count in the preset time period that exceeded the IP address access threshold;
H3, comparing, in order, the access count of the IP address in each of the first n preset time periods with its access count in the next preset time period to obtain the comparison access number set ΔA (Δa1, Δa2, ..., Δai, ..., Δa(n-1)), where Δai denotes the difference between the access count of the IP address in the (i+1)th preset time period and its access count in the ith preset time period;
H4, computing the access mutation coefficient from the comparison access number set; if the access mutation coefficient is smaller than the set access mutation coefficient threshold, allowing the IP address to continue accessing; otherwise, taking 1/2 of the access threshold of the IP address as the new access threshold.
Further, the formula for the access mutation coefficient is as follows:
Figure GDA0002969571720000031
Φ denotes the access mutation coefficient, Δai denotes the difference between the access count of the IP address in the (i+1)th preset time period and its access count in the ith preset time period, and n denotes the extracted nth preset time period.
The beneficial effects of the invention are as follows:
In the website security defense method provided by the invention, the number of website access requests in a region within a preset time period is compared with a set website access request threshold to determine the excess rate of the website; the access counts of all IP addresses in regions whose excess rate is greater than the standard excess rate are extracted; whether the access count of each IP address exceeds the access threshold is judged; and the access count of IP addresses exceeding the access threshold is limited and the access threshold is lowered, which further reduces the access count of those IP addresses, prevents the website from being broken, and improves the defense capability of the website.
Drawings
To illustrate the technical solutions of the embodiments of the invention more clearly, the drawings used in the description of the embodiments are briefly introduced below. The drawings described below show only some embodiments of the invention; those skilled in the art can obtain other drawings from them without creative effort.
FIG. 1 is a schematic diagram of a website security defense method according to the present invention.
Detailed Description
The technical solutions in the embodiments of the invention are described clearly and completely below with reference to the drawings. The described embodiments are only some, not all, of the embodiments of the invention. All other embodiments that a person skilled in the art can derive from the embodiments given here without creative effort fall within the protection scope of the invention.
Referring to FIG. 1, a website security defense method comprises the following steps:
S1, acquiring the number of website access requests from each region within a preset time period;
S2, comparing the number of website access requests in each region with the set standard per-region website access request threshold, and determining the excess rate of website access requests in the region, where the excess rate is expressed as the ratio of the number of website access requests in the region to the standard per-region website access request threshold,
Figure GDA0002969571720000041
W denotes the number of website access requests and W0 denotes the standard per-region website access request threshold; this makes it convenient to compute the excess rate of each region and shows directly how the number of website access requests in each region relates to the standard per-region website access request threshold;
S3, extracting the IP addresses corresponding to the website in regions whose excess rate is greater than the set standard excess rate;
S4, acquiring the access threshold for IP addresses logging in to the website, the access threshold of an IP address being the maximum number of accesses for each IP address;
S5, judging whether the real-time access count of each IP address in a region whose excess rate is greater than the set standard excess rate is greater than the website's IP address access threshold; if so, executing step S6, otherwise executing step S7;
S6, rate limiting the IP addresses whose actual access count is greater than the website's IP address access threshold;
The rate limiting process comprises the following steps:
H1, sequentially acquiring the access counts of the IP address in the n preset time periods before the preset time period in which the actual access count of the IP address is greater than the website's IP address access threshold;
H2, ordering the access counts of the IP address by preset time period, in the order in which the accesses occurred; the preset time periods are numbered 1, 2, ..., i, ..., n, where n denotes the nth preset time period, and the access counts in the first n preset time periods form the access number set A (a1, a2, ..., ai, ..., an), where ai denotes the access count of the IP address in the ith preset time period and the access count in the nth preset time period is the access count in the preset time period that exceeded the IP address access threshold;
H3, comparing, in order, the access count of the IP address in each of the first n preset time periods with its access count in the next preset time period to obtain the comparison access number set ΔA (Δa1, Δa2, ..., Δai, ..., Δa(n-1)), where Δai denotes the difference between the access count of the IP address in the (i+1)th preset time period and its access count in the ith preset time period;
H4, computing the access mutation coefficient from the comparison access number set
Figure GDA0002969571720000051
Φ denotes the access mutation coefficient. If the access mutation coefficient is smaller than the set access mutation coefficient threshold, the IP address is allowed to continue accessing; otherwise, 1/2 of the access threshold of the IP address is taken as the new access threshold and rate limiting is applied: access requests exceeding the new access threshold are ignored, so that the IP address is prohibited from continuing to access. This effectively limits the access count of IP addresses that exceed the set access threshold, reduces their access count, prevents the website from being broken, realizes the security defense of the website, and improves the website's defense capability.
S7, applying no rate limiting to the IP addresses whose actual access count is less than the website's IP address access threshold, counting the access time and number of accesses of the IP address in the prediction time period, and recording and storing them.
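The S1 to S7 flow with the H1 to H4 sub-steps, as an added Python example that is not part of the patent text. The formulas for ζ and Φ are figures that are not reproduced on this page, so `excess_rate` assumes ζ = (W − W0)/W0 and `mutation_coefficient` is a stand-in (mean of |Δai|/ai); the class name, decision labels, parameter values and sample IP addresses are likewise constructed for illustration.

```python
from collections import Counter, defaultdict, deque

def excess_rate(w, w0):
    # ASSUMPTION: zeta = (W - W0) / W0; the patent's formula is not on the page.
    return (w - w0) / w0

def mutation_coefficient(counts):
    # ASSUMPTION (stand-in for the patent's Phi): mean of |delta a_i| / a_i.
    deltas = [b - a for a, b in zip(counts, counts[1:])]        # H3: delta a_i
    if not deltas:
        return 0.0
    return sum(abs(d) / max(a, 1) for d, a in zip(deltas, counts)) / len(deltas)

class RegionalLimiter:
    def __init__(self, w0, zeta0, ip_threshold, phi0, n=4, phi=mutation_coefficient):
        self.w0, self.zeta0, self.base = w0, zeta0, ip_threshold
        self.phi0, self.phi = phi0, phi          # phi is pluggable
        self.thresholds = {}                     # per-IP thresholds lowered by H4
        self.history = defaultdict(lambda: deque(maxlen=n))     # a_1..a_n per IP

    def limit_for(self, ip):
        return self.thresholds.get(ip, self.base)               # S4

    def admitted(self, ip, count):
        # Requests above the IP's current threshold are ignored.
        return min(count, self.limit_for(ip))

    def process_period(self, requests):
        """requests: list of (region, ip) pairs seen in one preset time period."""
        per_region = Counter(region for region, _ in requests)  # S1
        per_ip = Counter(ip for _, ip in requests)
        region_of = {ip: region for region, ip in requests}
        hot = {r for r, w in per_region.items()
               if excess_rate(w, self.w0) > self.zeta0}         # S2, S3
        for ip in set(self.history) | set(per_ip):              # S7: record each period
            self.history[ip].append(per_ip.get(ip, 0))
        decisions = {}
        for ip, count in per_ip.items():
            if region_of[ip] not in hot:
                decisions[ip] = "not-inspected"
            elif count <= self.limit_for(ip):                   # S5 -> S7
                decisions[ip] = "allow"
            elif self.phi(list(self.history[ip])) < self.phi0:  # S6: H1, H2, H4
                decisions[ip] = "allow-steady"
            else:
                # H4: halve the threshold (integer floor is a choice made here)
                self.thresholds[ip] = max(1, self.limit_for(ip) // 2)
                decisions[ip] = "halved"
        return decisions

# Constructed sample addresses (documentation ranges), not data from the patent.
STEADY, BURST, QUIET = "203.0.113.10", "198.51.100.7", "192.0.2.1"

def demo():
    limiter = RegionalLimiter(w0=100, zeta0=0.5, ip_threshold=50, phi0=0.5)
    last = {}
    for burst_count in (5, 10, 20, 120):         # four constructed time periods
        requests = ([("R1", STEADY)] * 60 + [("R1", BURST)] * burst_count
                    + [("R2", QUIET)] * 20)
        last = limiter.process_period(requests)
    return limiter, last

if __name__ == "__main__":
    limiter, last = demo()
    print(last, limiter.thresholds)
```

In the constructed run, the steady client exceeds its threshold in the hot region but keeps its limit because its counts do not jump, while the bursting client has its threshold halved.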
In the website security defense method provided by the invention, the number of website access requests in a region within a preset time period is compared with a set website access request threshold to determine the excess rate of the website; the access counts of all IP addresses in regions whose excess rate is greater than the standard excess rate are extracted; whether the access count of each IP address exceeds the access threshold is judged; and the access count of IP addresses exceeding the access threshold is limited and the access threshold is lowered, which further reduces the access count of those IP addresses, prevents the website from being broken, and improves the defense capability of the website.
The foregoing is merely exemplary and illustrative of the principles of the present invention and various modifications, additions and substitutions of the specific embodiments described herein may be made by those skilled in the art without departing from the principles of the present invention or exceeding the scope of the claims set forth herein.

Claims (2)

1. A website security defense method, characterized in that the method comprises the following steps:
S1, acquiring the number of website access requests from each region within a preset time period;
S2, comparing the number of website access requests in each region with a set standard per-region website access request threshold, and determining the excess rate of website access requests in the region;
S3, extracting the IP addresses corresponding to the website in regions whose excess rate is greater than the set standard excess rate;
S4, acquiring the access threshold for IP addresses logging in to the website, the access threshold of an IP address being the maximum number of accesses for each IP address;
S5, judging whether the real-time access count of each IP address in a region whose excess rate is greater than the set standard excess rate is greater than the website's IP address access threshold; if so, executing step S6, otherwise executing step S7;
S6, rate limiting the IP addresses whose actual access count is greater than the website's IP address access threshold;
S7, applying no rate limiting to the IP addresses whose actual access count is less than the website's IP address access threshold, counting the access time and number of accesses of the IP address in the prediction time period, and recording and storing them;
the rate limiting process comprises the following steps:
H1, sequentially acquiring the access counts of the IP address in the n preset time periods before the preset time period in which the actual access count of the IP address is greater than the website's IP address access threshold;
H2, ordering the access counts of the IP address by preset time period, in the order in which the accesses occurred, where the access counts in the first n preset time periods form the access number set A (a1, a2, ..., ai, ..., an), ai denotes the access count of the IP address in the ith preset time period, and the access count in the nth preset time period is the access count in the preset time period that exceeded the IP address access threshold;
H3, comparing, in order, the access count of the IP address in each of the first n preset time periods with its access count in the next preset time period to obtain the comparison access number set ΔA (Δa1, Δa2, ..., Δai, ..., Δa(n-1)), where Δai denotes the difference between the access count of the IP address in the (i+1)th preset time period and its access count in the ith preset time period;
H4, computing the access mutation coefficient from the comparison access number set; if the access mutation coefficient is smaller than the set access mutation coefficient threshold, allowing the IP address to continue accessing; otherwise, taking 1/2 of the access threshold of the IP address as the new access threshold;
the calculation formula of the access mutation coefficient is
Figure FDA0003080388710000021
Φ denotes the access mutation coefficient, Δai denotes the difference between the access count of the IP address in the (i+1)th preset time period and its access count in the ith preset time period, and n denotes the extracted nth preset time period.
2. The method of claim 1, wherein the excess rate ζ is expressed as the ratio of the number of website access requests in the region to the standard per-region website access request threshold,
Figure FDA0003080388710000022
W denotes the number of website access requests, and W0 denotes the standard per-region website access request threshold.
CN201910172602.8A 2019-03-07 2019-03-07 Website security defense method Active CN110011977B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910172602.8A CN110011977B (en) 2019-03-07 2019-03-07 Website security defense method

Publications (2)

Publication Number Publication Date
CN110011977A CN110011977A (en) 2019-07-12
CN110011977B CN110011977B (en) 2021-07-27

Family

ID=67166552

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant