CN110460559A - Method, device and computer-readable storage medium for detecting distributed credential-stuffing behavior


Info

Publication number: CN110460559A
Authority: CN (China)
Prior art keywords: library, distribution, access data, behavior, hit
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.): Pending
Application number: CN201810427569.4A
Other languages: Chinese (zh)
Inventor: 杭小勇
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.): China Mobile Communications Group Co Ltd; China Mobile Communications Ltd Research Institute
Original Assignee: China Mobile Communications Group Co Ltd; China Mobile Communications Ltd Research Institute

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/55 Detecting local intrusion or implementing counter-measures
    • G06F 21/556 Detecting local intrusion or implementing counter-measures involving covert channels, i.e. data leakage between processes
    • G06F 21/60 Protecting data
    • G06F 21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection

Abstract

Embodiments of the present invention provide a method, a device and a computer-readable storage medium for detecting distributed credential-stuffing behavior, relating to the technical field of network security, with the aim of improving the detection accuracy for distributed credential stuffing. The detection method of the invention comprises: obtaining client access data from the traffic to be inspected; parsing the client access data to obtain access-data features; comparing the access-data features with credential-stuffing behavior features, and determining, from the comparison result, the distributed credential-stuffing behavior in the traffic to be inspected. Embodiments of the present invention can improve the detection accuracy for distributed credential stuffing.

Description

Method, device and computer-readable storage medium for detecting distributed credential-stuffing behavior
Technical field
Embodiments of the present invention relate to the technical field of network security, and in particular to a method, a device and a computer-readable storage medium for detecting distributed credential-stuffing behavior.
Background technique
Credential stuffing refers to the behavior of taking a large volume of leaked user data and attempting to log in to other websites with it, exploiting users' habit of registering with the same credentials (the same user name and password) everywhere.
Existing credential-stuffing detection techniques mainly detect attempts coming from the same source IP (Internet Protocol) address. As attackers' techniques keep improving, however, credential-stuffing patterns are becoming more diverse and more complex, and existing detection techniques have difficulty detecting covert, distributed credential stuffing, which lowers detection accuracy.
Summary of the invention
In view of this, embodiments of the present invention provide a method, a device and a computer-readable storage medium for detecting distributed credential-stuffing behavior, so as to improve the detection accuracy for credential stuffing.
To solve the above technical problem, in a first aspect an embodiment of the present invention provides a method for detecting distributed credential-stuffing behavior, comprising:
obtaining client access data from the traffic to be inspected;
parsing the client access data to obtain access-data features;
comparing the access-data features with credential-stuffing behavior features, and determining, from the comparison result, the distributed credential-stuffing behavior in the traffic to be inspected.
Wherein the access-data features include the number of login failures of the same user name against the same destination IP;
comparing the access-data features with credential-stuffing behavior features and determining, from the comparison result, the distributed credential-stuffing behavior in the traffic to be inspected comprises:
comparing the number of login failures of the same user name against the same destination IP within a first statistical time period with a login-failure count threshold;
if, within the first statistical time period, the number of login failures of the same user name against the same destination IP is greater than the login-failure count threshold, determining that distributed credential-stuffing behavior to be confirmed exists in the traffic to be inspected.
Wherein the access-data features further include, within the IP list determined from the distributed credential-stuffing behavior to be confirmed, the number of different session identifiers (SessionIDs) used by the same source IP at the same access time;
comparing the access-data features with credential-stuffing behavior features and determining, from the comparison result, the distributed credential-stuffing behavior in the traffic to be inspected further comprises:
for the distributed credential-stuffing behavior to be confirmed, comparing the number of different session identifiers used by the same source IP at the same access time with a login-session count threshold;
if the number of different session identifiers used by the same source IP at the same access time is greater than the login-session count threshold, determining that the distributed credential-stuffing behavior to be confirmed is credential-stuffing behavior.
Wherein the access-data features include the packet sizes sent under the same user name from different source IPs;
comparing the access-data features with credential-stuffing behavior features and determining, from the comparison result, the distributed credential-stuffing behavior in the traffic to be inspected comprises:
calculating a packet-size variance from the packet sizes sent under the same user name from different source IPs within a second statistical time period;
comparing the packet-size variance with a preset packet-size variance threshold;
if the packet-size variance is less than the preset packet-size variance threshold, determining that distributed credential-stuffing behavior exists against the protected object.
In a second aspect, an embodiment of the present invention provides a device for detecting distributed credential-stuffing behavior, comprising:
a first obtaining module, configured to obtain client access data from the traffic to be inspected;
a second obtaining module, configured to parse the client access data to obtain access-data features;
a determining module, configured to compare the access-data features with credential-stuffing behavior features and determine, from the comparison result, the distributed credential-stuffing behavior in the traffic to be inspected.
In a third aspect, an embodiment of the present invention provides a communication device, comprising a memory, a processor, and a computer program stored on the memory and executable on the processor; when the computer program is executed by the processor, the steps of the method of the first aspect are implemented.
In a fourth aspect, an embodiment of the present invention provides a computer-readable storage medium for storing a computer program; when the computer program is executed by a processor, the steps of the method of the first aspect are implemented.
The above technical solutions of the embodiments of the present invention have the following beneficial effects:
In embodiments of the present invention, the traffic to be inspected is analyzed to obtain client access data, from which access-data features are obtained. The access-data features are then compared with credential-stuffing behavior features, and the distributed credential-stuffing behavior in the traffic to be inspected is determined from the comparison result. Compared with the prior art, the solution of the embodiments therefore reduces the false-alarm rate and identifies diverse, complex and covert distributed credential-stuffing attacks, improving the detection accuracy for distributed credential stuffing.
Detailed description of the invention
Fig. 1 is a flowchart of the method for detecting distributed credential-stuffing behavior according to an embodiment of the present invention;
Fig. 2 is a schematic diagram of the device for detecting distributed credential-stuffing behavior according to an embodiment of the present invention;
Fig. 3 is a schematic diagram of the communication device according to an embodiment of the present invention.
Specific embodiment
Specific embodiments of the present invention are described in further detail below with reference to the drawings and examples. The following examples illustrate the invention and are not intended to limit its scope.
As shown in Fig. 1, the method for detecting distributed credential-stuffing behavior according to an embodiment of the present invention comprises:
Step 101: obtaining client access data from the traffic to be inspected.
In an embodiment of the present invention, traffic packets passing through the protected object are captured according to a configured IP, port and capture period; the captured packets constitute the traffic to be inspected. The client access data in the traffic to be inspected include, but are not limited to, the following: the five-tuple of the client access (source IP, source port, destination IP, destination port, access protocol), the SessionID (session identifier), the source MAC (Media Access Control) address, the login account name, the access time, the region the IP belongs to, the packet size, and the login status flag. In practice, the protected object may be a server, a device under attack, and so on.
The capture period is the time span over which the traffic to be inspected is captured from the protected object. The login status flag indicates the login state, which is one of: login succeeded or login failed.
Step 102: parsing the client access data to obtain access-data features.
The access-data features include the number of login failures of the same user name against the same destination IP. Further, to improve accuracy, the access-data features may also include the number of different session identifiers used by the same source IP at the same access time.
Alternatively, the access-data features include the packet sizes sent under the same user name from different source IPs.
Step 103: comparing the access-data features with credential-stuffing behavior features, and determining, from the comparison result, the distributed credential-stuffing behavior in the traffic to be inspected.
In an embodiment of the present invention, this step can determine distributed credential-stuffing behavior in different ways depending on what the access-data features contain.
Mode one: the access-data features include the number of login failures of the same user name against the same destination IP. This mode specifically comprises the following process:
The data obtained in step 101 are aggregated by user name to obtain, within a first statistical time period, the number of login failures of the same user name against the same destination IP. This number is then compared with a login-failure count threshold, which may be preset. If, within the first statistical time period, the number of login failures of the same user name against the same destination IP is greater than the login-failure count threshold, it is determined that distributed credential-stuffing behavior to be confirmed exists against the protected object.
The above process may also be called login-failure anomaly detection.
To further improve accuracy, in this mode the access-data features further include, within the IP list determined from the distributed credential-stuffing behavior to be confirmed, the number of different session identifiers used by the same source IP at the same access time. On the basis of login-failure anomaly detection, the following login-session anomaly detection may then be added.
Normally, one SessionID represents one access session. In a normal connection the same source IP initiates one access and the number of sessions is stable, whereas credential stuffing usually opens multiple connection ports and multiple sessions in parallel to speed up brute-forcing. Based on this feature, the IP list of the credential-stuffing behavior to be confirmed is obtained from the result of login-failure anomaly detection. From the IP list, the number of different session identifiers (SessionIDs) used by the same source IP at the same access time is obtained. Then, for the distributed credential-stuffing behavior to be confirmed, this number is compared with a login-session count threshold, which may be preset. If the number of different session identifiers used by the same source IP at the same access time is greater than the login-session count threshold, it is determined that the distributed credential-stuffing behavior to be confirmed is credential-stuffing behavior.
Mode two: the access-data features include the packet sizes sent under the same user name from different source IPs.
In practice, an attacker controls multiple servers in a distributed fashion to carry out the attack, so the operation commands, operation times and packet sizes are similar; in normal user login behavior, by contrast, operations differ considerably and packet sizes are relatively unstable. Based on this feature, this mode specifically comprises the following process:
From the data obtained in step 101, the packet sizes, access times and so on sent under the same user name from different source IPs within a second statistical time period are obtained. The packet-size variance is calculated from the packet sizes sent under the same user name from different source IPs within the second statistical time period; that is, within the second statistical time period the variance of packet size is used to judge how much the packet sizes deviate over the period. The packet-size variance is then compared with a preset packet-size variance threshold, which may be set as required. If the packet-size variance is less than the preset packet-size variance threshold, it is determined that similar-communication behavior exists and that distributed credential-stuffing behavior exists in the traffic to be inspected.
The packet-size variance can be calculated, for example, in the following way:
where σ² is the variance, X is the packet size, μ is the mean packet size, and N is the number of packet sizes.
The above process of mode three may also be called packet anomaly detection.
The durations of the first statistical time period and the second time period can be set as required.
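As an added example (not code from the patent or its assignee), the following Python sketch implements both detection modes described above over a small set of constructed access records: login-failure counting per (user name, destination IP) in the first period, the SessionID-per-source-IP check over the resulting IP list, and the packet-size variance test in the second period. The variance is taken to be the population variance Σ(X−μ)²/N, an assumption consistent with the symbol definitions given; the thresholds, window bounds, user names and addresses are all constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import pvariance


@dataclass(frozen=True)
class AccessRecord:
    """One parsed client access record, using fields listed in step 101."""
    src_ip: str
    dst_ip: str
    session_id: str    # SessionID
    username: str      # login account name
    access_time: int   # access time in seconds (constructed units)
    packet_size: int   # communication packet size in bytes
    login_ok: bool     # login status flag: True = succeeded, False = failed


def in_window(rec, window):
    start, end = window
    return start <= rec.access_time < end


def login_failure_check(records, window, fail_threshold):
    """Login-failure anomaly detection (mode one, first stage): count failures per
    (user name, destination IP) in the first period; pairs above the threshold are
    credential stuffing 'to be confirmed'."""
    failures = defaultdict(int)
    for r in records:
        if in_window(r, window) and not r.login_ok:
            failures[(r.username, r.dst_ip)] += 1
    return {pair for pair, n in failures.items() if n > fail_threshold}


def suspect_ip_list(records, window, suspects):
    """IP list derived from the to-be-confirmed pairs: every source IP that
    produced a failed login for one of them."""
    return {r.src_ip for r in records
            if in_window(r, window) and not r.login_ok
            and (r.username, r.dst_ip) in suspects}


def session_count_check(records, ip_list, session_threshold):
    """Login-session anomaly detection (mode one, second stage): for each IP on
    the list, count distinct SessionIDs at the same access time; exceeding the
    threshold confirms the behaviour as credential stuffing."""
    sessions = defaultdict(set)            # (src_ip, access_time) -> SessionIDs
    for r in records:
        if r.src_ip in ip_list:
            sessions[(r.src_ip, r.access_time)].add(r.session_id)
    return {ip for (ip, _t), ids in sessions.items() if len(ids) > session_threshold}


def packet_size_variance_check(records, window, var_threshold):
    """Packet anomaly detection (mode two): for each user name seen from more than
    one source IP in the second period, compute the population variance
    sigma^2 = sum((X - mu)^2) / N of its packet sizes (assumed form); a variance
    below the threshold marks uniform, bot-like traffic. Returns {user: variance}."""
    sizes, src_ips = defaultdict(list), defaultdict(set)
    for r in records:
        if in_window(r, window):
            sizes[r.username].append(r.packet_size)
            src_ips[r.username].add(r.src_ip)
    variances = {u: pvariance(xs) for u, xs in sizes.items()
                 if len(src_ips[u]) > 1 and len(xs) > 1}
    return {u: v for u, v in variances.items() if v < var_threshold}


def detect(records, window1, window2, fail_threshold, session_threshold, var_threshold):
    """Run both modes and return every intermediate result for analyst review."""
    suspected = login_failure_check(records, window1, fail_threshold)
    ips = suspect_ip_list(records, window1, suspected)
    return {
        "suspected": suspected,
        "suspect_ips": ips,
        "confirmed_ips": session_count_check(records, ips, session_threshold),
        "uniform_packets": packet_size_variance_check(records, window2, var_threshold),
    }


def constructed_sample():
    """Constructed traffic (not real data): 'alice' is attacked from three IPs, one
    of which runs four sessions in the same second, all with near-identical packet
    sizes; 'bob' logs in normally from two IPs with varied packet sizes."""
    recs = [AccessRecord("198.51.100.7", "10.0.0.5", f"a{j}", "alice", 100, 512 + j % 2, False)
            for j in range(4)]
    recs.append(AccessRecord("198.51.100.8", "10.0.0.5", "b0", "alice", 101, 512, False))
    recs.append(AccessRecord("198.51.100.8", "10.0.0.5", "b1", "alice", 102, 512, False))
    recs.append(AccessRecord("203.0.113.9", "10.0.0.5", "c0", "alice", 103, 513, False))
    for ip, sid, t, size, ok in [("192.0.2.10", "d0", 100, 300, False), ("192.0.2.10", "d1", 105, 900, True),
                                 ("192.0.2.11", "d2", 110, 450, True), ("192.0.2.11", "d3", 115, 1200, True)]:
        recs.append(AccessRecord(ip, "10.0.0.5", sid, "bob", t, size, ok))
    return recs


if __name__ == "__main__":
    for key, value in detect(constructed_sample(), (100, 200), (100, 200), 5, 3, 50).items():
        print(f"{key}: {value}")
```

The intermediate sets are returned rather than only the final verdict so that an analyst can see which stage (failure count, session count or packet-size uniformity) produced each finding and tune the three thresholds independently.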
In embodiments of the present invention, the traffic to be inspected is analyzed to obtain client access data, from which access-data features are obtained. The access-data features are then compared with credential-stuffing behavior features, and the distributed credential-stuffing behavior in the traffic to be inspected is determined from the comparison result. Compared with the prior art, the solution of the embodiments therefore reduces the false-alarm rate and identifies diverse, complex and covert distributed credential-stuffing attacks, improving the accuracy and effectiveness of distributed credential-stuffing detection.
Meanwhile, the solution of the embodiments does not need to compare against a huge social-engineering database (a collection of leaked credentials), which saves computing resources.
As shown in Fig. 2, a device for detecting distributed credential-stuffing behavior according to an embodiment of the present invention comprises:
a first obtaining module 201, configured to obtain client access data from the traffic to be inspected; a second obtaining module 202, configured to parse the client access data to obtain access-data features; and a determining module 203, configured to compare the access-data features with credential-stuffing behavior features and determine, from the comparison result, the distributed credential-stuffing behavior in the traffic to be inspected.
Wherein the access-data features include the number of login failures of the same user name against the same destination IP; the determining module 203 comprises:
a first comparison submodule, configured to compare the number of login failures of the same user name against the same destination IP within a first statistical time period with a login-failure count threshold;
a first determining submodule, configured to determine that distributed credential-stuffing behavior to be confirmed exists in the traffic to be inspected if, within the first statistical time period, the number of login failures of the same user name against the same destination IP is greater than the login-failure count threshold.
To further improve accuracy, the access-data features further include, within the IP list determined from the distributed credential-stuffing behavior to be confirmed, the number of different session identifiers used by the same source IP at the same access time; the determining module 203 may further comprise:
a second comparison submodule, configured to compare, for the distributed credential-stuffing behavior to be confirmed, the number of different session identifiers used by the same source IP at the same access time with a login-session count threshold;
a third determining submodule, configured to determine that the distributed credential-stuffing behavior to be confirmed is credential-stuffing behavior if the number of different session identifiers used by the same source IP at the same access time is greater than the login-session count threshold.
Wherein the access-data features include the packet sizes sent under the same user name from different source IPs; the determining module 203 comprises:
a calculation submodule, configured to calculate a packet-size variance from the packet sizes sent under the same user name from different source IPs within a second statistical time period;
a third comparison submodule, configured to compare the packet-size variance with a preset packet-size variance threshold;
a fourth determining submodule, configured to determine that distributed credential-stuffing behavior exists in the traffic to be inspected if the packet-size variance is less than the preset packet-size variance threshold.
For the working principle of the device of the present invention, reference may be made to the description of the foregoing method embodiment.
In embodiments of the present invention, the traffic to be inspected is analyzed to obtain client access data, from which access-data features are obtained. The access-data features are then compared with credential-stuffing behavior features, and the distributed credential-stuffing behavior in the traffic to be inspected is determined from the comparison result. Compared with the prior art, the solution of the embodiments therefore reduces the false-alarm rate and identifies diverse, complex and covert distributed credential-stuffing attacks, improving the accuracy and effectiveness of distributed credential-stuffing detection.
Meanwhile, the solution of the embodiments does not need to compare against a huge social-engineering database (a collection of leaked credentials), which saves computing resources.
As shown in Fig. 3, an embodiment of the present invention further provides a communication device, comprising: a processor 300, configured to read a program in a memory 310 and execute the following process:
obtaining client access data from the traffic to be inspected;
parsing the client access data to obtain access-data features;
comparing the access-data features with credential-stuffing behavior features, and determining, from the comparison result, the distributed credential-stuffing behavior in the traffic to be inspected;
and a transceiver 320, configured to send and receive data under the control of the processor 500.
In Fig. 3, the bus architecture may comprise any number of interconnected buses and bridges, linking together the various circuits of the one or more processors represented by the processor 300 and of the memory represented by the memory 310. The bus architecture may also link together various other circuits, such as peripheral devices, voltage regulators and power-management circuits; these are well known in the art and are therefore not described further here. A bus interface provides the interface. The transceiver 320 may be a plurality of elements, i.e. it may comprise a transmitter and a receiver, providing a unit for communicating with various other devices over a transmission medium. The processor 300 is responsible for managing the bus architecture and for general processing, and the memory 310 may store data used by the processor 300 when performing operations.
The access-data features include the number of login failures of the same user name against the same destination IP; the processor 300 is further configured to read the computer program and execute the following steps:
comparing the number of login failures of the same user name against the same destination IP within a first statistical time period with a login-failure count threshold;
if, within the first statistical time period, the number of login failures of the same user name against the same destination IP is greater than the login-failure count threshold, determining that distributed credential-stuffing behavior to be confirmed exists in the traffic to be inspected.
The access-data features further include, within the IP list determined from the distributed credential-stuffing behavior to be confirmed, the number of different session identifiers used by the same source IP at the same access time; the processor 300 is further configured to read the computer program and execute the following steps:
for the distributed credential-stuffing behavior to be confirmed, comparing the number of different session identifiers used by the same source IP at the same access time with a login-session count threshold;
if the number of different session identifiers used by the same source IP at the same access time is greater than the login-session count threshold, determining that the distributed credential-stuffing behavior to be confirmed is credential-stuffing behavior.
The access-data features include the packet sizes sent under the same user name from different source IPs; the processor 300 is further configured to read the computer program and execute the following steps:
calculating a packet-size variance from the packet sizes sent under the same user name from different source IPs within a second statistical time period;
comparing the packet-size variance with a preset packet-size variance threshold;
if the packet-size variance is less than the preset packet-size variance threshold, determining that distributed credential-stuffing behavior exists in the traffic to be inspected.
In addition, the computer-readable storage medium of an embodiment of the present invention is configured to store a computer program which, when executed by a processor, performs the following steps:
obtaining client access data from the traffic to be inspected;
parsing the client access data to obtain access-data features;
comparing the access-data features with credential-stuffing behavior features, and determining, from the comparison result, the distributed credential-stuffing behavior in the traffic to be inspected.
Wherein the access-data features include the number of login failures of the same user name against the same destination IP within a first statistical time period;
comparing the access-data features with credential-stuffing behavior features and determining, from the comparison result, the distributed credential-stuffing behavior in the traffic to be inspected comprises:
comparing the number of login failures of the same user name against the same destination IP within the first statistical time period with a login-failure count threshold;
if, within the first statistical time period, the number of login failures of the same user name against the same destination IP is greater than the login-failure count threshold, determining that distributed credential-stuffing behavior to be confirmed exists in the traffic to be inspected.
Wherein the access-data features further include, within the IP list determined from the distributed credential-stuffing behavior to be confirmed, the number of different session identifiers used by the same source IP at the same access time;
comparing the access-data features with credential-stuffing behavior features and determining, from the comparison result, the distributed credential-stuffing behavior in the traffic to be inspected further comprises:
for the distributed credential-stuffing behavior to be confirmed, comparing the number of different session identifiers used by the same source IP at the same access time with a login-session count threshold;
if the number of different session identifiers used by the same source IP at the same access time is greater than the login-session count threshold, determining that the distributed credential-stuffing behavior to be confirmed is credential-stuffing behavior.
Wherein the access-data features include the packet sizes sent under the same user name from different source IPs;
comparing the access-data features with credential-stuffing behavior features and determining, from the comparison result, the distributed credential-stuffing behavior in the traffic to be inspected comprises:
calculating a packet-size variance from the packet sizes sent under the same user name from different source IPs within a second statistical time period;
comparing the packet-size variance with a preset packet-size variance threshold;
if the packet-size variance is less than the preset packet-size variance threshold, determining that distributed credential-stuffing behavior exists in the traffic to be inspected.
In the several embodiments provided herein, it should be understood that the disclosed method and apparatus may be realized in other ways. For example, the apparatus embodiments described above are merely exemplary: the division into units is only a division by logical function, and another division may be used in an actual implementation; for instance, multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed. In addition, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interfaces, devices or units, and may be electrical, mechanical or of another form.
Furthermore, the functional units in the various embodiments of the present invention may be integrated into one processing unit, each unit may exist physically on its own, or two or more units may be integrated into one unit. The integrated unit may be realized in the form of hardware, or in the form of hardware plus a software functional unit.
The integrated unit realized in the form of a software functional unit may be stored in a computer-readable storage medium. The software functional unit is stored in a storage medium and includes instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to execute some of the steps of the method described in each embodiment of the present invention. The storage medium includes a USB flash disk, a mobile hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk or any other medium capable of storing program code.
The above is a preferred embodiment of the present invention. It should be noted that those skilled in the art may make several improvements and modifications without departing from the principles of the present invention, and these improvements and modifications should also be regarded as falling within the scope of protection of the present invention.

Claims (7)

1. A detection method for distributed credential-stuffing ("library-hitting") behavior, characterized in that it comprises:
obtaining client access data from the traffic to be detected;
parsing the client access data to obtain access data features;
comparing the access data features with credential-stuffing behavior features, and determining, from the comparison result, the distributed credential-stuffing behavior in the traffic to be detected.
2. The method according to claim 1, characterized in that the access data features include the number of login failures of the same username at the same destination IP;
comparing the access data features with the credential-stuffing behavior features and determining, from the comparison result, the distributed credential-stuffing behavior in the traffic to be detected comprises:
comparing, within a first statistical time period, the number of login failures of the same username at the same destination IP with a login-failure-count threshold;
if, within the first statistical time period, the number of login failures of the same username at the same destination IP is greater than the login-failure-count threshold, determining that suspected distributed credential-stuffing behavior exists in the traffic to be detected.
3. The method according to claim 2, characterized in that the access data features further include, within the IP list determined from the suspected distributed credential-stuffing behavior, the number of different process identifiers (PIDs) of the same source IP at the same access time;
comparing the access data features with the credential-stuffing behavior features and determining, from the comparison result, the distributed credential-stuffing behavior in the traffic to be detected further comprises:
for the suspected distributed credential-stuffing behavior, comparing the number of different PIDs of the same source IP at the same access time with a login-process-count threshold;
if the number of different PIDs of the same source IP at the same access time is greater than the login-process-count threshold, determining that the suspected distributed credential-stuffing behavior is credential-stuffing behavior.
4. The method according to claim 1, characterized in that the access data features include the size of the packets sent by the same username from different source IPs;
comparing the access data features with the credential-stuffing behavior features and determining, from the comparison result, the distributed credential-stuffing behavior in the traffic to be detected comprises:
calculating, within a second statistical time period, a packet-size variance from the sizes of the packets sent by the same username from different source IPs;
comparing the packet-size variance with a preset packet-size-variance threshold;
if the packet-size variance is less than the preset packet-size-variance threshold, determining that distributed credential-stuffing behavior exists in the traffic to be detected.
5. A detection device for distributed credential-stuffing behavior, characterized in that it comprises:
a first obtaining module, for obtaining client access data from the traffic to be detected;
a second obtaining module, for parsing the client access data to obtain access data features;
a determining module, for comparing the access data features with credential-stuffing behavior features and determining, from the comparison result, the distributed credential-stuffing behavior in the traffic to be detected.
6. A communication device, comprising a memory, a processor, and a computer program stored on the memory and executable on the processor; characterized in that,
when the computer program is executed by the processor, the steps of the method according to any one of claims 1 to 4 are implemented.
7. A computer-readable storage medium for storing a computer program, characterized in that, when the computer program is executed by a processor, the steps of the method according to any one of claims 1 to 4 are implemented.
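The three comparison rules of the description and of claims 2 to 4 (login-failure count per username and destination IP, distinct PIDs per source IP at one access time, packet-size variance per username across source IPs), as an added worked example in Python that is not part of the patent. The thresholds, the record format and the sample records are constructed for the example; the patent leaves the thresholds and time windows as configurable parameters.

```python
from collections import defaultdict
from statistics import pvariance

# Thresholds are assumed example values; the patent treats them as configurable parameters.
FAIL_THRESHOLD = 3        # login failures per (username, destination IP) in window 1
PID_THRESHOLD = 2         # distinct process identifiers per source IP at one access time
PKT_VAR_THRESHOLD = 50.0  # variance of packet sizes sent by one username from several source IPs

# Constructed client-access records (not captured traffic): ts,user,src IP,dst IP,PID,size,status
SAMPLE = """\
100,alice,10.0.0.5,203.0.113.10,4101,512,fail
100,alice,10.0.0.5,203.0.113.10,4102,514,fail
100,alice,10.0.0.5,203.0.113.10,4103,511,fail
101,alice,10.0.0.6,203.0.113.10,5001,513,fail
102,bob,10.0.0.9,203.0.113.10,7001,640,ok
103,carol,10.0.0.7,203.0.113.10,7100,300,fail
""".splitlines()

def parse(line):
    """Parse one access record into the access data features the rules use."""
    ts, user, src, dst, pid, size, status = line.split(",")
    return {"ts": int(ts), "user": user, "src": src, "dst": dst,
            "pid": int(pid), "size": int(size), "ok": status == "ok"}

def suspected_stuffing(recs, window):
    """Rule 1 (claim 2): failures of one (username, destination IP) in window 1 above FAIL_THRESHOLD."""
    fails = defaultdict(int)
    for r in recs:
        if window[0] <= r["ts"] < window[1] and not r["ok"]:
            fails[(r["user"], r["dst"])] += 1
    return {k: n for k, n in fails.items() if n > FAIL_THRESHOLD}

def confirm_by_pids(recs, suspected):
    """Rule 2 (claim 3): source IPs behind suspected pairs with > PID_THRESHOLD PIDs at one access time."""
    ip_list = {r["src"] for r in recs if (r["user"], r["dst"]) in suspected}
    pids = defaultdict(set)
    for r in recs:
        if r["src"] in ip_list:
            pids[(r["src"], r["ts"])].add(r["pid"])
    return {ip for (ip, _), s in pids.items() if len(s) > PID_THRESHOLD}

def low_packet_variance(recs, window):
    """Rule 3 (claim 4): one username, several source IPs, packet-size variance below threshold in window 2."""
    sizes, srcs = defaultdict(list), defaultdict(set)
    for r in recs:
        if window[0] <= r["ts"] < window[1]:
            sizes[r["user"]].append(r["size"])
            srcs[r["user"]].add(r["src"])
    return {u for u, s in sizes.items()
            if len(srcs[u]) > 1 and pvariance(s) < PKT_VAR_THRESHOLD}
```

On the sample records, rule 1 flags alice at 203.0.113.10 with four failures, rule 2 confirms 10.0.0.5 because three different PIDs log in at the same second, and rule 3 flags alice because her packets from two source IPs are nearly identical in size.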
CN201810427569.4A 2018-05-07 2018-05-07 Distribution hits detection method, device and the computer readable storage medium of library behavior Pending CN110460559A (en)

Publications (1)

Publication Number Publication Date
CN110460559A true CN110460559A (en) 2019-11-15

Family

ID=68472146

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112165445A (en) * 2020-08-13 2021-01-01 杭州数梦工场科技有限公司 Method, device, storage medium and computer equipment for detecting network attack

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104811449A (en) * 2015-04-21 2015-07-29 深信服网络科技(深圳)有限公司 Base collision attack detecting method and system
US20160014084A1 (en) * 2014-07-09 2016-01-14 Shape Security, Inc. Using Individualized APIs to Block Automated Attacks on Native Apps and/or Purposely Exposed APIs with Forced User Interaction
CN107294953A (en) * 2017-05-18 2017-10-24 深信服科技股份有限公司 Attack operation detection method and device

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
魏琴芳 (Wei Qinfang) et al.: "A traffic-feature-based detection method for brute-force attacks on login account passwords", 《西南大学学报(自然科学版)》 (Journal of Southwest University, Natural Science Edition) *

Legal Events

Date Code Title Description
PB01 Publication (Application publication date: 20191115)
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication