CN110445808A - Abnormal traffic attack protection method and device, and electronic device - Google Patents
- Publication number
- CN110445808A (application number CN201910789754.2A)
- Authority
- CN
- China
- Prior art keywords
- traffic
- filtering
- feature model
- normal traffic
- feature
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/14—Network analysis or design
- H04L41/142—Network analysis or design using statistical or mathematical methods
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0227—Filtering policies
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1425—Traffic logging, e.g. anomaly detection
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/1458—Denial of Service
Abstract
The present application provides an abnormal traffic attack protection method and device, an electronic device and a machine-readable storage medium. In the application, received network traffic is filtered to obtain filtered traffic; traffic feature learning is performed on the filtered traffic to determine a corresponding traffic feature model; the traffic feature model is compared with a preset normal traffic feature model to determine whether the filtered traffic is normal traffic; and if the filtered traffic is abnormal traffic, the filtered traffic is blocked. This effectively improves the response speed and accuracy of protection against abnormal traffic attacks that are complex and change in real time.
Description
Technical field
The present application relates to the field of communication technology, and in particular to an abnormal traffic attack protection method and device, an electronic device and a machine-readable storage medium.
Background technique
DDoS (Distributed Denial of Service) refers to an attack in which multiple attackers located in different places attack one or several targets at the same time, or in which a single attacker controls multiple machines located in different places and uses them to attack the victim simultaneously. Because the sources of the attack are distributed across different places, this kind of attack is called a distributed denial-of-service attack.
Widely connected, high-speed networks bring convenience to users, but they also create very favourable conditions for DDoS attacks. In the era of slow networks, a hacker capturing puppet machines for an attack would always prefer machines close to the target network, because fewer router hops gave a better effect. Now that the connection bandwidth between telecommunications backbone nodes is at the 10G or 100G level, a DDoS attack can be launched from farther away or from other cities; the attacker's puppet machines can be distributed over a much wider range and can be selected more flexibly.
For example, in a common DDoS attack a DDoS master program is installed on one computer and communicates with a large number of hosts on the Internet on which a DDoS agent program has been installed; when an agent program receives an attack instruction from the master program, it launches the DDoS attack. Using client/server techniques, the master program can trigger the operation of hundreds or thousands of agent programs within seconds.
Summary of the invention
The present application provides an abnormal traffic attack protection method. The method is applied to a network protection device and includes:
filtering received network traffic to obtain filtered traffic;
performing traffic feature learning on the filtered traffic to determine a corresponding traffic feature model;
comparing the traffic feature model with a preset normal traffic feature model to determine whether the filtered traffic is normal traffic; and, if the filtered traffic is abnormal traffic, blocking the filtered traffic.
Optionally, performing traffic feature learning on the filtered traffic to determine the corresponding traffic feature model includes:
sampling the filtered traffic by protocol type at a predetermined period to obtain corresponding sampled traffic;
counting the packet features in the sampled traffic, and determining the traffic feature model corresponding to the filtered traffic from the statistics of the packet features.
Optionally, comparing the traffic feature model with the preset normal traffic feature model to determine whether the filtered traffic is normal traffic includes:
matching the packet features contained in the traffic feature model against the packet features contained in the preset normal traffic feature model;
if the packet features contained in the traffic feature model match those contained in the preset normal traffic feature model, or differ from them by no more than a preset tolerance threshold, determining that the filtered traffic is normal traffic; otherwise, determining that the filtered traffic is abnormal traffic.
Optionally, the method further includes:
if the filtered traffic is normal traffic, updating the traffic feature model corresponding to the filtered traffic into the preset normal traffic feature model.
The present application also provides an abnormal traffic attack protection device. The device is applied to a network protection device and includes:
a filtering module, which filters received network traffic to obtain filtered traffic;
a learning module, which performs traffic feature learning on the filtered traffic to determine a corresponding traffic feature model;
a protection module, which compares the traffic feature model with a preset normal traffic feature model to determine whether the filtered traffic is normal traffic, and blocks the filtered traffic if it is abnormal traffic.
Optionally, the learning module further:
samples the filtered traffic by protocol type at a predetermined period to obtain corresponding sampled traffic;
counts the packet features in the sampled traffic, and determines the traffic feature model corresponding to the filtered traffic from the statistics of the packet features.
Optionally, the protection module further:
matches the packet features contained in the traffic feature model against the packet features contained in the preset normal traffic feature model;
if the packet features contained in the traffic feature model match those contained in the preset normal traffic feature model, or differ from them by no more than a preset tolerance threshold, determines that the filtered traffic is normal traffic; otherwise, determines that the filtered traffic is abnormal traffic.
Optionally, the protection module further:
if the filtered traffic is normal traffic, updates the traffic feature model corresponding to the filtered traffic into the preset normal traffic feature model.
The present application also provides an electronic device including a communication interface, a processor, a memory and a bus, where the communication interface, the processor and the memory are connected to one another through the bus; the memory stores machine-readable instructions, and the processor performs the above method by invoking the machine-readable instructions.
The present application also provides a machine-readable storage medium storing machine-readable instructions which, when invoked and executed by a processor, implement the above method.
Through the above embodiments, a traffic feature model is learned and established by performing traffic feature learning on filtered network traffic, and the traffic feature model is used to judge whether the corresponding traffic is abnormal and, if so, to block it. Protection against complex, real-time-changing abnormal traffic attacks therefore gains effectively in both response speed and accuracy.
Detailed description of the invention
Fig. 1 is a flowchart of an abnormal traffic attack protection method provided by an exemplary embodiment;
Fig. 2 is a block diagram of an abnormal traffic attack protection device provided by an exemplary embodiment;
Fig. 3 is a hardware structure diagram of an electronic device provided by an exemplary embodiment.
Specific embodiment
Exemplary embodiments are described in detail here, and examples are illustrated in the accompanying drawings. Where the following description refers to the drawings, the same numerals in different drawings denote the same or similar elements unless otherwise indicated. The implementations described in the following exemplary embodiments do not represent all implementations consistent with the present application; rather, they are merely examples of devices and methods consistent with some aspects of the present application as detailed in the appended claims.
The terms used in the present application are for the purpose of describing particular embodiments only and are not intended to limit the application. The singular forms "a", "an", "said" and "the" used in the application and the appended claims are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any and all possible combinations of one or more of the associated listed items.
It should be understood that although the terms first, second, third, etc. may be used in the present application to describe various information, the information should not be limited by these terms. These terms are only used to distinguish information of the same type from one another. For example, without departing from the scope of the present application, first information may also be called second information, and similarly second information may also be called first information. Depending on the context, the word "if" as used herein may be construed as "when", "upon" or "in response to determining".
To help those skilled in the art better understand the technical solution of the embodiments of the present application, the related technology of abnormal traffic attack protection involved in the embodiments is first briefly described below.
In some scenarios, the existing technical solution against DDoS-based abnormal traffic attacks is usually one of the following: DPI (Deep Packet Inspection) matching and corresponding protection rules for abnormal traffic with known traffic-feature types are added manually in advance, based on experience; or, after a DDoS attack has started, the traffic features of the attack traffic are first analysed manually, and the DPI matching and corresponding protection rules are then configured by hand.
In these scenarios, protection against abnormal traffic attacks depends on human experience and manual configuration. On the one hand, normal traffic may be blocked because a protection rule was configured incorrectly; on the other hand, preset protection rules may be unable to recognise the traffic features of today's flexible and changeable abnormal traffic.
The present application is directed to a technical solution in which traffic feature learning is performed on filtered network traffic to determine a corresponding traffic feature model, and blocking protection is performed when the traffic feature model indicates that the corresponding traffic is abnormal.
In implementation, the network protection device filters the received network traffic to obtain filtered traffic; performs traffic feature learning on the filtered traffic to determine a corresponding traffic feature model; compares the traffic feature model with a preset normal traffic feature model to determine whether the filtered traffic is normal traffic; and, if the filtered traffic is abnormal traffic, blocks the filtered traffic.
In the above solution, a traffic feature model is learned and established by performing traffic feature learning on filtered network traffic, and the traffic feature model is used to judge whether the corresponding traffic is abnormal and, if so, to block it, so that protection against complex, real-time-changing abnormal traffic attacks gains effectively in both response speed and accuracy.
The present application is described below by way of specific embodiments in combination with specific application scenarios.
Referring to Fig. 1, which is a flowchart of an abnormal traffic attack protection method provided by an embodiment of the present application, the method is applied to a network protection device and performs the following steps:
Step 102: filter the received network traffic to obtain filtered traffic.
Step 104: perform traffic feature learning on the filtered traffic to determine a corresponding traffic feature model.
Step 106: compare the traffic feature model with a preset normal traffic feature model to determine whether the filtered traffic is normal traffic; if the filtered traffic is abnormal traffic, block the filtered traffic.
In this specification, the network protection device includes any form of network device that supports network traffic detection and protection.
For example, in practice the network protection device may be a firewall, an intrusion prevention device or the like that supports network traffic detection and protection.
In this specification, the network traffic includes network traffic of any protocol entering the network protection device.
For example, the network traffic may include one or more of TCP traffic, UDP traffic, ICMP traffic and traffic of other protocols entering the network protection device.
It should be noted that the network traffic may include normal traffic and may also include DDoS abnormal traffic.
For example, the network traffic may include three kinds of traffic: normal TCP traffic, normal UDP traffic and abnormal DDoS ICMP traffic.
In this specification, the filtered traffic refers to the network traffic that remains after the network protection device has filtered it according to the filtering rules corresponding to the preset normal traffic feature model.
Continuing the above example, the filtered traffic may include the normal TCP traffic and the normal UDP traffic that remain after the network protection device has applied the filtering rules corresponding to the preset normal traffic feature model; that is, the filtered traffic is all or part of the network traffic.
It should be noted that the filtered traffic may be genuinely normal traffic, but it may also be abnormal traffic that the preset normal traffic feature model failed to identify correctly.
In this specification, the network protection device filters the network traffic to obtain the filtered traffic.
Further, the network protection device performs traffic feature learning on the filtered traffic to determine a corresponding traffic feature model.
For example, the filtered traffic may include several TCP flows and UDP flows; the network protection device performs traffic feature learning on the filtered traffic and determines a traffic feature model for each flow.
In one embodiment shown, the network protection device samples the filtered traffic by protocol type at a predetermined period to obtain corresponding sampled traffic.
Continuing the above example, every minute the network protection device may sample the filtered traffic separately for each protocol type, such as TCP, UDP or other protocols (for example, collecting a specified number of packets from each flow), to obtain the corresponding sampled traffic.
It should be noted that the sampled traffic is the aggregate of the sampled traffic of all protocols.
In this specification, the network protection device counts the packet features in the sampled traffic; the packet features may include the IP five-tuple of the packet, features of the packet payload, the packet sending frequency, and so on.
For example, in implementation the network protection device may identify the packet features using DPI, convert each packet feature into a hash value with a hash function and store it in a traffic feature table, and further count the number of occurrences of each packet feature in the sampled traffic.
Of course, the packet features may also include the packet length, user-defined features, and so on. If the sampled traffic is TCP traffic, the packet features may also include the sequence number, acknowledgement number, FLAG bits, etc. of the packets.
In this specification, the traffic feature model refers to the traffic feature model corresponding to the sampled traffic that in turn corresponds to the filtered traffic.
Further, the network protection device determines the traffic feature model from the statistics of the packet features.
For example, if the statistics of the packet features show that, within a one-minute sample, a TCP flow sends more than 10000 packets per second and this persists for 24 hours, the network protection device takes these statistics as the traffic feature model corresponding to that flow (the flow can be located by its IP five-tuple).
As another example, if the statistics show that, within a one-minute sample, the packet length of a UDP flow exceeds 8192 bytes and this persists for 2 hours, the network protection device takes these statistics as the traffic feature model corresponding to that flow (located by its IP five-tuple).
As a further example, if the statistics show that, within a one-minute sample, a TCP flow consists of a massive number of TCP SYN packets sent continuously from the same IP address, the network protection device takes these statistics as the traffic feature model corresponding to that flow (located by its IP five-tuple).
Of course, in practice the traffic feature model may include the traffic feature models of one or more flows.
In this specification, after learning has determined the traffic feature model corresponding to the filtered traffic, the network protection device compares the traffic feature model with the preset normal traffic feature model to determine whether the filtered traffic is normal traffic.
In one embodiment shown, the network protection device matches the packet features contained in the traffic feature model against the packet features contained in the preset normal traffic feature model; if the packet features contained in the traffic feature model match those contained in the preset normal traffic feature model, or differ from them by no more than a preset tolerance threshold, it determines that the filtered traffic is normal traffic; otherwise, it determines that the filtered traffic is abnormal traffic.
For example, the packet features contained in the traffic feature model are: within one minute, a TCP flow sends 5000 packets per second. The packet features contained in the preset normal traffic feature model are: within one minute, a TCP flow sends 5000 packets per second, or a rate within the range of 4500-5500 packets per second (the preset tolerance threshold). The network protection device then determines that the filtered traffic is normal traffic.
As another example, the packet features contained in the traffic feature model are: within one minute, a TCP flow sends 6000 packets per second. The packet features contained in the preset normal traffic feature model are again 5000 packets per second, or a rate within the range of 4500-5500 packets per second (the preset tolerance threshold). The network protection device then determines that the filtered traffic is abnormal traffic.
In this specification, if the filtered traffic is determined to be abnormal traffic while determining whether it is normal traffic, the network protection device blocks the filtered traffic.
For example, in implementation, for filtered traffic that is abnormal, the network protection device can create, issue and enable a corresponding traffic identification and blocking protection rule from the traffic feature model of that traffic, so that dynamically changing abnormal traffic is protected against in near real time and the response speed of protection improves.
In one embodiment shown, if the filtered traffic is determined to be normal traffic while determining whether it is normal traffic, the network protection device updates the traffic feature model corresponding to the filtered traffic into the preset normal traffic feature model.
For example, in practice normal network traffic changes continually over time, so the traffic model corresponding to normal network traffic also changes continually. The network protection device therefore keeps updating the traffic feature models of the filtered traffic in each predetermined period into the preset normal traffic feature model, so that the preset normal traffic feature model truly and accurately reflects the current state of the network traffic. This effectively improves protection accuracy and avoids normal traffic being misidentified as abnormal traffic.
Of course, in practice, in addition to the network protection device learning and automatically updating the preset normal traffic feature model, a user can also modify the model parameters by hand to improve the accuracy of the model.
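The embodiment above describes one sampling period end to end: learn a per-flow feature model from the filtered traffic, compare it with the preset normal model under a tolerance band, derive a blocking rule for abnormal flows, and fold normal flows back into the preset model. The following is an added example written for this page and not code from the patent or its applicant. It keeps the text's 5000 +/- 500 packets-per-second TCP band and its three example features (send frequency, packet length, bare-SYN share); the packet layout, the other tolerance values, the drop-rule format, the exponential-moving-average update and the constructed one-second sample are all assumptions made for illustration.

```python
# Added example, not code from the patent: a minimal Python model of the
# learn / compare / block / update loop described in the embodiment above.
# Packet layout, feature names, the rule format, the non-TCP tolerance bands
# and the moving-average update are assumptions made for illustration.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str          # "TCP", "UDP", "ICMP", ...
    src: str
    sport: int
    dst: str
    dport: int
    length: int         # bytes
    flags: str = ""     # TCP flags as letters: "S" = SYN, "PA" = PSH+ACK


def five_tuple(p):
    return (p.proto, p.src, p.sport, p.dst, p.dport)


def learn_model(packets, window_s):
    """Step 104: count per-flow packet features over one sampling period and
    turn the counts into a feature model, one entry per IP five-tuple."""
    counts = defaultdict(lambda: {"pkts": 0, "bytes": 0, "syn": 0})
    for p in packets:
        c = counts[five_tuple(p)]
        c["pkts"] += 1
        c["bytes"] += p.length
        if p.proto == "TCP" and "S" in p.flags and "A" not in p.flags:
            c["syn"] += 1                       # bare SYN without ACK
    return {key: {"pps": c["pkts"] / window_s,          # send frequency
                  "avg_len": c["bytes"] / c["pkts"],    # packet length
                  "syn_ratio": c["syn"] / c["pkts"]}    # share of bare SYNs
            for key, c in counts.items()}


# Preset normal-traffic model keyed by protocol: feature -> (centre, tolerance).
# TCP pps 5000 +/- 500 is the 4500-5500/s band from the text; the rest is assumed.
BASELINE = {
    "TCP": {"pps": (5000.0, 500.0), "avg_len": (600.0, 300.0), "syn_ratio": (0.02, 0.03)},
    "UDP": {"pps": (1000.0, 200.0), "avg_len": (512.0, 512.0), "syn_ratio": (0.0, 0.0)},
}


def classify(model, baseline):
    """Step 106: a flow is normal only if every learned feature lies inside the
    tolerance band of the preset model for its protocol; a protocol with no
    preset profile is treated as abnormal."""
    verdicts = {}
    for key, feats in model.items():
        base = baseline.get(key[0])
        ok = base is not None and all(abs(feats[n] - c) <= t for n, (c, t) in base.items())
        verdicts[key] = "normal" if ok else "abnormal"
    return verdicts


def block_rule(key):
    """Blocking: a drop rule built from the abnormal flow's five-tuple (assumed format)."""
    proto, src, sport, dst, dport = key
    return {"action": "drop", "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport}


def update_baseline(baseline, model, verdicts, alpha=0.2):
    """Fold the features of flows judged normal into the preset model so it
    follows drift; returns a new model and leaves the input untouched."""
    new = {proto: dict(feats) for proto, feats in baseline.items()}
    for key, verdict in verdicts.items():
        if verdict == "normal":
            for n, (c, t) in new[key[0]].items():
                new[key[0]][n] = ((1 - alpha) * c + alpha * model[key][n], t)
    return new


def run_period(packets, baseline, window_s=1.0):
    """One sampling period end to end: learn, compare, emit rules, update."""
    model = learn_model(packets, window_s)
    verdicts = classify(model, baseline)
    rules = [block_rule(k) for k, v in verdicts.items() if v == "abnormal"]
    return verdicts, rules, update_baseline(baseline, model, verdicts)


def sample_second():
    """Constructed one-second sample (documentation addresses): a normal TCP
    flow, a TCP flow at 6000 pkt/s, a bare-SYN flood from one address, a
    normal UDP flow and a UDP flow of 9000-byte datagrams."""
    def flow(n, *fields):
        return [Packet(*fields) for _ in range(n)]
    return (flow(5000, "TCP", "10.0.0.5", 40000, "10.0.0.1", 443, 600, "PA")
            + flow(6000, "TCP", "10.0.0.6", 40001, "10.0.0.1", 443, 600, "PA")
            + flow(5000, "TCP", "198.51.100.7", 1234, "10.0.0.1", 80, 60, "S")
            + flow(1000, "UDP", "10.0.0.8", 5353, "10.0.0.1", 53, 400)
            + flow(1000, "UDP", "203.0.113.9", 9999, "10.0.0.1", 53, 9000))


if __name__ == "__main__":
    verdicts, rules, new_base = run_period(sample_second(), BASELINE)
    for key, v in verdicts.items():
        print(v, key)
    print(len(rules), "block rule(s); TCP pps centre now", new_base["TCP"]["pps"][0])
```

Running the script classifies the two well-behaved flows as normal and the other three as abnormal, emits three drop rules, and returns an updated baseline in which only the normal flows have moved the centres. Two practical points follow from the structure rather than from any particular numbers: a flow that exceeds the band on any single feature is abnormal, so the SYN flood is caught both by its packet length and by its SYN share even though its rate sits exactly on the 5000/s centre; and because normal-judged flows feed back into the baseline, traffic kept just inside the tolerance band over many periods drags the centre toward itself, which is why the manual parameter adjustment the text mentions is worth keeping alongside the automatic update.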
In the above technical solution, a traffic feature model is learned and established by performing traffic feature learning on filtered network traffic, and the traffic feature model is used to judge whether the corresponding traffic is abnormal and, if so, to block it, so that protection against complex, real-time-changing abnormal traffic attacks gains effectively in both response speed and accuracy.
Fig. 2 is a block diagram of an abnormal traffic attack protection device provided by an exemplary embodiment of the present application. Corresponding to the above method embodiment, the present application also provides an embodiment of an abnormal traffic attack protection device, applied to a network protection device. Referring to the abnormal traffic attack protection device 20 shown in Fig. 2, the device includes:
a filtering module 201, which filters the received network traffic to obtain filtered traffic;
a learning module 202, which performs traffic feature learning on the filtered traffic to determine a corresponding traffic feature model;
a protection module 203, which compares the traffic feature model with a preset normal traffic feature model to determine whether the filtered traffic is normal traffic, and blocks the filtered traffic if it is abnormal traffic.
In this embodiment, the learning module 202 further:
samples the filtered traffic by protocol type at a predetermined period to obtain corresponding sampled traffic;
counts the packet features in the sampled traffic, and determines the traffic feature model corresponding to the filtered traffic from the statistics of the packet features.
In this embodiment, the protection module 203 further:
matches the packet features contained in the traffic feature model against the packet features contained in the preset normal traffic feature model;
if the packet features contained in the traffic feature model match those contained in the preset normal traffic feature model, or differ from them by no more than a preset tolerance threshold, determines that the filtered traffic is normal traffic; otherwise, determines that the filtered traffic is abnormal traffic.
In this embodiment, the protection module 203 further:
if the filtered traffic is normal traffic, updates the traffic feature model corresponding to the filtered traffic into the preset normal traffic feature model.
Since the device embodiment essentially corresponds to the method embodiment, reference may be made to the description of the method embodiment for the relevant details. The device embodiment described above is merely illustrative: the modules described as separate components may or may not be physically separate, and a component shown as a module may or may not be a physical module; it may be located in one place or distributed over multiple network modules. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present application. Those of ordinary skill in the art can understand and implement this without creative effort.
System, device, module or the module that above-described embodiment illustrates can specifically realize by computer chip or entity,
Or it is realized by the product with certain function.A kind of typically to realize that equipment is computer, the concrete form of computer can
To be personal computer, laptop computer, cellular phone, camera phone, smart phone, personal digital assistant, media play
In device, navigation equipment, E-mail receiver/send equipment, game console, tablet computer, wearable device or these equipment
The combination of any several equipment.
The embodiment of the abnormal flow attack protective device of the application can be using on electronic equipment shown in Fig. 3.Dress
Setting embodiment can also be realized by software realization by way of hardware or software and hardware combining.It is implemented in software to be
Example, as the device on a logical meaning, being will be in machine readable storage medium by the processor of electronic equipment where it
Corresponding computer program instructions run the machine-executable instruction of formation after reading.For hardware view, as shown in figure 3,
A kind of hardware structure diagram that protective device place electronic equipment is attacked for the abnormal flow of the application, in addition to processing shown in Fig. 3
Except device, communication interface, bus and machine readable storage medium, the electronic equipment in embodiment where device is generally according to this
The actual functional capability of electronic equipment can also include other hardware, repeat no more to this.
Accordingly, the embodiment of the present application also provides a hardware structure of an electronic device hosting the apparatus shown in Fig. 2. Referring to Fig. 3, Fig. 3 is a hardware structure diagram of an electronic device provided by an embodiment of the present application. The device includes a communication interface 301, a processor 302, a machine readable storage medium 303 and a bus 303, where the communication interface 301, the processor 302 and the machine readable storage medium 303 communicate with one another via the bus 303. The communication interface 301 is used for network communication. The processor 302 may be a central processing unit (CPU), and can execute the machine readable instructions stored in the machine readable storage medium 303 to implement the process described above.
The machine readable storage medium 303 referred to herein may be any electronic, magnetic, optical or other physical storage device that can contain or store information such as executable instructions and data. For example, the machine readable storage medium may be volatile memory, non-volatile memory or a similar storage medium. Specifically, the machine readable storage medium 303 may be RAM (Random Access Memory), flash memory, a storage drive (such as a hard disk drive), a solid state drive, any type of storage disc (such as a CD or DVD), a similar storage medium, or a combination of these.
This completes the description of the hardware structure shown in Fig. 3.
In addition, the embodiment of the present application also provides a machine readable storage medium including machine-executable instructions, for example the machine readable storage medium 303 in Fig. 3; the machine-executable instructions can be executed by the processor 302 of the data processing device to implement the data processing method described above.
For the implementation process of the functions and effects of each unit in the above apparatus, refer to the implementation process of the corresponding steps in the above method; it is not repeated here.
Other embodiments of the present application will readily occur to those skilled in the art after considering the specification and practising the invention disclosed herein. The present application is intended to cover any variations, uses or adaptations that follow its general principles and include common knowledge or customary technical means in the art not disclosed herein. The specification and examples are to be regarded as illustrative only; the true scope and spirit of the present application are indicated by the following claims.
It should be understood that the present application is not limited to the precise structures described above and shown in the drawings, and that various modifications and changes may be made without departing from its scope. The scope of the present application is limited only by the appended claims.
The foregoing is merely the preferred embodiments of the present application and is not intended to limit it; any modification, equivalent substitution, improvement, etc. made within the spirit and principles of the present application shall be included within its scope of protection.
Claims (10)
1. An abnormal-traffic attack protection method, characterized in that the method is applied to a network protection device and comprises:
filtering received network traffic to obtain filtered traffic;
performing traffic feature learning on the filtered traffic to determine a corresponding traffic feature model;
comparing the traffic feature model with a preset normal traffic feature model to determine whether the filtered traffic is normal traffic; and, if the filtered traffic is abnormal traffic, blocking the filtered traffic.
2. The method according to claim 1, characterized in that performing traffic feature learning on the filtered traffic and determining the corresponding traffic feature model comprises:
sampling the filtered traffic by protocol type in a predetermined period to obtain corresponding sampled traffic;
counting packet features in the sampled traffic and, based on the statistics of the packet features, determining the traffic feature model corresponding to the filtered traffic.
3. The method according to claim 1, characterized in that comparing the traffic feature model with the preset normal traffic feature model to determine whether the filtered traffic is normal traffic comprises:
matching the packet features included in the traffic feature model against the packet features included in the preset normal traffic feature model;
if the packet features included in the traffic feature model match the packet features included in the preset normal traffic feature model, or lie within a preset tolerance threshold, determining that the filtered traffic is normal traffic; otherwise, determining that the filtered traffic is abnormal traffic.
4. The method according to claim 1, characterized in that it further comprises:
if the filtered traffic is normal traffic, updating the traffic feature model corresponding to the filtered traffic into the preset normal traffic feature model.
5. An abnormal-traffic attack protection apparatus, characterized in that the apparatus is applied to a network protection device and comprises:
a filtering module, which filters received network traffic to obtain filtered traffic;
a learning module, which performs traffic feature learning on the filtered traffic to determine a corresponding traffic feature model;
a protection module, which compares the traffic feature model with a preset normal traffic feature model to determine whether the filtered traffic is normal traffic and, if the filtered traffic is abnormal traffic, blocks the filtered traffic.
6. The apparatus according to claim 5, characterized in that the learning module further:
samples the filtered traffic by protocol type in a predetermined period to obtain corresponding sampled traffic;
counts packet features in the sampled traffic and, based on the statistics of the packet features, determines the traffic feature model corresponding to the filtered traffic.
7. The apparatus according to claim 5, characterized in that the protection module further:
matches the packet features included in the traffic feature model against the packet features included in the preset normal traffic feature model;
if the packet features included in the traffic feature model match the packet features included in the preset normal traffic feature model, or lie within a preset tolerance threshold, determines that the filtered traffic is normal traffic; otherwise, determines that the filtered traffic is abnormal traffic.
8. The apparatus according to claim 5, characterized in that the protection module further:
if the filtered traffic is normal traffic, updates the traffic feature model corresponding to the filtered traffic into the preset normal traffic feature model.
9. An electronic device, characterized in that it comprises a communication interface, a processor, a memory and a bus, the communication interface, the processor and the memory being interconnected by the bus;
machine readable instructions are stored in the memory, and the processor executes the method of any one of claims 1 to 4 by calling the machine readable instructions.
10. A machine readable storage medium, characterized in that the machine readable storage medium stores machine readable instructions which, when called and executed by a processor, implement the method of any one of claims 1 to 4.
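The loop that claims 1 to 4 describe, written out as an added illustrative example. This is not code from the patent or its applicant: the three packet features (protocol share, SYN-only ratio, small-packet fraction), the absolute tolerance of 0.15, the moving-average update rule, the pre-filter and every sample packet are assumptions made here for illustration. `drift_demo` also exercises the caveat a practitioner would check before deploying a design like claim 4: because each period judged normal is folded back into the baseline, traffic that stays inside the tolerance shifts the baseline, so a SYN ratio that is blocked against the original model passes once one mildly elevated period has been learned.

```python
# Added example, not the patent's own code: a toy model of the loop the claims
# describe (filter, sample by protocol per period, count packet features, compare
# with a preset normal model under a tolerance, block or learn). Feature names,
# the tolerance, the merge rule and every packet below are constructed assumptions.
from collections import defaultdict
from typing import Dict, List, Tuple

Packet = Tuple[str, int, bool]       # (protocol, length in bytes, TCP SYN-only?)
Model = Dict[str, Dict[str, float]]  # protocol -> {feature name: value in [0, 1]}

SMALL_PKT = 100    # bytes; assumed cut-off for the "small packet" feature
TOLERANCE = 0.15   # assumed absolute tolerance per feature (claim 3's threshold)
ALPHA = 0.5        # assumed weight of a newly learned period (claim 4's update)


def prefilter(packets: List[Packet]) -> List[Packet]:
    """Claim 1, step 1: a coarse sanity filter. Here it only drops zero-length
    packets; the claims do not say what the filter is."""
    return [p for p in packets if p[1] > 0]


def build_feature_model(packets: List[Packet]) -> Model:
    """Claim 2: sample the period's traffic by protocol and count packet
    features. All three features are ratios so one tolerance fits all."""
    by_proto: Dict[str, List[Packet]] = defaultdict(list)
    for pkt in packets:
        by_proto[pkt[0]].append(pkt)
    model: Model = {}
    for proto, pkts in by_proto.items():
        model[proto] = {
            "share": len(pkts) / len(packets),                 # share of all packets
            "syn_ratio": sum(p[2] for p in pkts) / len(pkts),  # SYN-only packets
            "small_frac": sum(p[1] < SMALL_PKT for p in pkts) / len(pkts),
        }
    return model


def is_normal(model: Model, baseline: Model, tol: float = TOLERANCE) -> Tuple[bool, List[str]]:
    """Claim 3: every feature must match the preset normal model within tol;
    a protocol the baseline has never seen counts as a mismatch."""
    violations: List[str] = []
    for proto, feats in model.items():
        if proto not in baseline:
            violations.append(f"{proto}: protocol absent from baseline")
            continue
        for name, value in feats.items():
            ref = baseline[proto][name]
            if abs(value - ref) > tol:
                violations.append(f"{proto}.{name}: {value:.3f} vs baseline {ref:.3f}")
    return not violations, violations


def update_baseline(baseline: Model, model: Model, alpha: float = ALPHA) -> Model:
    """Claim 4: merge a period judged normal into the preset normal model.
    An exponential moving average is assumed; the claims leave the rule open."""
    merged: Model = {p: dict(f) for p, f in baseline.items()}
    for proto, feats in model.items():
        if proto not in merged:
            merged[proto] = dict(feats)
        else:
            for name, value in feats.items():
                merged[proto][name] = (1 - alpha) * merged[proto][name] + alpha * value
    return merged


def process_period(packets: List[Packet], baseline: Model) -> Tuple[str, Model]:
    """Claim 1 end to end for one sampling period. Returns the verdict and the
    baseline to use next period (unchanged when the period was blocked)."""
    model = build_feature_model(prefilter(packets))
    normal, _ = is_normal(model, baseline)
    return ("pass", update_baseline(baseline, model)) if normal else ("block", baseline)


def make_period(tcp_data: int, tcp_syn: int, udp: int) -> List[Packet]:
    """Constructed traffic: full-size TCP data, 60-byte SYN-only TCP, 300-byte UDP."""
    return ([("tcp", 1200, False)] * tcp_data + [("tcp", 60, True)] * tcp_syn
            + [("udp", 300, False)] * udp)


def drift_demo() -> Dict[str, str]:
    """Caveat on claim 4: learning from every 'normal' period lets traffic that
    stays inside the tolerance pull the baseline. The same SYN-heavy period is
    blocked against the original baseline but passes after one elevated period."""
    baseline = build_feature_model(make_period(70, 5, 25))    # learned clean period
    verdict_direct, _ = process_period(make_period(70, 25, 25), baseline)
    _, drifted = process_period(make_period(70, 15, 25), baseline)  # inside tol
    verdict_after_drift, _ = process_period(make_period(70, 25, 25), drifted)
    return {"against_original": verdict_direct, "after_one_learned_period": verdict_after_drift}


if __name__ == "__main__":
    base = build_feature_model(make_period(70, 5, 25))
    print("quiet period  :", process_period(make_period(72, 4, 24), base)[0])
    print("SYN flood     :", process_period(make_period(70, 200, 25), base)[0])
    print("baseline drift:", drift_demo())
```

Run it directly to see the three verdicts. The knob to tune in a design of this shape is the learned period's weight against the tolerance: a smaller weight means an attacker needs more periods to walk the baseline, at the cost of slower adaptation to genuine changes; capping how far the baseline may move per period, or learning only from periods well inside the tolerance, limits the drift further.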
Priority Applications (1)
Application Number | Publication | Priority Date | Filing Date | Title |
---|---|---|---|---|
CN201910789754.2A | CN110445808A | 2019-08-26 | 2019-08-26 | Abnormal flow attack guarding method, device, electronic equipment |
Publications (1)
Publication Number | Publication Date |
---|---|
CN110445808A | 2019-11-12 |
Family
ID=68437580
Family Applications (1)
Application Number | Publication | Title | Priority Date | Filing Date | Status |
---|---|---|---|---|---|
CN201910789754.2A | CN110445808A | Abnormal flow attack guarding method, device, electronic equipment | 2019-08-26 | 2019-08-26 | Pending |
Country Status (1)
Country | Link |
---|---|
CN | CN110445808A |
Patent Citations (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1809000A | 2006-02-13 | 2006-07-26 | 成都三零盛安信息系统有限公司 | Network intrusion detection method |
US20140223562A1 | 2008-09-26 | 2014-08-07 | Oracle International Corporation | System and Method for Distributed Denial of Service Identification and Prevention |
CN101741686A | 2008-11-13 | 2010-06-16 | 天津比蒙新帆信息技术有限公司 | Method applied to traffic identification and control of P2P network based on mathematical modeling technology |
CN103780588A | 2012-10-24 | 2014-05-07 | 北京邮电大学 | User abnormal behavior detection method in digital home network |
CN107483473A | 2017-09-05 | 2017-12-15 | 上海海事大学 | Low-rate denial-of-service attack data-flow detection method for a cloud environment |
CN107682341A | 2017-10-17 | 2018-02-09 | 北京奇安信科技有限公司 | Protection method and device against CC attacks |
CN108377240A | 2018-02-07 | 2018-08-07 | 平安科技(深圳)有限公司 | Abnormal interface detection method, device, computer equipment and storage medium |
CN108650218A | 2018-03-22 | 2018-10-12 | 平安科技(深圳)有限公司 | Network traffic monitoring method, apparatus, computer equipment and storage medium |
CN109818964A | 2019-02-01 | 2019-05-28 | 长沙市智为信息技术有限公司 | DDoS attack detection method, device, equipment and storage medium |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111865724A | 2020-07-28 | 2020-10-30 | 公安部第三研究所 | Information acquisition control implementation method for video monitoring equipment |
CN111865724B | 2020-07-28 | 2022-02-08 | 公安部第三研究所 | Information acquisition control implementation method for video monitoring equipment |
CN113765914A | 2021-09-03 | 2021-12-07 | 杭州安恒信息技术股份有限公司 | CC attack protection method, system, computer equipment and readable storage medium |
Similar Documents
Publication | Title |
---|---|
CN106161451B | Method, apparatus and system for defending against CC attacks |
CN105577608B | Network attack behavior detection method and device |
EP3110103A1 | Systems and methods for automatically mitigating denial of service attacks |
CN105991637B | Protection method and device against network attacks |
CN110839017B | Proxy IP address identification method, device, electronic equipment and storage medium |
CN109768991B | Message replay attack detection method and device, and electronic equipment |
EP3343871A1 | Method and system for detecting and mitigating denial-of-service attacks |
CN105323259B | Method and apparatus for preventing SYN (synchronize) packet attacks |
CN108809923A | System and method for traffic filtering upon detecting a DDoS attack |
Udhayan et al. | Statistical segregation method to minimize the false detections during DDoS attacks |
CN111565203B | Method, device and system for protecting service requests, and computer equipment |
CN111083157B | Method and device for processing message filtering rules |
CN110099027A | Service message transmission method and device, storage medium, and electronic device |
CN109657463A | Defence method and device against packet flood attacks |
CN109040140A | Slow attack detection method and device |
CN110445808A | Abnormal flow attack guarding method, device, electronic equipment |
CN108737344B | Network attack protection method and device |
CN108616488A | Attack defence method and defence equipment |
CN106101088B | Cleaning device, detection device, routing device and method for preventing DNS attacks |
CN106534111A | Method for defending network attacks on a cloud platform based on flow rules |
CN106790310B | Method and system for integrating distributed denial of service attack protection and load balancing |
CN111193594B | Method for screening data packets received by service infrastructure and data packet cleaning system |
CN113765849A | Abnormal network traffic detection method and device |
CN107360196B | Attack detection method and device and terminal equipment |
JP4322179B2 | Denial of service attack prevention method and system |
Legal Events
Code | Title |
---|---|
PB01 | Publication |
SE01 | Entry into force of request for substantive examination |
RJ01 | Rejection of invention patent application after publication |
Application publication date: 2019-11-12