CN110505232A - The detection method and device of network attack, electronic equipment, storage medium - Google Patents


Publication number
CN110505232A
Authority
CN
China
Prior art keywords
terminal
flows
data
access data
target
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201910800363.6A
Other languages
Chinese (zh)
Inventor
朱利军
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Baidu Online Network Technology Beijing Co Ltd
Beijing Baidu Netcom Science and Technology Co Ltd
Original Assignee
Beijing Baidu Netcom Science and Technology Co Ltd
Application filed by Beijing Baidu Netcom Science and Technology Co Ltd
Priority to CN201910800363.6A
Publication of CN110505232A
Legal status: Pending (current)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1425 Traffic logging, e.g. anomaly detection

Abstract

This application discloses a method and device for detecting network attacks, an electronic device, and a storage medium, and relates to the field of network attacks. In a specific implementation: an anomaly is detected in the access traffic data of clients accessing a target server, where the access traffic data represents the traffic formed by clients sending access request information to the target server, and the access request information at least represents feature information of the terminal on which the client is installed; the target access traffic data formed by at least one client sending access request information to the target server within a preset time period is counted, and the terminal share feature corresponding to the target access traffic data is obtained from the terminal feature information represented by the access request information in that data; the terminal share feature is compared with a preset terminal share feature to determine whether the terminal share corresponding to the target access traffic data is abnormal, and whether a network attack event exists is determined from the result of that judgment.

Description

The detection method and device of network attack, electronic equipment, storage medium
Technical field
This application relates to the computer field, and in particular to the field of network attacks.
Background
A Challenge Collapsar (CC) attack is a page-based distributed denial of service (DDoS) attack that relies on disguise: the attacker uses proxy servers to generate legitimate requests directed at a target server (such as a victim host) in order to carry out the attack. Because the requests the attacker initiates are legitimate, attack requests cannot be identified from request legitimacy and traffic characteristics as they can when protecting against other DDoS attacks. CC attack detection technology arose as a result, but how to detect CC attacks quickly and how to reduce false positives have become urgent problems in CC attack detection.
Summary of the invention
The embodiments of this application provide a method and device for detecting network attacks, an electronic device, and a storage medium, which quickly detect whether a network attack event is present under heavy traffic while reducing false positives.
In a first aspect, an embodiment of this application provides a method for detecting network attacks, comprising:
Detecting that an anomaly exists in the access traffic data of clients accessing a target server, where the access traffic data represents the traffic formed by clients sending access request information to the target server, and the access request information at least represents feature information of the terminal on which the client is installed;
Counting the target access traffic data formed by at least one client sending access request information to the target server within a preset time period, and obtaining the terminal share feature corresponding to the target access traffic data based on the terminal feature information represented by the access request information in the target access traffic data;
Comparing the terminal share feature with a preset terminal share feature to determine whether the terminal share corresponding to the target access traffic data is abnormal, and determining whether a network attack event exists based on the result of that judgment.
First, because the embodiments of this application automatically trigger the subsequent network attack detection flow as soon as the access traffic data is determined to be abnormal, the detection flow is automated, which lays a foundation for engineering use.
Second, in practice, when the network is being accessed normally, the actual terminal share feature depends on parameters such as terminal market share and is independent of access volume and the like. When a network attack event exists, the terminal share feature no longer matches parameters such as the actual terminal market share. In particular, once the data volume is large, under normal access the actual terminal share feature fluctuates within a certain range and does not leave that range as access volume increases, whereas when a network attack event occurs the actual terminal share feature goes beyond the fluctuation range. Based on this principle, the embodiments of this application determine whether a network attack event exists by comparing the terminal share feature with the preset terminal share feature, which allows network attack events to be detected under heavy traffic with high accuracy. Moreover, because the page access frequency does not need to be obtained and only the actual terminal share feature is needed to run the detection flow, this embodiment consumes fewer resources and detects faster than existing approaches that detect network attack events from the page access frequency.
Third, under normal access the actual terminal share feature does not change as access volume increases. So when a business runs an event or a promotion, even if a large number of users increase page accesses within a short time, as long as the accesses are normal they do not make the actual terminal share feature abnormal, and in this case the method of the embodiments of this application produces no false positives. It also avoids false negatives in the following situation: a hacker uses a large number of attacking IPs and controls the access frequency of each one so that it stays below the threshold. Even though the access frequency is below the threshold, the attack can still be detected as long as the terminal share is abnormal in that state, which further improves detection accuracy.
In one embodiment, detecting that an anomaly exists in the access traffic data of clients accessing the target server comprises:
Obtaining the access traffic data of clients accessing the target server;
Comparing the access traffic data with historical traffic data, and, after determining that the amount by which the access traffic data exceeds the historical traffic data is greater than a preset threshold, determining that the access traffic data is abnormal.
Here, the anomaly check is an automated process that judges automatically whether the current access traffic data is abnormal. This lays a foundation for automating the network attack detection flow and for engineering use.
In one embodiment, obtaining the terminal share feature corresponding to the target access traffic data based on the terminal feature information represented by the access request information in the target access traffic data comprises:
Parsing the client identification field set in the access request information corresponding to the target access traffic data to obtain the terminal feature information represented by the client identification field;
Obtaining the terminal share feature corresponding to the target access traffic data based on the terminal feature information corresponding to the target access traffic data.
Here, because only one field, the client identification field, needs to be parsed to obtain the required terminal feature information and from it the terminal share feature, this embodiment offers a feasible scheme with low resource consumption compared with existing approaches that detect network attack events from the page access frequency, and lays a foundation for detection that performs under heavy traffic. It also lays a foundation for compatibility with existing technology and for engineering use.
In one embodiment, comparing the terminal share feature with the preset terminal share feature to determine whether the terminal share corresponding to the target access traffic data is abnormal comprises:
Comparing the actual share range of a target terminal in the terminal share feature with the preset interval of that target terminal in the preset terminal share feature, and checking whether the actual share range of the target terminal goes beyond the preset interval, to determine whether the terminal share corresponding to the target access traffic data is abnormal.
Here, under normal access the actual terminal share feature fluctuates within a certain range, does not leave that range as access volume increases, and matches terminal market share and similar parameters. When a network attack event occurs, however, the actual terminal share feature does not match terminal market share and similar parameters. For example, when a network attack event occurs, the access volume of a certain type of terminal increases sharply, which raises the share of that type of terminal beyond the fluctuation range. Alternatively, the network attack evens out the shares across terminals, which then no longer match terminal market share. On this basis, this embodiment gives a specific, simple and feasible fast detection scheme: the actual share of a particular terminal is compared with the preset interval to judge whether the actual share range is abnormal, and from that whether a network attack event exists. This lays a foundation for engineering use.
In one embodiment, the method further comprises:
After the comparison shows that the actual share range of the target terminal goes beyond the preset interval, determining that the terminal share corresponding to the target access traffic data is abnormal; or,
After the comparison shows that the actual share range of the target terminal does not go beyond the preset interval, determining that the terminal share corresponding to the target access traffic data is normal.
Here, when the actual share range of the target terminal goes beyond the preset interval, the actual share of the target terminal does not match parameters such as terminal market share, so an anomaly is deemed to exist and therefore a network attack event is deemed to exist. Otherwise, when the actual share range of the target terminal does not go beyond the preset interval, the actual share of the target terminal matches parameters such as terminal market share, so no anomaly is deemed to exist and therefore no network attack event is deemed to exist. This embodiment thus gives a specific, simple and feasible fast detection scheme and lays a foundation for engineering use.
In one embodiment, counting the target access traffic data formed by at least one client sending access request information to the target server within a preset time period comprises:
Obtaining first network traffic mirror data;
Obtaining, from the first network traffic mirror data, the target access traffic data formed by at least one client sending access request information to the target server within the preset time period during which the access traffic data is abnormal.
Here, to avoid data loss and improve the availability of the method, data can be backed up, for example by backing up the access traffic data, so that the target access traffic data is obtained from the backup data, which improves the security of the method.
In one embodiment, the method further comprises:
Obtaining second network traffic mirror data;
Pre-processing the second network traffic mirror data to filter out abnormal access traffic data;
Obtaining the preset terminal share feature based at least on the pre-processed network traffic mirror data.
Here, to avoid data loss and improve the availability of the method, data can be backed up, for example by backing up the access traffic data, so that the target access traffic data is obtained from the backup data, which improves the security of the method. In addition, this avoids an inaccurate preset terminal share feature serving as the baseline. For example, if the source data used to calculate the preset terminal share feature contains unidentified network attack events, the preset terminal share feature determined from that source data will be inaccurate. To avoid this, in this implementation the source data, such as the second network traffic mirror data, is pre-processed to filter out abnormal access traffic data, which ensures that the preset terminal share feature determined is accurate and lays a foundation for improving the accuracy of the final detection.
In a second aspect, an embodiment of this application provides a device for detecting network attacks, comprising:
A detection unit, configured to detect that an anomaly exists in the access traffic data of clients accessing a target server, where the access traffic data represents the traffic formed by clients sending access request information to the target server, and the access request information at least represents feature information of the terminal on which the client is installed;
A processing unit, configured to count the target access traffic data formed by at least one client sending access request information to the target server within a preset time period, and to obtain the terminal share feature corresponding to the target access traffic data based on the terminal feature information represented by the access request information in the target access traffic data;
An attack judging unit, configured to compare the terminal share feature with a preset terminal share feature to determine whether the terminal share corresponding to the target access traffic data is abnormal, and to determine whether a network attack event exists based on the result of that judgment.
In one embodiment, the detection unit is further configured to:
Obtain the access traffic data of clients accessing the target server;
Compare the access traffic data with historical traffic data, and, after determining that the amount by which the access traffic data exceeds the historical traffic data is greater than a preset threshold, determine that the access traffic data is abnormal.
In one embodiment, the processing unit is further configured to:
Parse the client identification field set in the access request information corresponding to the target access traffic data to obtain the terminal feature information represented by the client identification field;
Obtain the terminal share feature corresponding to the target access traffic data based on the terminal feature information corresponding to the target access traffic data.
In one embodiment, the attack judging unit is further configured to:
Compare the actual share range of a target terminal in the terminal share feature with the preset interval of that target terminal in the preset terminal share feature, and check whether the actual share range of the target terminal goes beyond the preset interval, to determine whether the terminal share corresponding to the target access traffic data is abnormal.
In one embodiment, the attack judging unit is further configured to:
After the comparison shows that the actual share range of the target terminal goes beyond the preset interval, determine that the terminal share corresponding to the target access traffic data is abnormal; or,
After the comparison shows that the actual share range of the target terminal does not go beyond the preset interval, determine that the terminal share corresponding to the target access traffic data is normal.
In one embodiment, the processing unit is further configured to:
Obtain first network traffic mirror data;
Obtain, from the first network traffic mirror data, the target access traffic data formed by at least one client sending access request information to the target server within the preset time period during which the access traffic data is abnormal.
In one embodiment, the processing unit is further configured to:
Obtain second network traffic mirror data;
Pre-process the second network traffic mirror data to filter out abnormal access traffic data;
Obtain the preset terminal share feature based at least on the pre-processed network traffic mirror data.
In a third aspect, an embodiment of this application provides an electronic device, comprising:
At least one processor; and
A memory communicatively connected to the at least one processor; wherein,
The memory stores instructions executable by the at least one processor, and the instructions are executed by the at least one processor to enable the at least one processor to perform the method described above.
In a fourth aspect, an embodiment of this application provides a non-transitory computer-readable storage medium storing computer instructions, where the computer instructions are used to cause a computer to perform the method described above.
One embodiment of the above application has the following advantages or beneficial effects:
Because the subsequent network attack detection flow is triggered automatically as soon as the access traffic data is determined to be abnormal, the embodiments of this application automate the detection flow and lay a foundation for engineering use. In addition, because whether a network attack event exists is determined by comparing the terminal share feature with the preset terminal share feature, resource consumption is low and detection is fast, so network attack events can be detected under heavy traffic. This solves the technical problems of existing approaches: high resource consumption, slow detection, and inability to operate under heavy traffic. False negatives are also avoided, which further improves detection accuracy.
Other effects of the above optional implementations are described below in conjunction with specific embodiments.
Brief description of the drawings
The drawings are provided for a better understanding of this solution and do not limit the application. In the drawings:
Fig. 1 is a schematic diagram according to the first embodiment of the application;
Fig. 2 is a schematic diagram according to the second embodiment of the application;
Fig. 3 is a schematic diagram according to the third embodiment of the application;
Fig. 4 is a block diagram of a device for implementing the network attack detection method of the embodiments of the application;
Fig. 5 is a block diagram of an electronic device for implementing the network attack detection method of the embodiments of the application.
Detailed description
Exemplary embodiments of the application are explained below with reference to the drawings, including various details of the embodiments to aid understanding, which should be regarded as merely exemplary. Accordingly, those of ordinary skill in the art should recognize that various changes and modifications can be made to the embodiments described here without departing from the scope and spirit of the application. Likewise, for clarity and conciseness, descriptions of well-known functions and structures are omitted from the following description.
Here, CC attack detection technology refers to discovering, in large-scale network traffic, Hypertext Transfer Protocol (HTTP) layer DDoS attacks initiated by hackers. In current Internet HTTP application-layer DDoS detection, in order to accurately identify CC attacks initiated by hackers, layer-7 traffic is usually parsed as HTTP to obtain the page access frequency, and whether a CC attack is present is then determined from the page access frequency. For example, based on the data after HTTP parsing, the determination is made in the following ways:
Mode one: count the number of requests issued by the same source IP address per unit time; if it reaches a certain threshold, the source IP address is deemed to be attacking, that is, a CC attack is determined.
Mode two: count the total number of packets or requests reaching the same port or different ports of the same target server per unit time; if it reaches a certain threshold, the target server is deemed to be abnormal or under attack, that is, a CC attack is determined.
Mode three: count the number of requests from the same source IP for the same page per unit time; if it reaches a certain threshold, the source IP address is deemed to be attacking, that is, a CC attack is determined.
However, because the above detection methods need to parse the HTTP content and obtain the page access frequency, they consume more resources, detect slowly, and cannot keep up under heavy traffic. Moreover, when a business runs an event or a promotion, a large number of users increase page accesses within a short time, and the above detection methods generate many false positives because of the surge in accesses, which reduces detection accuracy.
There are also false negatives. For example, if a hacker uses a large number of attacking IPs and controls the access frequency of each one so that it stays below the threshold in mode one, the attack cannot be detected by the above detection schemes.
Therefore, a new and efficient detection method is needed that quickly detects CC attacks under heavy traffic while reducing false positives.
On this basis, an embodiment of this application provides a method for detecting network attacks. As shown in Fig. 1, the method comprises:
Step S101: detecting that an anomaly exists in the access traffic data of clients accessing a target server, where the access traffic data represents the traffic formed by clients sending access request information to the target server, and the access request information at least represents feature information of the terminal on which the client is installed.
In practice, the target server may be a server that provides a network information browsing service, for example a Web server. When a client accesses a web page, it sends access request information to the target server so that the client and the server establish a connection to complete the network connection and the client can access the web page.
Here, the access traffic data may be the traffic formed by access request information sent to the target server by the same or different clients. For example, it may be the traffic formed by access request information sent by the same or different clients to the same port of the target server, and/or the traffic formed by access request information sent by the same or different clients to different ports of the target server.
In a specific example, the access traffic data represents the access volume corresponding to the access request information sent to the target server by the same or different clients. On this basis, the access traffic data of the embodiments of this application contains at least one piece of access request information from at least one client. In practice, the access request information may be an HTTP-based request message.
In a specific example, multiple fields can be set in the access request information, and the fields carry different information. For example, a client identification field is set, and it carries the feature information of the terminal on which the client is installed. In practice, the terminal feature information includes but is not limited to the following: terminal brand, terminal model, and so on.
It should be noted that, in practice, the target server may be a server that provides a browsing service for multiple web pages, or a server that provides a browsing service for only one web page. Accordingly, the access traffic data may be the traffic of clients accessing at least one of the multiple web pages the target server supports, or the traffic of clients accessing the single web page the target server supports; this application places no limitation on this. Here, "multiple" means two or more.
In one embodiment, to automate the network attack detection flow, the access traffic data can be monitored so that the detection flow is triggered automatically. The specific steps include:
Obtaining the access traffic data of clients accessing the target server;
Comparing the access traffic data with historical traffic data, and, after determining that the amount by which the access traffic data exceeds the historical traffic data is greater than a preset threshold, determining that the access traffic data is abnormal.
For example, current access traffic data is collected periodically and compared with the historical traffic data of the same period. When traffic surges, for example when the amount by which the current access traffic data exceeds the same-period historical traffic data is greater than the preset threshold, the current access traffic data is deemed abnormal and the subsequent network attack detection flow is started, that is, the steps from step S102 onward are started. Otherwise, the subsequent detection flow is not started and access traffic data continues to be collected periodically; repeating this cycle achieves automated detection of network attack events. The preset threshold is an empirical value and can be set according to actual needs.
Step S102: counting the target access traffic data formed by at least one client sending access request information to the target server within a preset time period, and obtaining the terminal share feature corresponding to the target access traffic data based on the terminal feature information represented by the access request information in the target access traffic data.
Here, the target access traffic data is similar to the access traffic data described above and is not described again.
In practice, as described above, the terminal feature information can be carried in the access request information by setting a field, for example a client identification field. In that case, the step in S102 of obtaining the terminal share feature corresponding to the target access traffic data may specifically include:
Parsing the client identification field set in the access request information corresponding to the target access traffic data to obtain the terminal feature information represented by the client identification field;
Obtaining the terminal share feature corresponding to the target access traffic data based on the terminal feature information corresponding to the target access traffic data.
That is, the terminal feature information is obtained by parsing the client identification field set in the access request information. In the same way, the terminal feature information of all the access request information contained in the target access traffic data is obtained, and the terminal share feature corresponding to the target access traffic data is then obtained from the terminal feature information of all that access request information.
Here, the clients sending access request information may be the same or different clients, and different clients in turn correspond to the same or different terminals. The terminal share feature of the same or different terminals corresponding to the target access traffic data can therefore only be obtained from the terminal feature information of all the access request information, which lays a foundation for the subsequent detection of network attack events.
Furthermore, because only one field, the client identification field, needs to be parsed to obtain the required terminal feature information and from it the terminal share feature, this embodiment offers a feasible scheme with low resource consumption compared with existing approaches that detect network attack events from the page access frequency, and lays a foundation for detection that performs under heavy traffic. It also lays a foundation for compatibility with existing technology and for engineering use.
In one embodiment, to avoid data loss and improve the availability of the method, data can be backed up, for example by backing up the access traffic data, so that the target access traffic data is obtained from the backup data, which improves the security of the method. The specific steps include:
Obtaining first network traffic mirror data;
Obtaining, from the first network traffic mirror data, the target access traffic data formed by at least one client sending access request information to the target server within the preset time period in which the access traffic data is abnormal.
That is, the acquired target access traffic data includes the traffic data from the period in which the access traffic data is abnormal, which lays the foundation for subsequently confirming whether the abnormality of the access traffic data is caused by a network attack event.
In one embodiment, to avoid data loss and improve the availability of the method, data can be backed up, for example by backing up the access traffic data, so that the target access traffic data is obtained from the backup data, which improves the security of the method. In addition, the preset terminal proportion feature used as the baseline may be inaccurate, for example when the source data used to calculate it contains network attack events that were not identified; a preset terminal proportion feature determined from such source data would be inaccurate. To avoid this, in this embodiment the source data, such as the second network traffic mirror data, is preprocessed to filter out abnormal access traffic data. This ensures that the determined preset terminal proportion feature is accurate and lays the foundation for improving the final detection accuracy. The specific steps include:
Obtaining second network traffic mirror data;
Preprocessing the second network traffic mirror data to filter out abnormal access traffic data;
Obtaining the preset terminal proportion feature at least based on the preprocessed network traffic mirror data.
In a specific example, parameters such as the terminal market share and/or the browser market share can also be referenced to jointly obtain the preset terminal proportion feature. Under normal network access, the preset terminal proportion feature fits parameters such as the terminal market share and the browser market share, and the larger the data volume, the higher the degree of fit, so factors such as the terminal market share and/or the browser market share can be referenced when determining the preset terminal proportion feature. Here, the browser market share refers to the market share of the browser corresponding to the client of the embodiment of the present application.
Here, abnormal access traffic data can be filtered out in the same way that access traffic data is judged to be abnormal: for example, the access traffic data is compared with the historical traffic data of the same period, and the access traffic data is determined to be abnormal when the portion by which it exceeds the historical traffic data of the same period is larger than the preset threshold; this is not repeated here. Of course, other judgment methods can also be used in practical applications, and the present application places no restriction on this.
Here, it should be noted that in practical applications the period and manner of data mirroring can be determined according to actual needs, and the embodiment of the present application places no restriction on this.
In a specific example, the second network traffic mirror data differs from the first network traffic mirror data. The second network traffic mirror data is data from before the access traffic data became abnormal, for example data from a specific duration earlier than the abnormal state, while the first network traffic mirror data is data from after the abnormal state occurs and from a specific period before it occurs; the two have no intersection. Of course, in practical applications the two may also intersect; even if the second network traffic mirror data contains abnormal data, the embodiment of the present application can remove the abnormal data through preprocessing, thereby ensuring the accuracy of the detection result.
Step S103: Compare the terminal proportion feature with the preset terminal proportion feature to determine whether the terminal proportion corresponding to the target access traffic data is abnormal, and determine whether a network attack event exists based on the result of that judgment.
In one embodiment, comparing the terminal proportion feature with the preset terminal proportion feature to determine whether the terminal proportion corresponding to the target access traffic data is abnormal includes:
Comparing the actual proportion interval of a target terminal in the terminal proportion feature with the preset interval of that target terminal in the preset terminal proportion feature, and checking whether the actual proportion interval of the target terminal exceeds the preset interval, to determine whether the terminal proportion corresponding to the target access traffic data is abnormal.
Here, under normal network access the actual terminal proportion feature fluctuates within a certain range, does not exceed that range as the access volume increases, and matches the terminal market share and similar parameters. When a network attack event occurs, however, the actual terminal proportion feature does not match the terminal market share and similar parameters. For example, when a network attack event occurs, the access volume of a certain type of terminal increases sharply, which raises the proportion of that type of terminal beyond the fluctuation range; or the network attack makes the proportions of the terminals tend toward even, which no longer matches the terminal market share. On this basis, this embodiment compares the actual proportion of a particular terminal with the preset interval to judge whether the actual proportion interval is abnormal, and from that whether a network attack event exists. This provides a simple, feasible and fast detection scheme and lays the foundation for engineering application.
In one embodiment, the method further includes:
After the comparison shows that the actual proportion interval of the target terminal exceeds the preset interval, determining that the terminal proportion corresponding to the target access traffic data is abnormal; or,
After the comparison shows that the actual proportion interval of the target terminal does not exceed the preset interval, determining that the terminal proportion corresponding to the target access traffic data is normal.
Here, as shown in Fig. 2, the flow is as follows.
Step S201: Detect that the access traffic data of a client accessing the target server is abnormal.
Step S202: Count the target access traffic data formed by at least one client sending access request information to the target server within a preset time period, and, based on the terminal characteristic information characterized by the access request information in the target access traffic data, obtain the terminal proportion feature corresponding to the target access traffic data.
Step S203: Compare the actual proportion interval of the target terminal in the terminal proportion feature determined in step S202 with the preset interval of the target terminal in the preset terminal proportion feature, and judge whether the actual proportion interval of the target terminal exceeds the preset interval; if it does, execute step S204, otherwise execute step S205.
Step S204: Conclude that the actual proportion of the target terminal does not match parameters such as the terminal market share, determine that the terminal proportion corresponding to the target access traffic data is abnormal, and therefore conclude that a network attack event exists at this time. In other words, the abnormality of the access traffic data is considered to be caused by a network attack event.
Step S205: Conclude that the actual proportion of the target terminal matches parameters such as the terminal market share, determine that the terminal proportion corresponding to the target access traffic data is normal, and therefore conclude that no network attack event exists at this time. In other words, the abnormality of the access traffic data is considered not to be caused by a network attack.
This gives a specific, simple, feasible and fast detection scheme and lays the foundation for engineering application.
Thus, on the one hand, because the embodiment of the present application automatically triggers the subsequent network attack detection flow once the access traffic data is determined to be abnormal, an automated detection flow is realized, which lays the foundation for engineering.
On the other hand, in practical applications, under normal network access the actual terminal proportion feature is related to parameters such as the terminal market share and is unrelated to the access traffic. When a network attack event exists, the terminal proportion feature in that state does not match the relevant parameters such as the actual terminal market share. In particular, once the data volume is large, the actual terminal proportion feature under normal network access fluctuates within a certain range and does not exceed that range as the access volume increases, whereas when a network attack event occurs the actual terminal proportion feature exceeds the fluctuation range. On this principle, the embodiment of the present application determines whether a network attack event exists by comparing the terminal proportion feature with the preset terminal proportion feature, which makes it possible to detect network attack events under large traffic with high accuracy. Moreover, because the page access frequency does not need to be collected and the detection flow only requires the actual terminal proportion feature, this embodiment consumes fewer resources and detects faster than the existing detection approach that collects the page access frequency to detect network attack events.
In yet another aspect, under normal network access the actual terminal proportion feature does not change as the access volume increases. So when a business holds an event or promotion, even if a large number of users increase page accesses within a short time, the actual terminal proportion feature does not become abnormal as long as the accesses are normal; in this case the method of the embodiment of the present application produces no false positives. It also avoids false negatives in the following situation: the attacker uses a large number of attacking IPs and controls the access frequency of each attacking IP so that it stays below the threshold. Even though the access frequency is below the threshold, the attack can be detected as long as the terminal proportion is abnormal in that state, which further improves detection accuracy.
It should be noted that the network attack event of the embodiment of the present application may specifically be a CC attack. Further, the method of the embodiment of the present application can be applied to the following scenarios:
A CC attack detection system in a cloud computing platform environment, a CC attack detection system in an Internet data center (Internet Data Center, IDC) environment, and a CC attack detection system for an enterprise with large traffic.
Here, the terminal in the embodiment of the present application may specifically be a mobile terminal (such as a mobile phone or smartwatch) or a personal computer (Personal Computer, PC) terminal.
The embodiment of the present application is described in further detail below with a specific example, in which the user agent (User Agent, UA) distribution is chosen as the test variable and CC attacks are detected on that basis. Here, the UA distribution characterizes the terminal distribution, that is, the terminal proportion feature described above. Under normal access to a website, once the access volume reaches a certain scale, the UA distribution fits factors such as the market share of mainstream terminals and the browser market share closely; the larger the data volume, the higher the degree of fit. Moreover, in a real CC attack on a website the attacker typically accesses it with random UAs (such as mobile phones of random models) or a fixed UA (such as a smartwatch of one fixed model), so after the attack occurs the UA distribution for that period becomes very even or lopsided, and usually the larger the attack, the more obvious the effect. On this principle, the UA distribution can be used to determine whether a real CC event is occurring.
As shown in Fig. 3, the detailed process includes:
First, network traffic mirror data is used to compute the UA distribution for the period before the suspected attack event occurred (for example, within 6 hours), and the proportion interval of each UA is recorded. In this stage, when the website usually has no traffic or very little traffic, the UA distribution can also be obtained by learning from a large volume of website logs. The specific steps include:
Step S301: Use network traffic mirror data to compute the UA distribution for the period before the suspected attack event occurred (for example, within 6 hours), and record the proportion interval of each UA. Specifically: obtain the network traffic mirror data for the period before the suspected attack event occurred (for example, within 6 hours) and extract the HTTP traffic; parse the UA field in HTTP and extract the UA; compute the UA distribution for the period before the suspected attack event occurred.
Step S302: When the suspected attack event occurs, compute the UA distribution of each small period (for example, within 30 s), calculate the proportion interval of each UA, and compare it with the UA proportion interval from step S301. If it deviates substantially from the UA proportion interval of step S301, for example if a UA's proportion interval is 5 times or more the UA proportion in step S301, a CC attack is determined to exist. Alternatively, if the calculated UA distribution is very even, a real CC attack is also determined to exist.
In this way, CC attacks that existing schemes cannot detect can be detected. Resources are also saved effectively: only the UA field of HTTP is parsed, and performance is 20 times faster than the traditional scheme. CC attacks can also be accurately identified in burst situations such as during promotional activities.
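The comparison in steps S301 and S302, written out as an added Python example that is not code from the patent. The 5x ratio comes from the text; the entropy-based evenness test with its 0.95 threshold, the 1% floor for UAs absent from the baseline, the 10-UA minimum, and every UA string and request below are assumptions constructed for illustration.

```python
import math
from collections import Counter

def extract_ua(raw_request):
    """Parse only the User-Agent header of one raw HTTP request ("-" if absent)."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "user-agent":
            return value.strip()
    return "-"

def ua_shares(raw_requests):
    """Share of each UA among the requests of one window."""
    counts = Counter(extract_ua(r) for r in raw_requests)
    total = sum(counts.values())
    return {ua: n / total for ua, n in counts.items()} if total else {}

def baseline_intervals(windows):
    """Step S301: per-UA (min, max) share over pre-event windows."""
    per_window = [ua_shares(w) for w in windows]
    uas = set().union(*per_window)
    return {ua: (min(s.get(ua, 0.0) for s in per_window),
                 max(s.get(ua, 0.0) for s in per_window)) for ua in uas}

def evenness(shares):
    """Normalized Shannon entropy; 1.0 means every UA is equally frequent."""
    if len(shares) < 2:
        return 0.0
    h = -sum(p * math.log(p) for p in shares.values() if p > 0)
    return h / math.log(len(shares))

def check_window(raw_requests, baseline, ratio=5.0, floor=0.01,
                 even_threshold=0.95, min_distinct=10):
    """Step S302: compare one short window with the baseline intervals."""
    shares = ua_shares(raw_requests)
    # Fixed-UA case: a UA's share is `ratio` times its baseline upper bound.
    # `floor` (assumption) stands in for UAs never seen in the baseline.
    deviating = sorted(
        ua for ua, share in shares.items()
        if share >= ratio * max(baseline.get(ua, (0.0, 0.0))[1], floor))
    # Random-UA case: many distinct UAs with nearly equal shares.
    even = (len(shares) >= min_distinct
            and evenness(shares) >= even_threshold)
    return {"attack": bool(deviating) or even,
            "deviating": deviating, "even": even}

def make_requests(counts):
    """Build constructed raw HTTP requests from a {ua: count} mapping."""
    return [f"GET / HTTP/1.1\r\nHost: shop.example\r\nUser-Agent: {ua}\r\n\r\n"
            for ua, n in counts.items() for _ in range(n)]

# Constructed sample traffic (short labels stand in for full UA strings).
NORMAL = {"Chrome/Windows": 90, "Safari/iPhone": 50, "Chrome/Android": 40,
          "Firefox/Windows": 12, "Edge/Windows": 8}
PRE_EVENT = [
    NORMAL,
    {"Chrome/Windows": 86, "Safari/iPhone": 52, "Chrome/Android": 42,
     "Firefox/Windows": 11, "Edge/Windows": 9},
    {"Chrome/Windows": 92, "Safari/iPhone": 48, "Chrome/Android": 38,
     "Firefox/Windows": 13, "Edge/Windows": 9},
]
BASELINE = baseline_intervals([make_requests(c) for c in PRE_EVENT])

# Promotion: ten times the volume, same terminal mix.
PROMO = make_requests({ua: n * 10 for ua, n in NORMAL.items()})
# Fixed-UA flood: one device model dominates the window.
FIXED_FLOOD = make_requests({**NORMAL, "WatchBrowser/1.0": 2000})
# Random-UA flood: 50 models, each below any per-UA deviation threshold.
RANDOM_FLOOD = make_requests(
    {**NORMAL, **{f"Phone-{i}/1.0": 100 for i in range(50)}})

if __name__ == "__main__":
    for name, window in (("promo", PROMO), ("fixed", FIXED_FLOOD),
                         ("random", RANDOM_FLOOD)):
        print(name, check_window(window, BASELINE))
```

The promotion window carries ten times the normal volume and is not flagged, while the random-UA flood is flagged by the evenness test alone, with no single UA deviating.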
The embodiment of the present application also provides a network attack detection device for implementing the above method. As shown in Fig. 4, the device 400 includes:
Detection unit 401, configured to detect that the access traffic data of a client accessing a target server is abnormal, where the access traffic data characterizes the traffic data formed by the client sending access request information to the target server, and the access request information at least characterizes the characteristic information of the terminal on which the client is installed;
Processing unit 402, configured to count the target access traffic data formed by at least one client sending access request information to the target server within a preset time period, and, based on the terminal characteristic information characterized by the access request information in the target access traffic data, obtain the terminal proportion feature corresponding to the target access traffic data;
Attack judging unit 403, configured to compare the terminal proportion feature with the preset terminal proportion feature to determine whether the terminal proportion corresponding to the target access traffic data is abnormal, and to determine whether a network attack event exists based on the result of that judgment.
In one embodiment, detection unit 401 is further configured to:
Obtain the access traffic data of the client accessing the target server;
Compare the access traffic data with historical traffic data, and determine that the access traffic data is abnormal after determining that the portion by which the access traffic data exceeds the historical traffic data is larger than a preset threshold.
In one embodiment, processing unit 402 is further configured to:
Parse the client identification field set in the access request information corresponding to the target access traffic data, to obtain the terminal characteristic information characterized by the client identification field;
Obtain, based on the characteristic information of the terminals corresponding to the target access traffic data, the terminal proportion feature corresponding to the target access traffic data.
In one embodiment, attack judging unit 403 is further configured to:
Compare the actual proportion interval of a target terminal in the terminal proportion feature with the preset interval of that target terminal in the preset terminal proportion feature, and check whether the actual proportion interval of the target terminal exceeds the preset interval, to determine whether the terminal proportion corresponding to the target access traffic data is abnormal.
In one embodiment, attack judging unit 403 is further configured to:
After the comparison shows that the actual proportion interval of the target terminal exceeds the preset interval, determine that the terminal proportion corresponding to the target access traffic data is abnormal; or,
After the comparison shows that the actual proportion interval of the target terminal does not exceed the preset interval, determine that the terminal proportion corresponding to the target access traffic data is normal.
In one embodiment, processing unit 402 is further configured to:
Obtain first network traffic mirror data;
Obtain, from the first network traffic mirror data, the target access traffic data formed by at least one client sending access request information to the target server within the preset time period in which the access traffic data is abnormal.
In one embodiment, processing unit 402 is further configured to:
Obtain second network traffic mirror data;
Preprocess the second network traffic mirror data to filter out abnormal access traffic data;
Obtain the preset terminal proportion feature at least based on the preprocessed network traffic mirror data.
It should be pointed out that the description of the above device embodiment is similar to the description of the method above and has the same beneficial effects as the method embodiment, so it is not repeated. For technical details not disclosed in the device embodiment of the present application, those skilled in the art should refer to the description of the method embodiment of the present application; to save space, they are not repeated here.
According to an embodiment of the present application, the present application also provides an electronic device and a readable storage medium.
Fig. 5 is a block diagram of an electronic device for the network attack detection method according to an embodiment of the present application. The electronic device is intended to represent various forms of digital computers, such as laptop computers, desktop computers, workstations, personal digital assistants, servers, blade servers, mainframe computers and other suitable computers. The electronic device may also represent various forms of mobile devices, such as personal digital assistants, cellular phones, smartphones, wearable devices and other similar computing devices. The components shown herein, their connections and relationships, and their functions are merely examples and are not intended to limit the implementation of the application described and/or claimed herein.
As shown in Fig. 5, the electronic device includes one or more processors 501, a memory 502, and interfaces for connecting the components, including high-speed interfaces and low-speed interfaces. The components are interconnected by different buses and can be mounted on a common motherboard or installed in other ways as needed. The processor can process instructions executed within the electronic device, including instructions stored in or on the memory to display graphical information of a graphical user interface (Graphical User Interface, GUI) on an external input/output device (such as a display device coupled to an interface). In other embodiments, multiple processors and/or multiple buses can be used together with multiple memories, if desired. Likewise, multiple electronic devices can be connected, each providing part of the necessary operations (for example, as a server array, a group of blade servers, or a multiprocessor system). Fig. 5 takes one processor 501 as an example.
Memory 502 is the non-transitory computer-readable storage medium provided by the present application. The memory stores instructions executable by at least one processor, so that the at least one processor executes the network attack detection method provided by the present application. The non-transitory computer-readable storage medium of the present application stores computer instructions for causing a computer to execute the network attack detection method provided by the present application.
As a non-transitory computer-readable storage medium, memory 502 can be used to store non-transitory software programs, non-transitory computer-executable programs and modules, such as the program instructions/modules corresponding to the network attack detection method in the embodiment of the present application (for example, detection unit 401, processing unit 402 and attack judging unit 403 shown in Fig. 4). By running the non-transitory software programs, instructions and modules stored in memory 502, processor 501 executes the various functional applications and data processing of the server, that is, implements the network attack detection method in the above method embodiment.
Memory 502 may include a program storage area and a data storage area, where the program storage area can store the operating system and the application program required by at least one function, and the data storage area can store data created through use of the electronic device for the network attack detection method. In addition, memory 502 may include high-speed random access memory and may also include non-transitory memory, for example at least one magnetic disk storage device, flash memory device or other non-transitory solid-state storage device. In some embodiments, memory 502 optionally includes memories located remotely from processor 501, and these remote memories can be connected over a network to the electronic device for the network attack detection method. Examples of such networks include, but are not limited to, the Internet, intranets, local area networks, mobile communication networks and combinations thereof.
The electronic device for the network attack detection method may also include an input device 503 and an output device 504. Processor 501, memory 502, input device 503 and output device 504 can be connected by a bus or in other ways; Fig. 5 takes connection by a bus as an example.
Input device 503 can receive input numeric or character information and generate key signal inputs related to the user settings and function control of the electronic device for the network attack detection method; examples include a touch screen, keypad, mouse, track pad, touch pad, pointing stick, one or more mouse buttons, trackball, joystick and other input devices. Output device 504 may include a display device, auxiliary lighting (for example, an LED), haptic feedback devices (for example, a vibration motor) and the like. The display device may include, but is not limited to, a liquid crystal display (Liquid Crystal Display, LCD), a light emitting diode (Light Emitting Diode, LED) display and a plasma display. In some embodiments, the display device may be a touch screen.
Various implementations of the systems and techniques described herein can be realized in digital electronic circuitry, integrated circuit systems, application-specific integrated circuits (Application Specific Integrated Circuits, ASIC), computer hardware, firmware, software, and/or combinations thereof. These various implementations may include implementation in one or more computer programs that can be executed and/or interpreted on a programmable system including at least one programmable processor, which may be a special-purpose or general-purpose programmable processor that can receive data and instructions from a storage system, at least one input device and at least one output device, and transmit data and instructions to the storage system, the at least one input device and the at least one output device.
These computer programs (also called programs, software, software applications or code) include machine instructions for a programmable processor and can be implemented in high-level procedural and/or object-oriented programming languages and/or assembly/machine language. As used herein, the terms "machine-readable medium" and "computer-readable medium" refer to any computer program product, apparatus and/or device (for example, magnetic disk, optical disk, memory, programmable logic device (programmable logic device, PLD)) used to provide machine instructions and/or data to a programmable processor, including a machine-readable medium that receives machine instructions as machine-readable signals. The term "machine-readable signal" refers to any signal used to provide machine instructions and/or data to a programmable processor.
To provide interaction with a user, the systems and techniques described herein can be implemented on a computer that has a display device for showing information to the user (for example, a CRT (Cathode Ray Tube) or LCD (liquid crystal display) monitor) and a keyboard and pointing device (for example, a mouse or trackball) through which the user can provide input to the computer. Other kinds of devices can also be used to provide interaction with the user; for example, the feedback provided to the user can be any form of sensory feedback (for example, visual feedback, auditory feedback or tactile feedback), and input from the user can be received in any form (including acoustic input, voice input or tactile input).
The systems and techniques described herein can be implemented in a computing system that includes a back-end component (for example, as a data server), or a computing system that includes a middleware component (for example, an application server), or a computing system that includes a front-end component (for example, a user computer with a graphical user interface or web browser through which the user can interact with implementations of the systems and techniques described herein), or a computing system that includes any combination of such back-end, middleware or front-end components. The components of the system can be interconnected by any form or medium of digital data communication (for example, a communication network). Examples of communication networks include a local area network (Local Area Network, LAN), a wide area network (Wide Area Network, WAN) and the Internet.
A computer system may include clients and servers. A client and a server are generally remote from each other and usually interact through a communication network. The relationship of client and server arises from computer programs that run on the respective computers and have a client-server relationship with each other.
According to the technical solution of the embodiment of the present application, on the one hand, since the embodiment of the present application is determining flowing of access data There are the testing processes for after exception being automatic trigger subsequent network attack, so, the testing process of automation is realized, is Engineering is laid a good foundation.
On the other hand, in practical applications, when the network is in a normal access state, the actual terminal accounting feature (the proportion of each terminal type in the traffic) depends on parameters such as terminal market share and is independent of the access traffic volume. When a network attack event exists, the terminal accounting feature in that state no longer matches parameters such as the actual terminal market share. In particular, once the data volume is large, the actual terminal accounting feature under normal access fluctuates within a certain range and does not leave that range as the access volume grows, whereas when a network attack event occurs the actual terminal accounting feature exceeds the fluctuation range. Based on this principle, the embodiment of the present application determines whether a network attack event exists by comparing the terminal accounting feature with the preset terminal accounting feature, which allows network attack events to be detected under heavy traffic with high accuracy. Moreover, because the page access frequency does not need to be obtained and the detection flow only requires the actual terminal accounting feature, this embodiment consumes fewer resources and detects faster than existing approaches that detect network attack events from the page access frequency.
In another aspect, under the normal access state of the network, the actual terminal accounting feature does not change as the access volume increases. So when a business holds an event or promotion, even if a large number of users increase page accesses within a short time, as long as those accesses are normal they do not make the actual terminal accounting feature abnormal; in this case the method of the embodiment of the present application does not raise a false alarm. The method also avoids missed detections in the following situation: a hacker uses a large number of attack IPs and controls the access frequency of each attack IP so that it stays below the threshold. Even though the access frequency is below the threshold, the attack can still be detected as long as the terminal accounting in that state is abnormal, which further improves detection accuracy.
It should be noted that the above description of the electronic device embodiment is similar to the description of the method above and has the same beneficial effects as the method embodiment, so it is not repeated here. For technical details not disclosed in the device embodiment of the present application, those skilled in the art should refer to the description of the method embodiment; to save space, they are not repeated here.
It should be understood that steps may be reordered, added or deleted using the various forms of flow shown above. For example, the steps described in the present application may be executed in parallel, sequentially, or in a different order, as long as the result desired by the technical solution disclosed in the present application can be achieved; no limitation is imposed here.
The above specific embodiments do not limit the scope of protection of the present application. Those skilled in the art should understand that various modifications, combinations, sub-combinations and substitutions can be made according to design requirements and other factors. Any modification, equivalent substitution, improvement and the like made within the spirit and principles of the present application shall be included within the scope of protection of the present application.
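The comparison described above, as an added example that is not part of the patent text: a window of requests first passes the volume check against historical traffic, and only then is the share of each terminal type compared with a preset interval. The use of the User-Agent header as the client identification field, the terminal categories, the interval values and all function names are assumptions, and each terminal's share is computed as a single value rather than an interval.

```python
from collections import Counter

# Assumed preset share intervals per terminal type, as would be learned from
# attack-free mirrored traffic (constructed values, not taken from the patent).
PRESET_INTERVALS = {
    "android": (0.40, 0.60),
    "ios": (0.20, 0.40),
    "windows": (0.10, 0.25),
    "other": (0.00, 0.10),
}

# Constructed client identification strings (assumed to be User-Agent values).
SAMPLE_UA = {
    "android": "Mozilla/5.0 (Linux; Android 9) Mobile",
    "ios": "Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X)",
    "windows": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
    "other": "curl/7.64.0",
}

def terminal_type(client_id_field):
    """Map a client identification field to a coarse terminal type."""
    ua = client_id_field.lower()
    if "android" in ua:
        return "android"
    if "iphone" in ua or "ipad" in ua:
        return "ios"
    if "windows nt" in ua:
        return "windows"
    return "other"

def volume_is_abnormal(current, historical, excess_threshold):
    """Volume check: the excess over historical traffic is above the threshold."""
    return current - historical > excess_threshold

def terminal_shares(requests):
    """Share of requests per terminal type in one window of (ip, ua) pairs."""
    counts = Counter(terminal_type(ua) for _ip, ua in requests)
    total = sum(counts.values())
    return {t: counts[t] / total for t in PRESET_INTERVALS} if total else {}

def detect_attack(requests, historical, excess_threshold):
    """Return (attack_suspected, {terminal: share outside its preset interval})."""
    if not volume_is_abnormal(len(requests), historical, excess_threshold):
        return False, {}
    out_of_range = {
        t: round(share, 3)
        for t, share in terminal_shares(requests).items()
        if not PRESET_INTERVALS[t][0] <= share <= PRESET_INTERVALS[t][1]
    }
    return bool(out_of_range), out_of_range

def window(mix):
    """Build a constructed window; mix maps terminal type to request count."""
    return [(f"198.51.100.{i % 250}", SAMPLE_UA[t])
            for t, n in mix.items() for i in range(n)]

# Both windows carry 5x the historical volume of 1,000 requests.
PROMOTION = window({"android": 2500, "ios": 1500, "windows": 800, "other": 200})
SKEWED = window({"android": 500, "ios": 300, "windows": 4100, "other": 100})

if __name__ == "__main__":
    print(detect_attack(PROMOTION, 1000, 1000))  # normal mix: no alert
    print(detect_attack(SKEWED, 1000, 1000))     # skewed mix: alert
```

Both constructed windows trip the volume check, but only the one whose terminal mix leaves the preset intervals is reported, which is the promotion-versus-attack distinction the description draws.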

Claims (10)

1. A method for detecting a network attack, characterized by comprising:
detecting that access traffic data of a client accessing a target server is abnormal, wherein the access traffic data characterizes the traffic data formed by the client sending access request information to the target server, and the access request information at least characterizes characteristic information of the terminal on which the client is installed;
collecting statistics on target access traffic data formed by at least one client sending access request information to the target server within a preset time period, and obtaining, based on the characteristic information of the terminals characterized by the access request information in the target access traffic data, a terminal accounting feature corresponding to the target access traffic data;
comparing the terminal accounting feature with a preset terminal accounting feature to determine whether the terminal accounting corresponding to the target access traffic data is abnormal, and determining whether a network attack event exists based on the result of judging whether an abnormality exists.
2. The method according to claim 1, characterized in that said detecting that access traffic data of a client accessing a target server is abnormal comprises:
obtaining the access traffic data of the client accessing the target server;
comparing the access traffic data with historical traffic data, and, after determining that the portion by which the access traffic data exceeds the historical traffic data is greater than a preset threshold, determining that the access traffic data is abnormal.
3. The method according to claim 1, characterized in that said obtaining, based on the characteristic information of the terminals characterized by the access request information in the target access traffic data, a terminal accounting feature corresponding to the target access traffic data comprises:
parsing the client identification field set in the access request information corresponding to the target access traffic data to obtain the characteristic information of the terminal characterized by the client identification field;
obtaining, based on the characteristic information of the terminals corresponding to the target access traffic data, the terminal accounting feature corresponding to the target access traffic data.
4. The method according to claim 1, characterized in that said comparing the terminal accounting feature with a preset terminal accounting feature to determine whether the terminal accounting corresponding to the target access traffic data is abnormal comprises:
comparing the actual accounting interval of a target terminal in the terminal accounting feature with the preset interval of the target terminal in the preset terminal accounting feature, and checking whether the actual accounting interval of the target terminal exceeds the preset interval, to determine whether the terminal accounting corresponding to the target access traffic data is abnormal.
5. The method according to claim 4, characterized in that the method further comprises:
after the comparison shows that the actual accounting interval of the target terminal exceeds the preset interval, determining that the terminal accounting corresponding to the target access traffic data is abnormal; or,
after the comparison shows that the actual accounting interval of the target terminal does not exceed the preset interval, determining that the terminal accounting corresponding to the target access traffic data is normal.
6. The method according to claim 1, characterized in that said collecting statistics on target access traffic data formed by at least one client sending access request information to the target server within a preset time period comprises:
obtaining first network traffic mirror data;
obtaining, from the first network traffic mirror data, the target access traffic data formed by at least one client sending access request information to the target server within the preset time period in which the access traffic data is abnormal.
7. The method according to claim 1, characterized in that the method further comprises:
obtaining second network traffic mirror data;
preprocessing the second network traffic mirror data to filter out abnormal access traffic data;
obtaining the preset terminal accounting feature at least based on the preprocessed network traffic mirror data.
8. A device for detecting a network attack, characterized by comprising:
a detection unit, configured to detect that access traffic data of a client accessing a target server is abnormal, wherein the access traffic data characterizes the traffic data formed by the client sending access request information to the target server, and the access request information at least characterizes characteristic information of the terminal on which the client is installed;
a processing unit, configured to collect statistics on target access traffic data formed by at least one client sending access request information to the target server within a preset time period, and to obtain, based on the characteristic information of the terminals characterized by the access request information in the target access traffic data, a terminal accounting feature corresponding to the target access traffic data;
an attack judging unit, configured to compare the terminal accounting feature with a preset terminal accounting feature to determine whether the terminal accounting corresponding to the target access traffic data is abnormal, and to determine whether a network attack event exists based on the result of judging whether an abnormality exists.
9. An electronic device, characterized by comprising:
at least one processor; and
a memory communicatively connected to the at least one processor; wherein
the memory stores instructions executable by the at least one processor, and the instructions are executed by the at least one processor so that the at least one processor can perform the method of any one of claims 1-7.
10. A non-transitory computer-readable storage medium storing computer instructions, characterized in that the computer instructions are used to cause the computer to perform the method of any one of claims 1-7.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910800363.6A CN110505232A (en) 2019-08-27 2019-08-27 The detection method and device of network attack, electronic equipment, storage medium


Publications (1)

Publication Number Publication Date
CN110505232A true CN110505232A (en) 2019-11-26

Family

ID=68590008


Country Status (1)

Country Link
CN (1) CN110505232A (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20191126