CN110071941B - Network attack detection method, equipment, storage medium and computer equipment - Google Patents

Info

Publication number: CN110071941B
Authority: CN (China)
Prior art keywords: access, uri, determining, accessing, time period
Legal status: Active
Application number: CN201910379112.5A
Other languages: Chinese (zh)
Other versions: CN110071941A
Inventors: 王巍巍, 殷昊
Current Assignee: Beijing QIYI Century Science and Technology Co Ltd
Original Assignee: Beijing QIYI Century Science and Technology Co Ltd
Application filed by Beijing QIYI Century Science and Technology Co Ltd
Priority to CN201910379112.5A
Publication of CN110071941A
Application granted
Publication of CN110071941B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1458 Denial of Service

Abstract

The invention discloses a network attack detection method, device, storage medium and computer device. The method determines the access parties whose number of accessed Uniform Resource Identifiers (URIs) within a preset time period is lower than a preset number; then, for each URI of the at least one URI accessed by the determined access parties: it determines the number of access parties accessing the URI within the preset time period; when that number exceeds a first threshold, it obtains the access information groups carried by each access request accessing the URI within the preset time period, determines the access information group with the highest occurrence frequency among those access requests as a high-risk access information group, and determines the access requests that carry the high-risk access information group and access the URI as a network attack. The invention can effectively improve the detection and identification of network attacks and strengthen defence against them.

Description

Network attack detection method, equipment, storage medium and computer equipment
Technical Field
The present invention relates to the field of network security protection, and in particular, to a network attack detection method, device, storage medium, and computer device.
Background
With the development of science and technology, network security is becoming more important, and current website servers are often subjected to various kinds of illegal attacks. A CC (Challenge Collapsar) attack is one of the common attack behaviours. The CC attack is a form of DDoS (Distributed Denial of Service): it continuously sends access requests to the web server for an accessed URI (Uniform Resource Identifier), so that the web server cannot process the accesses of legitimate users to normal network resources, thereby achieving denial of service.
The existing network attack detection technology detects the network attack by counting the times of accessing the URI of a website server in unit time by a single IP at the website server side. When the number of times of accessing the URI of the web server by a certain IP in a unit time exceeds a threshold, the existing cyber attack detection technology may determine the access behavior of the IP as a cyber attack.
However, with the development of technology, network attacks launched through a plurality of different IPs are now occurring. For example, an attacker launching a CC attack may change IP several times and send, from the different IPs, page requests (one type of access request) for a URI of the web server that consume a large amount of processing resources and time. This wastes the web server's processing resources and keeps its CPU at 100% utilization for a long time, so that the CPU has no capacity left to process normal requests from legitimate users.
As can be seen, an attacker can access the attacked URI through a plurality of different IPs, and the number of times that each IP accesses the URI does not exceed the threshold, which makes the existing cyber attack detection technology unable to detect the cyber attack.
Disclosure of Invention
In view of the above problems, the present invention is proposed to provide a network attack detection method, device, storage medium and computer device that overcome the above problems or at least partially solve the above problems, and the technical solutions are as follows:
a network attack detection method, the method comprising:
determining access parties whose number of accessed Uniform Resource Identifiers (URIs) within a preset time period is lower than a preset number;
for each URI of the at least one URI accessed by the determined accessing party: determining the number of access parties accessing the URI within the preset time period, obtaining access information groups carried by each access request accessing the URI within the preset time period when the number of the access parties exceeds a first threshold value, determining the access information group with the largest occurrence frequency in each access request as a high-risk access information group, and determining the access request carrying the high-risk access information group and accessing the URI as a network attack.
Optionally, the access information group includes at least one of: a device fingerprint, a user identifier, a user agent (UA), and an HTTP_Referer.
Optionally, the determining of access parties whose number of accessed Uniform Resource Identifiers (URIs) within the preset time period is lower than the preset number includes:
obtaining the access requests with which access parties access Uniform Resource Identifiers (URIs) within the preset time period, wherein each access request also carries the IP address of the access party;
determining the information combination formed by the IP address and the access information group as an access party identifier, and determining access requests carrying the same access party identifier as access requests of the same access party;
for each access party: obtaining the number of accessed URIs carried in the access requests with which the access party accessed URIs within the preset time period, and, when that number is lower than the preset number, determining the access party as an access party whose number of accessed URIs within the preset time period is lower than the preset number.
Optionally, the determining of the number of access parties accessing the URI within the preset time period includes:
determining the number of access parties accessing the URI within the preset time period according to the access party identifiers carried in the access requests that carry the URI.
Optionally, the determining, as a network attack, of the access requests carrying the high-risk access information group and accessing the URI includes:
determining the access requests carrying the high-risk access information group and accessing the URI as a distributed network attack.
Optionally, the method further includes:
determining a URI for which the sum of the access counts of all access parties within the preset time period exceeds a second threshold as an attacked URI;
for each attacked URI: determining the access requests sent by a determined access party whose number of accesses to the attacked URI within the preset time period exceeds a third threshold as a network attack.
Optionally, the step of, for each attacked URI, determining as a network attack the access requests of a determined access party whose number of accesses to the attacked URI within the preset time period exceeds the third threshold includes:
for each attacked URI: determining the access requests sent by a determined access party whose number of accesses to the attacked URI within the preset time period exceeds the third threshold as a high-frequency network attack.
A network attack detection device including an access party determining unit and a first network attack determining unit, wherein:
the access party determining unit is configured to determine access parties whose number of accessed Uniform Resource Identifiers (URIs) within a preset time period is lower than a preset number;
the first network attack determining unit is configured to, for each URI of the at least one URI accessed by the determined access parties: determine the number of access parties accessing the URI within the preset time period, obtain, when that number exceeds a first threshold, the access information groups carried by each access request accessing the URI within the preset time period, determine the access information group with the highest occurrence frequency among those access requests as a high-risk access information group, and determine the access requests that carry the high-risk access information group and access the URI as a network attack.
Optionally, the access party determining unit specifically includes an access request obtaining subunit, an access request determining subunit, and a quantity determining subunit, wherein:
the access request obtaining subunit is configured to obtain the access requests with which access parties access Uniform Resource Identifiers (URIs) within a preset time period, where each access request also carries the IP address of the access party;
the access request determining subunit is configured to determine the information combination formed by the IP address and the access information group as an access party identifier, and to determine access requests carrying the same access party identifier as access requests of the same access party;
the quantity determining subunit is configured to, for each access party: obtain the number of accessed URIs carried in the access requests with which the access party accessed URIs within the preset time period, and, when that number is lower than the preset number, determine the access party as an access party whose number of accessed URIs within the preset time period is lower than the preset number.
Optionally, the network attack detection device further includes a URI determining unit and a second network attack determining unit, where:
the URI determining unit is configured to determine a URI for which the sum of the access counts of all access parties within the preset time period exceeds a second threshold as an attacked URI;
the second network attack determining unit is configured to, for each attacked URI: determine the access requests sent by a determined access party whose number of accesses to the attacked URI within the preset time period exceeds a third threshold as a network attack.
A storage medium having stored therein computer-executable instructions, which when loaded and executed by a processor, implement any of the network attack detection methods.
A computer device comprising a processor, a memory and a program stored in the memory and executable on the processor, the processor, when executing the program, implementing at least the following steps:
determining access parties whose number of accessed Uniform Resource Identifiers (URIs) within a preset time period is lower than a preset number;
for each URI of the at least one URI accessed by the determined access parties: determining the number of access parties accessing the URI within the preset time period, obtaining, when that number exceeds a first threshold, the access information groups carried by each access request accessing the URI within the preset time period, determining the access information group with the highest occurrence frequency among those access requests as a high-risk access information group, and determining the access requests that carry the high-risk access information group and access the URI as a network attack.
By means of the above technical scheme, the network attack detection method, device, storage medium and computer device can determine the access parties whose number of accessed Uniform Resource Identifiers (URIs) within the preset time period is lower than the preset number and, for each URI of the at least one URI accessed by the determined access parties: determine the number of access parties accessing the URI within the preset time period, obtain, when that number exceeds a first threshold, the access information groups carried by each access request accessing the URI within the preset time period, determine the access information group with the highest occurrence frequency among those access requests as a high-risk access information group, and determine the access requests that carry the high-risk access information group and access the URI as a network attack. The invention can effectively improve the detection and identification of network attacks and strengthen defence against them.
Drawings
Various other advantages and benefits will become apparent to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiments. The drawings are only for purposes of illustrating the preferred embodiments and are not to be construed as limiting the invention. Also, like reference numerals are used to refer to like parts throughout the drawings. In the drawings:
fig. 1 is a flowchart illustrating a network attack detection method according to an embodiment of the present invention;
fig. 2 is a flowchart illustrating another network attack detection method provided by an embodiment of the present invention;
fig. 3 is a schematic structural diagram of a network attack detection device according to an embodiment of the present invention;
fig. 4 is a schematic structural diagram of another network attack detection device according to an embodiment of the present invention.
Detailed Description
Exemplary embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art.
An embodiment of the present invention provides a network attack detection method, as shown in fig. 1, the method may include the following steps:
S100, determining access parties whose number of accessed Uniform Resource Identifiers (URIs) within a preset time period is lower than a preset number;
Optionally, the technician may set the preset time period according to actual detection needs. In practical applications, there may be one or more preset time periods. For example: starting from 00:00:00 on a given day, every 10 seconds may form one preset time period, so that a plurality of preset time periods are obtained. Of course, when there are a plurality of preset time periods, they need not be contiguous; a time interval may also lie between two adjacent preset time periods, which is not limited herein. For each preset time period, the present invention may perform the steps shown in fig. 1 to determine whether a network attack occurred within that period; that is, the preset time periods referred to in the steps of one execution of the network attack detection method provided by the application are the same preset time period.
A Uniform Resource Identifier (URI) may be a string used to identify the name of an internet Resource (including a page, a multimedia file, etc.). In practical application, when an access party sends a specific access request to a server, for example, an access request for a certain page is sent, the access request may carry a URI corresponding to the page, and after receiving the access request, the server may return a resource (e.g., a page) corresponding to the address of the URI to the access party by identifying the URI carried in the access request. Optionally, the access party may be a computer, a mobile phone, or an iPad or other device capable of accessing the network resource of the server. The server may be a web server or the like. The method shown in fig. 1 of the present invention may be applied to a server, and may also be applied to a device that provides security protection for the server or a device that is in communication connection with the server.
Optionally, the preset number may be small, for example: the technician may set the preset number to 2. Correspondingly, if a certain access party accesses only 1 URI within the preset time period, that access party is an access party to be determined in step S100. The technician may also set the preset number to 3; then, if a certain access party accesses only 1 or 2 URIs within the preset time period, that access party is an access party to be determined in step S100. Of course, the technician may set the preset number to other values. The embodiment of the invention does not limit the setting of the preset number.
In practical applications, an access party carrying out a network attack usually has the characteristic of concentrating its accesses on a small number of URIs; that is, it usually sends access requests for one or a few URIs to the target server without requesting other resources. When a certain access party has this characteristic of concentrated access to a small number of URIs, the method may determine that access party as an access party suspected of carrying out a network attack. In view of this characteristic, the present invention sets step S100 to lock onto access parties suspected of carrying out a network attack. Further, in order to better achieve this purpose in step S100, the preset number may be set small. Specifically, if a network attack that accesses only one URI needs to be detected, setting the preset number to 2 allows the access parties suspected of carrying out the network attack to be determined.
The access request may carry an access information group. Optionally, the access information group may include at least one of: a device fingerprint, a user identifier, a user agent (UA), and an HTTP_Referer. Specifically, the access information group does not include an IP address.
The device fingerprint may be a device identifier that uniquely identifies a certain device, and it may be an identifier that is inherent to the device and difficult to tamper with. For example, the International Mobile Equipment Identity (IMEI) of a mobile phone may serve as a device fingerprint that uniquely identifies that phone, and the Media Access Control (MAC) address of a computer network card may serve as a device fingerprint that uniquely identifies that network card. The present invention can distinguish different access parties by identifying the device fingerprints of different devices.
The user identifier may be a user name (for example, zhangsan123, zhangsan-123, etc.) used when the user accesses a certain internet resource in the server, or may be information for identifying the user identity, such as a mobile phone number used by the user. The invention can identify different access parties through the user identification.
The User Agent (UA) may be a special string in the request header. After receiving an access request sent by an access party, the server can identify, from the UA in the access request, the operating system and version, CPU type, browser and version, browser rendering engine, browser language, browser plug-ins and so on used by the access party.
The HTTP_Referer may be part of the HTTP request header. Specifically, when an access party sends an access request for a certain page to the server through a certain browser, the HTTP request header information in the access request includes the HTTP_Referer corresponding to that browser. Through the HTTP_Referer, the server knows from which page the access party requested the current page. For example, Zhang Wen opens the Sogou browser page https://123.sogou.com, which links directly to the Baidu official homepage www.baidu.com; after Zhang Wen clicks the www.baidu.com link appearing in the Sogou browser, the Baidu server receives an access request whose request header carries HTTP_Referer: https://123.sogou.com.
Optionally, step S100 may specifically include:
obtaining the access requests with which access parties access Uniform Resource Identifiers (URIs) within the preset time period, wherein each access request also carries the IP address of the access party;
determining the information combination formed by the IP address and the access information group as an access party identifier, and determining access requests carrying the same access party identifier as access requests of the same access party;
for each access party: obtaining the number of accessed URIs carried in the access requests with which the access party accessed URIs within the preset time period, and, when that number is lower than the preset number, determining the access party as an access party whose number of accessed URIs within the preset time period is lower than the preset number.
Optionally, the access information group may include a device fingerprint. Because the repetition rate of device fingerprints is very low (on the order of one in a million), the invention can determine access requests carrying the same device fingerprint and the same access party IP address as access requests of the same access party. Of course, the present invention may also use at least one of the user identifier, the user agent (UA), and the HTTP_Referer together with the device fingerprint as the access information group. For example: the user agent UA and the HTTP_Referer together with the device fingerprint are taken as the access information group. Thus, the present invention can determine access requests carrying the same access party IP address, UA, HTTP_Referer and device fingerprint as access requests of the same access party.
Optionally, the access information group may include a user identifier. Because the user identifier is unique, the invention can determine access requests carrying the same user identifier and the same access party IP address as access requests of the same access party. It will be appreciated that not all access requests carry a user identifier. Of course, the present invention may also use at least one of the device fingerprint, the user agent (UA), and the HTTP_Referer together with the user identifier as the access information group.
Optionally, the access information group may include the user agent (UA) and the HTTP_Referer. The invention can determine access requests carrying the same access party IP address and the same UA and HTTP_Referer as access requests of the same access party. Of course, the present invention may also use at least one of the user identifier and the device fingerprint together with "UA and HTTP_Referer" as the access information group.
Optionally, the present invention may determine the IP address, the UA, and the HTTP_Referer as the access party identifier, and determine access requests carrying the same access party identifier as access requests of the same access party. For example: a first access request and a second access request are obtained within the preset time period, where the first access request carries IP1, URI1, UA1, and HTTP_Referer1, and the second access request carries IP1, URI2, UA1, and HTTP_Referer1. Since the access party identifiers formed by the IP address, UA and HTTP_Referer carried in the two access requests are the same (both are IP1, UA1, and HTTP_Referer1), the present invention can determine that the two access requests are access requests of the same access party, whose access party identifier is IP1, UA1, and HTTP_Referer1. Since the URIs carried in the first and second access requests are different, it may be determined that the number of URIs accessed within the preset time period by the access party corresponding to IP1, UA1, and HTTP_Referer1 is 2; when the preset number in step S100 is 3, it may be determined that this access party is an access party whose number of accessed URIs within the preset time period is lower than the preset number.
S200, for each URI in at least one URI accessed by the determined access party: determining the number of access parties accessing the URI within the preset time period, obtaining access information groups carried by each access request accessing the URI within the preset time period when the number of the access parties exceeds a first threshold value, determining the access information group with the largest occurrence frequency in each access request as a high-risk access information group, and determining the access request carrying the high-risk access information group and accessing the URI as a network attack.
Optionally, the determining of the number of access parties accessing the URI within the preset time period may include:
determining the number of access parties accessing the URI within the preset time period according to the access party identifiers carried in the access requests that carry the URI.
Specifically, after it is determined that the access requests carrying the URI carry N distinct access party identifiers, the number of access parties accessing the URI within the preset time period may be determined to be N.
The following description uses Example 1 (in this example, the IP address, UA, and HTTP_Referer constitute the access party identifier).
Example 1: the server of a certain website obtains 9 access requests within a preset time period, namely:
a first access request (carrying: IP1, URI1, UA1, and HTTP_Referer1);
a second access request (carrying: IP1, URI1, UA1, and HTTP_Referer1);
a third access request (carrying: IP1, URI1, UA1, and HTTP_Referer1);
a fourth access request (carrying: IP2, URI1, UA1, and HTTP_Referer1);
a fifth access request (carrying: IP2, URI1, UA1, and HTTP_Referer1);
a sixth access request (carrying: IP2, URI1, UA1, and HTTP_Referer1);
a seventh access request (carrying: IP3, URI1, UA1, and HTTP_Referer1);
an eighth access request (carrying: IP3, URI1, UA1, and HTTP_Referer1);
a ninth access request (carrying: IP3, URI1, UA1, and HTTP_Referer1).
According to step S100, the first to third access requests are all issued by the same access party (denoted access party a), the fourth to sixth access requests are all issued by the same access party (denoted access party b), and the seventh to ninth access requests are all issued by the same access party (denoted access party c). When the preset number in step S100 is 2, access parties a, b, and c each access only one URI, namely URI1, and thus each is an access party whose number of accessed URIs within the preset time period is lower than the preset number. Since access parties a, b, and c all access only URI1, from the standpoint of URI1 the number of access parties accessing URI1 within the preset time period is three, namely access parties a, b, and c.
Optionally, a first threshold corresponds to each URI, and the first thresholds corresponding to different URIs may be the same or different. For a URI, the process of setting the first threshold corresponding to the URI may include: obtaining the number of access parties that accessed the URI in at least one historical time period, and determining the first threshold corresponding to the URI according to the obtained number(s) of access parties.
The length of the historical time period may be the same as the preset time period, and the historical time period may also include a certain number of preset time periods.
The first threshold in step S200 may be obtained from statistics. For example, the server of a website may count how the URIs it monitors most closely are normally accessed and set the first threshold from those counts. For URI1, the web server may count the number of access parties accessing URI1 in each of a plurality of preset time periods within a longer historical time period in which no network attack occurred (the historical period containing a plurality of preset time periods). Assuming that the preset time period is 1 minute and the attack-free historical period is 1 hour, the server may obtain the number of access parties accessing URI1 in the 1-minute windows starting at the 1st, 11th, 21st, 31st, 41st and 51st minute of that hour, for example 1, 0, 2, 1, 0, compute their average, and derive the first threshold from that average: the first threshold may be a multiple of the average, or it may be the mean plus 3 standard deviations. There are of course many ways to determine the first threshold, and the invention is not limited in this respect.
The number of access parties accessing the URI in each historical time period may be obtained from the historical traffic log of the target server. The historical traffic log contains not only the access count of each URI in each time period but also other information, such as the information carried in the access request of each access party (for example the IP address of the access party, the accessed URI, the UA of the access party and the HTTP_refer, i.e. the Referer header, of the access party), the HTTP request header sent by the access party to the server, and the time period in which the access party accessed the URI. When the preset time period is a period preceding the current time, the information carried by each access request within the preset time period may also be obtained from the historical traffic log.
Optionally, the historical traffic log may be consumed from Kafka (a high-throughput distributed publish-subscribe messaging system) by Spark Streaming (a stream processing system providing high-throughput, fault-tolerant processing of real-time data streams) and stored in HDFS (the Hadoop Distributed File System), from which it is then read.
It should be noted that when the number of access parties accessing a URI within the preset time period exceeds the first threshold, the URI is being accessed by an unusually large number of access parties, which may be caused by an attacker attacking the URI from a plurality of different IPs. In this case, the method may further obtain the access information group (for example the user agent UA and the HTTP_refer) carried by each access request accessing the URI within the preset time period, and determine the access information group that occurs most frequently among those access requests as the high-risk access information group. The rationale is that although an attacker can change the IP, the access information in the access information group is usually left unchanged, because changing it is difficult and time-consuming: changing the UA, for example, implies changing at least one of the operating system, the CPU, the browser and the browser plug-ins, which is either impossible (the CPU) or laborious, so an attacker typically does not modify the UA. The access information group with the largest number of occurrences is therefore determined as the high-risk access information group. Practitioners should note that the UA and the Referer are client-supplied header strings that a scripted attacker can set to any value; the assumption holds against tooling that keeps them fixed, not against an attacker who randomizes them per request. For ease of understanding, Example 1 is used again:
In Example 1 there are 9 access requests, and the access information group consists of the UA and the HTTP_refer. From the perspective of URI1, three access parties (a, b and c) access URI1 within the preset time period. With the first threshold set to 2, the access information groups (UA, HTTP_refer) carried by the 9 access requests accessing URI1 within the preset time period are obtained and counted; they contain only one group, UA1 with HTTP_refer 1, which therefore occurs most often among the 9 requests and is the high-risk access information group. Step S200 then determines the access requests carrying the high-risk access information group and accessing URI1, i.e. all of the first to ninth access requests, as a network attack.
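Steps S100 and S200 as described above, run over constructed request records, as an added example that is not code from the patent. The nine requests to URI1 with the UA1/HTTP_refer 1 group reproduce Example 1; the window length, the preset URI count, the IP addresses, the extra benign visitor with a different browser and the "browsing" visitor who touches several URIs are all assumptions chosen to show which requests are and are not flagged.

```python
"""Added example (not the patent's own code): steps S100/S200 over
constructed access requests. Window length, preset URI count, IPs and the
extra visitors are hypothetical; the first threshold (2) and the nine
UA1/HTTP_refer 1 requests come from Example 1 on the page."""
from collections import Counter, defaultdict

PRESET_PERIOD_SECONDS = 60   # assumed length of one preset time period
PRESET_URI_COUNT = 3         # assumed: fewer distinct URIs than this = "concentrated" visitor
FIRST_THRESHOLD = 2          # from Example 1


def access_group(req):
    """Access information group: UA + HTTP_refer. Deliberately excludes
    the IP address, which the attacker is assumed to rotate."""
    return (req["ua"], req["ref"])


def visitor_id(req):
    """Access party identifier: IP address combined with the access
    information group. Requests sharing it belong to one access party."""
    return (req["ip"], access_group(req))


def bucket_by_window(requests, period=PRESET_PERIOD_SECONDS):
    """Split requests into consecutive preset time periods by arrival time."""
    windows = defaultdict(list)
    for r in requests:
        windows[r["t"] // period].append(r)
    return windows


def focused_visitors(requests, preset_uri_count=PRESET_URI_COUNT):
    """S100: access parties whose number of distinct URIs in the window is
    lower than the preset number."""
    uris_by_visitor = defaultdict(set)
    for r in requests:
        uris_by_visitor[visitor_id(r)].add(r["uri"])
    return {v for v, uris in uris_by_visitor.items() if len(uris) < preset_uri_count}


def detect_distributed(requests, first_threshold=FIRST_THRESHOLD,
                       preset_uri_count=PRESET_URI_COUNT):
    """S200: for each URI accessed by a focused visitor, if more than
    first_threshold access parties hit that URI in the window, the most
    frequent access information group among the URI's requests is the
    high-risk group, and every request carrying it is flagged."""
    focused = focused_visitors(requests, preset_uri_count)
    candidate_uris = {r["uri"] for r in requests if visitor_id(r) in focused}
    flagged = []
    for uri in sorted(candidate_uris):
        uri_requests = [r for r in requests if r["uri"] == uri]
        if len({visitor_id(r) for r in uri_requests}) <= first_threshold:
            continue
        high_risk_group, _ = Counter(access_group(r) for r in uri_requests).most_common(1)[0]
        flagged.extend(r for r in uri_requests if access_group(r) == high_risk_group)
    return flagged


def detect_all_windows(requests, **kwargs):
    """Run S100/S200 independently in every preset time period."""
    return {w: detect_distributed(reqs, **kwargs)
            for w, reqs in sorted(bucket_by_window(requests).items())}


def _req(t, ip, uri, ua, ref):
    return {"t": t, "ip": ip, "uri": uri, "ua": ua, "ref": ref}


# Constructed data. Example 1: visitors a, b, c (assumed IPs) send nine
# requests to /uri1, all carrying UA1 / HTTP_refer 1.
REQUESTS = [_req(t, ip, "/uri1", "UA1", "ref1")
            for t, ip in zip(range(9), ["10.0.0.1", "10.0.0.2", "10.0.0.3"] * 3)]
# Added: one benign reader of /uri1 with a different browser (not flagged),
# a visitor browsing four URIs (not "concentrated", so not in S100),
# and one lone request in the next window (too few visitors there).
REQUESTS += [_req(10, "192.0.2.7", "/uri1", "UA2", "ref2")]
REQUESTS += [_req(11 + i, "192.0.2.8", f"/page{i}", "UA3", "ref3") for i in range(4)]
REQUESTS += [_req(70, "10.0.0.1", "/uri1", "UA1", "ref1")]

if __name__ == "__main__":
    for window, hits in detect_all_windows(REQUESTS).items():
        print(f"window {window}: {len(hits)} requests flagged",
              Counter(r["ip"] for r in hits))
```

In the first window /uri1 is reached by four access parties, which exceeds the first threshold of 2; the UA1/HTTP_refer 1 group wins the count 9 to 1, so the nine Example 1 requests are flagged and the lone UA2 reader is not. Raising the first threshold to 4 or more silences the window, and the single request in the second window never reaches the visitor-count condition.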
Optionally, the determining, as a network attack, the access request carrying the high-risk access information group and accessing the URI includes:
and determining the access request carrying the high-risk access information group and accessing the URI as the distributed network attack.
In practical application, the access requests carrying the high-risk access information group and accessing the URI may be determined as a distributed network attack. As the analysis of the determination process above shows, when the URIs accessed by some access parties are concentrated within the preset time period and a URI accessed in that concentrated manner is accessed by many access parties in the same period, a network attack is determined to have occurred, and the access requests carrying the most frequent access information group among the requests accessing that URI within the preset time period are determined as the attack. The attack is a distributed network attack because the IPs it is launched from may change.
In the embodiment of the present invention, the network attack determined in step S200 may be an attack carried out by changing the IP address, or an attack carried out from a plurality of different IPs by controlling compromised hosts (bots).
The network attack detection method disclosed in the embodiment of the present invention determines the access parties whose number of uniform resource identifiers (URIs) accessed within the preset time period is lower than the preset number, and, for each URI of the at least one URI accessed by the determined access parties, determines the number of access parties accessing the URI within the preset time period, obtains the access information groups carried by each access request accessing the URI within the preset time period when that number exceeds the first threshold, determines the access information group occurring most frequently among those access requests as the high-risk access information group, and determines the access requests carrying the high-risk access information group and accessing the URI as a network attack, thereby improving the server's ability to detect and identify network attacks.
In the course of implementing the present invention, the inventors found that existing network attack detection technology has the following problem. Because existing technology detects a network attack only by counting, on the web server side, the number of times a single IP accesses a URI of the web server per unit time, a user whose page is stuck may refresh the page many times in a short period, causing the user's device to send many access requests for the same URI to the web server in a short period. When those requests exceed the threshold, existing technology determines them as a network attack, and the user is "falsely killed" (blocked as an attacker). To address this, an embodiment of the present invention provides another network attack detection method based on the steps shown in fig. 1; as shown in fig. 2, after step S100 the method may further include the following steps:
s300, determining the URI of which the sum of the times of access by all access parties in the preset time period exceeds a second threshold value as an attacked URI;
s400, for each attacked URI: and determining the access request sent by the determined access party and accessing the attacked URI for a number of times exceeding a third threshold value in the preset time period as the network attack.
The invention does not limit the order of step S300 relative to steps S100 and S200: step S300 may be executed before or after either of them, between them, or in parallel with step S100 or with step S200.
Step S400 is executed after step S300 and after step S100.
Specifically, in step S400, for each attacked URI, the access requests sent by a determined access party whose number of accesses to the attacked URI within the preset time period exceeds the third threshold may be determined as a high-frequency network attack.
When the sum of the number of times a URI is accessed by all access parties within the preset time period exceeds the second threshold, the URI is being accessed unusually often and may be under attack. In this case an access party with a large number of accesses to the possibly attacked URI is determined as an attacker, and its access requests to that URI are determined as a network attack.
As can be seen, the embodiment of the present invention reduces the "false kill" condition to a certain extent by adding, in step S300, the condition that the second threshold is exceeded. For example, even if a user refreshes the same webpage several times in a short period, as long as the total number of accesses to that page in the current period does not exceed the second threshold, the user's requests are not mistaken for a network attack, and the "false kill" is avoided.
Optionally, the second threshold corresponds to a URI, and the second thresholds corresponding to different URIs may be the same or different. For a URI, the setting process of the second threshold corresponding to the URI may include:
obtaining the sum of the number of times all access parties accessed the URI in at least one historical time period, and determining the second threshold of the URI from the obtained sums.
The length of the historical time period may be equal to the preset time period, or the historical time period may contain a certain number of preset time periods.
Specifically, when there are a plurality of historical time periods each equal in length to the preset time period, after the sum of the number of times all access parties accessed the URI in each historical time period has been obtained, the second threshold may be determined by the three-standard-deviation rule used to identify outliers in a Gaussian distribution. A two-standard-deviation rule may of course be used instead.
The sum of the number of times all access parties accessed the URI in each historical time period may be obtained from the historical traffic log of the target server.
Specifically, the sums of the number of times all access parties accessed the URI in each historical time period may be extracted from the historical traffic log and the second threshold determined from them. For example, with the preset time period and the historical time period both 4 minutes and 4 minutes taken as the unit time, the sum of the number of times all access parties accessed the URI per unit time on each of the seven days before the current day is extracted from the historical traffic log, and the maximum of those per-unit-time sums is determined for each of the seven days, for example 62, 71, 58, 73, 65, 67 and 59. The seven values are averaged to obtain a mean A and their standard deviation B is computed; the second threshold of the URI is then A + 3B according to the three-standard-deviation formula.
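The mean-plus-three-standard-deviation rule that the page gives for both the first threshold (the per-window visitor counts for URI1 above) and the second threshold (the seven daily maxima just listed), followed by steps S300 and S400 run over a constructed window, as an added example that is not code from the patent. The two historical series are quoted from the page; the population form of the standard deviation, the third threshold, the visitor identifiers and the request counts in the window are assumptions.

```python
"""Added example (not the patent's own code): mean + 3 standard
deviation thresholds and steps S300/S400 over a constructed window.
Only the two historical series are taken from the page; everything else
is an assumption made for illustration."""
from collections import Counter
from statistics import mean, pstdev

# Quoted from the page: visitors to URI1 in five attack-free historical
# 1-minute windows (first threshold) ...
URI1_WINDOW_VISITORS = [1, 0, 2, 1, 0]
# ... and the per-day maximum of the 4-minute access totals of one URI
# over the seven days before today (second threshold).
DAILY_MAX_TOTALS = [62, 71, 58, 73, 65, 67, 59]


def three_sigma_threshold(samples):
    """mean + 3 * standard deviation of the historical samples. The page
    does not say whether the population or the sample deviation is meant;
    the population form (pstdev) is assumed here, stdev would be a little
    larger."""
    return mean(samples) + 3 * pstdev(samples)


def detect_high_frequency(requests, second_threshold, third_threshold,
                          determined_visitors=None):
    """S300: a URI whose total number of accesses by all visitors in the
    window exceeds second_threshold is an attacked URI.
    S400: within each attacked URI, every request of a determined visitor
    (the S100 result; None means any visitor) whose own access count to
    that URI exceeds third_threshold is a high-frequency network attack.
    requests: list of (visitor_id, uri); visitor_id stands for the page's
    IP + access-information-group combination, assumed precomputed."""
    totals = Counter(uri for _, uri in requests)
    attacked = {uri for uri, n in totals.items() if n > second_threshold}
    per_visitor = Counter((v, uri) for v, uri in requests if uri in attacked)
    attackers = {
        key for key, n in per_visitor.items()
        if n > third_threshold
        and (determined_visitors is None or key[0] in determined_visitors)
    }
    return attacked, [(v, uri) for v, uri in requests if (v, uri) in attackers]


# Constructed window. /news: one impatient user refreshes 20 times while
# 30 other readers load it once each (total 50, below the threshold, so
# the refresher is not "falsely killed"). /login: one bot sends 70
# requests while 20 members log in once each (total 90, above it).
WINDOW = (
    [("user-1", "/news")] * 20
    + [(f"reader-{i}", "/news") for i in range(30)]
    + [("bot-1", "/login")] * 70
    + [(f"member-{i}", "/login") for i in range(20)]
)
SECOND_THRESHOLD = three_sigma_threshold(DAILY_MAX_TOTALS)  # about 80.96
THIRD_THRESHOLD = 15                                        # assumed


def run_example(determined_visitors=None):
    return detect_high_frequency(WINDOW, SECOND_THRESHOLD, THIRD_THRESHOLD,
                                 determined_visitors)


if __name__ == "__main__":
    print("first threshold for URI1:", round(three_sigma_threshold(URI1_WINDOW_VISITORS), 2))
    print("second threshold:", round(SECOND_THRESHOLD, 2))
    attacked, flagged = run_example()
    print("attacked URIs:", attacked)
    print("flagged requests per visitor:", Counter(flagged))
```

For the seven daily maxima A is 65 and the population standard deviation is about 5.32, so the second threshold comes out at about 81; the page's five visitor counts give a first threshold of about 3.0. With those values /news stays below the second threshold even though user-1 exceeds the third threshold, which is exactly the refresh case the page says should not be flagged, while /login is an attacked URI and only bot-1's 70 requests are reported. Passing a `determined_visitors` set restricts S400 to the access parties found in S100, as the page's wording "the determined access party" requires.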
Optionally, the third threshold corresponds to a URI, and the third thresholds corresponding to different URIs may be the same or different.
The network attack detection method shown in fig. 2 and disclosed in the embodiment of the present invention effectively avoids the "false kill" condition in network attack detection by identifying high-frequency network attacks.
Corresponding to the method shown in fig. 1, an embodiment of the present invention provides a network attack detection device, and as shown in fig. 3, the network attack detection device may include: an accessor determining unit 100 and a first cyber attack determining unit 200, wherein:
the access party determining unit 100 is configured to determine the access parties whose number of uniform resource identifiers (URIs) accessed within a preset time period is lower than a preset number;
optionally, a technician may set the preset time period according to the actual detection needs. In practical applications there may be one or more preset time periods. For example, starting from 00:00:00 on a given day, every 10 seconds may form one preset time period, giving a plurality of preset time periods. When there are a plurality of preset time periods they need not be contiguous; a time interval may separate two adjacent preset time periods, which is not limited here. For each preset time period, the invention can determine whether a network attack exists in that period.
The first cyber attack determining unit 200 is configured to, for each URI of at least one URI accessed by the determined access party: determining the number of access parties accessing the URI within the preset time period, obtaining access information groups carried by each access request accessing the URI within the preset time period when the number of the access parties exceeds a first threshold value, determining the access information group with the largest occurrence frequency in each access request as a high-risk access information group, and determining the access request carrying the high-risk access information group and accessing the URI as a network attack.
Optionally, the access information group may include at least one of: a device fingerprint, a user identification, a user agent UA, and an HTTP_refer. The access information group does not include the IP address.
The access party determining unit 100 may specifically include an access request obtaining subunit, an access request determining subunit and a quantity determining subunit, wherein:
the access request obtaining subunit is configured to obtain the access requests with which access parties access uniform resource identifiers (URIs) within the preset time period, each access request also carrying the IP address of its access party;
the access request determining subunit is configured to use the combination of the IP address and the access information group as the access party identifier, and to treat access requests carrying the same access party identifier as access requests of the same access party;
the quantity determining subunit is configured to, for each access party, obtain the number of distinct URIs carried in the access requests of that access party within the preset time period and, when that number is lower than the preset number, determine the access party as one whose number of URIs accessed within the preset time period is lower than the preset number.
Optionally, the first network attack determining unit 200 determines the number of access parties accessing the URI within the preset time period as follows:
the number of access parties accessing the URI within the preset time period is determined from the access party identifiers carried in the access requests that carry the URI.
Specifically, if the access requests carrying the URI carry N different access party identifiers, the first network attack determining unit 200 determines that N access parties accessed the URI within the preset time period.
Optionally, the first threshold corresponds to a URI, and the first thresholds corresponding to different URIs may be the same or different.
Optionally, the first network attack determining unit 200 determines the access requests carrying the high-risk access information group and accessing the URI as a network attack as follows:
the access requests carrying the high-risk access information group and accessing the URI are determined as a distributed network attack.
In practical application, the access requests carrying the high-risk access information group and accessing the URI may be determined as a distributed network attack. As the analysis of the determination process above shows, when the URIs accessed by some access parties are concentrated within the preset time period and a URI accessed in that concentrated manner is accessed by many access parties in the same period, a network attack is determined to have occurred, and the access requests carrying the most frequent access information group among the requests accessing that URI within the preset time period are determined as the attack. The attack is a distributed network attack because the IPs it is launched from may change.
In the embodiment of the present invention, the network attack determined by the first network attack determining unit 200 may be an attack carried out by changing the IP address, or an attack carried out from a plurality of different IPs by controlling compromised hosts (bots).
The network attack detection device disclosed in the embodiment of the present invention determines the access parties whose number of uniform resource identifiers (URIs) accessed within the preset time period is lower than the preset number, and, for each URI of the at least one URI accessed by the determined access parties, determines the number of access parties accessing the URI within the preset time period, obtains the access information groups carried by each access request accessing the URI within the preset time period when that number exceeds the first threshold, determines the access information group occurring most frequently among those access requests as the high-risk access information group, and determines the access requests carrying the high-risk access information group and accessing the URI as a network attack, thereby improving the server's ability to detect and identify network attacks.
Corresponding to the method shown in fig. 2, as shown in fig. 4, an embodiment of the present invention provides another network attack detecting device, which further includes a URI determining unit 300 and a second network attack determining unit 400 on the basis of the network attack detecting device shown in fig. 3, where:
the URI determining unit 300 is configured to determine, as an attacked URI, a URI in which the sum of the number of times of access by all access parties within the preset time period exceeds a second threshold;
the second cyber attack determining unit 400 is configured to, for each attacked URI: and determining the access request sent by the determined access party and accessing the attacked URI for a number of times exceeding a third threshold value in the preset time period as the network attack.
When the sum of the number of times a URI is accessed by all access parties within the preset time period exceeds the second threshold, the URI is being accessed unusually often and may be under attack. In this case an access party with a large number of accesses to the possibly attacked URI is determined as an attacker, and its access requests to that URI are determined as a network attack.
It can be seen that, in the embodiment of the present invention, the "false kill" condition is reduced to a certain extent by the URI determining unit 300 adding the condition that the second threshold is exceeded. For example, even if a user refreshes the same webpage several times in a short period, as long as the total number of accesses to that page in the current period does not exceed the second threshold, the user's requests are not mistaken for a network attack, and the "false kill" is avoided.
Optionally, the second threshold corresponds to a URI, and the second thresholds corresponding to different URIs may be the same or different.
Optionally, the second network attack determining unit 400 may be specifically configured to, for each attacked URI, determine the access requests sent by a determined access party whose number of accesses to the attacked URI within the preset time period exceeds the third threshold as a high-frequency network attack.
Optionally, the third threshold corresponds to a URI, and the third thresholds corresponding to different URIs may be the same or different.
The network attack detection device shown in fig. 4 and disclosed in the embodiment of the present invention effectively avoids the "false kill" condition in network attack detection by identifying high-frequency network attacks.
The network attack detection device includes a processor and a memory; the access party determining unit 100, the first network attack determining unit 200 and so on are stored in the memory as program units, and the processor executes the program units stored in the memory to realize the corresponding functions.
The processor includes a kernel, which loads the corresponding program unit from the memory. One or more kernels may be provided, and network attacks are detected by adjusting the kernel parameters.
The memory may include volatile memory in a computer-readable medium, such as random access memory (RAM), and/or non-volatile memory such as read-only memory (ROM) or flash memory (flash RAM); the memory includes at least one memory chip.
The embodiment of the invention provides a storage medium, wherein a computer executable instruction is stored in the storage medium, and when the computer executable instruction is loaded and executed by a processor, the network attack detection method provided by the embodiment of the invention is realized.
The embodiment of the invention provides a processor, which is used for running a program, wherein the network attack detection method is executed when the program runs.
The embodiment of the present invention provides a computer device comprising a processor, a memory and a program stored in the memory and executable on the processor, wherein the processor, when executing the program, implements at least the following steps:
determining the access parties whose number of uniform resource identifiers (URIs) accessed within a preset time period is lower than a preset number;
for each URI of the at least one URI accessed by the determined access parties: determining the number of access parties accessing the URI within the preset time period, obtaining the access information groups carried by each access request accessing the URI within the preset time period when the number of access parties exceeds a first threshold, determining the access information group occurring most frequently among those access requests as a high-risk access information group, and determining the access requests carrying the high-risk access information group and accessing the URI as a network attack.
The computer device may be a server, a PC, a PAD (tablet), a mobile phone, etc.
The present application further provides a computer program product adapted to perform at least the following method steps when executed on a data processing device:
determining the access parties whose number of uniform resource identifiers (URIs) accessed within a preset time period is lower than a preset number;
for each URI of the at least one URI accessed by the determined accessing party: determining the number of access parties accessing the URI within the preset time period, obtaining access information groups carried by each access request accessing the URI within the preset time period when the number of the access parties exceeds a first threshold value, determining the access information group with the largest occurrence frequency in each access request as a high-risk access information group, and determining the access request carrying the high-risk access information group and accessing the URI as a network attack.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, apparatus (system), or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
In a typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include forms of volatile memory in a computer readable medium, Random Access Memory (RAM) and/or non-volatile memory, such as Read Only Memory (ROM) or flash memory (flash RAM). The memory is an example of a computer-readable medium.
Computer-readable media, including both permanent and non-permanent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer-readable instructions, data structures, program modules, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technology, compact disc read-only memory (CD-ROM), digital versatile discs (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible by a computing device. As defined herein, computer-readable media do not include transitory computer-readable media such as modulated data signals and carrier waves.
It should also be noted that the terms "comprises", "comprising" or any other variation thereof are intended to cover a non-exclusive inclusion, such that a process, method, article or apparatus that comprises a list of elements includes not only those elements but may include other elements not expressly listed or inherent to such process, method, article or apparatus. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of other identical elements in the process, method, article or apparatus that comprises the element.
The above are merely examples of the present application and are not intended to limit the present application. Various modifications and changes may occur to those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present application should be included in the scope of the claims of the present application.

Claims (10)

1. A network attack detection method, the method comprising:
determining the access parties whose number of uniform resource identifiers (URIs) accessed within a preset time period is lower than a preset number;
for each URI of the at least one URI accessed by the determined access parties: determining the number of access parties accessing the URI within the preset time period, obtaining the access information groups carried by each access request accessing the URI within the preset time period when the number of access parties exceeds a first threshold, determining the access information group occurring most frequently among those access requests as a high-risk access information group, and determining the access requests carrying the high-risk access information group and accessing the URI as a network attack.
2. The method of claim 1, wherein the access information group comprises at least one of: a device fingerprint, a user identification, a user agent UA, and an HTTP_refer.
3. The method of claim 1, wherein determining the access parties whose number of URIs accessed within the preset time period is lower than the preset number comprises:
obtaining the access requests with which access parties access uniform resource identifiers (URIs) within the preset time period, each access request also carrying the IP address of its access party;
using the combination of the IP address and the access information group as the access party identifier, and treating access requests carrying the same access party identifier as access requests of the same access party;
for each access party: obtaining the number of distinct URIs carried in the access requests of that access party within the preset time period and, when that number is lower than the preset number, determining the access party as one whose number of URIs accessed within the preset time period is lower than the preset number.
4. The method of claim 3, wherein determining the number of visitors to the URI within the preset time period comprises:
determining the number of access parties accessing the URI within the preset time period from the access party identifiers carried in the access requests that carry the URI.
5. The method according to any one of claims 1 to 4, wherein the determining the access request carrying the high-risk access information group and accessing the URI as a network attack comprises:
and determining the access request carrying the high-risk access information group and accessing the URI as the distributed network attack.
6. The method of claim 1, further comprising:
determining a URI for which the total number of accesses by all access parties within the preset time period exceeds a second threshold as an attacked URI;
for each attacked URI: determining the access requests sent by the determined access parties whose number of accesses to the attacked URI within the preset time period exceeds a third threshold as a network attack.
7. The method of claim 6, wherein, for each attacked URI, determining the access requests sent by the determined access parties whose number of accesses to the attacked URI within the preset time period exceeds the third threshold as a network attack comprises:
for each attacked URI: determining the access requests sent by the determined access parties whose number of accesses to the attacked URI within the preset time period exceeds the third threshold as a high-frequency network attack.
8. A network attack detection device, comprising an access party determining unit and a first network attack determining unit, wherein:
the access party determining unit is configured to determine access parties whose number of Uniform Resource Identifiers (URIs) accessed within a preset time period is lower than a preset number;
the first network attack determining unit is configured to, for each URI of the at least one URI accessed by the determined access parties: determine the number of access parties accessing the URI within the preset time period; when the number of access parties exceeds a first threshold, obtain the access information group carried by each access request accessing the URI within the preset time period, determine the access information group occurring most frequently among these access requests as a high-risk access information group, and determine each access request that carries the high-risk access information group and accesses the URI as a network attack.
9. A storage medium storing computer-executable instructions which, when loaded and executed by a processor, implement the network attack detection method according to any one of claims 1 to 7.
10. A computer device comprising a processor, a memory, and a program stored in the memory and executable on the processor, wherein the processor, when executing the program, performs at least the following steps:
determining access parties whose number of Uniform Resource Identifiers (URIs) accessed within a preset time period is lower than a preset number;
for each URI of the at least one URI accessed by the determined access parties: determining the number of access parties accessing the URI within the preset time period; when the number of access parties exceeds a first threshold, obtaining the access information group carried by each access request accessing the URI within the preset time period, determining the access information group occurring most frequently among these access requests as a high-risk access information group, and determining each access request that carries the high-risk access information group and accesses the URI as a network attack.
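As an added illustration (not code from the patent or its assignee), the following Python runs the two detection paths of claims 1 to 7 over a constructed set of requests from one preset time period; it assumes the time window is already sliced and collapses the access information group of claim 2 into a single string.

```python
from collections import Counter, defaultdict

# Constructed sample requests for one preset time period (not from the patent):
# (ip, access_info, uri). The single access_info string stands in for the
# patent's access information group (fingerprint / user id / UA / Referer).
REQUESTS = (
    [(f"10.0.0.{i}", "ua-A", "/login") for i in range(1, 5)]            # 4 IPs, one info group
    + [("10.0.0.5", "ua-B", "/login")]
    + [("10.0.0.9", "ua-C", u) for u in ("/login", "/home", "/search")]  # ordinary user
    + [("10.0.0.7", "ua-D", "/api/vote")] * 6                            # one party repeating
)

def party_uris(requests):
    """Claim 3: access party identifier = (IP, access information group);
    maps each access party to the set of URIs it requested in the window."""
    uris = defaultdict(set)
    for ip, info, uri in requests:
        uris[(ip, info)].add(uri)
    return uris

def narrow_parties(requests, preset_number):
    """Access parties that accessed fewer than preset_number URIs."""
    return {p for p, u in party_uris(requests).items() if len(u) < preset_number}

def detect_distributed(requests, preset_number, first_threshold):
    """Claims 1, 4, 5: a URI hit by a narrow party and by more than first_threshold
    access parties; requests carrying its most common info group are the attack."""
    uris, narrow = party_uris(requests), narrow_parties(requests, preset_number)
    by_uri = defaultdict(list)
    for r in requests:
        by_uri[r[2]].append(r)
    flagged = []
    for uri in sorted({u for p in narrow for u in uris[p]}):
        parties = {(ip, info) for ip, info, _ in by_uri[uri]}  # claim 4: count by identifier
        if len(parties) <= first_threshold:
            continue
        high_risk = Counter(info for _, info, _ in by_uri[uri]).most_common(1)[0][0]
        flagged += [r for r in by_uri[uri] if r[1] == high_risk]
    return flagged

def detect_high_frequency(requests, preset_number, second_threshold, third_threshold):
    """Claims 6, 7: a URI with more than second_threshold accesses is an attacked URI;
    a narrow party hitting it more than third_threshold times is a high-frequency attack."""
    narrow = narrow_parties(requests, preset_number)
    hits = Counter(r[2] for r in requests)
    attacked = {u for u, n in hits.items() if n > second_threshold}
    per_party = Counter(((ip, info), uri) for ip, info, uri in requests)
    return [r for r in requests if r[2] in attacked and (r[0], r[1]) in narrow
            and per_party[((r[0], r[1]), r[2])] > third_threshold]
```

With preset_number=2, first_threshold=4, second_threshold=5 and third_threshold=3, the four ua-A requests to /login are flagged as the distributed case and the six /api/vote requests as the high-frequency case, while the ordinary user browsing three URIs is not flagged by either path.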
Application Number Priority Date Filing Date Title Status Publication
CN201910379112.5A 2019-05-08 2019-05-08 Network attack detection method, equipment, storage medium and computer equipment Active CN110071941B (en)

Publications (2)

Publication Number Publication Date
CN110071941A (en) 2019-07-30
CN110071941B (en) 2021-10-29

Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant