CN110445808A - Abnormal flow attack guarding method, device, electronic equipment - Google Patents

Abnormal flow attack guarding method, device, electronic equipment

Info

Publication number
CN110445808A
Authority
CN
China
Prior art keywords
traffic
filtering
characteristic model
normal discharge
characteristic
Prior art date
Legal status
Pending
Application number
CN201910789754.2A
Other languages
Chinese (zh)
Inventor
曹志强
Current Assignee
Hangzhou DPTech Technologies Co Ltd
Original Assignee
Hangzhou DPTech Technologies Co Ltd
Priority date
Filing date
Publication date
Application filed by Hangzhou DPTech Technologies Co Ltd
Priority to CN201910789754.2A
Publication of CN110445808A
Legal status: Pending (current)


Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks > H04L41/14 Network analysis or design > H04L41/142 Network analysis or design using statistical or mathematical methods
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security > H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls > H04L63/0227 Filtering policies
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security > H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic > H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic > H04L63/1425 Traffic logging, e.g. anomaly detection
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security > H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic > H04L63/1441 Countermeasures against malicious traffic > H04L63/1458 Denial of Service

Abstract

This application provides an abnormal traffic attack protection method, device, electronic equipment and machine-readable storage medium. In this application, received network traffic is filtered to obtain filtered traffic; traffic feature learning is performed on the filtered traffic to determine a corresponding traffic feature model; the traffic feature model is compared with a preset normal traffic feature model to determine whether the filtered traffic is normal traffic; and if the filtered traffic is abnormal traffic, the filtered traffic is blocked. This effectively improves the response speed and accuracy of protection against complex and changing abnormal traffic attacks in real time.

Description

Abnormal flow attack guarding method, device, electronic equipment
Technical field
This application relates to the field of communication technology, and in particular to an abnormal traffic attack protection method, device, electronic equipment and machine-readable storage medium.
Background technique
DDoS (Distributed Denial of Service) refers to multiple attackers in different locations simultaneously attacking one or several targets, or to one attacker controlling multiple machines in different locations and using them to attack the victim simultaneously. Because the points from which the attack is sent are distributed across different places, this kind of attack is called a distributed denial of service attack.
Widely connected high-speed networks bring convenience to users, but they also create very favorable conditions for DDoS attacks. In the era of slow networks, when a hacker captured puppet machines for an attack, priority was always given to machines close to the target network, because the attack traversed fewer router hops and was more effective. Now that the connection bandwidth between backbone nodes is of the order of 10G or 100G, DDoS attacks can be launched from farther away or from other cities, the attacker's puppet machines can be distributed over a wider range, and their selection has become more flexible.
For example, in a common DDoS attack, a DDoS master program is typically installed on one computer and communicates with a large number of computers on the Internet on which a DDoS agent program has been installed; when an agent program receives an attack instruction from the master program, it launches the DDoS attack. Using client/server technology, the master program can trigger the operation of thousands of agent programs within seconds.
Summary of the invention
This application provides an abnormal traffic attack protection method, applied to network protection equipment, the method comprising:
filtering received network traffic to obtain filtered traffic;
performing traffic feature learning on the filtered traffic to determine a corresponding traffic feature model;
comparing the traffic feature model with a preset normal traffic feature model to determine whether the filtered traffic is normal traffic; and if the filtered traffic is abnormal traffic, blocking the filtered traffic.
Optionally, performing traffic feature learning on the filtered traffic to determine the corresponding traffic feature model comprises:
based on a preset period, sampling the filtered traffic by protocol type to obtain corresponding sampled traffic;
counting the message features in the sampled traffic and, based on the statistics of the message features, determining the traffic feature model corresponding to the filtered traffic.
Optionally, comparing the traffic feature model with the preset normal traffic feature model to determine whether the filtered traffic is normal traffic comprises:
matching the message features included in the traffic feature model against the message features included in the preset normal traffic feature model;
if the message features included in the traffic feature model match the message features included in the preset normal traffic feature model, or are within a preset tolerance threshold, determining that the filtered traffic is normal traffic; otherwise, determining that the filtered traffic is abnormal traffic.
Optionally, the method further comprises:
if the filtered traffic is normal traffic, updating the traffic feature model corresponding to the filtered traffic into the preset normal traffic feature model.
This application also provides an abnormal traffic attack protection device, applied to network protection equipment, the device comprising:
a filtering module, which filters received network traffic to obtain filtered traffic;
a learning module, which performs traffic feature learning on the filtered traffic to determine a corresponding traffic feature model;
a protection module, which compares the traffic feature model with a preset normal traffic feature model to determine whether the filtered traffic is normal traffic, and blocks the filtered traffic if the filtered traffic is abnormal traffic.
Optionally, the learning module further:
based on a preset period, samples the filtered traffic by protocol type to obtain corresponding sampled traffic;
counts the message features in the sampled traffic and, based on the statistics of the message features, determines the traffic feature model corresponding to the filtered traffic.
Optionally, the protection module further:
matches the message features included in the traffic feature model against the message features included in the preset normal traffic feature model;
if the message features included in the traffic feature model match the message features included in the preset normal traffic feature model, or are within a preset tolerance threshold, determines that the filtered traffic is normal traffic; otherwise, determines that the filtered traffic is abnormal traffic.
Optionally, the protection module further:
if the filtered traffic is normal traffic, updates the traffic feature model corresponding to the filtered traffic into the preset normal traffic feature model.
This application also provides electronic equipment comprising a communication interface, a processor, a memory and a bus, the communication interface, the processor and the memory being interconnected through the bus;
the memory stores machine-readable instructions, and the processor executes the above method by invoking the machine-readable instructions.
This application also provides a machine-readable storage medium storing machine-readable instructions which, when invoked and executed by a processor, implement the above method.
Through the above embodiments, a corresponding traffic feature model is learned and established by performing traffic feature learning on filtered network traffic; whether the corresponding traffic is abnormal traffic is judged based on the traffic feature model, and if so, the traffic is blocked, so that the response speed and accuracy of protection against complex and changing abnormal traffic attacks are effectively improved in real time.
Description of the drawings
Fig. 1 is a flow chart of an abnormal traffic attack protection method provided by an exemplary embodiment;
Fig. 2 is a block diagram of an abnormal traffic attack protection device provided by an exemplary embodiment;
Fig. 3 is a hardware structure diagram of electronic equipment provided by an exemplary embodiment.
Specific embodiment
Exemplary embodiments are described in detail here, and examples of them are illustrated in the accompanying drawings. Where the following description refers to the drawings, the same numbers in different drawings indicate the same or similar elements unless otherwise indicated. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with this application; rather, they are merely examples of devices and methods consistent with some aspects of this application as detailed in the appended claims.
The terminology used in this application is for the purpose of describing particular embodiments only and is not intended to limit the application. The singular forms "a", "said" and "the" used in this application and the appended claims are also intended to include the plural forms, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" used herein refers to and includes any or all possible combinations of one or more of the associated listed items.
It should be understood that although the terms first, second, third, etc. may be used in this application to describe various information, this information should not be limited by these terms. These terms are only used to distinguish information of the same type from one another. For example, without departing from the scope of this application, first information may also be referred to as second information, and similarly, second information may also be referred to as first information. Depending on the context, the word "if" as used herein may be interpreted as "when", "upon" or "in response to determining".
In order to help those skilled in the art better understand the technical solutions in the embodiments of this application, the technology related to abnormal traffic attack protection to which the embodiments of this application relate is first briefly described below.
In some scenarios, for abnormal traffic attacks based on DDoS, the existing technical solution is usually either to add, in advance and by hand based on experience, DPI (Deep Packet Inspection) matching and corresponding protection rules for abnormal traffic of known feature types, or, after a DDoS attack has started, to first analyze the traffic features of the attack traffic manually and then manually configure the DPI matching and corresponding protection rules.
As can be seen from the above scenario, protection against abnormal traffic attacks depends on human experience and manual configuration. On one hand, normal traffic may be blocked because protection rules have been configured incorrectly; on the other hand, preset protection rules may be unable to identify the traffic features of currently flexible and changing abnormal traffic.
This application is therefore directed to a technical solution in which a corresponding traffic feature model is determined by performing traffic feature learning on filtered network traffic, and blocking protection is performed when the corresponding traffic is judged, based on the traffic feature model, to be abnormal traffic.
In implementation, the network protection equipment filters the received network traffic to obtain filtered traffic; performs traffic feature learning on the filtered traffic to determine a corresponding traffic feature model; compares the traffic feature model with a preset normal traffic feature model to determine whether the filtered traffic is normal traffic; and, if the filtered traffic is abnormal traffic, blocks the filtered traffic.
In the above solution, a corresponding traffic feature model is learned and established by performing traffic feature learning on filtered network traffic; whether the corresponding traffic is abnormal traffic is judged based on the traffic feature model, and if so, the traffic is blocked, so that the response speed and accuracy of protection against complex and changing abnormal traffic attacks are effectively improved in real time.
This application is described below through specific embodiments and in conjunction with specific application scenarios.
Referring to Fig. 1, which is a flow chart of an abnormal traffic attack protection method provided by an embodiment of this application, the method is applied to network protection equipment and performs the following steps:
Step 102: filter received network traffic to obtain filtered traffic.
Step 104: perform traffic feature learning on the filtered traffic to determine a corresponding traffic feature model.
Step 106: compare the traffic feature model with a preset normal traffic feature model to determine whether the filtered traffic is normal traffic; if the filtered traffic is abnormal traffic, block the filtered traffic.
In this specification, the above network protection equipment includes any form of network equipment that supports network traffic detection and protection.
For example, in practical applications the network protection equipment may include a firewall, an intrusion prevention device, etc. that supports network traffic detection and protection.
In this specification, the above network traffic includes network traffic of any protocol entering the network protection equipment.
For example, the network traffic may include one or more of TCP traffic, UDP traffic, ICMP traffic and other protocol traffic entering the network protection equipment.
It should be noted that the network traffic may include normal traffic and may also include DDoS abnormal traffic.
For example, the network traffic may include three kinds of traffic: normal TCP traffic, normal UDP traffic, and DDoS ICMP abnormal traffic.
In this specification, the filtered traffic refers to the network traffic left after the network protection equipment has filtered it using the filtering rules corresponding to the preset normal traffic feature model.
Continuing the above example, the filtered traffic may include the normal TCP traffic and normal UDP traffic left after the network protection equipment has applied the filtering rules corresponding to the preset normal traffic feature model; that is, the filtered traffic is all or part of the network traffic.
It should be noted that the filtered traffic may be genuinely normal traffic, or it may be abnormal traffic that the preset normal traffic feature model has failed to identify correctly.
In this specification, the network protection equipment filters the network traffic to obtain the filtered traffic.
In this specification, the network protection equipment further performs traffic feature learning on the filtered traffic to determine the corresponding traffic feature model.
For example, the filtered traffic may include several TCP flows and UDP flows; the network protection equipment performs traffic feature learning on the filtered traffic and determines the traffic feature model corresponding to each flow.
In one embodiment shown, the network protection equipment samples the filtered traffic by protocol type, based on a preset period, to obtain corresponding sampled traffic.
Continuing the above example, every minute the network protection equipment may sample the filtered traffic separately by protocol type, for example TCP, UDP or other protocols (for instance, collecting a specified number of messages for each flow), to obtain the corresponding sampled traffic.
It should be noted that the sampled traffic includes the aggregate of the sampled traffic of all protocols.
In this specification, the network protection equipment counts the message features in the sampled traffic;
where the message features may include the IP five-tuple information of a message, features of the data payload of a message, the sending frequency of messages, etc.
For example, in implementation the network protection equipment may identify the message features using DPI technology, convert the message features into hash values with a hash function and store them in a traffic feature table, and further count the number of occurrences of the message features in the sampled traffic.
Of course, the message features may also include message length, user-defined features, etc. If the sampled traffic is TCP traffic, the message features may also include the sequence number, acknowledgement number, FLAG bits of the message, etc.
In this specification, the traffic feature model refers to the traffic feature model corresponding to the sampled traffic that corresponds to the filtered traffic.
In this specification, the network protection equipment further determines the traffic feature model based on the statistics of the message features.
For example, the statistics of the message features are: within one minute, the message features of a TCP flow include a message sending frequency exceeding 10000/second, sustained for 24 hours; the network protection equipment then takes these statistics as the traffic feature model corresponding to this flow (which can be identified by its IP five-tuple).
As another example, the statistics of the message features are: within one minute, the message features of a UDP flow include a message length greater than 8192 bytes, sustained for 2 hours; the network protection equipment then takes these statistics as the traffic feature model corresponding to this flow (which can be identified by its IP five-tuple).
As a further example, the statistics of the message features are: within one minute, the message features of a TCP flow include massive TCP SYN messages continuously sent from the same IP address; the network protection equipment then takes these statistics as the traffic feature model corresponding to this flow (which can be identified by its IP five-tuple).
Of course, in practical applications, the traffic feature model may include the traffic feature model corresponding to one flow or the traffic feature models corresponding to multiple flows.
In this specification, after learning has determined the traffic feature model corresponding to the filtered traffic, the network protection equipment compares the traffic feature model with the preset normal traffic feature model to determine whether the filtered traffic is normal traffic.
In one embodiment shown, the network protection equipment matches the message features included in the traffic feature model against the message features included in the preset normal traffic feature model; if the message features included in the traffic feature model match the message features included in the preset normal traffic feature model, or are within a preset tolerance threshold, the filtered traffic is determined to be normal traffic; otherwise, the filtered traffic is determined to be abnormal traffic.
For example, the message features included in the traffic feature model are: within one minute, the message features of a TCP flow include a message sending frequency of 5000/second; the message features included in the preset normal traffic feature model are: within one minute, the message features of a TCP flow include a message sending frequency of 5000/second, or within the range of 4500-5500/second (the preset tolerance threshold). The network protection equipment then determines that the filtered traffic is normal traffic.
As another example, the message features included in the traffic feature model are: within one minute, the message features of a TCP flow include a message sending frequency of 6000/second; the message features included in the preset normal traffic feature model are: within one minute, the message features of a TCP flow include a message sending frequency of 5000/second, or within the range of 4500-5500/second (the preset tolerance threshold). The network protection equipment then determines that the filtered traffic is abnormal traffic.
In this specification, in the process of determining whether the filtered traffic is normal traffic, if the filtered traffic is abnormal traffic, the network protection equipment blocks the filtered traffic.
For example, in implementation, for filtered traffic that is abnormal, the network protection equipment can create, issue and enable identification and blocking protection rules for the corresponding traffic based on its traffic feature model, thereby achieving near-real-time protection against dynamically changing abnormal traffic and improving the response speed of protection.
In one embodiment shown, in the process of determining whether the filtered traffic is normal traffic, if the filtered traffic is normal traffic, the network protection equipment updates the traffic feature model corresponding to the filtered traffic into the preset normal traffic feature model.
For example, in practical applications, normal network traffic changes continuously over time, so the traffic model corresponding to normal network traffic also changes continuously. The network protection equipment therefore continuously updates the traffic feature model corresponding to the filtered traffic in each preset period into the preset normal traffic feature model, so that the preset normal traffic feature model truly and accurately reflects the current state of the network traffic. In this way the network protection equipment effectively improves protection accuracy and avoids normal traffic being misidentified as abnormal traffic.
Of course, in practical applications, in addition to the network protection equipment automatically learning and updating the preset normal traffic feature model, the user may also manually modify the model parameters to improve the accuracy of the model.
In the above technical solution, a corresponding traffic feature model is learned and established by performing traffic feature learning on filtered network traffic; whether the corresponding traffic is abnormal traffic is judged based on the traffic feature model, and if so, the traffic is blocked, so that the response speed and accuracy of protection against complex and changing abnormal traffic attacks are effectively improved in real time.
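As an added illustration, not code from the patent or from its assignee, the following Python sketch runs steps 102 to 106 end to end on constructed traffic: sampling by protocol within one period, per-flow statistics of message features stored in a table keyed by a hash of the five-tuple, comparison with a preset normal model under a tolerance threshold (relative 10%, so 5000/second accepts 4500-5500/second as in the example above), a blocking rule for each flow judged abnormal, and an update of the normal model from flows judged normal. The particular feature set (packets per second, mean length, SYN ratio), the relative/absolute tolerance split, the exponential moving average used for the update, the rule format, the per-flow sample limit and the sample packets are all assumptions; the patent specifies none of them.

```python
from collections import defaultdict
from dataclasses import dataclass
import hashlib


@dataclass(frozen=True)
class Packet:
    """One sampled message: the IP five-tuple plus the header features the text names."""
    src: str
    dst: str
    sport: int
    dport: int
    proto: str         # "TCP", "UDP", "ICMP"
    length: int
    syn: bool = False  # TCP SYN flag (the text's FLAG bits)

    def five_tuple(self):
        return (self.proto, self.src, self.dst, self.sport, self.dport)

# Feature -> how its deviation from the normal model is measured (this split is an assumption).
FEATURES = {"pps": "relative", "mean_len": "relative", "syn_ratio": "absolute"}

def sample_by_protocol(packets, per_flow_limit=10000):
    """Step 104, sampling: group one period's filtered traffic by protocol, keeping at most
    per_flow_limit messages per flow (the limit value is constructed)."""
    kept, sampled = defaultdict(int), defaultdict(list)   # sampled: proto -> [Packet]
    for p in packets:
        ft = p.five_tuple()
        if kept[ft] < per_flow_limit:
            kept[ft] += 1
            sampled[p.proto].append(p)
    return sampled

def build_traffic_model(sampled, period_seconds):
    """Step 104, statistics: count message features per flow into a feature table keyed by a
    hash of the five-tuple, as the text describes."""
    model = {}
    for proto, pkts in sampled.items():
        per_flow = defaultdict(list)
        for p in pkts:
            per_flow[p.five_tuple()].append(p)
        for ft, fl in per_flow.items():
            key = hashlib.sha256("|".join(map(str, ft)).encode()).hexdigest()[:16]
            model[key] = {"five_tuple": ft, "proto": proto,
                          "pps": len(fl) / period_seconds,
                          "mean_len": sum(p.length for p in fl) / len(fl),
                          "syn_ratio": sum(p.syn for p in fl) / len(fl)}
    return model

def within_tolerance(observed, expected, tolerance, mode="relative"):
    """Tolerance threshold: relative (5000/s with 0.10 accepts 4500-5500/s, the text's example)
    or absolute (used for ratios)."""
    bound = tolerance * expected if mode == "relative" else tolerance
    return abs(observed - expected) <= bound

def compare(traffic_model, normal_model, tolerance=0.10):
    """Step 106: a flow is normal only if every feature is within tolerance of the preset
    normal model for its protocol; a protocol with no normal entry cannot match."""
    verdicts = {}
    for key, feat in traffic_model.items():
        ref = normal_model.get(feat["proto"])
        ok = ref is not None and all(within_tolerance(feat[n], ref[n], tolerance, mode)
                                     for n, mode in FEATURES.items())
        verdicts[key] = "normal" if ok else "abnormal"
    return verdicts

def block_rule(feat):
    """Protection rule issued for an abnormal flow: drop its five-tuple (rule format is constructed)."""
    proto, src, dst, sport, dport = feat["five_tuple"]
    return {"action": "drop", "proto": proto, "src": src, "dst": dst, "sport": sport, "dport": dport}

def update_normal_model(normal_model, traffic_model, verdicts, alpha=0.2):
    """Fold flows judged normal back into the preset normal model. The exponential moving
    average is an assumption; the text only says the model is updated every period."""
    for key, verdict in verdicts.items():
        if verdict == "normal":
            ref, feat = normal_model[traffic_model[key]["proto"]], traffic_model[key]
            for n in FEATURES:
                ref[n] = (1 - alpha) * ref[n] + alpha * feat[n]
    return normal_model

def demo():
    """Constructed one-second slice of filtered traffic (the text samples per minute; a short
    slice keeps the sample small). Returns verdicts keyed by five-tuple, rules and the model."""
    normal_model = {"TCP": {"pps": 5000.0, "mean_len": 600.0, "syn_ratio": 0.02},
                    "UDP": {"pps": 1000.0, "mean_len": 512.0, "syn_ratio": 0.0}}
    pkts = [Packet("10.0.0.5", "10.0.0.1", 40000, 443, "TCP", 600, syn=i < 100) for i in range(5000)]
    pkts += [Packet("10.0.0.6", "10.0.0.1", 50000, 53, "UDP", 512) for _ in range(1000)]
    pkts += [Packet("198.51.100.7", "10.0.0.1", 5555, 443, "TCP", 60, syn=True) for _ in range(6000)]
    pkts += [Packet("198.51.100.8", "10.0.0.1", 6666, 53, "UDP", 9000) for _ in range(1000)]
    tm = build_traffic_model(sample_by_protocol(pkts), period_seconds=1.0)
    verdicts = compare(tm, normal_model)
    rules = [block_rule(tm[k]) for k, v in verdicts.items() if v == "abnormal"]
    update_normal_model(normal_model, tm, verdicts)
    return {"verdicts": {tm[k]["five_tuple"]: v for k, v in verdicts.items()},
            "rules": rules, "normal_model": normal_model}
```

In `demo()`, the two constructed flows that stay within tolerance are judged normal, while the 6000/second SYN flow and the flow of 9000-byte UDP messages (mirroring the 6000/second and greater-than-8192-byte examples above) are judged abnormal and each receives a drop rule. Two points a practitioner would check in a real deployment: `compare` fails closed for a protocol that has no entry in the normal model, and the automatic update of the normal model means that traffic which stays just inside the tolerance band in every period is folded into the baseline, so the baseline can drift; the manual parameter review the text mentions is the natural place to catch that.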
Fig. 2 is a block diagram of an abnormal traffic attack protection device provided by an exemplary embodiment of this application. Corresponding to the above method embodiment, this application also provides an embodiment of an abnormal traffic attack protection device, applied to network protection equipment. Referring to the abnormal traffic attack protection device 20 illustrated in Fig. 2, the device comprises:
a filtering module 201, which filters received network traffic to obtain filtered traffic;
a learning module 202, which performs traffic feature learning on the filtered traffic to determine a corresponding traffic feature model;
a protection module 203, which compares the traffic feature model with a preset normal traffic feature model to determine whether the filtered traffic is normal traffic, and blocks the filtered traffic if the filtered traffic is abnormal traffic.
In this embodiment, the learning module 202 further:
based on a preset period, samples the filtered traffic by protocol type to obtain corresponding sampled traffic;
counts the message features in the sampled traffic and, based on the statistics of the message features, determines the traffic feature model corresponding to the filtered traffic.
In this embodiment, the protection module 203 further:
matches the message features included in the traffic feature model against the message features included in the preset normal traffic feature model;
if the message features included in the traffic feature model match the message features included in the preset normal traffic feature model, or are within a preset tolerance threshold, determines that the filtered traffic is normal traffic; otherwise, determines that the filtered traffic is abnormal traffic.
In this embodiment, the protection module 203 further:
if the filtered traffic is normal traffic, updates the traffic feature model corresponding to the filtered traffic into the preset normal traffic feature model.
For device embodiment, since it corresponds essentially to embodiment of the method, so related place is referring to method reality Apply the part explanation of example.The apparatus embodiments described above are merely exemplary, wherein described be used as separation unit The module of explanation may or may not be physically separated, and the component shown as module can be or can also be with It is not physical module, it can it is in one place, or may be distributed on multiple network modules.It can be according to actual The purpose for needing to select some or all of the modules therein to realize application scheme.Those of ordinary skill in the art are not paying Out in the case where creative work, it can understand and implement.
System, device, module or the module that above-described embodiment illustrates can specifically realize by computer chip or entity, Or it is realized by the product with certain function.A kind of typically to realize that equipment is computer, the concrete form of computer can To be personal computer, laptop computer, cellular phone, camera phone, smart phone, personal digital assistant, media play In device, navigation equipment, E-mail receiver/send equipment, game console, tablet computer, wearable device or these equipment The combination of any several equipment.
The embodiment of the abnormal flow attack protective device of the application can be using on electronic equipment shown in Fig. 3.Dress Setting embodiment can also be realized by software realization by way of hardware or software and hardware combining.It is implemented in software to be Example, as the device on a logical meaning, being will be in machine readable storage medium by the processor of electronic equipment where it Corresponding computer program instructions run the machine-executable instruction of formation after reading.For hardware view, as shown in figure 3, A kind of hardware structure diagram that protective device place electronic equipment is attacked for the abnormal flow of the application, in addition to processing shown in Fig. 3 Except device, communication interface, bus and machine readable storage medium, the electronic equipment in embodiment where device is generally according to this The actual functional capability of electronic equipment can also include other hardware, repeat no more to this.
Accordingly, the embodiment of the application also provides the hardware configuration of an electronic equipment for the device shown in Fig. 2. Refer to Fig. 3, which is a hardware structural diagram of an electronic equipment provided by an embodiment of the application. The equipment includes: communication interface 301, processor 302, machine-readable storage medium 303 and bus 303; the communication interface 301, processor 302 and machine-readable storage medium 303 communicate with each other via bus 303. The communication interface 301 is used for network communication. The processor 302 may be a central processing unit (CPU); the processor 302 can execute machine-readable instructions stored in the machine-readable storage medium 303 to implement the process described above.
The machine-readable storage medium 303 referred to herein may be any electronic, magnetic, optical or other physical storage device that can contain or store information such as executable instructions, data, etc. For example, the machine-readable storage medium may be volatile memory, non-volatile memory or a similar storage medium. Specifically, the machine-readable storage medium 303 may be RAM (Random Access Memory), flash memory, a storage drive (such as a hard disk drive), a solid-state disk, any type of storage disc (such as CD, DVD) or a similar storage medium, or a combination thereof.
This completes the description of the hardware configuration shown in Fig. 3.
In addition, the embodiment of the application also provides a machine-readable storage medium including machine-executable instructions, for example the machine-readable storage medium 303 in Fig. 3; the machine-executable instructions can be executed by the processor 302 of the data processing device to implement the data processing method described above.
The implementation process of the functions and effects of each unit in the above device is detailed in the implementation process of the corresponding steps in the above method, and is not repeated here.
Those skilled in the art, after considering the specification and practising the invention disclosed here, will readily conceive of other embodiments of the application. This application is intended to cover any variations, uses or adaptations of the application that follow its general principles and include common knowledge or conventional techniques in the art not disclosed in the application. The description and examples are to be considered illustrative only, and the true scope and spirit of the application are indicated by the following claims.
It should be understood that the application is not limited to the precise structure described above and shown in the drawings, and that various modifications and changes may be made without departing from its scope. The scope of the application is limited only by the appended claims.
The foregoing are merely preferred embodiments of the application and are not intended to limit it; any modification, equivalent substitution, improvement and the like made within the spirit and principles of the application shall be included within the scope of protection of the application.

Claims (10)

1. An abnormal traffic attack protection method, characterized in that the method is applied to network protection equipment and comprises:
filtering the received network traffic to obtain filtered traffic;
performing traffic characteristic learning on the filtered traffic to determine a corresponding traffic characteristic model;
comparing the traffic characteristic model with a preset normal-traffic characteristic model to determine whether the filtered traffic is normal traffic; and if the filtered traffic is abnormal traffic, blocking the filtered traffic.
2. The method according to claim 1, characterized in that performing traffic characteristic learning on the filtered traffic to determine the corresponding traffic characteristic model comprises:
sampling the filtered traffic by protocol type at a predetermined period to obtain corresponding sampled traffic;
counting the message characteristics in the sampled traffic and, based on the statistical data of the message characteristics, determining the traffic characteristic model corresponding to the filtered traffic.
3. The method according to claim 1, characterized in that comparing the traffic characteristic model with the preset normal-traffic characteristic model to determine whether the filtered traffic is normal traffic comprises:
matching the message characteristics contained in the traffic characteristic model against the message characteristics contained in the preset normal-traffic characteristic model;
if the message characteristics contained in the traffic characteristic model match those contained in the preset normal-traffic characteristic model, or fall within a preset tolerance threshold, determining that the filtered traffic is normal traffic; otherwise, determining that the filtered traffic is abnormal traffic.
4. The method according to claim 1, characterized in that it further comprises:
if the filtered traffic is normal traffic, updating the traffic characteristic model corresponding to the filtered traffic into the preset normal-traffic characteristic model.
5. An abnormal traffic attack protection device, characterized in that the device is applied to network protection equipment and comprises:
a filtering module, which filters the received network traffic to obtain filtered traffic;
a learning module, which performs traffic characteristic learning on the filtered traffic to determine a corresponding traffic characteristic model;
a protection module, which compares the traffic characteristic model with a preset normal-traffic characteristic model to determine whether the filtered traffic is normal traffic, and blocks the filtered traffic if it is abnormal traffic.
6. The device according to claim 5, characterized in that the learning module further:
samples the filtered traffic by protocol type at a predetermined period to obtain corresponding sampled traffic;
counts the message characteristics in the sampled traffic and, based on the statistical data of the message characteristics, determines the traffic characteristic model corresponding to the filtered traffic.
7. The device according to claim 5, characterized in that the protection module further:
matches the message characteristics contained in the traffic characteristic model against the message characteristics contained in the preset normal-traffic characteristic model;
if the message characteristics contained in the traffic characteristic model match those contained in the preset normal-traffic characteristic model, or fall within a preset tolerance threshold, determines that the filtered traffic is normal traffic; otherwise, determines that the filtered traffic is abnormal traffic.
8. The device according to claim 5, characterized in that the protection module further:
if the filtered traffic is normal traffic, updates the traffic characteristic model corresponding to the filtered traffic into the preset normal-traffic characteristic model.
9. An electronic equipment, characterized in that it comprises a communication interface, a processor, a memory and a bus, the communication interface, the processor and the memory being connected to each other via the bus;
the memory stores machine-readable instructions, and the processor executes the method according to any one of claims 1 to 4 by calling the machine-readable instructions.
10. A machine-readable storage medium, characterized in that the machine-readable storage medium stores machine-readable instructions which, when called and executed by a processor, implement the method according to any one of claims 1 to 4.
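The loop of claims 1 to 4 (filter, sample by protocol per period, count message characteristics, compare against a preset normal-traffic model within a tolerance, then block or fold the model into the baseline), written out as an added Python example that is not the patent's own code. The packet records, the three counted features (count, mean size, SYN share), the relative tolerance and the moving-average update are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample input (not a real capture): one dict per message/packet.
def make_window(n, proto, size, flags, t0, dt=0.01):
    return [{"t": t0 + i * dt, "proto": proto, "size": size, "flags": flags,
             "dport": 80 if proto == "tcp" else 53} for i in range(n)]

NORMAL = make_window(40, "tcp", 600, "A", 0.0) + make_window(10, "udp", 120, "", 0.0)
SYN_FLOOD = make_window(400, "tcp", 60, "S", 1.0)   # many tiny SYN-only messages

def filter_traffic(packets, allowed_ports=(53, 80, 443)):
    """Claim 1, step 1: static filtering; only messages to allowed ports pass."""
    return [p for p in packets if p["dport"] in allowed_ports]

def sample_by_protocol(packets, t_start, period):
    """Claim 2: sample one period of filtered traffic, grouped by protocol type."""
    groups = defaultdict(list)
    for p in packets:
        if t_start <= p["t"] < t_start + period:
            groups[p["proto"]].append(p)
    return groups

def learn_model(sampled):
    """Claim 2: count message characteristics per protocol (hypothetical features)."""
    model = {}
    for proto, pkts in sampled.items():
        n = len(pkts)
        model[proto] = {"count": n,
                        "mean_size": sum(p["size"] for p in pkts) / n,
                        "syn_ratio": sum(p["flags"] == "S" for p in pkts) / n}
    return model

def is_normal(model, baseline, tolerance):
    """Claim 3: each feature must match the baseline within a relative tolerance."""
    for proto, feats in model.items():
        ref = baseline.get(proto)
        if ref is None:
            return False                  # protocol never seen in normal traffic
        for name, value in feats.items():
            if abs(value - ref[name]) > tolerance * max(ref[name], 1.0):
                return False
    return True                           # an empty window trivially matches

def protect(packets, baseline, t_start, period=1.0, tolerance=0.2, alpha=0.3):
    """Whole loop: block abnormal traffic, otherwise update the baseline (claim 4)."""
    model = learn_model(sample_by_protocol(filter_traffic(packets), t_start, period))
    if not is_normal(model, baseline, tolerance):
        return "block", baseline
    for proto, feats in model.items():    # exponential moving average update
        for name, value in feats.items():
            baseline[proto][name] += alpha * (value - baseline[proto][name])
    return "allow", baseline
```

The baseline is learned from a known-good window first; a SYN flood then fails on count, mean size and SYN share at once, and a protocol absent from the baseline is rejected rather than silently learned.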
CN201910789754.2A 2019-08-26 2019-08-26 Abnormal flow attack guarding method, device, electronic equipment Pending CN110445808A (en)
Publications (1)

Publication Number Publication Date
CN110445808A true CN110445808A (en) 2019-11-12
Legal Events

Code Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20191112