CN110460559A - Detection method, device and computer readable storage medium for distributed credential stuffing behavior - Google Patents
Detection method, device and computer readable storage medium for distributed credential stuffing behavior
- Publication number: CN110460559A (application number CN201810427569.4A)
- Authority: CN (China)
- Prior art keywords: library, distribution, access data, behavior, hit
- Prior art date
- Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- G—PHYSICS
  - G06—COMPUTING; CALCULATING OR COUNTING
    - G06F—ELECTRIC DIGITAL DATA PROCESSING
      - G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
        - G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
          - G06F21/55—Detecting local intrusion or implementing counter-measures
            - G06F21/556—Detecting local intrusion or implementing counter-measures involving covert channels, i.e. data leakage between processes
        - G06F21/60—Protecting data
          - G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
      - H04L63/00—Network architectures or network communication protocols for network security
        - H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
          - H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
            - H04L63/1416—Event detection, e.g. attack signature detection
Landscapes: Engineering & Computer Science; Computer Security & Cryptography; Theoretical Computer Science; General Engineering & Computer Science; Computer Hardware Design; Software Systems; Physics & Mathematics; General Physics & Mathematics; Computing Systems; Computer Networks & Wireless Communication; Signal Processing; Health & Medical Sciences; General Health & Medical Sciences; Bioethics; Data Exchanges In Wide-Area Networks
Abstract
Embodiments of the present invention provide a detection method, device and computer readable storage medium for distributed credential stuffing behavior, relating to the technical field of network security, so as to improve the detection accuracy for distributed credential stuffing. The detection method comprises: obtaining client access data from the traffic to be detected; parsing the client access data to obtain access data features; comparing the access data features with credential-stuffing behavior features, and determining, according to the comparison result, the distributed credential stuffing behavior in the traffic to be detected. The embodiments can improve the detection accuracy for distributed credential stuffing behavior.
Description
Technical field
Embodiments of the present invention relate to the technical field of network security, and in particular to a detection method, device and computer readable storage medium for distributed credential stuffing behavior.
Background technique
Credential stuffing (literally "library hitting") refers to the behavior of attempting to log in to other websites with a large volume of user data, exploiting users' habit of registering with the same username and password on different sites.
Existing credential stuffing detection techniques mainly detect attempts coming from the same source IP (Internet Protocol) address. However, as attackers' techniques keep improving, credential stuffing is becoming more diverse and complex, and existing detection techniques have difficulty detecting covert distributed credential stuffing, which results in lower detection accuracy.
Summary of the invention
In view of this, embodiments of the present invention provide a detection method, device and computer readable storage medium for distributed credential stuffing behavior, so as to improve the detection accuracy for credential stuffing behavior.
To solve the above technical problem, in a first aspect, an embodiment of the present invention provides a detection method for distributed credential stuffing behavior, comprising:
obtaining client access data from the traffic to be detected;
parsing the client access data to obtain access data features;
comparing the access data features with credential-stuffing behavior features, and determining, according to the comparison result, the distributed credential stuffing behavior in the traffic to be detected.
Wherein the access data features include the number of login failures of the same username against the same destination IP;
comparing the access data features with credential-stuffing behavior features and determining, according to the comparison result, the distributed credential stuffing behavior in the traffic to be detected comprises:
comparing the number of login failures of the same username against the same destination IP within a first statistical time period with a login-failure-count threshold;
if, within the first statistical time period, the number of login failures of the same username against the same destination IP is greater than the login-failure-count threshold, determining that there is suspected distributed credential stuffing behavior in the traffic to be detected.
Wherein the access data features further include, for the IP list determined from the suspected distributed credential stuffing behavior, the number of different process identifiers of the same source IP at the same access time;
comparing the access data features with credential-stuffing behavior features and determining, according to the comparison result, the distributed credential stuffing behavior in the traffic to be detected further comprises:
for the suspected distributed credential stuffing behavior, comparing the number of different process identifiers of the same source IP at the same access time with a login-process-count threshold;
if the number of different process identifiers of the same source IP at the same access time is greater than the login-process-count threshold, determining that the suspected distributed credential stuffing behavior is credential stuffing behavior.
Wherein the access data features include the packet sizes sent by the same username from different source IPs;
comparing the access data features with credential-stuffing behavior features and determining, according to the comparison result, the distributed credential stuffing behavior in the traffic to be detected comprises:
calculating a packet-size variance from the packet sizes sent by the same username from different source IPs within a second statistical time period;
comparing the packet-size variance with a preset packet-size variance threshold;
if the packet-size variance is less than the preset packet-size variance threshold, determining that there is distributed credential stuffing behavior against the protected object.
In a second aspect, an embodiment of the present invention provides a detection device for distributed credential stuffing behavior, comprising:
a first acquisition module, configured to obtain client access data from the traffic to be detected;
a second acquisition module, configured to parse the client access data to obtain access data features;
a determining module, configured to compare the access data features with credential-stuffing behavior features and determine, according to the comparison result, the distributed credential stuffing behavior in the traffic to be detected.
In a third aspect, an embodiment of the present invention provides a communication device comprising a memory, a processor, and a computer program stored on the memory and runnable on the processor; when the computer program is executed by the processor, the steps of the method of the first aspect are implemented.
In a fourth aspect, an embodiment of the present invention provides a computer readable storage medium for storing a computer program which, when executed by a processor, implements the steps of the method of the first aspect.
The above technical solution of the embodiments of the present invention has the following beneficial effects:
In the embodiments of the present invention, the traffic to be detected is analyzed to obtain client access data, from which access data features are obtained. The access data features are then compared with credential-stuffing behavior features, and the distributed credential stuffing behavior in the traffic to be detected is determined from the comparison result. Compared with the prior art, the scheme of the embodiments can therefore reduce the false alarm rate and identify diverse, complex and covert distributed credential stuffing attacks, improving the detection accuracy for distributed credential stuffing behavior.
Detailed description of the invention
Fig. 1 is a flow chart of the detection method for distributed credential stuffing behavior of an embodiment of the present invention;
Fig. 2 is a schematic diagram of the detection device for distributed credential stuffing behavior of an embodiment of the present invention;
Fig. 3 is a schematic diagram of the communication device of an embodiment of the present invention.
Specific embodiment
Specific embodiments of the present invention are described in further detail below with reference to the drawings and examples. The following examples illustrate the invention but are not intended to limit its scope.
As shown in Fig. 1, the detection method for distributed credential stuffing behavior of an embodiment of the present invention comprises:
Step 101: obtaining client access data from the traffic to be detected.
In this embodiment, the traffic packets passing through the protected object are captured according to the configured IP, port and capture time; this yields the traffic to be detected. The client access data in the traffic to be detected includes, but is not limited to: the five-tuple of the client access (source IP, source port, destination IP, destination port, access protocol), the SessionID (process identifier), the source MAC (Media Access Control) address, the login account name, the access time, the region the IP belongs to, the packet size, and the login status flag. In practice, the protected object may be a server, the device under attack, etc.
The capture time is the period during which the traffic to be detected is captured from the protected object. The login status flag indicates the login state, which is one of: login success or login failure.
Step 102: parsing the client access data to obtain access data features.
The access data features include the number of login failures of the same username against the same destination IP. Further, to improve accuracy, the access data features may also include the number of different process identifiers of the same source IP at the same access time.
Alternatively, the access data features include the packet sizes sent by the same username from different source IPs.
Step 103: comparing the access data features with credential-stuffing behavior features, and determining, according to the comparison result, the distributed credential stuffing behavior in the traffic to be detected.
In this step, the distributed credential stuffing behavior can be determined in different ways depending on what the access data features contain.
Mode one: the access data features include the number of login failures of the same username against the same destination IP. The process is as follows:
The data obtained in step 101 is aggregated by username to obtain, within a first statistical time period, the number of login failures of the same username against the same destination IP. This count for the first statistical time period is then compared with a login-failure-count threshold, which may be preset. If, within the first statistical time period, the number of login failures of the same username against the same destination IP is greater than the login-failure-count threshold, it is determined that there is suspected distributed credential stuffing behavior against the protected object.
The above process may also be called login-failure anomaly detection.
To further improve accuracy, in this mode the access data features further include, for the IP list determined from the suspected distributed credential stuffing behavior, the number of different process identifiers of the same source IP at the same access time. On top of login-failure anomaly detection, the following login-process anomaly detection may then be included.
Normally, one SessionID represents one access process. For a normal connection, the same source IP initiates one access and the number of processes is stable; credential stuffing, on the other hand, usually opens multiple connection ports and multiple processes in parallel to speed up brute forcing. Based on this feature, the IP list of the suspected credential stuffing behavior is obtained from the result of the login-failure anomaly detection. From this IP list, the number of different process identifiers (SessionIDs) of the same source IP at the same access time is obtained. Then, for the suspected distributed credential stuffing behavior, this number is compared with a login-process-count threshold, which may be preset. If the number of different process identifiers of the same source IP at the same access time is greater than the login-process-count threshold, it is determined that the suspected distributed credential stuffing behavior is credential stuffing behavior.
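The two stages of mode one, as an added example that is not code from the patent (the patent describes no implementation): login-failure anomaly detection over the first statistical time period, then login-process anomaly detection over the resulting IP list. The record field names, the window, both thresholds and every sample value are assumptions constructed for this example; building the IP list as the set of source IPs behind each suspected (username, destination IP) pair is one reading of the patent's "IP list".

```python
"""Added example, not code from the patent: mode one of CN110460559A, i.e.
login-failure anomaly detection followed by login-process anomaly detection,
run over constructed client access records. Record field names, thresholds,
window length and all sample values are assumptions made for this example."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed access records in the shape the patent describes: source IP,
# destination IP, SessionID (process identifier), login account name, access
# time and login status flag. The values are made up for this example.
RECORDS = [
    # a normal user: one session, one failed attempt followed by success
    {"src_ip": "10.0.0.5", "dst_ip": "203.0.113.10", "session_id": "s-100",
     "user": "alice", "time": "2018-05-07T10:00:00", "login_ok": False},
    {"src_ip": "10.0.0.5", "dst_ip": "203.0.113.10", "session_id": "s-100",
     "user": "alice", "time": "2018-05-07T10:00:05", "login_ok": True},
    # distributed attempts against 'bob': three source IPs, one target; the
    # first source opens three sessions at the same access time
    {"src_ip": "198.51.100.1", "dst_ip": "203.0.113.10", "session_id": "s-201",
     "user": "bob", "time": "2018-05-07T10:01:00", "login_ok": False},
    {"src_ip": "198.51.100.1", "dst_ip": "203.0.113.10", "session_id": "s-202",
     "user": "bob", "time": "2018-05-07T10:01:00", "login_ok": False},
    {"src_ip": "198.51.100.1", "dst_ip": "203.0.113.10", "session_id": "s-203",
     "user": "bob", "time": "2018-05-07T10:01:00", "login_ok": False},
    {"src_ip": "198.51.100.2", "dst_ip": "203.0.113.10", "session_id": "s-301",
     "user": "bob", "time": "2018-05-07T10:01:00", "login_ok": False},
    {"src_ip": "198.51.100.2", "dst_ip": "203.0.113.10", "session_id": "s-302",
     "user": "bob", "time": "2018-05-07T10:01:00", "login_ok": False},
    {"src_ip": "198.51.100.3", "dst_ip": "203.0.113.10", "session_id": "s-401",
     "user": "bob", "time": "2018-05-07T10:01:00", "login_ok": False},
    {"src_ip": "198.51.100.3", "dst_ip": "203.0.113.10", "session_id": "s-401",
     "user": "bob", "time": "2018-05-07T10:01:02", "login_ok": False},
    # a failure outside the statistical window is not counted
    {"src_ip": "198.51.100.9", "dst_ip": "203.0.113.10", "session_id": "s-901",
     "user": "bob", "time": "2018-05-07T11:30:00", "login_ok": False},
]

# Assumed parameters: the first statistical time period and the two thresholds.
WINDOW_START = datetime(2018, 5, 7, 10, 0, 0)
WINDOW_LENGTH = timedelta(minutes=5)
LOGIN_FAILURE_THRESHOLD = 3   # login-failure-count threshold
LOGIN_PROCESS_THRESHOLD = 2   # login-process-count threshold


def in_window(record, start, length):
    """True if the record's access time falls inside [start, start + length)."""
    t = datetime.fromisoformat(record["time"])
    return start <= t < start + length


def login_failure_anomaly(records, start, length, threshold):
    """Login-failure anomaly detection: count login failures per
    (username, destination IP) inside the window. Pairs whose count exceeds
    the threshold are suspected distributed credential stuffing.
    Returns {(user, dst_ip): set of source IPs that produced the failures}."""
    failures = defaultdict(int)
    sources = defaultdict(set)
    for r in records:
        if r["login_ok"] or not in_window(r, start, length):
            continue
        key = (r["user"], r["dst_ip"])
        failures[key] += 1
        sources[key].add(r["src_ip"])
    return {key: sources[key] for key, n in failures.items() if n > threshold}


def login_process_anomaly(records, ip_list, threshold):
    """Login-process anomaly detection: for source IPs on the suspect IP list,
    count distinct SessionIDs seen at the same access time. A source IP whose
    count exceeds the threshold confirms the suspected behavior."""
    sessions = defaultdict(set)   # (src_ip, access time) -> SessionIDs
    for r in records:
        if r["src_ip"] in ip_list:
            sessions[(r["src_ip"], r["time"])].add(r["session_id"])
    return {src for (src, _), ids in sessions.items() if len(ids) > threshold}


def detect_mode_one(records, start, length, fail_threshold, proc_threshold):
    """Run both stages; return (suspected pairs, confirmed source IPs)."""
    suspects = login_failure_anomaly(records, start, length, fail_threshold)
    ip_list = set().union(*suspects.values()) if suspects else set()
    confirmed = login_process_anomaly(records, ip_list, proc_threshold)
    return suspects, confirmed


def run_example():
    return detect_mode_one(RECORDS, WINDOW_START, WINDOW_LENGTH,
                           LOGIN_FAILURE_THRESHOLD, LOGIN_PROCESS_THRESHOLD)


if __name__ == "__main__":
    suspected, confirmed = run_example()
    for (user, dst_ip), srcs in suspected.items():
        print(f"suspected: user={user} dst={dst_ip} sources={sorted(srcs)}")
    print("confirmed source IPs:", sorted(confirmed))
```

Run directly, it reports the pair (bob, 203.0.113.10) as suspected, with three source IPs on the IP list, and confirms only 198.51.100.1, the one source that opened more SessionIDs at one access time than the login-process-count threshold; the other two sources stay suspected but unconfirmed, which is what the two-stage rule above implies. The failure at 11:30 falls outside the first statistical time period and is never counted.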
Mode two: the access data features include the packet sizes sent by the same username from different source IPs.
In practice, an attacker controls multiple servers in a distributed manner to carry out the attack, and these share similar features in their operation commands, operation times and packet sizes; normal user login behavior, by contrast, varies more in its operations, and its packet sizes are relatively unstable. Based on this feature, this mode specifically includes the following process:
From the data obtained in step 101, the packet sizes, access times, etc. sent by the same username from different source IPs within a second statistical time period are obtained. From the packet sizes sent by the same username from different source IPs within the second statistical time period, a packet-size variance is calculated; that is, within the second statistical time period, the variance of the packet sizes is used to judge how far the packet sizes in that period deviate from one another. The packet-size variance is then compared with a preset packet-size variance threshold, which can be set as needed. If the packet-size variance is less than the preset packet-size variance threshold, it is determined that the communication behavior is similar, and that there is distributed credential stuffing behavior in the traffic to be detected.
The packet-size variance may be calculated, for example, in the following way:
where σ² is the variance, X is the packet size, μ is the mean of the packet sizes, and N is the number of packet sizes.
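The formula the text refers to is not reproduced on this page. With the symbols as defined above, the standard population variance, added here as an assumption about what the patent's formula is rather than copied from it, reads:

$$
\sigma^2 = \frac{1}{N}\sum_{i=1}^{N}\left(X_i - \mu\right)^2,
\qquad
\mu = \frac{1}{N}\sum_{i=1}^{N} X_i
$$

Here $X_1, \dots, X_N$ are the $N$ packet sizes sent by one username from different source IPs within the second statistical time period. A small $\sigma^2$ means the packets are nearly the same size, which is the similarity the text associates with scripted, distributed attempts.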
The above process may also be called packet anomaly detection.
The durations of the first statistical time period and the second statistical time period can be set as needed.
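Mode two as an added example, not code from the patent: per username, collect the packet sizes sent from different source IPs inside the second statistical time period, compute the population variance σ² = (1/N) Σ (X − μ)² (the standard definition consistent with the symbols listed above; an assumption, since the formula itself is not on the page), and flag usernames whose variance is below the preset threshold. Field names, the window, the threshold and all sample values are constructed for this example; requiring at least two distinct source IPs before computing a variance is one reading of "the same username from different source IPs".

```python
"""Added example, not code from the patent: mode two of CN110460559A, packet
anomaly detection. For each username, the sizes of packets sent from different
source IPs inside the second statistical time period are collected, their
population variance is computed, and usernames whose variance falls below a
threshold are reported. Field names, threshold, window and sample values are
assumptions made for this example."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed access records: login account name, source IP, access time and
# packet size. The values are made up for this example.
RECORDS = [
    # normal user 'alice' from two locations: packet sizes vary widely
    {"user": "alice", "src_ip": "10.0.0.5", "time": "2018-05-07T10:00:00", "pkt_size": 412},
    {"user": "alice", "src_ip": "10.0.0.9", "time": "2018-05-07T10:02:00", "pkt_size": 1180},
    {"user": "alice", "src_ip": "10.0.0.5", "time": "2018-05-07T10:03:00", "pkt_size": 730},
    # scripted attempts on 'bob' from four controlled hosts: near-identical sizes
    {"user": "bob", "src_ip": "198.51.100.1", "time": "2018-05-07T10:01:00", "pkt_size": 256},
    {"user": "bob", "src_ip": "198.51.100.2", "time": "2018-05-07T10:01:00", "pkt_size": 258},
    {"user": "bob", "src_ip": "198.51.100.3", "time": "2018-05-07T10:01:01", "pkt_size": 256},
    {"user": "bob", "src_ip": "198.51.100.4", "time": "2018-05-07T10:01:01", "pkt_size": 254},
    # a 'bob' packet outside the second statistical time period is ignored
    {"user": "bob", "src_ip": "198.51.100.5", "time": "2018-05-07T11:30:00", "pkt_size": 900},
    # 'carol' sends from a single source IP: the rule needs different source IPs
    {"user": "carol", "src_ip": "10.0.0.7", "time": "2018-05-07T10:02:00", "pkt_size": 300},
    {"user": "carol", "src_ip": "10.0.0.7", "time": "2018-05-07T10:02:30", "pkt_size": 302},
]

# Assumed parameters: the second statistical time period and the threshold.
WINDOW_START = datetime(2018, 5, 7, 10, 0, 0)
WINDOW_LENGTH = timedelta(minutes=5)
VARIANCE_THRESHOLD = 50.0   # preset packet-size variance threshold


def packet_size_variance(sizes):
    """Population variance sigma^2 = (1/N) * sum((X - mu)^2) of the packet sizes,
    with mu the mean packet size and N the number of packet sizes."""
    n = len(sizes)
    if n == 0:
        raise ValueError("no packet sizes in the statistical window")
    mu = sum(sizes) / n
    return sum((x - mu) ** 2 for x in sizes) / n


def packet_anomaly(records, start, length, threshold):
    """Packet anomaly detection. Returns {username: variance} for every username
    that sent packets from at least two different source IPs inside the window
    and whose packet-size variance is below the threshold."""
    sizes = defaultdict(list)
    sources = defaultdict(set)
    for r in records:
        t = datetime.fromisoformat(r["time"])
        if not (start <= t < start + length):
            continue
        sizes[r["user"]].append(r["pkt_size"])
        sources[r["user"]].add(r["src_ip"])
    flagged = {}
    for user, values in sizes.items():
        if len(sources[user]) < 2:   # same username, different source IPs required
            continue
        var = packet_size_variance(values)
        if var < threshold:
            flagged[user] = var
    return flagged


def run_example():
    return packet_anomaly(RECORDS, WINDOW_START, WINDOW_LENGTH, VARIANCE_THRESHOLD)


if __name__ == "__main__":
    for user, var in run_example().items():
        print(f"distributed credential stuffing suspected: user={user} variance={var:.1f}")
```

For the constructed data, bob's four in-window packets (256, 258, 256, 254) have mean 256 and variance 2.0, far below the threshold, so bob is flagged; alice's packets (412, 1180, 730) give a variance of 99272.0 and are not flagged; carol's two packets are nearly identical in size but come from one source IP, so no variance is computed for her, which keeps a single normal client that retries a request from being mistaken for a distributed attempt.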
In the embodiments of the present invention, the traffic to be detected is analyzed to obtain client access data, from which access data features are obtained. The access data features are then compared with credential-stuffing behavior features, and the distributed credential stuffing behavior in the traffic to be detected is determined from the comparison result. Compared with the prior art, the scheme of the embodiments can therefore reduce the false alarm rate and identify diverse, complex and covert distributed credential stuffing attacks, improving the accuracy and effectiveness of detecting distributed credential stuffing behavior.
Meanwhile, the scheme of the embodiments does not need to compare against a huge social-engineering (leaked-credential) database, which saves computing resources.
As shown in Fig. 2, a detection device for distributed credential stuffing behavior of an embodiment of the present invention comprises: a first acquisition module 201, configured to obtain client access data from the traffic to be detected; a second acquisition module 202, configured to parse the client access data to obtain access data features; and a determining module 203, configured to compare the access data features with credential-stuffing behavior features and determine, according to the comparison result, the distributed credential stuffing behavior in the traffic to be detected.
Wherein the access data features include the number of login failures of the same username against the same destination IP; the determining module 203 comprises:
a first comparison submodule, configured to compare the number of login failures of the same username against the same destination IP within a first statistical time period with a login-failure-count threshold;
a first determining submodule, configured to determine, if within the first statistical time period the number of login failures of the same username against the same destination IP is greater than the login-failure-count threshold, that there is suspected distributed credential stuffing behavior in the traffic to be detected.
To further improve accuracy, the access data features further include, for the IP list determined from the suspected distributed credential stuffing behavior, the number of different process identifiers of the same source IP at the same access time; the determining module 203 may also comprise:
a second comparison submodule, configured to compare, for the suspected distributed credential stuffing behavior, the number of different process identifiers of the same source IP at the same access time with a login-process-count threshold;
a third determining submodule, configured to determine, if the number of different process identifiers of the same source IP at the same access time is greater than the login-process-count threshold, that the suspected distributed credential stuffing behavior is credential stuffing behavior.
Wherein the access data features include the packet sizes sent by the same username from different source IPs; the determining module 203 comprises:
a calculation submodule, configured to calculate a packet-size variance from the packet sizes sent by the same username from different source IPs within a second statistical time period;
a third comparison submodule, configured to compare the packet-size variance with a preset packet-size variance threshold;
a fourth determining submodule, configured to determine, if the packet-size variance is less than the preset packet-size variance threshold, that there is distributed credential stuffing behavior in the traffic to be detected.
For the working principle of the device, reference may be made to the description of the method embodiment above.
In the embodiments of the present invention, the traffic to be detected is analyzed to obtain client access data, from which access data features are obtained. The access data features are then compared with credential-stuffing behavior features, and the distributed credential stuffing behavior in the traffic to be detected is determined from the comparison result. Compared with the prior art, the scheme of the embodiments can therefore reduce the false alarm rate and identify diverse, complex and covert distributed credential stuffing attacks, improving the accuracy and effectiveness of detecting distributed credential stuffing behavior.
Meanwhile, the scheme of the embodiments does not need to compare against a huge social-engineering (leaked-credential) database, which saves computing resources.
As shown in Fig. 3, an embodiment of the present invention also provides a communication device comprising: a processor 300, configured to read the program in a memory 310 and execute the following process:
obtaining client access data from the traffic to be detected;
parsing the client access data to obtain access data features;
comparing the access data features with credential-stuffing behavior features, and determining, according to the comparison result, the distributed credential stuffing behavior in the traffic to be detected;
and a transceiver 320, configured to send and receive data under the control of the processor.
In Fig. 3, the bus architecture may include any number of interconnected buses and bridges, which link together various circuits of the one or more processors represented by the processor 300 and of the memory represented by the memory 310. The bus architecture may also link together various other circuits such as peripheral devices, voltage regulators and power management circuits; these are well known in the art and are therefore not described further here. The bus interface provides an interface. The transceiver 320 may consist of several elements, i.e. it includes a transmitter and a receiver, providing a unit for communicating with various other devices over a transmission medium. The processor 300 is responsible for managing the bus architecture and for general processing, and the memory 310 may store the data used by the processor 300 when performing operations.
The access data features include the number of login failures of the same username against the same destination IP; the processor 300 is further configured to read the computer program and execute the following steps:
comparing the number of login failures of the same username against the same destination IP within a first statistical time period with a login-failure-count threshold;
if, within the first statistical time period, the number of login failures of the same username against the same destination IP is greater than the login-failure-count threshold, determining that there is suspected distributed credential stuffing behavior in the traffic to be detected.
The access data features further include, for the IP list determined from the suspected distributed credential stuffing behavior, the number of different process identifiers of the same source IP at the same access time; the processor 300 is further configured to read the computer program and execute the following steps:
for the suspected distributed credential stuffing behavior, comparing the number of different process identifiers of the same source IP at the same access time with a login-process-count threshold;
if the number of different process identifiers of the same source IP at the same access time is greater than the login-process-count threshold, determining that the suspected distributed credential stuffing behavior is credential stuffing behavior.
The access data features include the packet sizes sent by the same username from different source IPs; the processor 300 is further configured to read the computer program and execute the following steps:
calculating a packet-size variance from the packet sizes sent by the same username from different source IPs within a second statistical time period;
comparing the packet-size variance with a preset packet-size variance threshold;
if the packet-size variance is less than the preset packet-size variance threshold, determining that there is distributed credential stuffing behavior in the traffic to be detected.
In addition, the computer readable storage medium of an embodiment of the present invention is configured to store a computer program which can be executed by a processor to perform the following steps:
obtaining client access data from the traffic to be detected;
parsing the client access data to obtain access data features;
comparing the access data features with credential-stuffing behavior features, and determining, according to the comparison result, the distributed credential stuffing behavior in the traffic to be detected.
Wherein the access data features include the number of login failures of the same username against the same destination IP within a first statistical time period;
comparing the access data features with credential-stuffing behavior features and determining, according to the comparison result, the distributed credential stuffing behavior in the traffic to be detected comprises:
comparing the number of login failures of the same username against the same destination IP within the first statistical time period with a login-failure-count threshold;
if, within the first statistical time period, the number of login failures of the same username against the same destination IP is greater than the login-failure-count threshold, determining that there is suspected distributed credential stuffing behavior in the traffic to be detected.
Wherein the access data features further include, for the IP list determined from the suspected distributed credential stuffing behavior, the number of different process identifiers of the same source IP at the same access time;
comparing the access data features with credential-stuffing behavior features and determining, according to the comparison result, the distributed credential stuffing behavior in the traffic to be detected further comprises:
for the suspected distributed credential stuffing behavior, comparing the number of different process identifiers of the same source IP at the same access time with a login-process-count threshold;
if the number of different process identifiers of the same source IP at the same access time is greater than the login-process-count threshold, determining that the suspected distributed credential stuffing behavior is credential stuffing behavior.
Wherein the access data features include the packet sizes sent by the same username from different source IPs;
comparing the access data features with credential-stuffing behavior features and determining, according to the comparison result, the distributed credential stuffing behavior in the traffic to be detected comprises:
calculating a packet-size variance from the packet sizes sent by the same username from different source IPs within a second statistical time period;
comparing the packet-size variance with a preset packet-size variance threshold;
if the packet-size variance is less than the preset packet-size variance threshold, determining that there is distributed credential stuffing behavior in the traffic to be detected.
In the several embodiments provided in this application, it should be understood that the disclosed method and apparatus may be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative; the division into units is only a logical functional division, and there may be other divisions in actual implementation, e.g. multiple units or components may be combined or integrated into another system, or some features may be omitted or not executed. Further, the mutual coupling, direct coupling or communication connections shown or discussed may be indirect coupling or communication connections through some interfaces, devices or units, and may be electrical, mechanical or in other forms.
In addition, the functional units in the various embodiments of the present invention may be integrated into one processing unit, or each unit may exist physically on its own, or two or more units may be integrated into one unit. The above integrated unit may be implemented in the form of hardware, or in the form of hardware plus a software functional unit.
The above-mentioned integrated unit being realized in the form of SFU software functional unit can store and computer-readable deposit at one
In storage media.Above-mentioned SFU software functional unit is stored in a storage medium, including some instructions are used so that a computer
Equipment (can be personal computer, server or the network equipment etc.) executes receiving/transmission method described in each embodiment of the present invention
Part steps.And storage medium above-mentioned includes: USB flash disk, mobile hard disk, read-only memory (Read-Only Memory, abbreviation
ROM), random access memory (Random Access Memory, abbreviation RAM), magnetic or disk etc. are various can store
The medium of program code.
The above is a preferred embodiment of the present invention, it is noted that for those skilled in the art
For, without departing from the principles of the present invention, it can also make several improvements and retouch, these improvements and modifications
It should be regarded as protection scope of the present invention.
Claims (7)
1. A detection method for distributed library-hitting behavior, characterized by comprising:
obtaining client access data from the traffic to be detected;
parsing the client access data to obtain access data features;
comparing the access data features with library-hitting behavior features, and determining the distributed library-hitting behavior in the traffic to be detected according to the comparison result.
2. The method according to claim 1, wherein the access data features include the number of login failures of the same username to the same destination IP;
and comparing the access data features with the library-hitting behavior features and determining the distributed library-hitting behavior in the traffic to be detected according to the comparison result comprises:
comparing, within a first statistical time window, the number of login failures of the same username to the same destination IP with a login-failure-count threshold;
if, within the first statistical time window, the number of login failures of the same username to the same destination IP exceeds the login-failure-count threshold, determining that suspected distributed library-hitting behavior is present in the traffic to be detected.
3. The method according to claim 2, characterized in that the access data features further include, for the IP list determined from the suspected distributed library-hitting behavior, the number of different process identifiers (PIDs) of the same source IP at the same access time;
and comparing the access data features with the library-hitting behavior features and determining the distributed library-hitting behavior in the traffic to be detected according to the comparison result further comprises:
for the suspected distributed library-hitting behavior, comparing the number of different PIDs of the same source IP at the same access time with a login-process-count threshold;
if the number of different PIDs of the same source IP at the same access time exceeds the login-process-count threshold, determining that the suspected distributed library-hitting behavior is library-hitting behavior.
4. The method according to claim 1, wherein the access data features include the sizes of the communication packets sent by the same username from different source IPs;
and comparing the access data features with the library-hitting behavior features and determining the distributed library-hitting behavior in the traffic to be detected according to the comparison result comprises:
calculating, within a second statistical time window, the variance of the packet sizes sent by the same username from different source IPs;
comparing the packet-size variance with a preset packet-size variance threshold;
if the packet-size variance is less than the preset packet-size variance threshold, determining that distributed library-hitting behavior is present in the traffic to be detected.
5. A detection device for distributed library-hitting behavior, characterized by comprising:
a first obtaining module, for obtaining client access data from the traffic to be detected;
a second obtaining module, for parsing the client access data to obtain access data features;
a determining module, for comparing the access data features with library-hitting behavior features and determining the distributed library-hitting behavior in the traffic to be detected according to the comparison result.
6. A communication device, comprising a memory, a processor, and a computer program stored in the memory and executable on the processor; characterized in that the computer program, when executed by the processor, implements the steps of the method according to any one of claims 1 to 4.
7. A computer-readable storage medium for storing a computer program, characterized in that the computer program, when executed by a processor, implements the steps of the method according to any one of claims 1 to 4.
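The three checks of claims 2 to 4 (login-failure count per username and destination IP, distinct PIDs per source IP at one access time, and packet-size variance across source IPs), implemented over constructed access records as an added illustration that is not part of the patent. All records are assumed to fall inside one statistical time window, and the thresholds are arbitrary sample values.

```python
from collections import defaultdict
from statistics import pvariance

def rec(user, dst, src, pid, t, ok, size):
    """One constructed client access record (fields assumed for this example)."""
    return dict(user=user, dst=dst, src=src, pid=pid, t=t, ok=ok, size=size)

# Constructed sample traffic: one username tried from three source IPs,
# with near-identical packet sizes, plus one ordinary user.
RECORDS = [
    rec("alice", "10.0.0.5", "198.51.100.1", 101, 0, False, 512),
    rec("alice", "10.0.0.5", "198.51.100.1", 102, 0, False, 513),
    rec("alice", "10.0.0.5", "198.51.100.1", 103, 0, False, 511),
    rec("alice", "10.0.0.5", "198.51.100.2", 201, 0, False, 512),
    rec("alice", "10.0.0.5", "198.51.100.2", 202, 0, False, 514),
    rec("alice", "10.0.0.5", "198.51.100.3", 301, 0, False, 512),
    rec("bob",   "10.0.0.5", "203.0.113.9",  900, 0, False, 300),
    rec("bob",   "10.0.0.5", "203.0.113.9",  900, 1, True,  900),
]

def suspected_pairs(records, fail_threshold):
    """Claim 2: (username, destination IP) pairs whose failures exceed the threshold."""
    fails = defaultdict(int)
    for r in records:
        if not r["ok"]:
            fails[(r["user"], r["dst"])] += 1
    return {pair for pair, n in fails.items() if n > fail_threshold}

def suspected_source_ips(records, pairs):
    """The IP list derived from the suspected behavior (input to claim 3)."""
    return {r["src"] for r in records if (r["user"], r["dst"]) in pairs}

def confirmed_by_pids(records, src_ips, pid_threshold):
    """Claim 3: source IPs with more distinct PIDs at one access time than allowed."""
    pids = defaultdict(set)
    for r in records:
        if r["src"] in src_ips:
            pids[(r["src"], r["t"])].add(r["pid"])
    return {src for (src, _t), s in pids.items() if len(s) > pid_threshold}

def low_variance_users(records, var_threshold):
    """Claim 4: usernames whose packet sizes across different source IPs barely vary."""
    by_user = defaultdict(list)
    for r in records:
        by_user[r["user"]].append((r["src"], r["size"]))
    return {u for u, items in by_user.items()
            if len({src for src, _ in items}) > 1       # needs several source IPs
            and pvariance([s for _, s in items]) < var_threshold}

def detect(records, fail_threshold=2, pid_threshold=2, var_threshold=10.0):
    pairs = suspected_pairs(records, fail_threshold)
    return {"suspected": pairs,
            "confirmed_ips": confirmed_by_pids(records, suspected_source_ips(records, pairs), pid_threshold),
            "low_variance_users": low_variance_users(records, var_threshold)}
```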
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810427569.4A CN110460559A (en) | 2018-05-07 | 2018-05-07 | Distribution hits detection method, device and the computer readable storage medium of library behavior |
Publications (1)
Publication Number | Publication Date |
---|---|
CN110460559A true CN110460559A (en) | 2019-11-15 |
Family ID: 68472146
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201810427569.4A Pending CN110460559A (en) | 2018-05-07 | 2018-05-07 | Distribution hits detection method, device and the computer readable storage medium of library behavior |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN110460559A (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112165445A (en) * | 2020-08-13 | 2021-01-01 | 杭州数梦工场科技有限公司 | Method, device, storage medium and computer equipment for detecting network attack |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104811449A (en) * | 2015-04-21 | 2015-07-29 | 深信服网络科技(深圳)有限公司 | Base collision attack detecting method and system |
US20160014084A1 (en) * | 2014-07-09 | 2016-01-14 | Shape Security, Inc. | Using Individualized APIs to Block Automated Attacks on Native Apps and/or Purposely Exposed APIs with Forced User Interaction |
CN107294953A (en) * | 2017-05-18 | 2017-10-24 | 深信服科技股份有限公司 | Attack operation detection method and device |
Timeline: 2018-05-07, CN, CN201810427569.4A, patent CN110460559A, status Pending
Non-Patent Citations (1)
Title |
---|
Wei Qinfang et al.: "Login account password brute-force attack detection method based on traffic features", Journal of Southwest University (Natural Science Edition) (original: 魏琴芳等: "基于流量特征的登录账号密码暴力破解攻击检测方法", 《西南大学学报(自然科学版)》) * |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | Application publication date: 20191115 |