CN110071941A - A network attack detection method, device, storage medium and computer equipment
- Publication number: CN110071941A (application CN201910379112.5A)
- Authority: CN (China)
- Legal status: Granted (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/1458—Denial of Service
Abstract
The invention discloses a network attack detection method, device, storage medium and computer equipment. Accessing parties for which the number of uniform resource identifiers (URIs) accessed within a preset time period is lower than a preset quantity are determined. For each URI among the at least one URI accessed by the determined accessing parties: the number of accessing parties that accessed the URI within the preset time period is determined; when that number exceeds a first threshold, the access information group carried by each access request that accessed the URI within the preset time period is obtained, the access information group that occurs most often among those access requests is determined to be the high-risk access information group, and the access requests that carry the high-risk access information group and access the URI are determined to be a network attack. The invention can effectively improve the ability to detect and identify network attacks and strengthen the defence against them.
Description
Technical field
The present invention relates to the field of network security protection, and in particular to a network attack detection method, device, storage medium and computer equipment.
Background
With the development of science and technology, network security has become particularly important, and website servers are now frequently subjected to various malicious attacks. The CC (Challenge Collapsar) attack is one of the common ones. A CC attack is a kind of DDoS (Distributed Denial of Service) attack: by continually sending access requests for URIs (Uniform Resource Identifiers) to a website server, it leaves the server unable to handle legitimate users' access to normal network resources, thereby achieving denial of service.
Existing network attack detection technology detects network attacks by counting, on the website server side, the number of times a single IP accesses the URIs of the website server within a unit of time. When the number of times an IP accesses the website server's URIs within the unit of time exceeds a threshold, the existing technology determines that IP's access behaviour to be a network attack.
However, as technology has developed, network attacks carried out through multiple different IPs have appeared. For example, an attacker launching a CC attack can change IP repeatedly and, through the different IPs, access the website server's URIs and send it page requests (one kind of access request) that consume large amounts of processing resources and time. This wastes the server's processing resources and keeps its CPU at 100% utilization for long periods, so that the CPU cannot process normal requests from legitimate users.
It can be seen that an attacker can access the attacked URI through multiple different IPs while the number of accesses to the URI from each IP stays below the threshold, so the existing network attack detection technology cannot detect this kind of network attack.
Summary of the invention
In view of the above problems, the present invention is proposed to provide a network attack detection method, device, storage medium and computer equipment that overcome the above problems or at least partially solve them. The technical solution is as follows:
A network attack detection method, the method comprising:
determining accessing parties for which the number of uniform resource identifiers (URIs) accessed within a preset time period is lower than a preset quantity;
for each URI among the at least one URI accessed by the determined accessing parties: determining the number of accessing parties that accessed the URI within the preset time period; when the number of accessing parties exceeds a first threshold, obtaining the access information group carried by each access request that accessed the URI within the preset time period; determining the access information group that occurs most often among those access requests to be the high-risk access information group; and determining the access requests that carry the high-risk access information group and access the URI to be a network attack.
Optionally, the access information group includes at least one of the following items of access information: device fingerprint, user identifier, user agent (UA) and HTTP_Referer.
Optionally, determining the accessing parties for which the number of URIs accessed within the preset time period is lower than the preset quantity comprises:
obtaining the access requests by which accessing parties access URIs within the preset time period, each access request also carrying the IP address of the accessing party;
determining the combination of the IP address and the access information group to be the accessing-party identifier, and determining access requests that carry the same accessing-party identifier to be access requests of the same accessing party;
for each accessing party: obtaining the number of accessed URIs carried in the access requests by which the accessing party accessed URIs within the preset time period and, when that number is lower than the preset quantity, determining the accessing party to be an accessing party for which the number of URIs accessed within the preset time period is lower than the preset quantity.
Optionally, determining the number of accessing parties that accessed the URI within the preset time period comprises:
determining, according to the accessing-party identifiers carried in the access requests that carry the URI, the number of accessing parties that accessed the URI within the preset time period.
Optionally, determining the access requests that carry the high-risk access information group and access the URI to be a network attack comprises:
determining the access requests that carry the high-risk access information group and access the URI to be a distributed network attack.
Optionally, the method further comprises:
determining each URI for which the total number of accesses by all accessing parties within the preset time period exceeds a second threshold to be an attacked URI;
for each attacked URI: determining the access requests issued by a determined accessing party whose number of accesses to the attacked URI within the preset time period exceeds a third threshold to be a network attack.
Optionally, determining, for each attacked URI, the access requests issued by a determined accessing party whose number of accesses to the attacked URI within the preset time period exceeds the third threshold to be a network attack comprises:
for each attacked URI: determining the access requests issued by a determined accessing party whose number of accesses to the attacked URI within the preset time period exceeds the third threshold to be a high-frequency network attack.
A network attack detection device, comprising an accessing-party determination unit and a first network attack determination unit, wherein:
the accessing-party determination unit is configured to determine accessing parties for which the number of uniform resource identifiers (URIs) accessed within a preset time period is lower than a preset quantity;
the first network attack determination unit is configured to, for each URI among the at least one URI accessed by the determined accessing parties: determine the number of accessing parties that accessed the URI within the preset time period; when the number of accessing parties exceeds a first threshold, obtain the access information group carried by each access request that accessed the URI within the preset time period; determine the access information group that occurs most often among those access requests to be the high-risk access information group; and determine the access requests that carry the high-risk access information group and access the URI to be a network attack.
Optionally, the accessing-party determination unit specifically comprises an access request obtaining subunit, an access request determination subunit and a quantity determination subunit, wherein:
the access request obtaining subunit is configured to obtain the access requests by which accessing parties access URIs within the preset time period, each access request also carrying the IP address of the accessing party;
the access request determination subunit is configured to determine the combination of the IP address and the access information group to be the accessing-party identifier, and to determine access requests that carry the same accessing-party identifier to be access requests of the same accessing party;
the quantity determination subunit is configured to, for each accessing party: obtain the number of accessed URIs carried in the access requests by which the accessing party accessed URIs within the preset time period and, when that number is lower than the preset quantity, determine the accessing party to be an accessing party for which the number of URIs accessed within the preset time period is lower than the preset quantity.
Optionally, the network attack detection device further comprises a URI determination unit and a second network attack determination unit, wherein:
the URI determination unit is configured to determine each URI for which the total number of accesses by all accessing parties within the preset time period exceeds a second threshold to be an attacked URI;
the second network attack determination unit is configured to, for each attacked URI: determine the access requests issued by a determined accessing party whose number of accesses to the attacked URI within the preset time period exceeds a third threshold to be a network attack.
A storage medium storing computer-executable instructions which, when loaded and executed by a processor, implement any of the network attack detection methods described above.
A computer equipment comprising a processor, a memory and a program that is stored on the memory and can run on the processor, wherein the processor, when executing the program, performs at least the following steps:
determining accessing parties for which the number of uniform resource identifiers (URIs) accessed within a preset time period is lower than a preset quantity;
for each URI among the at least one URI accessed by the determined accessing parties: determining the number of accessing parties that accessed the URI within the preset time period; when the number of accessing parties exceeds a first threshold, obtaining the access information group carried by each access request that accessed the URI within the preset time period; determining the access information group that occurs most often among those access requests to be the high-risk access information group; and determining the access requests that carry the high-risk access information group and access the URI to be a network attack.
With the above technical solution, the network attack detection method, device, storage medium and computer equipment provided by the invention can determine accessing parties for which the number of URIs accessed within a preset time period is lower than a preset quantity and, for each URI among the at least one URI accessed by the determined accessing parties: determine the number of accessing parties that accessed the URI within the preset time period; when the number of accessing parties exceeds a first threshold, obtain the access information group carried by each access request that accessed the URI within the preset time period; determine the access information group that occurs most often among those access requests to be the high-risk access information group; and determine the access requests that carry the high-risk access information group and access the URI to be a network attack. The invention can effectively improve the ability to detect and identify network attacks and strengthen the defence against them.
Brief description of the drawings
Various other advantages and benefits will become clear to those of ordinary skill in the art from reading the following detailed description of the preferred embodiments. The drawings serve only to illustrate the preferred embodiments and are not to be considered a limitation of the invention. Throughout the drawings, the same reference numerals denote the same parts. In the drawings:
Fig. 1 shows a flowchart of a network attack detection method provided by an embodiment of the present invention;
Fig. 2 shows a flowchart of another network attack detection method provided by an embodiment of the present invention;
Fig. 3 shows a structural schematic diagram of a network attack detection device provided by an embodiment of the present invention;
Fig. 4 shows a structural schematic diagram of another network attack detection device provided by an embodiment of the present invention.
Detailed description of embodiments
Exemplary embodiments of the present disclosure are described in more detail below with reference to the accompanying drawings. Although the drawings show exemplary embodiments of the disclosure, it should be understood that the disclosure may be implemented in various forms and should not be limited by the embodiments set forth here. Rather, these embodiments are provided so that the disclosure will be understood more thoroughly and so that its scope can be fully conveyed to those skilled in the art.
An embodiment of the present invention provides a network attack detection method. As shown in Fig. 1, the method may include the following steps:
S100: determine accessing parties for which the number of uniform resource identifiers (URIs) accessed within a preset time period is lower than a preset quantity.
Optionally, technicians can configure the preset time period according to actual detection needs. In practice, there may be one preset time period or several. For example, starting from 00:00:00 on a given day, every 10 seconds is one preset time period, so that multiple preset time periods can be set. Of course, when there are multiple preset time periods, they need not follow one another directly; there may also be a time gap between two adjacent preset time periods, and the present invention places no limitation on this. The steps shown in Fig. 1 can be carried out for each preset time period to determine whether a network attack exists in that period; that is, within a single execution of the network attack detection method provided by this application, the preset time period referred to in the steps is the same preset time period.
A uniform resource identifier (URI, Uniform Resource Identifier) can be a character string that identifies the name of a network resource (a page, a multimedia file and so on). In practice, when an accessing party sends a specific access request to a server, for example an access request for a certain page, the access request can carry the URI of that page; after receiving the access request, the server can identify the URI carried in it and return the resource (for example, the page) at the address corresponding to the URI to the accessing party. Optionally, the accessing party can be a computer, mobile phone, iPad or other device able to access the server's network resources. The server can be a website server or the like. The method shown in Fig. 1 can be applied in the server, in a device that provides security protection for the server, or in a device communicatively connected to the server.
Optionally, the preset quantity can be small; for example, technicians can set the preset quantity to 2. Accordingly, if an accessing party accessed only 1 URI within the preset time period, that accessing party is one to be determined in step S100. If technicians instead set the preset quantity to 3, then an accessing party that accessed only 1 or 2 URIs within the preset time period is one to be determined in step S100. Of course, technicians can also set the preset quantity to other values. The embodiments of the present invention place no limitation on the setting of the preset quantity.
In practice, an accessing party carrying out a network attack usually has the characteristic of concentrating its accesses on a small number of URIs: it usually sends the target server access requests for one or a few URIs without requesting other resources. When an accessing party has this characteristic, the present invention can determine it to be an accessing party suspected of carrying out a network attack. Step S100 is provided on the basis of this characteristic, to lock onto accessing parties suspected of carrying out a network attack. To better achieve this purpose of step S100, the preset quantity can be set small. Specifically, if network attacks that access only one URI are to be detected, setting the preset quantity to 2 is enough to determine the accessing parties suspected of carrying out a network attack.
An access request can carry an access information group. Optionally, the access information group may include at least one of the following items of access information: device fingerprint, user identifier, user agent (UA) and HTTP_Referer. Specifically, the access information group does not include the IP address.
The device fingerprint can be a device identifier that uniquely identifies a device; the identifier can be inherent to the device and difficult to tamper with. For example, a mobile phone's International Mobile Equipment Identity (IMEI) can serve as a device fingerprint that uniquely determines a particular phone, and the Media Access Control (MAC) address of a computer's network card can serve as a device fingerprint that uniquely determines a particular network card. The present invention can identify different accessing parties by identifying the device fingerprints of different devices.
The user identifier can be the user name used when the user accesses a network resource on the server (for example: Zhang San, zhangsan123 and zhangsan-123), or other information that identifies the user, such as the mobile phone number the user uses. The present invention can identify different accessing parties by user identifier.
The user agent (UserAgent, UA) can be a special string header. After receiving an access request sent by an accessing party, the server can use the UA in the access request to identify the operating system and version, CPU type, browser and version, browser rendering engine, browser language, browser plug-ins and so on used by the accessing party.
HTTP_Referer can be part of the HTTP request header. Specifically, when an accessing party sends the server an access request for a page through a browser, the HTTP request header information in the access request includes the HTTP_Referer corresponding to that browser. From the HTTP_Referer, the server can learn the page from which the accessing party requested the page. For example, when Zhang San goes directly to the Baidu official homepage www.baidu.com from the Sogou browser page https://123.sogou.com by clicking the www.baidu.com link shown there, the request header information of the access request received by the Baidu server contains HTTP_Referer=https://123.sogou.com.
Optionally, step S100 can specifically include:
obtaining the access requests by which accessing parties access URIs within the preset time period, each access request also carrying the IP address of the accessing party;
determining the combination of the IP address and the access information group to be the accessing-party identifier, and determining access requests that carry the same accessing-party identifier to be access requests of the same accessing party;
for each accessing party: obtaining the number of accessed URIs carried in the access requests by which the accessing party accessed URIs within the preset time period and, when that number is lower than the preset quantity, determining the accessing party to be an accessing party for which the number of URIs accessed within the preset time period is lower than the preset quantity.
Optionally, the access information group may include the device fingerprint. Because the repetition rate of device fingerprints is low (one in a million), the present invention can determine access requests that carry the same device fingerprint and the same accessing-party IP address to be access requests of the same accessing party. Of course, the present invention can also use at least one of the user identifier, user agent UA and HTTP_Referer together with the device fingerprint as the access information group, for example the user agent UA, HTTP_Referer and device fingerprint together. In that case, the present invention can determine access requests that carry the same accessing-party IP address, UA, HTTP_Referer and device fingerprint to be access requests of the same accessing party.
Optionally, the access information group may include the user identifier. Because user identifiers are unique, the present invention can determine access requests that carry the same user identifier and the same accessing-party IP address to be access requests of the same accessing party. It should be understood that not all access requests carry a user identifier. Of course, the present invention can also use at least one of the device fingerprint, user agent UA and HTTP_Referer together with the user identifier as the access information group.
Optionally, the access information group may include the user agent UA and HTTP_Referer. The present invention can determine access requests that carry the same accessing-party IP address, UA and HTTP_Referer to be access requests of the same accessing party. Of course, the present invention can also use at least one of the user identifier and device fingerprint together with "UA and HTTP_Referer" as the access information group.
Optionally, the present invention can determine the IP address, UA and HTTP_Referer to be the accessing-party identifier, and determine access requests that carry the same accessing-party identifier to be access requests of the same accessing party. For example: a first access request and a second access request are obtained within the preset time period; the first access request carries IP1, URI1, UA1 and HTTP_Referer1, and the second access request carries IP1, URI2, UA1 and HTTP_Referer1. Because the accessing-party identifier formed from the IP address, UA and HTTP_Referer carried in the two access requests is the same (IP1, UA1 and HTTP_Referer1 in both), the present invention can determine that the two access requests are access requests of the same accessing party, whose accessing-party identifier is: IP1, UA1 and HTTP_Referer1. Because the URIs carried in the first and second access requests differ, it can be determined that the number of URIs accessed within the preset time period by the accessing party corresponding to IP1, UA1 and HTTP_Referer1 is 2; when the preset quantity in step S100 is 3, that accessing party can be determined to be one for which the number of URIs accessed within the preset time period is lower than the preset quantity.
S200: for each URI among the at least one URI accessed by the determined accessing parties: determine the number of accessing parties that accessed the URI within the preset time period; when the number of accessing parties exceeds a first threshold, obtain the access information group carried by each access request that accessed the URI within the preset time period; determine the access information group that occurs most often among those access requests to be the high-risk access information group; and determine the access requests that carry the high-risk access information group and access the URI to be a network attack.
Optionally, determining the number of accessing parties that accessed the URI within the preset time period may include:
determining, according to the accessing-party identifiers carried in the access requests that carry the URI, the number of accessing parties that accessed the URI within the preset time period.
Specifically, once it is determined that the access requests carrying the URI carry N kinds of accessing-party identifier, the number of accessing parties that accessed the URI within the preset time period can be determined to be N.
This is illustrated below with Example 1 (in this example the IP address, UA and HTTP_Referer make up the accessing-party identifier).
Example 1: the server of a website obtains 9 access requests within one preset time period, namely:
First access request (carrying: IP1, URI1, UA1 and HTTP_Referer1);
Second access request (carrying: IP1, URI1, UA1 and HTTP_Referer1);
Third access request (carrying: IP1, URI1, UA1 and HTTP_Referer1);
Fourth access request (carrying: IP2, URI1, UA1 and HTTP_Referer1);
Fifth access request (carrying: IP2, URI1, UA1 and HTTP_Referer1);
Sixth access request (carrying: IP2, URI1, UA1 and HTTP_Referer1);
Seventh access request (carrying: IP3, URI1, UA1 and HTTP_Referer1);
Eighth access request (carrying: IP3, URI1, UA1 and HTTP_Referer1);
Ninth access request (carrying: IP3, URI1, UA1 and HTTP_Referer1).
According to step S100, the first to third access requests are access requests issued by the same accessing party (denoted the first accessing party), the fourth to sixth access requests are access requests issued by the same accessing party (denoted the second accessing party), and the seventh to ninth access requests are access requests issued by the same accessing party (denoted the third accessing party). When the preset quantity in step S100 is 2, the first, second and third accessing parties each accessed only one URI, namely URI1, and are therefore accessing parties for which the number of URIs accessed within the preset time period is lower than the preset quantity. Because the first, second and third accessing parties accessed only URI1, from the point of view of URI1 the number of accessing parties that accessed URI1 within the preset time period is three, namely the first, second and third accessing parties.
Optionally, the first threshold corresponds to the URI; the first thresholds corresponding to different URIs can be the same or different. For a given URI, the process of setting the corresponding first threshold may include: obtaining the number of accessing parties that accessed the URI in at least one historical time period, and determining the first threshold corresponding to the URI from the obtained numbers of accessing parties.
The length of a historical time period can be the same as that of the preset time period, or a historical time period can contain a certain number of preset time periods.
The first threshold in step S200 can be obtained from statistics. For example, the server of a website can record how several URIs that it monitors closely are accessed under normal conditions, and determine the first threshold from that. For URI1, for instance, the website server can take a longer historical time period in which no network attack occurred (a period containing multiple preset time periods) and count the number of accessing parties that accessed URI1 in each of several preset time periods within it. If the preset time period is 1 minute and the longer attack-free historical time period is 1 hour, the website server can obtain the number of accessing parties that accessed URI1 during the 1-minute spans corresponding to the 1st, 11th, 21st, 31st, 41st and 51st minutes of that hour, for example 1, 0, 0, 2, 1 and 0 respectively. Their average can then be computed and the first threshold determined from the average, for example as some multiple of the average, or as the average plus 3 standard deviations. Of course, there are many other ways to determine the first threshold, and the present invention places no limitation on this.
The number of accessing parties that accessed the URI in each historical time period can be obtained from the target server's historical traffic log. The historical traffic log contains not only the access volume of each URI in each period but also other information, such as the information carried in the access requests sent by the accessing parties that accessed each URI (for example the accessing party's IP address, the URI accessed, the accessing party's UA and HTTP_Referer, and so on), the HTTP request headers the accessing party sent to the server, and the time period in which the accessing party accessed the URI. Of course, when the preset time period is a period before the current time, the information carried by each access request in the preset time period can also be obtained from the historical traffic log.
Optionally, the historical traffic log can be collected from kafka (a high-throughput distributed publish-subscribe messaging system) by the stream processing system spark streaming (a stream processing system capable of high-throughput, fault-tolerant processing of real-time data streams) and stored in hdfs (Hadoop distributed file system), from which it is obtained.
It should be noted that when the number of access sides that accessed a URI in the preset time period is determined to exceed the first threshold, the URI was accessed by many access sides in that preset time period, possibly because an attacker is attacking the URI through multiple different IPs. In this case, the present invention can further obtain the access information group (such as the user agent UA and HTTP_Referer) carried by each access request that accessed the URI in the preset time period, and determine the access information group that appears most often among those access requests as the high-risk access information group. Although an attacker can change the IP, the attacker generally will not modify the access information in the access information group, because modifying it is more difficult and takes more time. For example, modifying the UA requires modifying at least one of the operating system, CPU, browser and browser plug-ins, and such a modification either cannot be completed (for example modifying the CPU) or is difficult, so attackers generally do not make it. The present invention therefore determines the access information group that appears most often among the access requests as the high-risk access information group. For ease of understanding, Example 1 is used again:
For the 9 access requests of Example 1, suppose the access information group consists of the UA and HTTP_Referer. From the point of view of URI1, three access sides accessed URI1 in the preset time period, namely the first, second and third access sides. When the first threshold is 2, the access information groups formed by the UA and HTTP_Referer carried in the 9 access requests that accessed URI1 in the preset time period can be obtained and counted. There is only one kind of access information group: UA1 and HTTP_Referer1. The access information group formed by UA1 and HTTP_Referer1 appears most often in these 9 access requests and is therefore the high-risk access information group. Step S200 can then determine the access requests that carry the high-risk access information group and access URI1 as network attacks; that is, the first through ninth access requests are all determined to be network attacks.
Optionally, determining the access requests that carry the high-risk access information group and access the URI as a network attack comprises:
determining the access requests that carry the high-risk access information group and access the URI as a distributed network attack.
In practical applications, the present invention can determine the access requests that carry the high-risk access information group and access the URI as a distributed network attack. From the above analysis of how a network attack is determined: when, within a preset time period, the URIs accessed by certain access sides are relatively concentrated, and the URI accessed in this concentrated way also has many access sides in the preset time period, the present invention can determine that a network attack has occurred, and determines as a network attack those access requests that, among the requests accessing the concentrated URI in the preset time period, carry the access information group that appears most often. Since the IP of such an attack may change, it is a distributed network attack.
In the embodiments of the present invention, the network attack determined in step S200 may be a network attack carried out by modifying the IP, or a network attack carried out through multiple different IPs by controlling compromised hosts (bots).
The network attack detection method disclosed in the embodiments of the present invention can determine the access sides for which the number of uniform resource identifiers (URIs) accessed in a preset time period is lower than a preset quantity and, for each URI of the at least one URI accessed by the determined access sides: determine the number of access sides that accessed the URI in the preset time period; when that number exceeds the first threshold, obtain the access information group carried by each access request that accessed the URI in the preset time period; determine the access information group that appears most often among those access requests as the high-risk access information group; and determine the access requests that carry the high-risk access information group and access the URI as a network attack. This improves the server's ability to detect and identify network attacks.
In the course of implementing the present invention, the inventor found that existing network attack detection techniques also have the following problem. Existing techniques detect network attacks only by counting, at the website server, the number of times a single IP accesses a URI of the website server within a unit of time. When a web page is slow to respond, a user may refresh it several times within a short time, which causes the user's electronic device to send multiple access requests for the same URI to the page's website server within a short time. In this case, when the access requests for the same URI issued by the user within a short time exceed the threshold, existing techniques determine the user's access requests to be a network attack, producing a "false positive". To solve this problem, an embodiment of the present invention provides another network attack detection method based on the steps shown in Fig. 1. As shown in Fig. 2, after step S100 the method may further include the following steps:
S300: determine as an attacked URI each URI whose total number of accesses by all access sides in the preset time period exceeds a second threshold;
S400: for each attacked URI, determine as a network attack the access requests issued by an identified access side whose number of accesses to that attacked URI in the preset time period exceeds a third threshold.
The present invention does not limit the execution order of step S300 relative to steps S100 and S200: step S300 may be executed before or after at least one of steps S100 and S200, between steps S100 and S200, in parallel with step S100, or in parallel with step S200.
Step S400 is executed after step S300, and step S400 is executed after step S100.
Specifically, step S400 may be: for each attacked URI, determine as a high-frequency network attack the access requests issued by an identified access side whose number of accesses to that attacked URI in the preset time period exceeds the third threshold.
When the total number of times a URI is accessed by all access sides in the preset time period exceeds the second threshold, the URI is being accessed many times and may be under attack. In this case, the access sides that access the possibly attacked URI many times are determined to be attackers, and the access requests with which the attackers access the possibly attacked URI are determined to be network attacks.
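The Fig. 1 and Fig. 2 checks (steps S100 to S400) run over one preset time period of traffic, as an added Python example that is not part of the patent text. The function names, the scalar thresholds (the text allows per-URI values), the naive per-IP rule used for contrast and the sample requests are assumptions constructed for illustration.

```python
from collections import Counter, defaultdict
from typing import NamedTuple


class Request(NamedTuple):
    ip: str
    ua: str
    referer: str
    uri: str


def info_group(r):
    """Access information group: UA + HTTP_Referer here, never the IP address."""
    return (r.ua, r.referer)


def accessor_id(r):
    """An access side is identified by its IP combined with the information group."""
    return (r.ip,) + info_group(r)


def concentrated_accessors(window, preset_quantity):
    """S100: access sides that touched fewer than preset_quantity distinct URIs."""
    uris = defaultdict(set)
    for r in window:
        uris[accessor_id(r)].add(r.uri)
    return {a for a, seen in uris.items() if len(seen) < preset_quantity}


def detect_distributed(window, preset_quantity, first_threshold):
    """S200: map each flagged URI to (high-risk group, flagged requests)."""
    suspects = concentrated_accessors(window, preset_quantity)
    findings = {}
    for uri in sorted({r.uri for r in window if accessor_id(r) in suspects}):
        hits = [r for r in window if r.uri == uri]
        if len({accessor_id(r) for r in hits}) <= first_threshold:
            continue  # not enough distinct access sides on this URI
        high_risk = Counter(info_group(r) for r in hits).most_common(1)[0][0]
        findings[uri] = (high_risk, [r for r in hits if info_group(r) == high_risk])
    return findings


def detect_high_frequency(window, preset_quantity, second_threshold, third_threshold):
    """S300 + S400: requests from S100 access sides that hammer an attacked URI."""
    suspects = concentrated_accessors(window, preset_quantity)
    total = Counter(r.uri for r in window)  # all hits per URI (S300)
    per_accessor = Counter((accessor_id(r), r.uri) for r in window)
    return [
        r for r in window
        if total[r.uri] > second_threshold  # the URI counts as attacked
        and accessor_id(r) in suspects
        and per_accessor[(accessor_id(r), r.uri)] > third_threshold
    ]


def naive_per_ip(window, limit):
    """The older rule the text criticises: any IP with more than limit hits on one URI."""
    counts = Counter((r.ip, r.uri) for r in window)
    return {ip for (ip, _), n in counts.items() if n > limit}


# Constructed sample: one preset time period of traffic (documentation IP ranges).
WINDOW = (
    # five source IPs, one identical UA/Referer pair, all on /login
    [Request(f"203.0.113.{i}", "UA1", "Referer1", "/login") for i in range(1, 6)]
    # an ordinary visitor logging in once with a different browser
    + [Request("198.51.100.7", "UA2", "Referer2", "/login")]
    # a visitor browsing three different pages
    + [Request("198.51.100.9", "UA3", "Referer3", u) for u in ("/", "/news", "/about")]
    # a visitor refreshing a slow page six times
    + [Request("198.51.100.20", "UA4", "Referer4", "/report")] * 6
    # one client sending 30 requests to /search, plus one ordinary search
    + [Request("203.0.113.50", "UA5", "Referer5", "/search")] * 30
    + [Request("198.51.100.30", "UA6", "Referer6", "/search")]
)

if __name__ == "__main__":
    for uri, (group, reqs) in detect_distributed(WINDOW, 3, 3).items():
        print(uri, group, sorted({r.ip for r in reqs}))
    print({r.ip for r in detect_high_frequency(WINDOW, 3, 20, 5)})
    print(naive_per_ip(WINDOW, 5))
```

With these inputs the five rotating IPs on /login are flagged through their shared UA1/Referer1 pair, the visitor refreshing /report is flagged only by the naive per-IP rule, and only the 30-request client is flagged on /search. UA and HTTP_Referer are header values supplied by the client, so a legitimate client that shares the dominant pair is flagged as well; treat the result as a heuristic.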
It can be seen that, by adding the condition in step S300 that the second threshold be exceeded, the embodiment of the present invention reduces "false positive" cases to a certain extent. For example, although a user refreshes the same web page several times within a short time, the total number of times the page is currently being accessed does not exceed the second threshold, so the access requests issued by the user are not mistaken for a network attack, and the "false positive" is avoided.
Optionally, the second threshold corresponds to the URI, and the second thresholds corresponding to different URIs may be the same or different. For a given URI, the process of setting the second threshold corresponding to that URI may include:
obtaining the total number of times all access sides accessed the URI in at least one historical period, and determining the second threshold corresponding to the URI from the totals obtained.
The historical period may have the same length as the preset time period, or may contain a certain number of preset time periods.
Specifically, when there are multiple historical periods and each is equal in length to the preset time period, this embodiment, after obtaining the total number of times all access sides accessed the URI in each historical period, can determine the second threshold according to the three-standard-deviation method for identifying abnormal data in a Gaussian distribution. Of course, the two-standard-deviation method may also be used.
The total number of times all access sides accessed the URI in each historical period can be obtained from the historical traffic log of the target server.
Specifically, the total number of times all access sides accessed the URI in each historical period can be extracted from the historical traffic log, and the value of the second threshold determined from those totals. For example, the preset time period and the historical period are both 4 minutes long. Taking 4 minutes as the unit time, the total number of times all access sides accessed the URI in each unit time is extracted from the historical traffic log for every day of the week preceding the current day. Then, for each of those seven days, the maximum of the totals per unit time is determined; for example, the maxima are 62, 71, 58, 73, 65, 67 and 59 in turn. Next, the mean of the seven values is calculated to obtain the mean A, and their standard deviation is calculated to obtain the standard deviation B. Finally, following the three-standard-deviation formula, A plus 3 times B is used as the second threshold of the corresponding URI.
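Deriving the first threshold (the 1, 0, 0, 2, 1, 0 sample earlier on the page) and the second threshold (the seven daily maxima above) from a historical traffic log, as an added Python example that is not part of the patent text. The record layout, the function names and the constructed log are assumptions, as is the use of the population standard deviation, since the text does not say which form is meant.

```python
from statistics import mean, pstdev

DAY = 86400  # seconds


def per_window(records, uri, start, end, window):
    """Distinct access sides and hit count of uri for every window in [start, end).

    Windows without traffic leave no log lines, so they are zero-filled here;
    dropping them would skew both the mean and the standard deviation.
    """
    n = (end - start) // window
    accessors = [set() for _ in range(n)]
    hits = [0] * n
    for ts, rec_uri, accessor in records:
        i = (ts - start) // window
        if rec_uri == uri and 0 <= i < n:
            accessors[i].add(accessor)
            hits[i] += 1
    return [len(a) for a in accessors], hits


def three_sigma(samples):
    """Mean plus three standard deviations (population form: an assumption)."""
    return mean(samples) + 3 * pstdev(samples)


def first_threshold(records, uri, start, end, window, every=1):
    """Baseline for the number of distinct access sides of uri per window.

    every=10 samples the 1st, 11th, 21st ... window, as in the page's example.
    """
    accessors, _ = per_window(records, uri, start, end, window)
    return three_sigma(accessors[::every])


def second_threshold(records, uri, first_day, days, window):
    """Baseline for total hits on uri per window, taken from each day's busiest window."""
    maxima = []
    for d in range(days):
        day_start = first_day + d * DAY
        _, hits = per_window(records, uri, day_start, day_start + DAY, window)
        maxima.append(max(hits))
    return maxima, three_sigma(maxima)


# Constructed attack-free hour, 1-minute windows: (unix_seconds, uri, access_side).
HOUR = [
    (5, "/URI1", "a"), (20, "/URI1", "a"),        # minute 1: one access side, two hits
    (1805, "/URI1", "a"), (1830, "/URI1", "b"),   # minute 31: two access sides
    (2410, "/URI1", "c"),                         # minute 41: one access side
    (2415, "/URI2", "d"),                         # another URI, ignored
]

# Constructed week, 4-minute windows, built so that the daily maxima equal
# the seven values quoted in the text.
PEAKS = [62, 71, 58, 73, 65, 67, 59]
WEEK = []
for day, peak in enumerate(PEAKS):
    base = day * DAY
    WEEK += [(base + 3600 + i, "/URI1", f"client{i}") for i in range(peak)]  # busiest window
    WEEK += [(base + 7200 + i, "/URI1", f"client{i}") for i in range(10)]    # a quieter window

if __name__ == "__main__":
    print(round(first_threshold(HOUR, "/URI1", 0, 3600, 60, every=10), 4))
    maxima, threshold = second_threshold(WEEK, "/URI1", 0, 7, 240)
    print(maxima, round(threshold, 4))
```

The sample standard deviation (`statistics.stdev`) would give a somewhat higher second threshold for the same seven values; whichever form is used should be applied consistently when the baseline is recomputed.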
Optionally, the third threshold corresponds to the URI, and the third thresholds corresponding to different URIs may be the same or different.
The network attack detection method shown in Fig. 2 and disclosed in the embodiments of the present invention can, by identifying high-frequency network attacks, effectively avoid "false positive" cases arising during network attack detection.
Corresponding to the method shown in Fig. 1, an embodiment of the present invention provides a network attack detection device. As shown in Fig. 3, the network attack detection device may include an access side determination unit 100 and a first network attack determination unit 200, wherein:
The access side determination unit 100 is configured to determine the access sides for which the number of uniform resource identifiers (URIs) accessed in a preset time period is lower than a preset quantity;
Optionally, a technician can set the preset time period according to actual detection needs. In practical applications, there may be one preset time period in the present invention, or several. For example, starting from 00:00:00 on a given day of a given month and year, every 10 seconds is one preset time period, so that multiple preset time periods can be set. Of course, when there are multiple preset time periods, they need not follow one another directly; there may also be a time gap between two adjacent preset time periods, and the present invention places no limitation on this. For each preset time period, the present invention can determine whether a network attack exists in that preset time period.
The first network attack determination unit 200 is configured to, for each URI of the at least one URI accessed by the determined access sides: determine the number of access sides that accessed the URI in the preset time period; when that number exceeds a first threshold, obtain the access information group carried by each access request that accessed the URI in the preset time period; determine the access information group that appears most often among those access requests as the high-risk access information group; and determine the access requests that carry the high-risk access information group and access the URI as a network attack.
Optionally, the access information group may include at least one of the following items of access information: device fingerprint, user identifier, user agent (UA) and HTTP_Referer. Specifically, the access information group does not include the IP address.
The access side determination unit 100 may specifically include an access request obtaining subunit, an access request determining subunit and a quantity determining subunit, wherein:
The access request obtaining subunit is configured to obtain the access requests with which access sides accessed uniform resource identifiers (URIs) within the preset time period, each access request also carrying the IP address of the access side;
The access request determining subunit is configured to determine the combination of the IP address and the access information group as the access side identifier, and to determine access requests carrying the same access side identifier as access requests of the same access side;
The quantity determining subunit is configured to, for each access side: obtain the number of accessed URIs carried in the access requests with which the access side accessed URIs in the preset time period, and, when that number is lower than the preset quantity, determine the access side as an access side for which the number of URIs accessed in the preset time period is lower than the preset quantity.
Optionally, when determining the number of access sides that accessed the URI in the preset time period, the first network attack determination unit 200 is specifically configured to:
determine the number of access sides that accessed the URI in the preset time period according to the access side identifiers carried in the access requests that carry the URI.
Specifically, once the first network attack determination unit 200 has determined that the access requests carrying the URI carry N kinds of access side identifier, it can determine that the number of access sides that accessed the URI in the preset time period is N.
Optionally, the first threshold corresponds to the URI, and the first thresholds corresponding to different URIs may be the same or different.
Optionally, when determining the access requests that carry the high-risk access information group and access the URI as a network attack, the first network attack determination unit 200 is specifically configured to:
determine the access requests that carry the high-risk access information group and access the URI as a distributed network attack.
In practical applications, the present invention can determine the access requests that carry the high-risk access information group and access the URI as a distributed network attack. From the above analysis of how a network attack is determined: when, within a preset time period, the URIs accessed by certain access sides are relatively concentrated, and the URI accessed in this concentrated way also has many access sides in the preset time period, the present invention can determine that a network attack has occurred, and determines as a network attack those access requests that, among the requests accessing the concentrated URI in the preset time period, carry the access information group that appears most often. Since the IP of such an attack may change, it is a distributed network attack.
In the embodiments of the present invention, the network attack determined by the first network attack determination unit 200 may be a network attack carried out by modifying the IP, or a network attack carried out through multiple different IPs by controlling compromised hosts (bots).
The network attack detection device disclosed in the embodiments of the present invention can determine the access sides for which the number of uniform resource identifiers (URIs) accessed in a preset time period is lower than a preset quantity and, for each URI of the at least one URI accessed by the determined access sides: determine the number of access sides that accessed the URI in the preset time period; when that number exceeds the first threshold, obtain the access information group carried by each access request that accessed the URI in the preset time period; determine the access information group that appears most often among those access requests as the high-risk access information group; and determine the access requests that carry the high-risk access information group and access the URI as a network attack. This improves the server's ability to detect and identify network attacks.
Corresponding to the method shown in Fig. 2, and as shown in Fig. 4, an embodiment of the present invention provides another network attack detection device which, on the basis of the network attack detection device shown in Fig. 3, further includes a URI determination unit 300 and a second network attack determination unit 400, wherein:
The URI determination unit 300 is configured to determine as an attacked URI each URI whose total number of accesses by all access sides in the preset time period exceeds a second threshold;
The second network attack determination unit 400 is configured to, for each attacked URI, determine as a network attack the access requests issued by an identified access side whose number of accesses to that attacked URI in the preset time period exceeds a third threshold.
When the total number of times a URI is accessed by all access sides in the preset time period exceeds the second threshold, the URI is being accessed many times and may be under attack. In this case, the access sides that access the possibly attacked URI many times are determined to be attackers, and the access requests with which the attackers access the possibly attacked URI are determined to be network attacks.
It can be seen that, by adding the condition in the URI determination unit 300 that the second threshold be exceeded, the embodiment of the present invention reduces "false positive" cases to a certain extent. For example, although a user refreshes the same web page several times within a short time, the total number of times the page is currently being accessed does not exceed the second threshold, so the access requests issued by the user are not mistaken for a network attack, and the "false positive" is avoided.
Optionally, the second threshold corresponds to the URI, and the second thresholds corresponding to different URIs may be the same or different.
Optionally, the second network attack determination unit 400 may be specifically configured to, for each attacked URI, determine as a high-frequency network attack the access requests issued by an identified access side whose number of accesses to that attacked URI in the preset time period exceeds the third threshold.
Optionally, the third threshold corresponds to the URI, and the third thresholds corresponding to different URIs may be the same or different.
The network attack detection device shown in Fig. 4 and disclosed in the embodiments of the present invention can, by identifying high-frequency network attacks, effectively avoid "false positive" cases arising during network attack detection.
The network attack detection device includes a processor and a memory. The access side determination unit 100, the first network attack determination unit 200 and the other units described above are stored in the memory as program units, and the processor executes these program units stored in the memory to implement the corresponding functions.
The processor contains a kernel, and the kernel retrieves the corresponding program unit from the memory. One or more kernels may be provided, and network attacks are detected by adjusting kernel parameters.
The memory may include non-permanent memory in computer-readable media, random access memory (RAM) and/or non-volatile memory, such as read-only memory (ROM) or flash memory (flash RAM), and the memory includes at least one memory chip.
An embodiment of the present invention provides a storage medium in which computer-executable instructions are stored; when the computer-executable instructions are loaded and executed by a processor, the network attack detection method provided by the embodiments of the present invention is implemented.
An embodiment of the present invention provides a processor configured to run a program, wherein the network attack detection method is executed when the program runs.
An embodiment of the present invention provides a computer device, characterized in that it includes a processor, a memory, and a program stored in the memory and runnable on the processor, the processor implementing at least the following steps when executing the program:
determining the access sides for which the number of uniform resource identifiers (URIs) accessed in a preset time period is lower than a preset quantity;
for each URI of the at least one URI accessed by the determined access sides: determining the number of access sides that accessed the URI in the preset time period; when that number exceeds a first threshold, obtaining the access information group carried by each access request that accessed the URI in the preset time period; determining the access information group that appears most often among those access requests as the high-risk access information group; and determining the access requests that carry the high-risk access information group and access the URI as a network attack.
The computer device here may be a server, a PC, a PAD, a mobile phone or the like.
The present application also provides a computer program product which, when executed on a data processing device, is adapted to execute a program initialized with at least the following method steps:
determining the access sides for which the number of uniform resource identifiers (URIs) accessed in a preset time period is lower than a preset quantity;
for each URI of the at least one URI accessed by the determined access sides: determining the number of access sides that accessed the URI in the preset time period; when that number exceeds a first threshold, obtaining the access information group carried by each access request that accessed the URI in the preset time period; determining the access information group that appears most often among those access requests as the high-risk access information group; and determining the access requests that carry the high-risk access information group and access the URI as a network attack.
Those skilled in the art should understand that the embodiments of the present application may be provided as a method, a device (system) or a computer program product. Therefore, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Moreover, the present application may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to magnetic disk storage, CD-ROM, optical storage and the like) containing computer-usable program code.
The present application is described with reference to flowcharts and/or block diagrams of the method, device (system) and computer program product according to the embodiments of the present application. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, a special-purpose computer, an embedded processor or another programmable data processing device to produce a machine, so that the instructions executed by the processor of the computer or other programmable data processing device produce an apparatus for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory capable of directing a computer or other programmable data processing device to operate in a particular manner, so that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction apparatus, the instruction apparatus implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, so that a series of operational steps are performed on the computer or other programmable device to produce computer-implemented processing, whereby the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
In a typical configuration, a computing device includes one or more processors (CPUs), an input/output interface, a network interface and a memory.
The memory may include non-permanent memory in computer-readable media, random access memory (RAM) and/or non-volatile memory, such as read-only memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
Computer-readable media include permanent and non-permanent, removable and non-removable media, and can store information by any method or technology. The information may be computer-readable instructions, data structures, program modules or other data. Examples of computer storage media include, but are not limited to, phase-change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technologies, compact disc read-only memory (CD-ROM), digital versatile disc (DVD) or other optical storage, magnetic cassettes, magnetic tape or magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible by a computing device. As defined herein, computer-readable media do not include transitory computer-readable media (transitory media), such as modulated data signals and carrier waves.
It should also be noted that the terms "include", "comprise" or any other variant thereof are intended to cover non-exclusive inclusion, so that a process, method, commodity or device that includes a series of elements includes not only those elements but also other elements not explicitly listed, or also includes elements inherent to such a process, method, commodity or device. Without further limitation, an element defined by the phrase "including a ..." does not exclude the existence of other identical elements in the process, method, commodity or device that includes the element.
Those skilled in the art will understand that the embodiments of the present application may be provided as a method, a device (system) or a computer program product. Therefore, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Moreover, the present application may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to magnetic disk storage, CD-ROM, optical storage and the like) containing computer-usable program code.
The above are merely embodiments of the present application and are not intended to limit the present application. For those skilled in the art, various modifications and changes to the present application are possible. Any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present application shall fall within the scope of the claims of the present application.
Claims (10)
1. A network attack detection method, characterized in that the method comprises:
determining the access sides for which the number of uniform resource identifiers (URIs) accessed in a preset time period is lower than a preset quantity;
for each URI of the at least one URI accessed by the determined access sides: determining the number of access sides that accessed the URI in the preset time period; when that number exceeds a first threshold, obtaining the access information group carried by each access request that accessed the URI in the preset time period; determining the access information group that appears most often among those access requests as the high-risk access information group; and determining the access requests that carry the high-risk access information group and access the URI as a network attack.
2. The method according to claim 1, characterized in that the access information group includes at least one of the following items of access information: device fingerprint, user identifier, user agent (UA) and HTTP_Referer.
3. The method according to claim 1, characterized in that determining the accessing parties for which the number of URIs accessed within the preset time period is lower than the preset number comprises:
obtaining the access requests by which accessing parties accessed URIs within the preset time period, each access request also carrying the IP address of the accessing party;
determining the combination of the IP address and the access information group as an accessing-party identifier, and determining access requests that carry the same accessing-party identifier as access requests of the same accessing party;
for each accessing party: obtaining the number of accessed URIs carried in the access requests by which the accessing party accessed URIs within the preset time period, and, when that number is lower than the preset number, determining the accessing party to be an accessing party for which the number of URIs accessed within the preset time period is lower than the preset number.
4. The method according to claim 3, characterized in that determining the number of accessing parties that accessed the URI within the preset time period comprises:
determining, according to the accessing-party identifier carried in each access request that carries the URI, the number of accessing parties that accessed the URI within the preset time period.
5. The method according to any one of claims 1 to 4, characterized in that determining the access requests that carry the high-risk access information group and access the URI as a network attack comprises:
determining the access requests that carry the high-risk access information group and access the URI as a distributed network attack.
6. The method according to claim 1, characterized in that the method further comprises:
determining a URI whose total number of accesses by all accessing parties within the preset time period exceeds a second threshold as an attacked URI;
for each attacked URI: determining, as a network attack, the access requests issued by a determined accessing party whose number of accesses to the attacked URI within the preset time period exceeds a third threshold.
7. The method according to claim 6, characterized in that, for each attacked URI, determining as a network attack the access requests issued by a determined accessing party whose number of accesses to the attacked URI within the preset time period exceeds the third threshold comprises:
for each attacked URI: determining, as a high-frequency network attack, the access requests issued by a determined accessing party whose number of accesses to the attacked URI within the preset time period exceeds the third threshold.
8. A network attack detection device, characterized in that the network attack detection device comprises an accessing-party determination unit and a first network attack determination unit, wherein:
the accessing-party determination unit is configured to determine the accessing parties for which the number of uniform resource identifiers (URIs) accessed within a preset time period is lower than a preset number;
the first network attack determination unit is configured to, for each URI of the at least one URI accessed by the determined accessing parties: determine the number of accessing parties that accessed the URI within the preset time period; when the number of accessing parties exceeds a first threshold, obtain the access information group carried by each access request that accessed the URI within the preset time period; determine the access information group that occurs most frequently among those access requests as a high-risk access information group; and determine the access requests that carry the high-risk access information group and access the URI as a network attack.
9. A storage medium, characterized in that computer-executable instructions are stored in the storage medium, and when the computer-executable instructions are loaded and executed by a processor, the network attack detection method according to any one of claims 1 to 7 is implemented.
10. A computer device, characterized by comprising a processor, a memory, and a program stored on the memory and executable on the processor, wherein the processor, when executing the program, performs at least the following steps:
determining the accessing parties for which the number of uniform resource identifiers (URIs) accessed within a preset time period is lower than a preset number;
for each URI of the at least one URI accessed by the determined accessing parties: determining the number of accessing parties that accessed the URI within the preset time period; when the number of accessing parties exceeds a first threshold, obtaining the access information group carried by each access request that accessed the URI within the preset time period; determining the access information group that occurs most frequently among those access requests as a high-risk access information group; and determining the access requests that carry the high-risk access information group and access the URI as a network attack.
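The detection flow of claims 1 and 3 to 7, run over one time window of requests, as an added Python sketch that is not code from the patent. The function names, the constructed sample requests and the threshold values are assumptions; the access information group is taken to be (device fingerprint, UA), and distinct accessing parties are counted over all requests to a URI, which is one reading of claim 4.

```python
from collections import Counter, defaultdict

def narrow_accessors(requests, preset_number):
    """Claim 3: accessor id = (IP, access information group); keep those that
    touched fewer than preset_number distinct URIs in the window."""
    uris = defaultdict(set)
    for ip, group, uri in requests:
        uris[(ip, group)].add(uri)
    return {acc: u for acc, u in uris.items() if len(u) < preset_number}

def distributed_attacks(requests, preset_number, first_threshold):
    """Claims 1, 4, 5: map each flagged URI to its high-risk information group."""
    narrow = narrow_accessors(requests, preset_number)
    flagged = {}
    for uri in sorted({u for uris in narrow.values() for u in uris}):
        hits = [(ip, group) for ip, group, u in requests if u == uri]
        if len(set(hits)) <= first_threshold:   # distinct accessors of this URI
            continue
        # Most frequent group over all requests to the URI (ties: first seen).
        flagged[uri] = Counter(g for _, g in hits).most_common(1)[0][0]
    return flagged

def high_frequency_attacks(requests, preset_number, second_threshold, third_threshold):
    """Claims 6-7: (accessor, URI) pairs hammering a heavily accessed URI."""
    narrow = narrow_accessors(requests, preset_number)
    per_uri = Counter(uri for _, _, uri in requests)
    per_pair = Counter(((ip, group), uri) for ip, group, uri in requests)
    return {pair for pair, n in per_pair.items()
            if per_uri[pair[1]] > second_threshold
            and pair[0] in narrow and n > third_threshold}

def is_attack(request, flagged):
    """True if the request hits a flagged URI carrying that URI's high-risk group."""
    _ip, group, uri = request
    return flagged.get(uri) == group

# Constructed one-window sample: (ip, (device fingerprint, UA), uri).
BOT = ("fp-bot", "curl/7.64")
SAMPLE = (
    [(f"198.51.100.{i}", BOT, "/login") for i in range(1, 7)]   # 6 sources, one URI
    + [("203.0.113.5", ("fp-a", "Firefox"), u) for u in ("/", "/login", "/cart", "/help")]
    + [("203.0.113.9", ("fp-b", "Chrome"), "/login")]           # ordinary user
    + [("192.0.2.77", ("fp-c", "Scraper"), "/search")] * 12     # single-source flood
)
```

On this sample the ordinary user who visits only `/login` is a low-URI-count accessing party but is not flagged, because the request does not carry the most frequent information group for that URI.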
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910379112.5A CN110071941B (en) | 2019-05-08 | 2019-05-08 | Network attack detection method, equipment, storage medium and computer equipment |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910379112.5A CN110071941B (en) | 2019-05-08 | 2019-05-08 | Network attack detection method, equipment, storage medium and computer equipment |
Publications (2)
Publication Number | Publication Date |
---|---|
CN110071941A (en) | 2019-07-30 |
CN110071941B (en) | 2021-10-29 |
Family
ID=67370310
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201910379112.5A Active CN110071941B (en) | 2019-05-08 | 2019-05-08 | Network attack detection method, equipment, storage medium and computer equipment |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN110071941B (en) |
Patent Citations (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20110107412A1 (en) * | 2009-11-02 | 2011-05-05 | Tai Jin Lee | Apparatus for detecting and filtering ddos attack based on request uri type |
CN103297435A (en) * | 2013-06-06 | 2013-09-11 | 中国科学院信息工程研究所 | Abnormal access behavior detection method and system on basis of WEB logs |
CN104811349A (en) * | 2015-03-26 | 2015-07-29 | 浪潮集团有限公司 | Method and device of access statistics |
CN104967629A (en) * | 2015-07-16 | 2015-10-07 | 网宿科技股份有限公司 | Network attack detection method and apparatus |
WO2017218031A1 (en) * | 2016-06-16 | 2017-12-21 | Level 3 Communications, Llc | Systems and methods for preventing denial of service attacks utilizing a proxy server |
CN105939361A (en) * | 2016-06-23 | 2016-09-14 | 杭州迪普科技有限公司 | Method and device for defensing CC (Challenge Collapsar) attack |
US20180063163A1 (en) * | 2016-08-26 | 2018-03-01 | Cisco Technology, Inc. | Learning indicators of compromise with hierarchical models |
CN108259425A (en) * | 2016-12-28 | 2018-07-06 | 阿里巴巴集团控股有限公司 | The determining method, apparatus and server of query-attack |
CN109246064A (en) * | 2017-07-11 | 2019-01-18 | 阿里巴巴集团控股有限公司 | Safe access control, the generation method of networkaccess rules, device and equipment |
CN107707545A (en) * | 2017-09-29 | 2018-02-16 | 深信服科技股份有限公司 | A kind of abnormal web page access fragment detection method, device, equipment and storage medium |
Non-Patent Citations (2)
Title |
---|
J CHOI et al.: "A method of DDoS attack detection using HTTP packet pattern and rule engine in cloud computing environment", Springer * |
Zhu Lizhi (朱俚治) et al.: "An algorithm for detecting network traffic anomalies and network attacks", Computing Technology and Automation * |
Cited By (13)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111447228A (en) * | 2020-03-27 | 2020-07-24 | 四川虹美智能科技有限公司 | Intelligent household appliance access request processing method and system, cloud server and intelligent air conditioner |
CN111917787B (en) * | 2020-08-06 | 2023-07-21 | 北京奇艺世纪科技有限公司 | Request detection method, request detection device, electronic equipment and computer readable storage medium |
CN111917787A (en) * | 2020-08-06 | 2020-11-10 | 北京奇艺世纪科技有限公司 | Request detection method and device, electronic equipment and computer-readable storage medium |
CN112202821A (en) * | 2020-12-04 | 2021-01-08 | 北京优炫软件股份有限公司 | Identification defense system and method for CC attack |
CN113467314A (en) * | 2021-07-15 | 2021-10-01 | 广州赛度检测服务有限公司 | Information security risk assessment system and method based on big data and edge calculation |
CN113467314B (en) * | 2021-07-15 | 2022-04-26 | 广州赛度检测服务有限公司 | Information security risk assessment system and method based on big data and edge calculation |
CN113810486A (en) * | 2021-09-13 | 2021-12-17 | 珠海格力电器股份有限公司 | Internet of things platform docking method and device, electronic equipment and storage medium |
CN113992403A (en) * | 2021-10-27 | 2022-01-28 | 北京知道创宇信息技术股份有限公司 | Access speed limit interception method and device, defense server and readable storage medium |
WO2023109046A1 (en) * | 2021-12-14 | 2023-06-22 | 深圳前海微众银行股份有限公司 | Anomaly detection method and apparatus, electronic device, and storage medium |
CN115102781A (en) * | 2022-07-14 | 2022-09-23 | 中国电信股份有限公司 | Network attack processing method, device, electronic equipment and medium |
CN115102781B (en) * | 2022-07-14 | 2024-01-09 | 中国电信股份有限公司 | Network attack processing method, device, electronic equipment and medium |
CN116647412A (en) * | 2023-07-26 | 2023-08-25 | 北京理想乡网络技术有限公司 | Security defense method and system of Web server |
CN116647412B (en) * | 2023-07-26 | 2024-01-26 | 深圳市鹿驰科技有限公司 | Security defense method and system of Web server |
Also Published As
Publication number | Publication date |
---|---|
CN110071941B (en) | 2021-10-29 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN110071941A (en) | A kind of network attack detecting method, equipment, storage medium and computer equipment | |
US9154516B1 (en) | Detecting risky network communications based on evaluation using normal and abnormal behavior profiles | |
US9462009B1 (en) | Detecting risky domains | |
US10635817B2 (en) | Targeted security alerts | |
CN104301302B (en) | Go beyond one's commission attack detection method and device | |
Çeker et al. | Deception-based game theoretical approach to mitigate DoS attacks | |
EP3085023B1 (en) | Communications security | |
US9300684B2 (en) | Methods and systems for statistical aberrant behavior detection of time-series data | |
US20200014714A1 (en) | Dns misuse detection through attribute cardinality tracking | |
US11647037B2 (en) | Penetration tests of systems under test | |
CN104954384B (en) | A kind of url mimicry methods of protection Web applications safety | |
CN112165488A (en) | Risk assessment method, device and equipment and readable storage medium | |
CN112350992A (en) | Safety protection method, device, equipment and storage medium based on web white list | |
CN106685899A (en) | Method and device for identifying malicious access | |
CN103905372A (en) | Method and device for removing false alarm of phishing website | |
CN104901962B (en) | A kind of detection method and device of web page attacks data | |
Casalicchio et al. | Measuring the global domain name system | |
CN105262730B (en) | Monitoring method and device based on enterprise domain name safety | |
CN112861132A (en) | Cooperative protection method and device | |
Soltanaghaei et al. | Detection of fast-flux botnets through DNS traffic analysis | |
CN105227532B (en) | A kind of blocking-up method and device of malicious act | |
US9723017B1 (en) | Method, apparatus and computer program product for detecting risky communications | |
Tang et al. | Mitigating HTTP flooding attacks with meta-data analysis | |
JP5743822B2 (en) | Information leakage prevention device and restriction information generation device | |
US11425162B2 (en) | Detection of malicious C2 channels abusing social media sites |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||